Hackers want to crack bank ATM networks - and your nearest cash machine is probably running Windows XP

Hackers are looking to crack ATM networks without needing physical access to the devices. And many cash machines are running antiquated versions of Windows like Windows XP.
Written by Danny Palmer, Senior Writer

Hackers can remotely infect an ATM and issue commands to it by hacking a bank's network.


Cyberattacks against ATMs aren't new, but until now they've mostly required the attackers to have physical access to the target machine in order to compromise it.

However, a joint report by Europol and Trend Micro warns how hackers are increasingly targeting banks' corporate networks in an effort to move across to ATMs and infect them with malware.

The fact the machines are basically moneyboxes attached to a Windows PC makes them an appealing target for attackers, but the icing on the cake for criminals is how large swathes of ATMs are running on obsolete or unsupported operating systems.

"A majority of ATMs installed worldwide still run either Windows XP or Windows XP Embedded. Some of the older ATMs run Windows NT, Windows CE, or Windows 2000. Microsoft," said the report.

According to the Cashing in on ATM Malware report, that means there are hundreds of thousands of cash machines which no longer receive support.

The WannaCry ransomware outbreak demonstrated how exposed unsupported and unpatched systems can be to cyberattacks, meaning that with the correct technical expertise, a criminal operation could exploit the vulnerabilities in an ATM to make off with a fortune via a network-based attack -- or even shut down machines.

"Should a worm like WannaCry or NotPetya ever manage to breach these networks, then the effect could be devastating, knocking out the whole network," Simon Edwards, cybersecurity solution architect at Trend Micro, told ZDNet.

It isn't theoretical; hackers have already demonstrated how they can remotely attack ATMs without physical access to the device on a number of occasions -- like many other forms of cyberattack, the infiltration begins with phishing emails sent to bank employees. If one of these is successful, the hackers can access the rest of the network.

One example is ATMitch, which saw hackers remotely infect banks -- one in Kazakhstan and one in Russia -- with malware. The infection allowed the attackers to issue remote commands to the machine, allowing it to distribute money to people working alongside the hackers.

Another incident saw hackers able to access 41 ATMs in Taiwan, stealing a total of $2.5 million from 22 branches of First Commercial Bank without using cash cards or even touching the PIN pads. Some of the perpetrators were eventually tracked down and sentenced for their involvement, but not all of the funds were recovered.

Trend Micro and Europol have described the rapid developments in network-based ATM malware attacks as "unnerving" because "the criminals have realized that not only can ATMs be physically attacked, but it is also very possible for these machines to be accessed through the network".

While this type of attack has mostly only been seen in regions such as South America and Asia, the report warns that it won't be long before North America and Europe see it too, as "we believe this to be a new tendency that is probably going to consolidate in 2017 and beyond".

As a result, the report warns, law enforcement agencies must be aware that cybercriminal groups are looking to target ATMs in this way -- and financial organisations must take more steps to secure their ATM installations by installing more security layers, such as keeping the machines on a separate part of the network.

