BSides Weighing in at 800kg secondhand, freestanding ATMs - a “safe with a computer on top” - are a logistical nightmare to own and research, security boffin Leigh-Anne Galloway warned delegates at the BSides Manchester infosec conference yesterday.

Security boffin Leigh-Anne Galloway, cat and pieces of ATM...

Galloway, Positive Technologies' security resilience lead, explored various ways to purchase an ATM including through a seemingly cancelled eBay auction and a quickly discarded plan to drive a leased machine from Moscow before discovering that it is easier to get one through the regular market in the UK. Suppliers are used to selling in bulk to banks but they will sell to firms providing they set up a line of credit.

Galloway’s logistical problems kicked in after the purchase of an NCR "Personas 77" ATM for £2,600 (before tax). Most courier firms wouldn’t move and Positive Technologies' third floor UK office had a lift rated only to 600kg. “Part of the security of these devices is their immovability,” Galloway explained. “They are designed to be brought somewhere and to stay in situ”.

Four out of five cash machines still run Win XP or Win XP Embedded.

The security researcher’s house is a converted warehouse. The ATM was initially brought - where moving it caused damage to her floor - before it was left outside, protected from the elements by pond liners. It later found a home in a car park outside Positive Technologies' offices.

Galloway reports that in both locations, neighbours asked when the device would be operational.

The ATM was initially was left outside, protected from the elements by pond liners, later finding a home in a car park...

To make the ATM more practical to transport, Galloway and colleagues cut off its base with an angle grinder. The safe element is typically concrete and steel and cutting through that with industrial-grade kit allowed the team to halve its weight.

ATMs can be compromised and used to jackpot cash, skim cards and even infect banking networks. Having gained access to the front of the machine, a criminal can access USB ports within the device to perform various attacks. These include forcing the machine to dispense cash and installing malware to skim card details.

ATM logic attacks involving malware started in earnest in 2009, with the "Skimer" trojan. Ever more sophisticated malware has been developed in the years since.

Crooks typically look for people with legitimate access to the ATM such as a bank employee or contractor responsible for ATM maintenance that can be bribed to compromise machines and install the malware. Once the necessary ATMs have been infected, the criminals proceed to the cash withdrawal phase. Mules have to physically come to the ATM and take the cash.

There are also attacks that will focus on bypassing the ATM’s computer altogether, so encryption should be enforced between the computer and the dispenser. Galloway added, “While ATMs made in the last six years will likely have this any manufactured pre-2011, of which there are many in use today, should be fitted with an 'after-market' device that monitors the current between the dispenser and PC for anomalies. These devices typically retail at £150."

Banks should install and properly configure application control software to monitor software integrity, allowing only whitelisted programs that have been checked for unauthorised modifications.

Although Galloway said she'd learned a lot from the project, which helped her firm secure consultancy work with Wincor, she said she “would not recommend” it to others because of the logistical problems and general hassle involved. At the end of the exercise, Galloway was saddled with the device. “An ATM is for life, not just for infosec,” she concluded.

A trailer for Galloway’s talk, Money Makes Money, How To Buy An ATM, can be found below. ®

Youtube Video