By Catalin Cimpanu
An extensive testing session carried out past times banking concern safety experts at Positive Technologies has revealed that most ATMs tin hold out hacked inwards nether xx minutes, together with fifty-fifty less, inwards surely types of attacks.
Experts tested ATMs from NCR, Diebold Nixdorf, together with GRGBanking, together with detailed their findings inwards a 22-page report published this week.
The attacks they tried are the typical types of exploits together with tricks used past times cyber-criminals seeking to obtain coin from the ATM condom or to re-create the details of users' banking concern cards (also known every bit skimming).
Image: Positive Technologies Experts said that 85 per centum of the ATMs they tested allowed an aggressor access to the network. The question squad did this past times either unplugging together with tapping into Ethernet cables, or past times spoofing wireless connections or devices to which the ATM usually connected to.
Researchers said that 27 per centum of the tested ATMs were vulnerable to having their processing middle communications spoofed, piece 58 per centum of tested ATMs had vulnerabilities inwards their network components or services that could hold out exploited to command the ATM remotely.
Furthermore, 23 per centum of the tested ATMs could hold out attacked together with exploited past times targeting other network devices connected to the ATM, such as, for example, GSM modems or routers.
"Consequences include disabling safety mechanisms together with controlling output of banknotes from the dispenser," researchers said inwards their report.
PT experts said that the typical "network attack" took nether fifteen minutes to execute, based on their tests.
Image: Positive Technologies
Image: Positive Technologies But inwards instance ATM hackers were looking for a faster agency in, researchers also constitute that Black Box attacks were the fastest, usually taking nether 10 minutes to line off.
A Black Box ready on is when a hacker either opens the ATM instance or drills a hole inwards it to achieve the cable connecting the ATM's figurer to the ATM's cash box (or safe). Attackers hence connect a custom-made tool, called a Black Box, that tricks the ATM into dispensing cash on demand.
PT says that 69 per centum of the ATMs they tested were vulnerable to such attacks together with that on xix per centum of ATMs, at that topographic point were no protections against Black Box attacks at all.Image: Positive Technologies
Image: Positive Technologies Another agency through which researchers attacked the tested ATMs was past times trying to perish kiosk fashion --the OS fashion inwards which the ATM interface runs in.
Researchers constitute that past times plugging a device into i of the ATM's USB or PS/2 interfaces, they could pluck the ATM from kiosk fashion together with run commands on the underlying OS to cash out coin from the ATM safe.
The PT squad says this ready on usually takes nether fifteen minutes, together with that 76 per centum of the tested ATMs were vulnerable.Image: Positive Technologies
Image: Positive Technologies Another attack, together with the i that took the longest to line off but yielded the highest results, was i during which researchers bypassed the ATM's internal difficult drive together with booted from an external one.
PT experts said that 92 per centum of the ATMs they tested were vulnerable. This happened because the ATMs either didn't receive got a BIOS password, used i that was slowly to guess, or didn't operate disk information encryption.
Researchers said that during their tests, which usually didn't receive got to a greater extent than than xx minutes, they changed the kick fellowship inwards the BIOS, booted the ATM from their ain difficult drive, together with made changes to the ATM's normal OS on the legitimate difficult drive, changes which could permit cash outs or ATM skimming operations.Image: Positive Technologies
Image: Positive Technologies In to a greater extent than or less other test, PT researchers also constitute that attackers alongside physical access to the ATM could restart the device together with forcefulness it to kick into a safe/debug mode.
This, inwards turn, would permit the attackers access to diverse debug utilities or COM ports through which they could infect the ATM alongside malware.
The ready on took nether fifteen minutes to execute, together with researchers constitute that 42 per centum of the ATMs they tested were vulnerable.Image: Positive Technologies
Image: Positive Technologies Last but non least, the most depressing results came inwards regards to tests of how ATMs transmitted carte du jour information internally, or to the bank.
PT researchers said they were able to intercept carte du jour information sent betwixt the tested ATMs together with a banking concern processing middle inwards 58 per centum of the cases, but they were 100 per centum successful inwards intercepting carte du jour information piece it was processed internally within the ATM, such every bit when it was transmitted from the carte du jour reader to the ATM's OS.
This ready on also took nether fifteen minutes to line off. Taking into line of piece of occupation concern human relationship that most real-world ATM attacks travel on during the nighttime together with target ATMs inwards isolated locations, xx minutes is to a greater extent than than plenty for most criminal operations.
"More oftentimes than not, safety mechanisms are a mere nuisance for attackers: our testers constitute ways to bypass protection inwards close every case," the PT squad said. "Since banks tend to operate the same configuration on large numbers of ATMs, a successful ready on on a unmarried ATM tin hold out easily replicated at greater scale."
The next ATMs were tested.Image: Positive Technologies
Image: Positive TechnologiesBuat lebih berguna, kongsi:
