180

I'm curious why an ATM computer is considered secure. The general adage of "If an attacker has physical access to my machine, all bets are off," seems to not apply in this circumstance (since everyone has physical access to the machine). Why is this?

I thought of the fact that many have security cameras placed over them, but this doesn't seem sufficient to keep ATMs secure, as there is no one constantly watching the camera feed and looking for suspicious behavior. The most this could be used for is identifying an attacker after an attack has been attempted. It seems like this is fairly easily solved through plain clothes, a mask, gloves, etc.

So if this alone isn't or shouldn't be enough of a deterrent, why do we not see ATMs getting hacked for all their cash at 4:00am? What makes the device so secure? Is it just a simple risk-reward analysis, where the cash in the ATM isn't worth the effort of the hack? Or is there more to it which makes the computer secure?

Also, I noted that there have been a couple questions about ATM security (like this one and this one), but mine is about the physical security of the machine, since it violates a common security principle, not anything network related.

asteri
  • 1
    I wonder if ATM could react in some special way if some special cards are used - have it interface for non-customer in the card reader? Does stuff inactivate it in this way? – Qbik Mar 20 '13 at 15:22
  • 16
    I try to wiggle the card slot at every ATM I use, to reduce the chance someone attached a skimmer. – Izkata Mar 20 '13 at 15:52
  • 38
    If you have physical access you can simply open the money storage and walk away. No need for hacking or other clever tricks. – gerrit Mar 20 '13 at 16:22
  • 2
    @gerrit True. Though theoretically, the value of hacking the system could be greater than just getting the money in the drawer, right? Performing money transfers, etc. – asteri Mar 20 '13 at 16:24
  • 5
    @gerrit breaking open the money box is easier said than done. A lot of would be thieves manage to tear the ATM free from its anchor but then fail to get any money out afterwards. – Dan Is Fiddling By Firelight Mar 20 '13 at 17:57
  • 7
    It does not violate any principles. Physical access in case of a PC means that you can easily boot your own operating system and run your own programs with full rights, because the PC has the interface for it (CD drive, USB port, etc.) – vsz Mar 20 '13 at 19:17
  • @vsz Yeah, I'm starting to realize that from the answers below. :) – asteri Mar 20 '13 at 19:32
  • ATMs can also have alarms that call the police or destroy the cash if they are tampered with; while an attacker _could_ theoretically get to the computer, other security systems can eliminate his reward (or send him straight to jail - physically tampering with an ATM means he's easy to locate) – cpast Mar 20 '13 at 20:04
  • 2
    I think the simple answer is that they're not always secure: http://www.forbes.com/sites/firewall/2010/07/28/researchers-hack-can-make-atms-spew-money/ – Dave Mar 21 '13 at 01:03
  • @Jeff. In my city, some offenders did place the equipment in the card slot that scanned for the card details and somehow they were able to get hold of huge cash in the city center. Then after all the bank cards were blocked and the banks have issued new secure cards. This was done in collaboration with the ATM security personnel. People do hack the machines even now and then. – Saravanan Mar 21 '13 at 05:20
  • 17
    This question comes from a wrong assumption: the ATM's computer is **NOT** physically accessible. You can't read its memory or send signals to processor pins. – Agent_L Mar 21 '13 at 12:00
  • I chose the accepted answer because I think it succinctly states the answer to the question -- that the fundamental assumption or definition of "physical access" is wrong. All the other answers were also incredibly helpful and added to the conversation, though! Thank you all! This really helped me think about computer security in new and different ways. – asteri Mar 21 '13 at 13:18
  • 1
    I'd like to share this picture I took in Thailand. Doesn't look very secure does it? http://i.imgur.com/9VGfPCk.jpg http://i.imgur.com/HENpzLM.jpg < The cables went into the ATM – Chris Dale Mar 26 '13 at 20:56
  • 1
    "The most this (security camera) could be used for is identifying an attacker after an attack has been attempted." Isn't that the main purpose of a security camera? – Memet Olsen Oct 01 '14 at 11:31
  • You also can't access the important thing physically. The place where the information is stored. – jkd Apr 15 '18 at 10:50

12 Answers

167

I think the assumption here is wrong. They don't have physical access to the machine. They have supervised access to a very limited control panel for a machine which is built into a bomb-proof safe, bolted to the ground and hooked up to an alarm system with an armed response force.

Get the machine out of the vault and away from supervision and then yes... all bets are off.

mgjk
  • 12
    That's not always true. It is certainly true that this describes many (if not most) ATM installations, but there are many types of ATM machines installed in many different locations and ways, and not all of these conditions apply to all of them. – Xander Mar 20 '13 at 14:21
  • 3
    Master codes do still work on the limited keypad, at least some of the time... Google around ;) – Izkata Mar 20 '13 at 15:56
  • 7
    The skinny little gas station ATM machines certainly don't look that hardened, but they probably only keep a few thousand in them at a time. Those ATM companies probably spend more on the statisticians to predict theft than they do on the Fort Knox model ATM... – Dave Swersky Mar 20 '13 at 16:34
  • It's true ENOUGH, though. You know you're on camera at a gas station ATM, or a normal ATM, and you know that if you're wearing a mask or sunglasses at 4AM, anybody else seeing you will be suspicious. It's most likely a matter of setting the bar high enough that most crooks don't bother. – Mark Allen Mar 20 '13 at 19:10
  • I remember wearing a ski mask all the time as a kid growing up in Chicago (really cold). Or I'd bundle my hat and scarf in such a way that only I could see out of the slit between them. As an adult, I'd never dare to do either...despite the fact that it's still cold and windy as hector in Chicago. – Michael Brown Mar 20 '13 at 19:39
  • @MarkAllen, any smart thief knows how to hide in plain sight. It might look strange to see someone walk up with a mask and glasses on, but no one would think twice if the person hopped off their motorcycle, left their helmet on to make a quick withdrawal. – zzzzBov Mar 20 '13 at 19:39
  • 5
    BTW, the skinny ATMs at convenience stores are heavy. You're not going to get them out of there by hand. And they still have the thick metal casing that would take days to grind through. In addition to the failsafes in place (inking the money upon tampering). – Michael Brown Mar 20 '13 at 19:41
  • 1
    ATMs in several bank branches in Berlin, Germany have an easily accessible serial port (I’m guessing, I’m useless at hardware) at the back. I have no idea to what extent this compromises their security but I can’t imagine how that wouldn’t count as “physical access”. – Konrad Rudolph Mar 20 '13 at 20:19
  • @MikeBrown You're right on that one. In my country, every now and then a bunch of smartasses pop up & try to haul away the whole ATM with a truck. The most they've done is move it a couple of meters out of place and ruin the building it's built into. I remember news articles stating they weigh a couple of tons. – TC1 Mar 20 '13 at 20:42
  • 4
    In my home town, some years ago, they blasted the ATM with dynamite and got a hold of the boxes with the money. Guess that isn't hacking... – sshow Mar 20 '13 at 21:11
  • @zzzzBov - I don't know what to say, I absolutely WOULD think twice if someone left their motorcycle helmet on at an ATM... and I'd call the police, too. Ah well. – Mark Allen Mar 20 '13 at 21:18
  • 66
    ATM machines. ATM machines. ATM machines. ATM MACHINES. ATM MACHINES. ATM MACHINES. **ATM MACHINES. ATM MACHINES.** – Garrett Albright Mar 21 '13 at 02:30
  • @MarkAllen: Even if they're still on their motorcycle, at a drive-up ATM? – Random832 Mar 21 '13 at 02:43
  • 30
    @GarrettAlbright Automatic ATM Machines >=) – Izkata Mar 21 '13 at 03:47
  • I'm marking this as the accepted answer because I think it succinctly states the answer to the question -- that the fundamental assumption or definition of "physical access" is wrong. All the other answers were also incredibly helpful and added to the conversation, though! Thank you! – asteri Mar 21 '13 at 13:18
  • @Random832 obviously not. – Mark Allen Mar 21 '13 at 22:16
  • ATMs are easy to hit if you know what you're doing and have the tools. cf. this string of robberies in Canada; http://www.cbc.ca/news/canada/toronto/story/2012/11/05/ontario-torch-gang.html where thieves are using torches to cut into and get the cash out in minutes. – mikebabcock Mar 22 '13 at 05:16
  • 3
    @GarrettAlbright - What does your comment mean? Are you saying that "ATM" should be followed by the word "Machine"? Did you know that ATM stands for "[Automated Teller Machine](http://en.wikipedia.org/wiki/Automated_teller_machine)", so "ATM Machine" would mean "Automated Teller Machine Machine"? I trust I've misunderstood your comment :) – Paddy Landau Mar 22 '13 at 13:31
  • 1
    Regarding your comment: "Get the machine out of the vault and away from supervision and then yes... all bets are off." --- ATMs [do get stolen](http://business.time.com/2010/10/07/more-thevies-are-making-total-atm-withdrawls/) and I remember a news story that some years ago someone actually set up a stolen ATM in Romania and used it to steal bank cards and collect their PIN codes. – Szabolcs Mar 22 '13 at 15:32
  • 4
    @PaddyLandau, yes you did, you misunderstood his comment. He was trying to act in a teeny 9GAGy way by repeating the phrase or word he thinks it's incorrect to draw attention to it. You thought he was a mature person making a mature comment, you were wrong. – Adi Mar 22 '13 at 16:29
  • 4
    @Adnan - thanks for clarifying. I think I'm getting old — I had to ask my son what 9GAGy meant! – Paddy Landau Mar 22 '13 at 19:21
  • 2
    Yes, Adnan, thanks for clarifying for me, I think. I did the same in response to an answer which used "PIN number," but it (the answer, and I suppose all the comments) seems to have been deleted. But do watch out for telephone wires, with your nose so high in the air like that. – Garrett Albright Mar 24 '13 at 02:06
  • 4
    It's called RAS Syndrome. :P – Dave_Peachy Mar 24 '13 at 10:03
  • In regard to the little gas station ATMs all bets are off. https://www.youtube.com/watch?v=P9sckOFFXNI – AbsoluteƵERØ May 17 '13 at 22:51
  • https://en.wikipedia.org/wiki/RAS_syndrome – Ivan Kolmychek Apr 01 '16 at 13:59
137

ATMs are supposed to be tamper-resistant, and to actively react upon any detected breach of physical security, notably by marking bills with some highly conspicuous and hard-to-remove ink, and also by committing honourable seppuku. For that matter, an ATM should be compared with HSMs, payment terminals and smart cards. You can imagine the ATM as a kind of Davy Crockett entrenched in Alamo fort and shouting "you'll never take me alive!". By comparison, a basic PC lacks all forms of tamper-resistance and would be more adequately compared with an open buffet at a charity event guarded by non-violent Buddhist monks who will discourage discourteous behaviour by making stern faces and striking perpetrators with severe glares only.

In practice, most attacks on ATMs are attacks on the ATM environment, e.g. skimming: the ATM itself is untouched, but the debit card is spied upon during its physical transit from the owner's wallet to the ATM entrails.

Tom Leek
  • 6
    Would be ahem... interesting to have another kind of [Davy Crockett](https://en.wikipedia.org/wiki/Davy_Crockett_(nuclear_device)) installed as a tamper-resistance measure. – Deer Hunter Mar 20 '13 at 16:17
  • 45
    Where can I find violent Buddhist monks for my charity buffet? – LarsTech Mar 20 '13 at 17:07
  • 6
    That’s a very interesting, but at the same time very *vague* answer. How are these mechanisms realised? – Konrad Rudolph Mar 20 '13 at 20:15
  • 11
    Vendors are not exactly keen on publishing details, but you can expect a set of detectors for light, pressure, temperature, and a mesh of wire running on the inside of the tamper-proof casing. If light is detected, or a wrong pressure, or a wrong temperature, or one of the wires is cut, then the system "commits suicide". E.g. critical secrets (such as cryptographic keys) are kept in a special RAM, powered by a battery; on intrusion, the RAM contents are erased, then power for that RAM is switched off. – Tom Leek Mar 20 '13 at 20:23
  • 6
    Informative and entertaining. (+1) –  Mar 20 '13 at 21:21
  • 3 ATMs were stolen in my home town because the thief decided to steal a front-end loader and "scoop" the ATM right out of the Scotia Bank Wall. Don't actually know what happened after the fact, but he did get away with the entire machine. – Chase Florell Mar 20 '13 at 23:57
  • As Konrad said, interesting, but it'd be great to have references for: actively react upon any detected breach, bill marking with ink and the seppuku. – Dhaust Mar 21 '13 at 04:36
  • 1
    That is funny sh*t. – dgo Mar 21 '13 at 05:00
  • 1
    In my country, most ATMs use Windows XP as OS. Isn't this a potential security flaw? – Mister Smith Mar 21 '13 at 09:49
  • 2
    @Tom Leek. Things may have moved on in the last 5 years since I worked in that industry, but there was nothing like critical RAM protection back then. H/W protection measures sure, but very little on the software side of things. – Kevin Shea Mar 21 '13 at 13:16
  • @MisterSmith The OS could be incredibly vulnerable, but without access to some sort of interface (CD drive, USB port, keyboard and/or mouse, etc) or perhaps the network it is working on, it doesn't matter one bit. As a side note, from [Wikipedia](http://en.wikipedia.org/wiki/Automated_teller_machine#Software): "Today the vast majority of ATMs worldwide use a Microsoft Windows OS, primarily Windows XP Professional or Windows XP Embedded." – Ken Bellows Mar 22 '13 at 15:36
  • @LarsTech In Henan Province, China: http://en.wikipedia.org/wiki/Shaolin_Monastery – Kyle Strand Apr 23 '14 at 22:29
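
The tamper response Tom Leek describes in the comments above (detectors for light, pressure and temperature plus a wire mesh; on intrusion the key RAM is erased, then its power is cut), sketched as an added example that is not part of the original thread or of any vendor's firmware. The thresholds, type names and sensor trace are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN    16
#define MESH_LINES 4
/* Constructed limits for illustration; real values are vendor-specific. */
#define LIGHT_MAX_LUX      5
#define TEMP_MIN_C       (-20)
#define TEMP_MAX_C         70
#define PRESSURE_MIN_HPA  950
#define PRESSURE_MAX_HPA 1050

typedef enum { TAMPER_NONE, TAMPER_MESH, TAMPER_LIGHT, TAMPER_TEMP, TAMPER_PRESSURE } tamper_cause;

typedef struct {
    uint16_t light_lux;            /* a sealed case stays dark */
    int16_t  temp_c;
    uint16_t pressure_hpa;
    bool     mesh_ok[MESH_LINES];  /* continuity of each mesh wire */
} sensor_frame;

typedef struct {
    volatile uint8_t key[KEY_LEN]; /* stands in for battery-backed key RAM */
    bool         ram_powered;
    tamper_cause latched;          /* first cause seen; never cleared */
} secure_module;

void module_init(secure_module *m, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) m->key[i] = key[i];
    m->ram_powered = true;
    m->latched = TAMPER_NONE;
}

/* Map one sensor reading to a tamper cause (TAMPER_NONE if all in range). */
tamper_cause classify(const sensor_frame *f) {
    for (size_t i = 0; i < MESH_LINES; i++)
        if (!f->mesh_ok[i]) return TAMPER_MESH;
    if (f->light_lux > LIGHT_MAX_LUX) return TAMPER_LIGHT;
    if (f->temp_c < TEMP_MIN_C || f->temp_c > TEMP_MAX_C) return TAMPER_TEMP;
    if (f->pressure_hpa < PRESSURE_MIN_HPA || f->pressure_hpa > PRESSURE_MAX_HPA)
        return TAMPER_PRESSURE;
    return TAMPER_NONE;
}

/* Poll once. On the first violation: erase the key, then cut RAM power. */
tamper_cause module_poll(secure_module *m, const sensor_frame *f) {
    if (m->latched != TAMPER_NONE) return m->latched;
    tamper_cause c = classify(f);
    if (c != TAMPER_NONE) {
        for (size_t i = 0; i < KEY_LEN; i++) m->key[i] = 0; /* volatile store */
        m->ram_powered = false;
        m->latched = c;
    }
    return c;
}

/* Key access fails closed once the module has tripped. */
bool module_read_key(const secure_module *m, uint8_t out[KEY_LEN]) {
    if (m->latched != TAMPER_NONE || !m->ram_powered) return false;
    for (size_t i = 0; i < KEY_LEN; i++) out[i] = m->key[i];
    return true;
}

/* Constructed trace: normal, cut mesh wire, normal. Returns tripping frame or -1. */
int run_constructed_trace(secure_module *m) {
    static const uint8_t key[KEY_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
    const sensor_frame trace[] = {
        {0, 22, 1013, {true, true,  true, true}},
        {0, 23, 1012, {true, false, true, true}},
        {0, 22, 1013, {true, true,  true, true}},  /* readings recover; key does not */
    };
    int tripped_at = -1;
    module_init(m, key);
    for (int i = 0; i < 3; i++)
        if (module_poll(m, &trace[i]) != TAMPER_NONE && tripped_at < 0)
            tripped_at = i;
    return tripped_at;
}

int main(void) {
    secure_module m;
    printf("tripped at frame %d\n", run_constructed_trace(&m));
    return 0;
}
```

The latch is the point: once any sensor trips, later in-range readings do not bring the key back, so reaching the computer after opening the case yields a module with nothing to extract.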
46

The adage is still accurate. Physical access to the machine is not the same as physical ability to interact with the machine. The vast majority of attacks against a physical box involve actually altering the hardware and there is a limited amount you can do to alter the hardware of an ATM as it is locked in a safe, away from the user.

It is, however, worth noting that one of the most successful attacks against ATMs is to cover the keypad and card reader with a card reader and keypad of the attacker's own design. They can then use this to scan the card and get the pin. This allows them to clone the card and access the ATM themselves.

The machine itself is still safe since physical access is restricted, but the interface is not physically protected and is thus easily open to security threats. This is why cameras often watch the ATM to look for the installation of such hardware.

AJ Henderson
38

Today's ATMs may be more secure than yesterday's ATMs, but the track record has been spotty.

  • fake ATMs have been set up by criminals and used to duplicate bank cards and collect PINs. This takes advantage of the fact that whereas ATMs authenticate users via cards and PINs, users simply trust that ATMs are real by their visual appearance and bank logos.

  • genuine ATMs have been outfitted with criminal equipment to collect PINs, in response to which ATMs had to incorporate new physical measures.

  • ATMs have been simply ripped out and hauled away by criminals.

  • ATMs are open 24 hours a day and in deserted areas, creating opportunities for criminals to coerce victims into extracting cash. Prior to the ATM, it was not possible to kidnap someone at knifepoint and take them to a bank at 3 in the morning in a seedy part of town.

  • As a general observation, new security measures introduced in banking usually tend to be designed to protect the banks from liability, rather than the safety of customers or their capital.

Kaz
  • 5
    Your observation is certainly true of chip-in-pin technology. The technology is incredibly flawed and doesn't properly authenticate but it protects credit card institutions from paying out if your card was "chip-in-pin verified" as they are able to say that you were liable for the pin and that it was entirely your fault that the card was used after it was lost. – Colton Mar 20 '13 at 21:05
  • +1 for the disclaimer at the end. Very true and worth keeping it in mind – PPC Mar 20 '13 at 23:19
  • None of your points concentrate on the security of the ATM device itself. The attack surface of the ATM is quite small. The attack surface of humans using the ATM is quite large. – Dan Esparza Mar 22 '13 at 13:37
30

Logged out to post this just to be safe:

I've worked with ATMs in the past. Our test machines are rather insecure indeed; the OS has to be running on verified hardware, but we can get admin rights to the OS easily enough and do whatever we like. We routinely lower the firewall and open the boxes to the network (they won't have internet) so we can run automated tests. They are mostly secured two ways:

  1. Hardware. As others have commented, ATMs in "the wild" have a number of physical security measures to prevent tampering with the box, including dynamite-proofing (by some companies in some locales where dynamite use is a common factor), ink-splattering (so if you do manage to get in, you can't use any of the cash), and anti-skimmer measures (with varying degrees of effectiveness).

  2. Lack of privileges. Running as intended, you never get the chance to log in as an admin user, cannot use USB devices unless they're verified ATM hardware, et cetera. Again, it's fairly simple to get the ATM to run as unintended -- they do so for installs, upgrades, and so forth -- but you can't do so from the pinpad/frontend of the ATM and the back is usually a) locked (see item 1) and/or b) inside the bank, making it very obvious what you're trying to do.

anonymous
18

To a large degree, how safe varies with the attack vector. For instance, they're typically not safe at all from having a skimmer installed, allowing a thief to collect card information from unsuspecting users. They're getting better by adding intricately molded fascias that make installing skimmers more difficult, but even that can be overcome by a good sculptor or a 3-D printer.

As for protecting against being broken into - They're often alarmed, so by the time a would-be thief gets into the box, the police are already there. The best bet is to physically haul the machine away and break into it in a safe location, and the machines are often bolted or chained on location to help prevent that.

Xander
  • One would think that GPSes are cheap enough now where it would be cost effective to implement on the ATM, with maybe a 3G or AM/FM beacon or similar. – MDMoore313 Mar 20 '13 at 14:05
  • @MDMoore313 I've read that they are indeed putting GPSs into ATMs now, but I don't know the details of how they're being used, so you may well be correct. – Xander Mar 20 '13 at 14:06
  • 1
    Get the ATM into the back of an all-metal van and no GPS (or GSM) signal will get through. – Cosmin Prund Mar 20 '13 at 16:47
  • @CosminPrund then how is it that GPS modules mounted in trunks can still acquire their triangulated position? Unless you're referring to a van with a faraday cage mounted to the inside, a standard van probably doesn't stand a chance. – MDMoore313 Mar 21 '13 at 14:18
  • 1
    @MDMoore313, GPS signals are very weak and easy to block; That's why you need to mount your GPS navigator on the windshield of your car. Truck mounted units are mounted by a specialist and mounted so that they can get a signal. The fact that a specialist *can* find such a place doesn't mean you can get a signal *anywhere within the truck*. And I didn't say trucks, because those usually have light-weight sides made of fabric. Think of a white-van, the windowless kind. The kind used by delivery companies. – Cosmin Prund Mar 22 '13 at 10:07
17

I'll try to approach your question from a purely physical point of view.

Physical access still overrides almost all other security measures; this applies to ATMs as well.

Imagine the following scenario: You have a locked (awaiting username & password) PC in a locked nuclear bunker, outside you have a mouse, keyboard, and a monitor. All connected to the PC with long cables. Having access to the keyboard and the mouse isn't very different from having RDP access in this case. You can probably send some high-voltage in the cables, thus performing a DoS attack, but that's as far as you can go.

ATMs aren't attacked simply because the risks outweigh the benefits. The ATM has an embedded security camera, there are security cameras around it, it has an internal alarm, it's placed in a securely-built small room. By the time the thieves break into the ATM, the police will probably be already there.

Matthew
Adi
14

> physical security of the machine, since it violates a common security principle

Not usually. Physical access doesn't mean you can look at it or be in the same place, it means you can poke at the guts. The guts are in a heavy safe, so unless you can haul it away, have hours to cut it open in place, or are one hell of a super-duper locksmith, it's doing alright as it sits.

A well-trafficked area and public exposure are often enough because the physical attacks to access the locked parts of the machine take time (or heavy equipment).

As for ATM cameras, they're not about preventing theft from the machine. They're about identifying crime that doesn't break the ATM after the fact, such as somebody placing a skimmer or catching forced-withdrawal crimes.

As bolder attempts against the physical security of the device happen, better installation methods are found to prevent them.

So, since the interfaces that aren't on the front of the machine take opening secure locks or damaging the hardware before being able to apply specialized knowledge, it's easier to just rob the cash box or over or focus on external hacks.

Dan Dascalescu
Jeff Ferland
8

Well, a few factors.

I assume many of the thieves that will attempt to target ATMs fall into two categories.

  1. Thieves that will be deterred by physical locks.
  2. Thieves who want the money in the ATM so badly that they are willing to physically smash open the machine.

The thieves that are actually smart enough to hack into the ATM's system to obtain the cash will probably find the risk of being caught due to being physically present not worth the amount of cash they can obtain from the ATM, considering there are probably less risky and more lucrative black market activities they can be taking part in.

There have been plenty of demonstrated exploits against ATMs though, many of them illustrated in this blog post here. I'm not sure if any of the exploits have been used in the wild though.

8

"If an attacker has physical access to my machine, all bets are off,"

This is generally applied to PCs/laptops/servers. These have things like USB ports/CD drives (not to mention easy-to-remove screws from which you can poke at the innards) from which you can easily get full access. For example, if I want to get into my friend's (Linux) computer, I can just boot from a live USB/CD, chroot into their Linux FS, change the password from their (or create a new user), reboot, and I now have full access. Windows is trickier, but doable. If they've put a lock on it via BIOS, then I can open it up, remove the hard drive, and then mess with it. Basically, such devices aren't made for security. They have lots of software security, but there is no provision for hardware security since keeping the hardware secure is understood to be your problem.

ATMs, on the other hand, are designed to be secure hardware-wise. A well-designed ATM will be tough to get into. You probably can cut a hole in the side and get physical access (after which you can take the money and/or get into the banking system), however there probably are alarms that alert the police when an ATM is being tampered with. Any USB slots/ports an ATM may have may be locked down in such a way that only authorized devices can get through. Nevertheless, people are able to get away with installing skimmers in ATM card slots or sledgehammering ATMs and running with the cash. There have been some cases demonstrated where one can flash new firmware (gasp) very quickly.

Manishearth
7

Apparently some models of ATMs use a universal key that you can get off the internet, giving physical access to the hardware. In 2010 a security expert demonstrated how he was able to use this (and the fact that some ATMs can be updated via phone line) to make the ATM spew out money on demand.

As others have mentioned, the enclosures in ATMs pretty much prevent direct access to the computer inside. But if you use a skeleton key assuming that only legitimate owners would have one, or allow a random phone call full access to update your system, it doesn't matter.

5

An ATM is secure in the same way all physical security works: your house door lock or a bank vault. It's not "impenetrable to everything", it's just not penetrable in a time that allows one to grab the loot and escape.

Indeed it is a simple risk-reward analysis. A house in a "nice neighborhood" can do with weak locks, because it's very likely that someone will notice, call the police and they'll arrive in a short time. On the other hand, in a "bad neighborhood" you often see reinforced doors, because a burglar can assume that no one would care about a door being kicked open.

An ATM is pretty heavily armored and locked up, so there is no physical access to the computer inside. Just to start hacking the computer you'd have to crack the shell open first. The risk-reward analysis still applies: can you crack and hack it before anybody notices? It would certainly take more than a couple of hours; that's why you don't see anyone doing it at 4:00am. However, there are many examples of robberies where thieves ripped the ATM from the wall and stole it in one piece. In this way the part where they are exposed can be shortened enough to make the effort worthwhile and the lengthy part moved to a safer place.

Please note there is one more variable coming into play: it can't be known for sure how much money is inside the ATM. One can only guess. ATMs are rarely "filled up"; they are loaded with "just enough" to make it to the next scheduled loading. Sometimes the circumstances give away a hint: there was an incident in Poland when a brand new ATM was stolen the night before a grand opening of a new shopping mall. Predicting the huge crowds, the ATM company filled the machine with an amount of cash far larger than normal on the day before. Robbers anticipated and took advantage of that, but it still was a risky move.

To sum up:

  • The inner computer is not physically accessible from the outside.
  • Just to start hacking you need the lengthy and noisy cracking-open part.
  • Once you're equipped to crack the outer shell (to get to the computer) you might just as well continue cutting the money cases, thus alleviating the need for any computer literacy.
  • An ATM is likely to be equipped with content-destruction devices (paint sprayers).
  • You can never know for sure if there's enough money inside just to pay the cost of cutting tools.
Agent_L