A new method in the business of cash-machine burglary lets a thief empty an ATM and quietly walk away, leaving only a three-inch hole behind. Until recently, an entire ATM had to be blown up in order to steal from it. These days, however, a more sophisticated method is becoming popular.
The new method of robbing ATMs was demonstrated by researchers from the Russian security firm Kaspersky, and the attack they described combines physical penetration with digital savvy. To prove that the attack doesn’t require any special tools, they demonstrated how it’s done using a $15 homemade gadget and a power drill. These items were all it took to inject malicious commands into the machine and trigger the cash dispenser. Even though the researchers named neither the ATM model nor the bank or banks affected, it’s known that this attack was used in several locations across Russia and Europe.
Igor Soumenkov, one of Kaspersky’s researchers, stated: “We wanted to know: To what extent can you control the internals of the ATM with one drilled hole and one connected wire? It turns out we can do anything with it. The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.”
These heists were first discovered last fall, when a bank called and complained about an empty ATM. The only evidence was a three-inch hole near the PIN pad, hidden beneath a sticker. An investigation was launched, and several more cases of this type of heist were discovered. One of the arrested suspects was found in possession of a laptop and a cable that would be connected to the ATM through the hole.
Researchers had the same ATM model in their test lab, and after removing the front panel, they found a serial port near the place where the hole would be made. It took them five weeks, but they finally managed to decode the protocol of the ATM’s internal communications and discovered that the encryption was pretty easy to hack. Eventually, they managed to build their own device that was able to send cash-ejecting commands and fool the ATM into releasing the money. The device was created out of less than $15 worth of materials.
The tests showed that the ATM became “aware” of the foreign influence and rebooted, but far too late to stop the “heist”.
Kaspersky has notified the ATM manufacturers of the flaw, but the problem is that it can’t be fixed remotely. The only way to deal with this would be to replace every ATM’s hardware or to add additional security, like surveillance cameras.
ATMs are often targeted by hackers, and in several cases in Thailand and Taiwan, some sort of malware was used to trigger the “cashouts”. Kaspersky also mentioned several more methods used in recent attacks, but said that the drill method was the simplest and stealthiest so far. Security experts have also stated that “no computer should be considered secure if an attacker takes physical control of it.” With that in mind, additional security around ATMs might be a really good idea.