Virtually every ATM in the world can be illegally accessed and raided – sometimes even without the need to install malware, according to new research by Kaspersky Lab.
The Russian AV firm’s pen testing team combined its assessments of some of the world’s major banks with investigations of real-world attacks to map all the major ATM security issues facing financial institutions.
It claimed that most are exposed either because of physical security shortcomings or software issues.
The latter is mainly due to the majority of ATMs still running Windows XP and XFS – an outdated standard allowing the ATM PC to connect with the rest of the banking infrastructure. This apparently exposes them to exploitation via malware attacks.
XFS requires no authorization for any commands it processes, which means any application installed on the ATM can issue commands at will – for example, to dispense cash or to turn the PIN pad and card reader into a skimmer.
The second major flaw is that many ATMs are built in such a way that criminals can easily reach the PC or network cable inside.
If they can do this, the robbers could install a black box inside the ATM to give them remote access, or reconnect the machine to a "remote processing center" – allowing them to issue their own commands.
Kaspersky Lab security expert Olga Kochetova argued that too many banks believe incorrectly that criminals are only interested today in online banking heists.
“The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models,” she added in a statement.
“This makes them unprepared for criminals actively challenging the security of these devices. This is today’s reality that causes banks and their customers huge financial losses.”
To fortify ATMs against such attacks, the XFS standard needs to be updated and enhanced with 2FA between devices and software.
Any data transmitted between the PCs and other pieces of hardware inside the ATM needs to be encrypted and protected with integrity controls, and “authenticated dispensing” applied to block off attacks via fake processing centers, Kochetova added.
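The contrast Kochetova draws, illustrated as an added example that is not part of the article or Kaspersky Lab's research: a constructed, hypothetical model of a dispenser that executes any command it receives next to one that only honours commands carrying a valid MAC and a fresh counter. It is a simplified stand-in for "authenticated dispensing" with integrity controls, not the real XFS API; the key, message format and counter scheme are assumptions.

```python
import hashlib, hmac, json, secrets
# Constructed model, not XFS: a dispenser with no authorization versus one that
# requires an HMAC (integrity) and a strictly increasing counter (anti-replay).

def canonical(payload: dict) -> bytes:
    # Deterministic encoding so host and dispenser MAC exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def build_command(key: bytes, counter: int, amount: int) -> dict:
    # Host side: authenticate the dispense request with the key shared with the device.
    payload = {"cmd": "DISPENSE", "counter": counter, "amount": amount}
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}

class LegacyDispenser:
    """No authorization: whatever reaches the device is executed."""
    def __init__(self):
        self.dispensed = 0
    def handle(self, msg: dict) -> bool:
        self.dispensed += msg["payload"]["amount"]
        return True

class AuthenticatedDispenser:
    """Rejects commands that are forged, modified in transit, or replayed."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.dispensed = 0
    def handle(self, msg: dict) -> bool:
        payload = msg["payload"]
        expected = hmac.new(self.key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # integrity check failed: wrong key or altered payload
        if payload["counter"] <= self.last_counter:
            return False  # replayed or out-of-order command
        self.last_counter = payload["counter"]
        self.dispensed += payload["amount"]
        return True

def demo() -> tuple:
    key = secrets.token_bytes(32)  # assumed to be provisioned into both parties at key injection
    legit = build_command(key, 1, 100)
    unkeyed = build_command(b"not-the-real-key", 2, 500)  # software without the key
    tampered = build_command(key, 2, 20)
    tampered["payload"]["amount"] = 2000  # amount changed after the MAC was computed
    legacy, secure = LegacyDispenser(), AuthenticatedDispenser(key)
    legacy_ok = [legacy.handle(m) for m in (legit, legit, unkeyed, tampered)]
    secure_ok = [secure.handle(m) for m in (legit, legit, unkeyed, tampered)]
    return legacy_ok, legacy.dispensed, secure_ok, secure.dispensed
```

The legacy device pays out on all four messages; the authenticated one accepts only the first genuine command and pays out once.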
A detailed write-up can be found here.
Infosecurity has contacted Kaspersky Lab to ask exactly what percentage of the world's banks/ATMs are at risk.