How to Hack an ATM. Illustration: Mattias Adolfsson. Turning automated teller machines into your personal piggy bank is easy—alarmingly easy.

• • • • • • • • • • • • Get Permission • ATM manufacturer NCR has released a security warning regarding a new series of so-called being conducted against ATMs in India. The company released the alert on March 19 and says that its investigation into the attacks remains ongoing. See Also: The alert states that criminals are gaining access to the 'top box' of ATMs to connect a device to a USB port. Thus far, the device remains unidentified, NCR says. By using this USB 'black box,' the attacker can connect a keyboard, issue commands to the ATM, and tell it to dispense cash at will.

Attacking ATMs is big business. Indeed, a report issued in February by anti-virus vendor Kaspersky Lab estimates that one notorious cybercrime gang - called the Anunak or Carbanak gang, in reference to the malware it uses - has caused up to $1 billion in fraud, based in part on using ATM jackpotting malware against machines in Russia, the United States, India and beyond. In the series of attacks against Indian ATMs, NCR says that it is continuing to gather additional digital forensic data from hacked machines. But an NCR spokesman tells Information Security Media Group that based on its initial findings, the attackers could be using a variant of a type of that's been seen in previous examples of these types of 'cashout' or jackpotting attacks.

'There has been a wide variety of malware used in attacks on all manufacturers' ATMs,' he says, adding, however, that over the past six months, the financial services industry worldwide has seen a rapid increase in these types of 'logical' attacks. The NCR spokesman notes that this series of attacks has been focused on a wide variety of locations throughout India, and in particular on standalone ATMs in unattended locations, which underscores the importance of maintaining strong physical security in such locations. The NCR alert details the vendor's guidance and recommendations for protecting against these types of black-box attacks. NCR says that as a priority, ATM operators must ensure the following: • Block all attempts to boot the ATM hardware, using removable media - such as USB black boxes. • Password-protect all access to the BIOS and have robust password management in place. • Deploy an effective anti-virus mechanism. What CISOs Recommend But Agnelo D'Souza, the CISO of Kotak Mahindra Bank, questions how many of these NCR-recommended controls are feasible and cautions that they might not be sufficient to foil a dedicated attacker.

As an additional defense, he says, 'banks should consider implementing active whitelisting software on the ATMs that can be monitored centrally' to prevent any malicious code from being allowed to run. Another CISO at a leading Indian multinational bank, speaking on condition of anonymity, says that many similar alerts about ATM schemes have been arriving through various channels, including government agencies, such as India's computer emergency response team, - and not just for NCR-built machines. But banks are not the only organizations in India responsible for keeping ATMs secure. In general, half of the ATMs on a bank's network are owned by the banks themselves, while half get managed by service providers, according to the CISO who requested anonymity. 'NCR is just one of the ATM types that we use on our network, and various mitigations are already available on ATM network to deal with such exploits,' he says. In the case of his bank, the CISO says that the organization proactively monitors all of its ATMs, and that any unauthorized attempt to install rogue software on a device will trigger an alert in the bank's central control room, following which the ATM is deactivated from the bank's network, which he says renders it unable to dispense cash.

NEW Pthc - 0607!!!