In these times of COVID-19 concerns and germs, not putting your card into a machine could be a good idea. But it might also be a great way for criminals to steal your money.
It's still surprisingly easy for criminals to hack into ATM machines and steal your cash, researchers say. The study, from information-security consulting firm Positive Technologies, looked at a range of ATM models by NCR and Diebold Nixdorf. It found that most of them gave up customer card data without opening their cabinets, and that all but two of the machines were vulnerable to attacks that didn't require breaking open their safes.
The researchers' proof-of-concept attack tapped into a set of standard software APIs (application programming interfaces) that most ATM host computers and components use to communicate with each other. By tinkering with these APIs, the researchers were able to bypass the ATM's own host computer and communicate directly with individual devices -- like the text displays, card readers and cash dispensers. Then, in just two minutes, the researchers were able to unlock an ATM enclosure, install their device, connect it to the bank's network and tell it to dispense money.
To do this, the researchers bought a key from an insider that opens the ATM chassis, exposing an Ethernet port that lets attackers disconnect the ATM's network cable and plug in a laptop that spoofs a bank server and directs it to spit out cash. The thieves then replace the ATM's operating system with a custom one that allows them to control it remotely.