Many ATMs from some of the world's biggest manufacturers are vulnerable to a host of attacks and can be hacked in minutes, according to a report from Positive Technologies.
The security specialist tested machines from NCR, Diebold Nixdorf and GRGBanking, finding that 69% are vulnerable to Black Box attacks, where crooks connect devices to cash dispensers and force the ATMs to spit out money.
These kinds of attacks are on the rise, with the US Secret Service warning banks and ATM manufacturers in January that jackpotting has finally hit American shores.
Performing the entire attack — connecting the device to the ATM, bypassing security, and collecting the cash — would take just 10 minutes on some ATM models, says Positive Technologies.
The researchers also found that 85% of ATMs are poorly secured against network attacks such as spoofing the processing center. As a result, a criminal could interfere with the transaction confirmation process and fake a response from the processing center in order to approve every withdrawal request or increase the number of banknotes to dispense.
A failure to implement hard drive encryption makes 92% of ATMs vulnerable to a number of attacks. An attacker could connect directly to an ATM hard drive and, if the contents are not encrypted, infect it with malware and disable security mechanisms to control the cash dispenser.
Exiting kiosk mode was possible on 76% of tested ATMs. This matters because, once the restrictions placed on ordinary users are bypassed, an attacker can run commands in the ATM operating system. Positive Technologies experts estimate the time necessary for this attack at 15 minutes.
Leigh-Anne Galloway, cyber security resilience lead, Positive Technologies, says: "To reduce the risk of attack and expedite threat response, the first step is to physically secure ATMs, as well as implement logging and monitoring of security events on the ATM and related infrastructure. Regular security analysis of ATMs is important for timely detection and remediation of vulnerabilities."