The advent of chip and PIN has made those old ATMs terribly attractive to hackers - with dire consequences.
Since chip & PIN turned up a couple of years ago, the cash machine has started to become a whole lot more interesting to the hacker. Faking signatures for stolen cards was easy, but now we need the PIN for a (bogus!) cardholder-present transaction.
I was involved in a pen test of an ATM a long while back. I was a bit surprised to see some data being passed to the Link network in the clear, but I was a whole lot more shocked to find that the organisation kept its cash machines on the same flat, unsegregated network as its call centre operators. Oh, and the thing was based on a cut-down Windows kernel, and hadn't been patched for any of the significant Windows vulnerabilities at the time. Even more helpfully, the ATM APIs were published on the internet by the manufacturer, including a particularly handy one called ‘SecureCashOut'.
Let's hope the call centre staff background checks were good, eh?
Various stories have popped up in the press. You will probably remember one about a chap who used an iPod to sniff and store card details over the wire from a pub-based ATM.
This summer, some bright spark placed a dummy ATM in the foyer at the Defcon hacking conference in Las Vegas (where else?) and several delegates fell for it. So ironic, scamming hackers – well ethical-ish ones, anyway.
Credit card and CVV/CV2 numbers are easy to buy from online sources. Getting the PIN is a whole lot harder, though. So that's where the rigged PED (PIN entry device) and bogus cash machine comes in, because you can easily sniff the PIN as it's entered by your victim. But ATMs are expensive to buy, and, as proven at the Defcon event, likely to be confiscated fairly quickly if you're not very careful.
I have talked before about data left on old hard disks, memory cards and even old smartphones when disposed of. That got us thinking about what happens to old ATMs after they're replaced. Where do you buy old IT kit? eBay!
Surely ATMs don't cache lots of useful card data locally? Surely they're wiped before disposal?
Not in all cases, it seems...
We found a used one for £400, the ‘1.5%' fee type, complete with keys, instructions and credentials to hook it up to a service provider. For fun, we had a go at picking the locks. That took 30 seconds. Then we noticed that the hinges were external, which would also be trivially easy to force.
Playing around with the admin interface, it didn't take long to convince the machine to dump a list of all the card numbers it had cached – over 200 of them. Too easy. It also held detailed logs of the amounts of cash requested, and whether the transaction was successful or not. It looked to us as if this machine had been used to test out the validity of stolen cards, as a significant proportion of the failed transactions were for significant amounts.
To cap it all, it appears that the ATM in my local corner shop has been compromised. Several friends who shop there have all had their accounts compromised and funds withdrawn. Rather too much of a coincidence?
What's to stop anyone placing ‘back-doored' ATMs around the place? They don't even have to dispense cash – a message saying ‘out of cash' after the victim has entered the PIN would do. Find some ‘sympathetic' shopkeepers to locate machines in their premises, perhaps?
I for one won't be using standalone ATMs. It amazes me that used versions of these machines can be bought on the open market for trivial amounts. Further, that they're poorly secured and cache card data locally.
Even cash machines physically located in banks, however, have had skimmers installed in the past. I guess I'll have to buy everything online in future; it's safer...