Last year, Indian banks such as HDFC Bank, ICICI Bank, Yes Bank, Axis Bank and SBI were targets of the country's biggest financial data breach: as many as 3.2 million debit cards were hacked. Weeks after the attack, the forensic report showed that hackers had penetrated Hitachi Payment System, a network to which some banks had outsourced their ATM transaction processing. Hackers capture all possible four-digit numbers from 0000 to 9999 to create a 'dummy code book'. With the help of that code book, hackers steal debit card PINs when customers use their cards in the ATMs.
"ATMs have become an attractive site of attack from cyber criminals globally. There have been reported cases of malware being injected through USB sticks into the teller machine, forcing it to spew cash, or sometimes the back end of the network is hacked such that an ATM is given false instructions to release cash completely remotely. ATMs are attractive points for criminals both for money as well as for card data of customers," says Aleks Gostev, the chief security expert at Kaspersky Lab.
Below are seven reasons, according to Kaspersky Lab experts, why it's so easy for hackers to compromise ATMs:
1. First of all, ATMs are basically computers. They consist of a number of electronic subsystems, including some exotic industrial controllers, but there’s always a conventional PC at the very center of the ATM’s system.
2. Moreover, it’s very likely that this PC is controlled by a rather old operating system like Windows XP. You probably know what is wrong with Windows XP: it is not supported by Microsoft anymore, so any vulnerability found after support was killed off is a perpetual zero-day that nobody will ever patch. And you can bet there are a lot of these vulnerabilities. The outdated Windows XP version that has turned out to be the weak link, crippling information systems around the world, is used by 70% of Indian ATMs.
3. Besides, it’s also very likely that there’s a lot of vulnerable software running in the ATM’s system, from outdated Flash players with over 9000 widely known bugs inside to remote administration tools and more.
4. ATM manufacturers tend to believe that ATMs are always operating in ‘normal conditions’ and nothing ever goes wrong. Hence there’s usually no software integrity control, no antivirus solution, and no authentication of the app that sends commands to the cash dispenser.
5. In contrast to the cash deposit unit and the money dispenser, which are always pretty carefully armored and locked, the PC part of an ATM is easily accessible. Its enclosure is usually made of plastic, thin metal at best, and secured with locks too simple to keep criminals at bay. The logic of ATM manufacturers is as follows: if there’s no money in this part of an ATM, why bother to keep it secure?
6. Modules of ATMs are interconnected with standard interfaces, such as COM and USB ports. Sometimes these interfaces are accessible from outside the cabinet. Even if not, you still need to keep in mind the previous issue.
7. By their very nature, ATMs must be connected—and they always are. Since the Internet is the cheapest way of communicating these days, banks use it to connect ATMs to processing centers. And guess what? Yes, you can find ATMs on Shodan, a search engine that lets the user find specific types of computers (web cams, routers, servers, etc.) connected to the internet using a variety of filters. Shodan has shown there are thousands of exposed ATMs potentially vulnerable to a network attack.
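To illustrate the control that reason 4 says is usually missing, here is an added example (not from the article, Kaspersky Lab or any ATM vendor) of a dispenser-side check that authenticates each command with an HMAC and rejects replays. The class, function and field names are hypothetical, and the key is a constructed demo value; a real design would keep the key in tamper-resistant hardware.

```python
from __future__ import annotations
import hashlib
import hmac
import json

class DispenserController:
    """Hypothetical dispenser-side verifier: a command is accepted only if its
    HMAC tag is valid and its counter is strictly higher than the last one."""

    def __init__(self, key: bytes, max_notes: int = 40):
        self._key = key
        self._last_counter = 0
        self._max_notes = max_notes  # per-command cap (assumed policy)

    def handle(self, message: bytes, tag: bytes) -> str:
        # Authenticate first, in constant time, before parsing anything.
        expected = hmac.new(self._key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        try:
            cmd = json.loads(message)
            counter, notes = int(cmd["counter"]), int(cmd["notes"])
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        # A recorded, validly signed command must not work twice.
        if counter <= self._last_counter:
            return "rejected: replay"
        self._last_counter = counter
        if cmd.get("op") != "dispense" or not 0 < notes <= self._max_notes:
            return "rejected: policy"
        return f"dispense {notes}"

def sign_command(key: bytes, op: str, notes: int, counter: int) -> tuple[bytes, bytes]:
    """Host-application side: serialize the command and compute its tag."""
    body = {"op": op, "notes": notes, "counter": counter}
    message = json.dumps(body, sort_keys=True).encode()
    return message, hmac.new(key, message, hashlib.sha256).digest()

def demo() -> list[str]:
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    ctrl = DispenserController(key)
    msg, tag = sign_command(key, "dispense", 5, counter=1)
    altered, _ = sign_command(key, "dispense", 40, counter=2)
    return [
        ctrl.handle(msg, tag),      # genuine command
        ctrl.handle(msg, tag),      # same bytes sent again
        ctrl.handle(altered, tag),  # different command with a reused tag
        ctrl.handle(*sign_command(key, "dispense", 500, counter=3)),  # over cap
    ]

if __name__ == "__main__":
    print(demo())
```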
While users have no way to find out if an ATM computer network is compromised, there are ways to know if the thieves have compromised the machine. Besides malware attacks, there are other ways to hack ATMs—using counterfeit card readers, hidden cameras, ATM skimming, etc.