Unbelievable Security Stories
I was reading a story on Reuters about a security expert who highlighted the point that ATMs (Automated Teller Machines) have certain security flaws that help hackers hit the jackpot. Certainly an intriguing story as I thought ATMs were among the most secure systems in the world since their owners have everything to lose, from money to reputation to ultimately their business.
Barnaby Jack, the security expert testing the ATMs, said (amongst his claims) that some ATMs could be attacked via their communications ports which are sometimes available from the outside. I couldn’t fathom that an ATM could allow administrative access to the machine from the outside where anyone would be able to gain access to the machine – there had to be a mistake! Alas it’s true, as the article goes on to say that some ATM designers didn’t have a basic sense of physical security and placed the administrative port on the outside where it would be accessible by anyone.
Such an administrative port could be used to reconfigure the machine. Imagine swapping the $2 tray with the $100 tray: a $4 withdrawal should produce two $2 notes, but the machine now thinks the $2 notes reside in the $100 tray, so you’re presented with $200 instead of $4. Obviously, if the machine is not reconfigured back, the person withdrawing $100 will not be very happy when presented with $2.
I searched but couldn’t find any other mention of exposed ATM communication ports, nor any images; however, I did find other disturbing security stories. I came across a story by Bruce Schneier about a guy who reprogrammed a Tranax Mini-Bank 1500 ATM at a gas station to think $5 bills were sitting in the $20 tray. How did he manage this? Very easily, it seems: he got hold of the ATM manual, which listed instructions and the default password for putting the machine into administrator mode. This same brand of ATM was also targeted by Thor Alexander Morris, whose plan was foiled when he enlisted the help of a genuinely reformed ex-con who went to the FBI. The article claims that this ATM, as well as another manufactured by Triton, was well known to criminals. The default codes and instructions for these ATMs were apparently easy to find online.
One positive thing resulting from these stories is that both Tranax and Triton learned their lessons and now oblige the user to change his secret code on first boot up.
Something to learn from these stories is never to assume that something is secure, even if one expects it to be. Always change any default password, since having a default password is equivalent to having no password at all. If you are a developer or you build security-sensitive equipment, do not assume your clients will do their due diligence.
Tranax and Triton may be excused for not forcing their customers to change the default password when they released their product, since it’s a basic security step and was likely extensively documented; however, there are users and administrators whose sole goal is to get a system up and running and who, if they’re not very security proficient, may be afraid to configure it properly out of fear that they might break it. Ultimately, it’s important never to ignore or forget physical security, as in most cases that would be your first line of defence.
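The first-boot rule that Tranax and Triton adopted can be sketched as follows. This is an added example, not code from either vendor or from the original article; the `AdminPanel` class, its method names, the `FACTORY_CODE` placeholder and the weak-code rule are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

FACTORY_CODE = "000000"  # constructed placeholder, not any vendor's real default


class AdminPanel:
    """Operator-mode gate that refuses to act while the factory code is active."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = self._derive(FACTORY_CODE)
        self.must_change = True  # set at manufacture, cleared only by change_code()
        self.cassette_denominations = {1: 20, 2: 100}  # tray slot -> note value

    def _derive(self, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def _verify(self, code):
        return hmac.compare_digest(self._derive(code), self._hash)

    def change_code(self, old, new):
        if not self._verify(old):
            raise PermissionError("wrong operator code")
        # Assumed policy: reject the factory code itself and trivially weak codes.
        if new == FACTORY_CODE or len(new) < 8 or len(set(new)) < 4:
            raise ValueError("new code is the factory code or too weak")
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.must_change = False

    def set_denomination(self, code, slot, value):
        if not self._verify(code):
            raise PermissionError("wrong operator code")
        if self.must_change:
            raise PermissionError("factory code still active: change it first")
        self.cassette_denominations[slot] = value


def attempt(fn, *args):
    """Run an operation and report 'ok' or the name of the exception raised."""
    try:
        fn(*args)
        return "ok"
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
```

With this gate, knowing the code printed in a manual is not enough to remap a tray: the factory code can only be used to replace itself, and it stops working once it has been replaced.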










Doesn’t surprise me. There are still so many people unaware of basic security protocols. Just think of how many people have their routers still set to the default user name and password!
“…some ATMs could be attacked via their communications ports which are sometimes available from the outside…” – Now ain’t that stupid. These ATMs should be pulled out. IMMEDIATELY.
“…as the article goes on to say that some ATM designers didn’t have a basic sense of physical security and placed the administrative port on the outside where it would be accessible by anyone…” – perhaps because the designer’s philosophy is convenience (for whoever is in charge of maintaining the machine) over security.
And we thought life is much easier now. Such is the paradox of our time.
Hi Sue, yes indeed you are right, one shouldn’t be surprised. It is obvious that an ATM requires additional precautions and that security should be paramount yet sometimes business owners are only interested in getting their services running not in how secure they will be.
Yes Iam, I am sure the reason for that design decision was convenience. Another possibility may be that the ATM can be set up in an environment where access is only possible from the front; yet it is still inconceivable to me how a manufacturer could have ever justified this as an acceptable risk.
This is why I never use the ATMs anymore. It’s good that most ATM cards can now be used as debit cards through Visa or Mastercard. When I buy stuff, I just use my ATM as a debit card and not have to use the ATM to withdraw cash. Until I am satisfied that ATM machines are safe to use again, I’m staying away from those machines. Besides, they’re a favorite hangout for robbers.
Hi Janice,
You make a valid point that ATMs can be a popular hangout for robbers; however, paying with the ATM card is not without its risk either. The primary danger is skimming, which I discussed in an old article: http://www.gfi.com/blog/21st-century-heists-part-2/
Thankfully a lot of banks are now switching to chip and pin cards, which should be an effective defense against these sorts of attacks.
It’s shocking how much information is available on the internet. And to think, a lot of the sources for this article are probably from the internet itself. I wasn’t expecting this article to go into that much detail on the ATM scams, but the amount of information is staggering. For administrative access to ATMs to be so readily available to the public (especially to those willing to abuse it) is definitely an unforgivable oversight by both the banks and the ATM manufacturers.
Hi Jennifer,
This is really just the tip of the iceberg. We all know that once information is leaked onto the internet it can never be taken back. Since the ATM manual containing the administrator credentials has been leaked on the internet, one can bet it is still available. If one were to look hard enough, I am sure it can still be found. Obviously that would not pose a threat to all the updated ATMs, but I am sure that not all were updated. This effectively means that the credentials contained in the old manuals most likely still pose a security threat for some even today.
But how does this affect the average banker? Correct me if I’m wrong, but isn’t money stolen from an ATM attributed to the bank? I’m sure accounts, even small personal savings ones, are insured by the bank. What this really affects are the banks themselves more than their ATM clients.
From the company’s perspective however, it’s quite frightening how much of this compromising information is readily available on the internet.
@Luke
It is not always that straightforward. The ATM might be used by a convenience store and he might be the one managing it and incurring the loss, but there is a danger to the client as well. Imagine an ATM you use: someone manages to get administrative access to it through one of the flaws mentioned in this article and switches the tray location of the $1 bills with the $50 bills. The perpetrator then uses a card and withdraws $4 and he actually runs away with $200. You go to this ATM, which you don’t know has been compromised, you put in your card and withdraw $200; the machine gives you 4 $50 bills, only now it thinks that $50 bills actually reside in the $1 tray, so it gives you $4 and deducts $200 off your account/prepaid card or other such medium.
Now you might be lucky and the ATM owner decides that losing $400 is better than losing you as a customer and takes all the financial hit himself, or he can play ignorant and say that according to the records, $200 were withdrawn and that’s what the ATM gave, and refuse to pay you back, especially if it was not just you but a lot of other people who got hit by this. In any case, getting your money back might end up costing more than the money you lost when factoring in time wasted and everything else.
Security issues can have a wide range of repercussions and while at first glance it may seem that they don’t affect us, indirectly or through an unintended consequence, they may actually do.
Good point about the hit against ATM clients. Despite the fact that bank related theft is usually shouldered and insured by the bank, tracing the extent of the damage is easier said than done. Customers can indeed be hustled by fooling them into withdrawing an amount lower than what they originally intended, but still having them deduct the original amount from their account. A very frightening prospect for ATM users indeed.