Business challenge

This bank found that, despite its strong security posture, criminals were breaking into ATMs and installing malware that allowed them to withdraw cash at will, resulting in significant losses. 

Transformation

X-Force Red veteran hackers uncovered the vulnerability that the thieves exploited—a weak approach to generating encryption keys for the ATM hard drives—and helped determine a stronger defense.

Results

Identified

the vulnerability that made it possible for thieves to install malware

Helped determine

a cost-effective approach to remediating the vulnerability

Validated

the effectiveness of other ATM security measures the bank had in place

Business challenge story

Thieves steal two ATMs—and ultimately millions in cash

It was a bank’s worst nightmare. A ring of thieves had turned many of its ATMs into personal piggy banks, withdrawing cash at will. Through a combination of periodic withdrawals and one-time empty-the-vault “cash outs,” the criminals ultimately made off with the equivalent of 4 million USD over a period of months—all in largely untraceable cash. 

A pattern did emerge, however. The ring was only targeting one model of ATM. As it turned out, two machines of that model had been stolen. Assuming that the ATM theft was carried out by the same criminal network that was making the cash withdrawals, the thieves had plenty of time to figure out how to “crack” the ATM.

These ATMs were not protected by video cameras or intrusion detection sensors. But a surveillance video acquired from a neighboring business revealed the gang had figured out how to open the top half of the ATM—the cabinet that houses the computer system. The video showed someone opening the cabinet, removing the hard drive and leaving, then returning 40 minutes later and reopening the cabinet and reinstalling the hard drive. 

The bank’s own forensics revealed that in that 40-minute interval the thieves were installing malware that enabled them to withdraw cash. What the bank did not know, however, was how the criminals were breaking into the computer cabinet and bypassing security measures in place to prevent malware installation. 

We found that the bank was doing a lot of things right with their ATM security. It was just this one flaw they overlooked that the thieves were able to exploit.

X-Force Red hacker, IBM

Transformation story

One vulnerability undermines otherwise solid security measures

The bank’s Chief Information Security Officer (CISO) had engaged IBM Security Services for assistance with ATM monitoring—so it was a natural next step for the X-Force Red team of veteran hackers to investigate the ATM thefts. Working onsite in the bank’s lab, the team set out to find the software, hardware and physical vulnerabilities being exploited by the criminal network.

X-Force Red discovered the bank was doing a lot of things right in securing its ATMs, including running anti-virus software, hardening the Windows environment and preventing the USB bus from accepting anything other than approved devices like the keypad and cash dispenser. In fact, the X-Force Red hacker running this test was, for the first time, unable to escape out of the Windows console mode and escalate access privileges.

The bank had also enabled full disk encryption on the ATMs. That should have prevented the thieves from being able to load the malware, which was a variation of a common ATM malware readily available on the dark web. However, the bank faced an issue in the field that resulted in a vulnerability—the one thing the bank had overlooked. Because many of its ATMs are located in areas with poor connectivity and spotty cell service, the bank was not able to use the “call home” approach for distributing encryption keys when the ATMs are booted up. As a result, every one of a particular model had the same key. Once the thieves figured this out, they could freely install their malware on the stolen ATMs and then, using their own access codes, instruct the machines to dispense cash.

Identifying the physical vulnerabilities that provided the thieves easy access to the computer cabinet was relatively straightforward. While the bottom cabinet housing the cash vault was protected by a sophisticated lock, the top cabinet lock was comparable to the lock on a standard filing cabinet—a common vulnerability across many ATM models. The X-Force Red team was able to pick that lock in under 15 seconds. They also determined that wedging a screwdriver into a particular spot would easily pop the cabinet open. Either way, the thieves could open the cabinet and remove or reinstall the hard drive in under a minute. 

One thing that makes ATM testing complex is the number of different security disciplines involved, including application testing, hardware testing, network testing, electronics in some cases and physical security.

X-Force Red hacker, IBM

Results story

Hardening ATMs with a more secure approach to encryption key management

With the results of the X-Force Red penetration testing, the bank was able to further harden its ATMs and disrupt the criminal network targeting its machines. X-Force Red worked with the bank and the encryption software vendor to determine a more secure approach to generating encryption keys that was also feasible to implement across thousands of machines. 

The testing engagement also uncovered vulnerabilities that were not major security risks but which the bank was able to remediate. For example, unpatched software made it possible to reboot or power off the ATM remotely. The team also uncovered minor flaws in the remote monitoring setup that could be readily addressed.

Overall, the testing engagement validated the bank had indeed been doing an exceptional job with its ATM security program—a finding also well worth the investment in X-Force Red penetration testing services.

About Large commercial bank

This bank has more than 25,000 employees and operates a widespread ATM network with thousands of machines.

Take the next step

To learn more about the IBM solutions featured in this story, please contact your IBM representative or IBM Business Partner, or visit the following websites:

For more information on IBM Security solutions and services, visit:  ibm.com/security. Follow us on Twitter at @IBMSecurity