Most ATMs Can Be Hacked in Under 20 Minutes (zdnet.com) 78
An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less, in certain types of attacks. From a report: Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week. The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users' bank cards (also known as skimming). Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected. Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.
Re:So what? (Score:5, Insightful)
Anyone with sense limits the amount of money in their ATM / online banking accessible account to a small amount, like 15-20k, unless a large purchase is coming. This is a simple way to protect yourself.
The majority of people in the US don't even have enough liquid money to afford a $1000 emergency and you think 15-20k is a small amount?
Re: (Score:1)
'Trust fund kids' are the ones that the parents know are too incompetent to handle money (e.g. Jerry Brown, CA governor).
If they had 150k, they'd spend it on hookers and blow. That's why the trust has to dribble out a monthly allowance.
Someone claiming 150k$ in a checking account, is either a moron or a troll, depending on if it's true or not.
Re: (Score:2)
'Trust fund kids' are the ones that the parents know are too incompetent to handle money (e.g. Jerry Brown, CA governor).
If they had 150k, they'd spend it on hookers and blow. That's why the trust has to dribble out a monthly allowance.
Someone claiming 150k$ in a checking account, is either a moron or a troll, depending on if it's true or not.
Or someone who assumes that the stock market will crash quickly, which will force the Fed to lower interest rates again, which will mean almost all asset classes will lose value over the coming month.
Re: (Score:2)
which will force the Fed to lower interest rates again, which will mean almost all asset classes will lose value over the coming month
No.... the Fed has been doing the opposite of Quantitative Easing they were aggressively doing during Obama's administration: attempting to trim their balance sheet, in addition to the aggressive interest rate increases --- the reverse QE will mean they could lower interest rates to 0 and still potentially make a catastrophe;
But leaders in the Fed have been looking disd
Re: (Score:2)
You don't know what a trust is. It has nothing to do with the assets, only putting an adult in charge of the assets so the 'Trust fund kid' can't blow it all.
Jerry Brown's parents knew him better than the voters of CA. Like most true morons, he has only gotten dumber with age.
Re: (Score:1)
Anyone with sense limits the amount of money in their ATM / online banking accessible account to a small amount, like 15-20k, unless a large purchase is coming. This is a simple way to protect yourself.
The majority of people in the US don't even have enough liquid money to afford a $1000 emergency and you think 15-20k is a small amount?
Gosh, I have foolishly been keeping a billion and a half dollars in my checking account connected to my ATM card... I should probably reduce that to 15 to 20 times the maximum amount I’ve ever HEARD of an ATM allowing someone to take out, (or more like about 40 times, for most ATMs I’ve ever used).
What I was going to suggest though, is that it’s okay for most ATMs to be hackable in under twenty minutes, as long as they alert the police when someone starts trying to hack them, and the time
Re: (Score:3)
Anyone with sense limits the amount of money in their ATM / online banking accessible account to a small amount, like 15-20k, unless a large purchase is coming. This is a simple way to protect yourself.
[British Accent]Quite right you are my man. Unless Foofy needs a new rolls I try to limit my personal cashier boy to a similar small fund which they may withdraw from these mechanical money boxes. Lest the less trustworthy boys have been known to drain a person's account to the point that one must take a public jet to the Alps instead of our family's private whirly birds.[/British Accent]
Re: (Score:1)
You didn't read the article. They are literally talking about jackpotting the ATMs by telling the ATM's OS to dispense money at will, or intercepting data to the ATM network. The latter is likely easier to catch by the ATM network, but if someone jackpots an ATM nobody will know unless the ATM has been physically damaged in the process.
Here's a theoretical example. Someone installs the malware on the Windows XP ATM, someone comes by and withdraws or deposits 20$, the crook then waits for them to go away a
Re: (Score:1)
How does the camera in the ATM - that takes photos of every person pushing ATM buttons - not see the culprit?
How does the camera filming the area the ATM/s are in not see someone at an ATM?
If you are invisible, there are easier and safer ways to get rich.
Can they be hacked (Score:1)
with a hacksaw?
Re: Can they be hacked (Score:1)
Thanks, found several videos of idiots ripping their back axle off. Was very funny.
Re: (Score:1)
The bank is on the hook for the money, and by extension the bank's insurance company. I work for a bank and am familiar with this issue. A bigger issue is online scamming where somebody gets the login info for a legitimate customer's account and then orders a transfer to Paypal or some other online service, and then walks away with that money. The FBI won't even bother investigating for a few thousand bucks. And the transfer recipients generally don't help out either because they're prohibited from giving
Under 20 minutes and even less? (Score:3, Funny)
Is that the same as even less than under 20 minutes?
Banks (Score:2)
Good thing they got rid of those banks with safes and armed guards.
Might take some real risks to rob a bank.
Diebold made voting machines (Score:2)
Diebold made voting machines.
Everyone else in that industry is just as bad. No threat models, at all. That's why I'm getting into the industry.
Re: (Score:2)
No, the voting machine industry. They're all terrible. It's so bad people are calling for paper ballots--computer science people, not infosec people, because infosec people would look at paper ballots and cringe...oh, wait, no, Bruce Schneier has also fallen for that noise.
Let's be honest here: paper ballots are data packets. You have a distributed network in which a few trusted individuals are in possession of the packets at any time. Start from the sender (polling center), put the data packet on a
No they can’t. Not in a bank? (Score:1)
These attacks seem to require you to be alone with the machine, while having access to its backside where the cables come out.
Yeah... veeery realistic. --.--
Try again with a vandalism-hardened ATM in a brick wall with cameras and security personnel looking at them. Then and only then do you get to write sensationalist headlines like this.
Why do you think the PIN only has 4 digits most of the time? Not because that's so hard to crack. It's only a token. The security is provided by what's around it.
(And yeah,
the title, blah blah (Score:3)
In these cases, physically breaking it open! (Score:2)
Every one of the methods involved opening/unlocking the physical casing! Obviously, being able to remove the HDD or insert a USB drive is going to make the hack a lot easier.
Re:the title, blah blah (Score:5, Informative)
20 minutes? (Score:2)
Re: (Score:1)
Damnit, I don't have mod points at the moment! :)
Is this a real problem or just theoretical? (Score:2)
I mean, are banks actually running across a regular problem where they go to refill an ATM machine and verify all the transactions, and discover somebody emptied out a few hundred or thousand bucks that they can't account for?
Seeing the attitude they seem to take with credit card fraud (just cancel the card, refund the fraudulent transactions and move on) ... I guess nothing would surprise me. But I have to think the number of folks with the expertise to pull these hacks off who ALSO would risk jail time t
Uhh, what? (Score:3)
What are you talking about? Why would an ATM have wifi-anything and why would you have an ATM with an ethernet cable accessible in a timeframe that's less than what it takes for cops to arrive?
Good thing that we do not use this tech for voting (Score:2)
... here in Oz.
Link to research article (Score:1)