Kaspersky Lab: ATMs insecure due to Windows XP and accessible USB ports

The Russian antivirus vendor Kaspersky Lab reports that ATMs are poorly secured. An important reason is that the majority run Windows XP, but another is that banks sometimes install software such as Acrobat Reader 6.0, Radmin and TeamViewer on the machines.



“The engineers servicing ATMs often think that if the ATM is working, it is better ‘not to touch’ (read: ‘not to update’) it. As a consequence, some cash machines still have the unpatched critical vulnerability MS08-067 which allows remote code execution,” Kaspersky Lab’s Olga Kochetova writes on the company’s blog.

Besides insecure software, Kochetova also warns about insecure hardware. According to her, it’s relatively easy to open an ATM and use a USB port to infect the system. In some cases the system can even be accessed without opening the ATM, because it’s possible to connect to it through communication cables or routers that are connected. After a malware infection, a cash box can be emptied with a specific key combination.

Another issue is the XFS standard, which is used by malware to communicate with the ATM. The XFS standard (extensions for financial services) works the same on all ATMs and provides APIs that allow cybercriminals to dispense money without authorisation or to open cash boxes.


ATM manufacturers are very lax about security. For example, when the company pointed out the USB issues, one manufacturer told Kaspersky, “This vulnerability is inherent in the USB technology and is expected to be mitigated by the use of appropriate physical controls on access to the ATM top box.”

Another ATM manufacturer told Kaspersky, “We regret informing you that we had decided to stop producing this model more than 3 years ago and warranties for our distributors have expired.”

Obviously ATMs should be properly secured; Kochetova therefore advises ATM manufacturers to focus more on security. Her advice is to use two-factor authentication, to revise the XFS standard and to use legitimate software.


She also advises encrypting all data transferred between the hardware components of the ATM and the computer. And last but not least, banks are advised to encourage ATM manufacturers to develop secure products and to fix vulnerabilities quickly.
