Monday, January 29, 2018 09.05AM / By Olga Kochetova, written on April 26, 2016 / Securelist
Cash machines have been part of our lives since 1967, when a London branch of Barclays Bank unveiled the first ATM. Millions of people around the world now use ATMs every day to withdraw cash, pay into their account or make a variety of payments. When using ATMs, people give little or no thought to the hardware, software or security of the machines. Unfortunately, ATM manufacturers and their primary customers, the banks, don’t pay much attention to the security of cash machines either. This is confirmed by the increasing number of thefts from ATMs using non-destructive methods, i.e. without metal cutting tools or explosives.
To understand why this is happening,
let’s first look at what exactly a cash machine is.
An ATM is basically a construction kit. The manufacturer builds it from a dispenser, a card reader and other units produced by different companies. The units are placed in a housing which usually consists of two parts: the top box, called the cabinet or the service zone, and the lower section, called the safe.
The cabinet includes units such as the system unit (yes, a standard system unit, which sometimes even has the same housing as a typical home computer), the EPP (Encrypting PIN Pad), the card reader, and so on. The service zone, according to ATM manufacturers, contains nothing that gives access to the money. Probably for this reason the cabinet cover is made of plastic and the service zone is protected from unauthorized access by just a simple lock. By the way, a set of locks and separate keys can both easily be purchased online, as the manufacturers install the same locks on their devices, and most banks usually don’t bother to replace
The safe has much better protection: it is a ‘sandwich’ of steel and concrete with two types of locks, one a combination lock (electronic or dial, sometimes electro-mechanical) and the other a key lock (usually a lever tumbler lock). The safe contains the devices that handle the money directly: the dispenser from which cash is withdrawn, and the cash-in module.
All devices are connected to the
system unit, which in this case performs the function of the host (as we shall
refer to it) via the USB or RS232 ports (often referred to as a COM port).
Sometimes these ports are located directly on the system unit; if there aren’t
enough ports, a USB/COM hub is used. Older ATM models can still be found that
are connected via the SDC bus.
The software used on almost every ATM
This is sufficient for the ATM to
carry out its immediate functions, but for some reason certain banks also
install Acrobat Reader 6.0, Radmin, TeamViewer and other unnecessary and in
some cases even dangerous software.
When it comes to the operating system, the vast majority of ATMs still use … Windows XP, despite the fact that Microsoft stopped issuing security updates for it in April 2014. Naturally, any 0-day vulnerabilities in this system will remain unpatched. The engineers servicing ATMs often think that if the ATM is working, it is better “not to touch” (read: “not to update”) it. As a consequence, some cash machines still have the unpatched critical vulnerability MS08-067 (the Windows Server service flaw exploited by Conficker), which allows remote code execution over the network.
The ATM units themselves run on microcontrollers with real-time operating systems (RTOS), which is particularly irksome for the guys with IDA Pro, because static analysis is almost unheard of for such systems. That’s basically all the information cybercriminals need to start hacking.
In 2009, the appearance of Trojan Backdoor.Win32.Skimer caught the world’s attention:
it was the first malicious program targeting ATMs. Skimer attacked ATMs from a
particular manufacturer – one of the market leaders. Using this malicious
program the criminals emptied the cash dispensers and also skimmed the data
from bank cards processed in infected ATMs. Since then, ATMs of different
manufacturers have been repeatedly exposed to malware infection.
The process of stealing money from ATMs using malware consists of four stages:
- The attacker gains local or remote access to the machine.
- Malicious code is injected into the ATM system.
- As a rule, infection is followed by a reboot of the ATM. The system appears to restart normally, but at the same time it comes under the control of the malicious program.
- The final stage, i.e. the main aim of the process, is the theft of money.
Getting access to the inside of an ATM is not a
particularly difficult task, as the experts at the Positive Hack Days, the
international forum on practical information security, demonstrated. The
process of infecting is also fairly clear – arbitrary code can be executed on
an insecure (or insufficiently secure) system. There seems to be no problem
with withdrawing money either – the malware interface is usually opened by
using a specific key combination on the PIN pad or by inserting a “special
card”, and then all you need to do is stuff your pockets full of cash. Here we
will focus on how a malicious program can gain control of an ATM.
The XFS standard
So the attackers have infected the ATM
system unit. What next?
Here again, a short explanation is required. As already mentioned, the ATM is managed by a Windows-based application. Its task is to organize the interaction between the user (client or service staff), the processing center which sends commands to the ATM, and the equipment that executes those commands. The message exchange with the processing center takes place over direct connect protocols (NDC, NCR Direct Connect, or DDC, Diebold Direct Connect): users communicate with the GUI, while service providers are responsible for the operation of each ATM unit (they are the gateways to these units). To send commands to the service providers and on to the equipment, and to receive status messages back, a layer called the XFS Manager is used, in accordance with WOSA.
Figure: operations in the context of the XFS standard.
XFS (CEN/XFS, and earlier WOSA/XFS), or the eXtensions for Financial Services, is a standard
that provides a client-server architecture for financial applications on the
Microsoft Windows platform, especially peripheral devices such as ATMs. XFS is
intended to standardize software so that it can work on any equipment
regardless of the manufacturer, and provides a common API for this purpose.
Thus, any application that is developed with the XFS
standard in mind can control low-level objects by using only the logic
described in this standard. And that application could well be the Tyupkin backdoor or any other malicious program.
What opportunities does XFS offer? For example, the dispenser, the unit of most interest to the attackers, can be made to give out money without any authorization. On some ATM models, XFS calls can also be used to open the safe and unlock the ATM cassettes.
Video: exploitation of the MS08-067 vulnerability to execute arbitrary code on an ATM. The video was shot by experts at BlackHat Europe 2014.
With regard to the card reader, XFS
allows the reading and recording of data from the bank card magnetic stripe and
even retrieval of the transaction history stored on the EMV card chip.
Of special note is the Encrypting PIN Pad (EPP). It is believed that the PIN cannot be intercepted because it is entered on the ATM PIN pad and converted directly inside the encryption module into a PIN block (the EPP holds the keys for this; their counterparts sit in the bank’s Hardware Security Module). However, XFS allows the PIN pad to be used in two modes:
1. Open Mode, for entering ordinary numeric values such as the sum to be withdrawn;
2. Secure Mode, which the EPP switches to for entering a PIN and loading encryption keys.
This allows cybercriminals to mount a “man-in-the-middle” (MiTM) attack. They only have to intercept the command the host sends to the EPP to switch to Secure Mode, and tell the device instead that work continues in Open Mode. In its reply,
the EPP will send the keystrokes as plain text – exactly what the attacker
But what about authentication and
exclusive access? And surely the standard’s specifications are inaccessible?
Unfortunately, this is not the case
with XFS. The standard does not provide any authentication, and exclusive
access to service providers is implemented, but not for security reasons. This
is just a single-threaded command sending function to avoid accidentally
breaking delicate hardware by simultaneously sending two identical commands.
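To make the two EPP modes described above concrete, here is an added example (written for this edited page; it is not code from Securelist, the author or any ATM vendor) of the ISO 9564-1 format 0 PIN block that an EPP forms in Secure Mode, together with the inverse that the bank’s HSM performs after decryption. The PIN and PAN are constructed values, not a real card. A real EPP goes on to encrypt the clear block under a PIN encryption key whose counterpart is in the HSM, and the clear block itself never leaves the device; in Open Mode none of this happens and the digits cross the cable exactly as typed.

```python
def _pan_field(pan: str) -> str:
    """Format 0 PAN field: four zeros, then the 12 rightmost PAN digits excluding the check digit."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    return "0000" + pan[:-1][-12:]


def format0_clear_pin_block(pin: str, pan: str) -> str:
    """ISO 9564-1 format 0 clear PIN block (16 hex digits), as an EPP forms it in Secure Mode.
    A real EPP then encrypts this under its PIN encryption key; the clear block never leaves the device."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")  # control nibble 0, PIN length, PIN digits, 'F' padding
    return f"{int(pin_field, 16) ^ int(_pan_field(pan), 16):016X}"


def format0_extract_pin(block: str, pan: str) -> str:
    """The inverse, as an HSM does it after decryption: XOR the PAN field back in and read the PIN out.
    With the wrong PAN the padding no longer decodes to 'F's, so a mismatch is detected instead of
    silently yielding a wrong PIN. This is the PAN binding that Secure Mode gives and Open Mode does not."""
    pin_field = f"{int(block, 16) ^ int(_pan_field(pan), 16):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    pin, padding = pin_field[2:2 + length], pin_field[2 + length:]
    if not (4 <= length <= 12 and pin.isdigit() and padding == "F" * len(padding)):
        raise ValueError("PIN block does not verify: wrong PAN or corrupted block")
    return pin


if __name__ == "__main__":
    # Constructed values, not a real card
    block = format0_clear_pin_block("1234", "4321987654321092")
    print(block, format0_extract_pin(block, "4321987654321092"))
```

The same PIN entered for a different PAN yields a different block, and a block presented with the wrong PAN fails the padding check; that is what the attacker loses nothing of when the mode switch is flipped to Open Mode, because the keystrokes then arrive with no PAN binding and no encryption at all.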
Surprisingly, although it is a
standard for financial applications, it doesn’t even mention security. Where
can you find the specifications to check if this is true? Just try entering
“ATM XFS” in any search engine and you’ll find the answer among the first few
Banks sometimes use integrity control
software on their ATMs that supposedly prevents the execution of unauthorized
code based on a whitelist, controls connected devices and drives, as well as
providing other useful methods which should, in theory, counter attacks.
But we shouldn’t forget that first of all it is software, and like any other software it is not perfect. It may be vulnerable to attacks such as kiosk-mode bypass, whitelist bypass, buffer overflows, privilege escalation to the SYSTEM user, and so on. As you know, such vulnerabilities often let cybercriminals gain access to the operating system and do their dirty work.
The bad guys may also use modified utilities originally provided by ATM developers or manufacturers to test a machine’s operability. One of the functions of these utilities is to test the dispenser, including the dispensing of cash. To carry out such a test, the engineer has to prove his legitimacy by opening the safe door or performing actions with the dispenser cassettes. The logic is simple: if you can open the safe, you have the key, i.e. you are a licensed engineer or a cash-in-transit guard. But by simply replacing a couple of bytes in the utility, the “right” people can “test” cash withdrawals without any
Yet another way criminals have of
lining their pockets is to change the denomination of banknotes dispensed by
the ATM using a diagnostic utility. As a result, the attacker receives
banknotes with the largest nominal value (e.g., a 100 dollar/euro banknote)
while the ATM “thinks” it is dispensing the smallest of the available
denominations (five or ten). It means several hundred thousand can be withdrawn
from a card with a balance of just a few hundred.
So-called black box attacks are
another type of attack that is getting increased coverage in the news. On surveillance camera videos the
following occurs: someone opens the service zone, connects a magic box to the
ATM, closes the cabinet and leaves. A little later several people who appear to
be customers approach the ATM and withdraw huge sums of money. Of course, the
criminals retrieve their little device from the ATM once they have achieved
their goal. Usually, these black box attacks are only discovered a few days
later when the empty cassettes and the withdrawal logs don’t tally, leaving the
bank employees scratching their heads. However, there is no magic involved –
the attackers connect a specially programmed microcomputer to the dispenser in
such a way that it bypasses the security measures implemented on the host
(antivirus, integrity control, full disk encryption, etc.).
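The discrepancy that finally exposes a black box attack, the dispenser’s own counters disagreeing with the host’s withdrawal log, can be checked automatically at every replenishment rather than noticed days later. The following is an added example for this page, not code from Securelist or the author; the log format, the counter values and the transactions are all constructed for illustration, and a real deployment would read the per-cassette counters the dispenser keeps and parse the host application’s actual log format.

```python
import re
from collections import Counter

# Constructed sample of a host application log: the host records only the dispenses it itself commanded.
HOST_LOG = """\
2016-04-20 09:12:41 TXN card=****1092 auth=OK DISPENSE cassette=1 notes=5
2016-04-20 09:40:03 TXN card=****7731 auth=OK DISPENSE cassette=1 notes=2 cassette=2 notes=1
2016-04-20 11:05:17 TXN card=****0040 auth=DECLINED
2016-04-20 13:22:58 TXN card=****5519 auth=OK DISPENSE cassette=2 notes=4
"""

# Constructed: notes dispensed per cassette since the last replenishment, read from the dispenser's own
# counters, which a black box driving the dispenser port directly cannot avoid incrementing.
DISPENSER_COUNTERS = {1: 47, 2: 5, 3: 0, 4: 0}

DISPENSE_RE = re.compile(r"cassette=(\d+) notes=(\d+)")


def notes_from_host_log(log: str) -> Counter:
    """Notes per cassette that the host application says it dispensed."""
    counts = Counter()
    for line in log.splitlines():
        for cassette, notes in DISPENSE_RE.findall(line):
            counts[int(cassette)] += int(notes)
    return counts


def reconcile(host_counts: Counter, hardware_counts: dict) -> dict:
    """Hardware minus host, per cassette. Positive: the unit pushed out notes the host never commanded."""
    cassettes = sorted(set(host_counts) | set(hardware_counts))
    return {c: hardware_counts.get(c, 0) - host_counts.get(c, 0) for c in cassettes}


def unexplained_dispenses(log: str, hardware_counts: dict) -> dict:
    """Only the cassettes that do not tally; an empty dict means the log explains every note."""
    return {c: d for c, d in reconcile(notes_from_host_log(log), hardware_counts).items() if d != 0}


if __name__ == "__main__":
    for cassette, delta in unexplained_dispenses(HOST_LOG, DISPENSER_COUNTERS).items():
        print(f"cassette {cassette}: {delta:+d} notes not explained by the host log")
```

A positive delta is cash the hardware pushed out without the host ever commanding it (a black box on the dispenser port, or direct control as described below); a negative one means the host logged a dispense the unit never performed and deserves a look too. Note the limit of this check: commands from a fake processing center are executed by the host itself and therefore do appear in its log, so those have to be reconciled against the real processing center’s authorization records instead.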
As mentioned above, USB, RS232, or SDC
can be used as a data transmission channel between the system unit and the
devices. It’s likely that nothing will prevent the attackers from sending the necessary
commands directly to the device port bypassing its service provider. The
standard interfaces often do not require any specific drivers. Authorization is
not required either, which basically makes these insecure proprietary protocols
an easy target – just sniff and replay. The result is direct control over ATM
units, the use of undocumented functions (e.g., changing the unit firmware).
The criminals may also use a software
or hardware traffic analyzer, installing it directly on the port of a particular
device such as a card reader in order to obtain the transmitted data. And this
analyzer will be difficult to detect. Direct control over the dispenser means
the ATM cassettes can be emptied without any entries being made in the ATM
Figure: a typical packet, the command to dispense a banknote from the first cassette.
For those who are unaware, it may look like magic. Every great magic trick consists of three parts or acts, and there are three here too: dispensing money from the cassette, opening the shutter, and presenting the money to the client.
Video: black box attack on an ATM, prepared by experts for demonstration purposes at BlackHat Europe 2014.
Hardware skimmers are ‘so yesterday’. A direct connection makes it possible to read and record the magnetic stripe of a bank card, and traffic analyzers, freely available on the Internet, can serve as that direct connection. Rumor has it that in one fairly large bank
all the ATMs were used as skimmers: the attackers had found vulnerabilities in
the bank’s network and installed a USB sniffer on the ATMs, allowing them to
collect bank card data in plain text for five years! Who knows, maybe your card
was among those affected.
Figure: intercepted Track 2 data from a bank card.
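Sniffed reader traffic yields Track 2 as plain text; the same observation lets a defender, or an incident responder going through a captured USB trace, check whether card data is crossing the link in the clear. Below is an added example for this page (not code from Securelist or the author) that finds ISO 7813 Track 2 records in a byte buffer, validates the PAN with the Luhn check and masks it for reporting. The capture bytes are constructed and the PANs are not real card numbers.

```python
import re

# ISO 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?' (the trailing LRC is not matched)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, to tell real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and the last four digits, as is customary for reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Locate every Track 2 record in a captured byte stream and summarise it without keeping the full PAN."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm, service, _discretionary = (g.decode() for g in m.groups())
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "luhn_ok": luhn_ok(pan),
            "expiry": f"{mm}/{yy}",
            "service_code": service,
            "chip_card": service[0] in "26",  # first digit 2 or 6: the card carries an IC (EMV chip)
        })
    return hits


# Constructed capture: what a sniffer on the reader's USB/COM link might collect, reader framing bytes included.
CAPTURE = (b"\x02STATUS OK\x03"
           + b";4321987654321092=25122011234567890?\x1c"
           + b"\x06ACK\x00"
           + b";4321987654321098=2512101987654?"
           + b"\x04")

if __name__ == "__main__":
    for hit in find_track2(CAPTURE):
        print(hit)
```

The second record in the sample fails the Luhn check and is reported as such rather than dropped; in a real trace that is the difference between a test card and a typo, and both are worth seeing. The service code is kept because its first digit says whether the card has a chip, i.e. whether the stripe data alone would be enough to clone it.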
The connection between ATMs and the
processing center can be protected in various ways. For example, using a
hardware or software VPN, SSL/TLS encryption, a firewall or MAC-authentication,
implemented in xDC protocols. However, all these measures often appear to be so
complex for banks that they don’t bother using any network protection at all.
In such cases, a MiTM attack can be
launched that will result in the attacker getting both bank card data and all the money in the ATM. This requires
remote access to the device, which is usually obtained by using vulnerable
services that can be accessed from the Internet, as well as social engineering techniques. Physical access to the
network hardware, including the ATM Ethernet-cable will also suffice.
On the way to the real processing
center a fake one pops up; it sends commands to the ATM software to dispense
banknotes. Withdrawing money is possible with any card, even one that has
expired or has a zero balance, as long as the fake processing center
“recognizes” it. A fake processing center can be either “homemade” software
that supports communication with the ATM via the xDC-protocol, or a processing
center simulator originally designed to check network settings (yet another
“gift” from the vendors to the cybercriminals).
Figure: commands to dispense 40 banknotes from the fourth cassette, sent from a fake processing center and recorded in the ATM software logs. They look almost like the real thing.
Where do the criminals find ATMs that
can be attacked via the network? Do they scan all the nearby networks or buy
the information on underground forums?
It turns out that you just need to enter the right query into a search engine such as https://www.shodan.io/ (an Internet of Things scanner well known to experts). The data collected by this scanner is usually enough to launch such attacks.
Or you could just take a closer look
at the ATMs in retail and business centers.
Figure: the ATM system can be accessed without even opening it; all the communications are located on the outside.
Who’s to blame and what can be done
This part is usually the most
depressing, and here’s why.
When we detect a vulnerability while
analyzing ATM security, we send a notification to the vendor with a description
of the problem and ways to solve it. And often the answers are bewildering:
“The vulnerabilities are essentially
normal specifications of the card readers and not unexpected. As long as the
ATM is running within normal parameters, these
problems cannot possibly occur.”
“However this vulnerability is inherent in the USB technology and is expected to be mitigated by the use of appropriate physical controls on access to the ATM top box.”
“We regret informing you that we had
decided to stop producing this model more than 3 years ago and warranties for our distributors been
Indeed, why should vendors bother
about ATMs with expired warranties that are still used by banks around the
world, and whose physical security often leaves much to be desired?
Unfortunately, reality shows that manufacturers are only interested in selling new
products and not in eliminating the shortcomings of existing systems, while
banks lack the necessary skills to cope with the problems on their own.
Fortunately, some manufacturers
understand the dangers of unauthorized ATM use, and release security updates.
To prevent attacks on dispensers, two-way authentication and cryptography are
used. It should be noted, however, that not all cryptography is correctly
While the existing countermeasures can
protect ATMs from malware, they are powerless against black box or network
attacks. A huge number of security flaws and vulnerabilities that can be
exploited with minimum expertise make cash machines a prime target for those
desperate to get rich illegally.
So. Is everything
ATM manufacturers can reduce the risk
of attack on cash machines.
- Firstly, it is necessary to revise the XFS standard with an emphasis on security, and introduce two-way authentication between devices and legitimate software. This will help reduce the likelihood of unauthorized withdrawals using Trojans and of attackers gaining direct control over ATM units.
- Secondly, it is necessary to
implement “authenticated dispensing” to exclude the possibility of attacks
via fake processing centers.
- Thirdly, it is necessary to
implement cryptographic protection and integrity control over the data
transmitted between all hardware units and PC inside ATM.
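The three recommendations above, the EPP mode-switch interception described earlier, the sniff-and-replay of black box attacks and the fake processing center are all instances of one missing property: the unit cannot tell who is talking to it, or whether a message has been altered or replayed. The following added example (written for this page; it is not code from Securelist, the author or any ATM vendor, and the frame format, command names and pairing keys are assumptions) shows today’s unauthenticated behaviour next to a hardened unit that requires a MAC over each command, a strictly increasing counter against replay, and a MAC over each reply so that the host authenticates the device as well.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 tag appended to every frame (a stdlib choice for the example)


def _tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def seal(key: bytes, msg: dict) -> bytes:
    """Serialise a command or reply and append its MAC."""
    payload = json.dumps(msg, sort_keys=True).encode()
    return payload + _tag(key, payload)

def unseal(key: bytes, frame: bytes):
    """Return the message if the MAC verifies, otherwise None."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(key, payload)):
        return None
    return json.loads(payload)


class LegacyUnit:
    """An EPP or dispenser as the article describes today's XFS units: any well-formed command is executed."""
    def __init__(self, pin: str = "1234"):
        self.mode, self.pin, self.dispensed = "secure", pin, 0

    def handle(self, frame: bytes) -> dict:
        return self.execute(json.loads(frame))  # no tag, no check, no idea who sent it

    def execute(self, cmd: dict) -> dict:
        if cmd["cmd"] == "set_mode":
            self.mode = cmd["mode"]
            return {"status": "ok", "mode": self.mode}
        if cmd["cmd"] == "read_keys":
            # Open Mode hands back the keystrokes; Secure Mode would release only an encrypted PIN block
            return {"status": "ok", "keys": self.pin if self.mode == "open" else "<encrypted PIN block>"}
        if cmd["cmd"] == "dispense":
            self.dispensed += cmd["notes"]
            return {"status": "ok", "notes": cmd["notes"]}
        return {"status": "error"}


class HardenedUnit(LegacyUnit):
    """Same unit with a pairing key shared with the legitimate host: MAC on every command,
    strictly increasing counter against replay, MAC on every reply (two-way authentication)."""
    def __init__(self, key: bytes, pin: str = "1234"):
        super().__init__(pin)
        self.key, self.last_ctr = key, 0

    def handle(self, frame: bytes) -> bytes:
        cmd = unseal(self.key, frame)
        if cmd is None or cmd.get("ctr", 0) <= self.last_ctr:
            return seal(self.key, {"status": "rejected"})
        self.last_ctr = cmd["ctr"]
        return seal(self.key, {**self.execute(cmd), "ctr": cmd["ctr"]})


class Host:
    """The host application; with the wrong key it behaves exactly as a fake processing centre would."""
    def __init__(self, key: bytes):
        self.key, self.ctr = key, 0

    def send(self, unit: HardenedUnit, cmd: dict, wire=lambda frame: frame) -> dict:
        self.ctr += 1  # `wire` models whoever sits on the cable between host and unit
        reply = unseal(self.key, unit.handle(wire(seal(self.key, {**cmd, "ctr": self.ctr}))))
        if reply is None or (reply["status"] == "ok" and reply["ctr"] != self.ctr):
            return {"status": "reply_not_authentic"}
        return reply


def mitm_rewrite(frame: bytes) -> bytes:
    """Attacker on the EPP cable turns the switch to Secure Mode into a switch to Open Mode."""
    return frame.replace(b'"mode": "secure"', b'"mode": "open"')

def legacy_epp_attack() -> str:
    epp = LegacyUnit()
    epp.handle(mitm_rewrite(json.dumps({"cmd": "set_mode", "mode": "secure"}, sort_keys=True).encode()))
    return epp.handle(b'{"cmd": "read_keys"}')["keys"]  # the PIN in plain text

def hardened_epp_attack() -> tuple:
    key = b"pairing-key-provisioned-to-this-epp"  # assumption: injected at pairing, never sent over the cable
    epp, host = HardenedUnit(key), Host(key)
    status = host.send(epp, {"cmd": "set_mode", "mode": "secure"}, wire=mitm_rewrite)["status"]
    return status, host.send(epp, {"cmd": "read_keys"})["keys"]  # ("rejected", "<encrypted PIN block>")

def fake_processing_center() -> int:
    dispenser = HardenedUnit(b"pairing-key-provisioned-to-this-dispenser")
    Host(b"attacker-has-no-key").send(dispenser, {"cmd": "dispense", "cassette": 4, "notes": 40})
    return dispenser.dispensed  # 0: authenticated dispensing held

def replayed_dispense() -> tuple:
    key = b"pairing-key-provisioned-to-this-dispenser"
    dispenser, host, captured = HardenedUnit(key), Host(key), []
    host.send(dispenser, {"cmd": "dispense", "cassette": 1, "notes": 2}, wire=lambda f: captured.append(f) or f)
    replay = unseal(key, dispenser.handle(captured[0]))  # a black box replays the sniffed, genuine frame
    return dispenser.dispensed, replay["status"]  # (2, "rejected")
```

The scheme only holds if the pairing key is provisioned to the unit out of band and stored where someone with cabinet access cannot read it out; a key that sits in a file on the Windows XP host is just one more thing the Trojan copies. It also shows why “exclusive access” in XFS is no substitute: the hardened unit does not care how many callers there are, only whether each frame carries a valid tag and a fresh counter.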
And what should banks do? They need to encourage those who sell ATMs and software to make them secure. The manufacturer must eliminate vulnerabilities as soon as possible, and it is necessary to remind them of this as often as possible. To prevent ATMs being hacked, all the available protection tools must be used. A completed PCI DSS Self-Assessment Questionnaire is not a silver bullet and won’t protect ATMs from attacks, or banks from financial and reputational losses. Proactive protection, including regular ATM security assessments and penetration testing, is better (and often much cheaper) than a security incident and the subsequent investigation.
Bad guys are watching.
PS: No cash machines were harmed in the preparation of this material.
PPS: This overview of the security issues in cash machines is not intended as
a hacking guide.