A recent extensive testing session has revealed that most ATMs can be hacked in under 20 minutes or even less, in certain type of attacks. Security experts at Positive Technologies have provided a detail report after conducting tests on ATMs from NCR, Diebold, Nixdorf and GRGBanking.
The researchers used typical types of exploits and tricks used by cybercriminals to steal money from ATMs or to capture users’ bank card data - also known as skimming.
After conducting several tests on the ATMs, the researchers came to the conclusion that 85 percent of the ATMs tested could be hacked by attackers. This was possible either by unplugging and tapping into Ethernet cables or spoofing wireless connections. Researchers also revealed that 27 percent of the tested ATMs had vulnerabilities in the processing center communications, while 58 percent of tested ATMS had vulnerabilities in their network components or services.
In addition, the researchers also discovered that around 69 percent cash machines are vulnerable to Black Box attacks. This involved cybercriminals connecting programmed Black Box devices to the cash dispenser to bypass security and collect money, in less than 10 minutes.
Researchers said that 92 percent of the ATMs that were under investigation were vulnerable. This was because, either the ATMs didn’t have a BIOS password or didn’t use disk data encryption. During their experiment, it hardly took 20 minutes to change the boot order in the BIOS and manipulated the ATMs’ normal OS on the legitimate hard drive.
In another test, researchers found that with physical access to the ATM, attackers could restart the device and force it to boot into a safe/debug mode. This vulnerability could allow attackers to access various debug utilities or COM ports through which they could spread malware. The ease with which the researchers could bypass the security and draw cash from the ATMs is a cause of concern.
"More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case. Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale,” Positive Technology researchers said.