Taiwan Heist Highlights ATM WeaknessesKey Vulnerability: Many ATMs Still Run Versions of Windows XP
The theft of $2.2 million from dozens of ATMs in Taiwan, executed using malicious software, defies a years-long effort by banks and software vendors to strengthen the security controls of ATM fleets.
Investigators suspect two Russian nationals may have remotely commanded a specific kind of ATM made by Wincor-Nixdorf to dispense thick wads of cash. As a precaution, some of the country's biggest banks suspended withdrawals from 1,000 ATMs of the same kind.
Since 2009, researchers have warned that hackers were developing malicious software for ATMs. The malware is designed to cause ATMs to disgorge bills, known as jackpotting, or collect details of payment cards used at a machine.
Just the Latest ATM Attack
The most famous jackpotting demonstration came in July 2010 at the Black Hat security conference. The late security expert Barnaby Jack exploited security flaws in two ATMs, causing the machines to spew a flurry of bills onstage.
The ATM thefts come as the banking industry has faced increasingly bold and well-planned attacks. Bangladesh Bank lost $81 million in February after hackers compromised its credentials for the SWIFT interbank payment system (see Bangladesh Bank Attackers Hacked SWIFT Software ).
Then in May, fraudsters in Japan stole $19 million from South Africa's Standard Bank in a quick, coordinated attack using counterfeit cards at ATMs (see Lessons From ATM Cash-Out Scheme in Japan).
3 Types of Malware
Three types of malware were used in the Taiwan thefts, which affected First Bank, according to the Ministry of Justice's Investigation Bureau. The dispensing of the cash could have been triggered by a mobile phone, a laptop or a hacked PC at First Bank, the bureau told the news agency.
The malware wasn't named, but the description could fit ATM malware called Ploutus. Once the malware is installed on an ATM, an attacker can command the machine to dispense cash by sending a text message, according to a May 2014 blog post by Symantec.
ATMs are widely viewed as vulnerable because nearly all run aging software. They're complex, networked devices that have many potential weaknesses if not carefully configured, updated and physically secured.
About 90 percent of the world's ATM machines still run Windows XP, according to Kaspersky Lab. Microsoft stopped providing security updates for XP in April 2014, although extended support was available for some special embedded versions through this year.
Steve Wilson, a principal analyst with Constellation Research in Sydney, says critical infrastructure - from ATMs to medical devices to internet-connected vehicles - should simply not be built using commercial operating systems that "are barely adequate to run word processors.
"It's just asking for trouble," he says. "It's amazing that this [ATM malware thefts] doesn't happen more often."
When Microsoft ended support for Windows XP, it posed a major problem for ATM vendors. The manufacturers had to ensure their ATMs were compliant with the Payment Card Industry Data Security Standard and were not vulnerable to malware. The standard is a set of recommendations for securing payment card data.
Most ATM manufacturers continued to use Windows XP, bolting on other security software while trying to lock down the OS to protect cardholder data. Others migrated to Windows 7.
As the deadline for the end of XP support approached, Wincor-Nixdorf released software called PC/E Terminal Security, which could be layered on top of XP. The security software ensured ATMs were PCI-DSS compliant and hardened the OS against unauthorized access.
Wincor-Nixdorf's product catalog gives insight into the operating systems its ATMs currently support. The ProCash 280, for example, lists its compatible software as Windows XP Professional SP3, Windows POSReady 2009 and Windows 7.
The model of the ATM breached by the hackers in Taiwan has not been identified, and Wincor-Nixdorf officials couldn't immediately be reached for comment.
Hacking an ATM
There are a variety of ways to attack an ATM. Installing malware would require either physical or remote access to the ATM's computer. ATMs generally have two cabinets: one that contains the cash, which is heavily secured, and the other that contains the electronics.
Access to the cabinet containing the ATM's computer is often protected by a single lock. It's not uncommon for the same key to open an entire fleet of ATMs to make it easier to access the devices for servicing. If that key is obtained, an attacker could open up the ATM and install malware by slipping a USB key into an open port or by using a CD-drive.
Some manufacturers guard against this type of attack. Triton Systems, which makes stand-alone ATMs, only allows trusted executables to run, a process known as whitelisting, says Henry Schwarz, the company's Australia-based software projects director. The digital signatures of any updates for the ATM's software are verified as well. If an attacker breached the ATM's door, it means that unauthorized code should not run.
ATMs need a network connection in order to communicate with banks, so remote attacks are also a possibility. A network configuration mistake could be all that a hacker needs to get in. Some ATMs have wireless modems or Wi-Fi enabled and communicate over the public internet. Others have dedicated connections.
"There's all sorts of options, and some are more secure than others," Schwarz says. "In the trade-off between convenience and security, a small sacrifice in security can be all that an attacker needs to get their foot in the ATM's door."