ATM Security: Where are the Gaps?

Staged Hack Raises Questions About Vulnerabilities, Practices
ATM Security: Where are the Gaps?
If an ATM can be hacked effortlessly during a conference presentation, then how vulnerable to fraud are these devices when deployed by banking institutions and merchants?

This was the question top-of-mind for industry thought leaders in response to reports of ATM hacking at the Black Hat Technical Security Conference in Las Vegas last week.

During what's been described as a dramatic display at Black Hat, Barnaby Jack, a former employee of Juniper Networks, demonstrated how effortlessly a hacker could infect an ATM, sometimes without physical contact. Two common ATM models - the Triton RL2000 and the Tranax 1700 - were injected with malware, giving the hacker control to spit out all the money he wanted. On the Tranax machine, Jack bypassed the remote authentication system. On the Triton machine, he infected the ATM with malware saved to a thumb drive. In both cases, Jack used a homemade rootkit that attacked the CE Windows operating system, giving him undetected system-administrative privileges.

For Rich Madley, the electronic-funds-transfer manager for Los Angeles-based USC Credit Union ($350 million in assets), reading a news story about compromised ATMs was alarming. "I have two Tritons out there," Madley says. "How vulnerable am I for this to happen to me?"


Bob Douglas, vice president of engineering for Mississippi-based Triton Systems, which manufactures the RL2000, says Triton was made aware of the vulnerability last fall; in November, Triton released two patches - the XScale Security 2.2 Update and the X2 Security 2.1 Update.

"[Jack] defeated our authentication methodology," Douglas says. "But the patch we released will take care of it."

California-based Tranax Technologies, which in June filed for bankruptcy, could not be reached for comment. Nicole Sturgill, an analyst for Boston-based TowerGroup who covers the ATM industry, says she is not aware of any updates for the Tranax hack. "They seem to be oddly silent about it," she says. "[But] since financial institutions and credit unions are more likely to use Triton than Tranax, I think the patch should be the answer."

The real problem, however, may be the risk posed for retailers, Sturgill says. "What are the chances that they know they are at risk, unless they've seen this story?"

Jack, who actually hacked the ATMs last year, used the demonstration as a way to get the word out about vulnerabilities to Windows-based machines. Similar hacking techniques are used to break into point-of-sale terminals and systems via the Internet. Vulnerabilities to the Windows OS have been discussed within the ATM industry for the past 10 years, when manufacturers began migrating their platforms from IBM's OS/2 to Microsoft's Windows. IBM stopped supporting OS/2 in 2006, which necessitated the move.

Mike Lee, chief executive of the international ATM Industry Association, says demonstrations that highlight security risks help the industry stay ahead. "We are always looking to raise awareness to continuously improve the security of the ATM," Lee says. "To ensure the most effective protection against a variety of threats - including internal, external, physical and logical threats - the industry advises financial institutions to implement and maintain a comprehensive, multilayered security approach."

New Holes to Fill

Beyond vulnerabilities to Windows, however, two other disturbing security holes were brought to light:

  • Hole No. 1 - The Tranax ATM was hacked remotely, after Jack was able to bypass the machine's remote-monitoring system (RMS). Once in, he took control and was able to collect card numbers.
  • Hole No. 2 - Triton's RMS package, Triton Connect, was not bypassed. But the machine's physical security was. With a universal key, Jack was able to open the ATM's enclosure and easily access the PC inside. "Ninety percent of the machines out there have generic top-hat keys or locks," Madley says.

Triton's Douglas says all manufacturers offer unique keys for the physical locks that secure the top of the ATM's enclosure, which is where the PC is located. But few institutions or retailers order unique keys. "Almost always, universal keys are used," he says.

Security gaps posed by the use of universal keys have cropped up in other sectors, namely at pay-at-the-pump gas terminals, where criminals have been able to easily open enclosures and hide skimming devices.

It's more about convenience, Douglas adds, since an institution or retailer has several ATMs. Mixed estates of ATMs, coupled with the number of technicians, service providers and employees who have to access the machines, are the problem. "To have a specific key for each ATM is a pain for them," Douglas says. "But unique keys would offer a clearer security measure that they could take."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.