28
Jul 16

Would You Use This ATM?

One basic tenet of computer security is this: If you can’t vouch for a networked thing’s physical security, you cannot also vouch for its cybersecurity. That’s because in most cases, networked things really aren’t designed to foil a skilled and determined attacker who can physically connect his own devices. So you can imagine my shock and horror seeing a Cisco switch and wireless antenna sitting exposed atop of an ATM out in front of a bustling grocery store in my hometown of Northern Virginia.

I’ve long warned readers to avoid stand-alone ATMs in favor of wall-mounted and/or bank-operated ATMs. In many cases, thieves who can access the networking cables of an ATM are hooking up their own sniffing devices to grab cash machine card data flowing across the ATM network in plain text.

But I’ve never before seen a setup quite this braindead. Take a look:

A not-very-secure ATM in front of a grocery store in Northern Virginia.

An ATM in front of a grocery store in Northern Virginia.

Now let’s have a closer look at the back of this machine to see what we’re dealing with:

groceryatmback

Need to get online in a jiffy? No problem, this ATM has plenty of network jacks for you to plug into. What could go wrong?

Daniel Battisto, the longtime KrebsOnSecurity reader who alerted me to this disaster waiting to happen, summed up my thoughts on it pretty well in an email.

“I’d like to assume, for the sake of sanity, that the admin who created this setup knows that Cisco security is broken relatively simple once physical access is gained,” said Battisto, a physical and IT security professional. “I’d also like to assume that all unused interfaces are shutdown, and port-security has been configured on the interfaces in use. I’d also like to assume that the admin established a good console login.”

While it’s impossible to test the security of this setup without tampering with the devices, “considering that this was left like this in the front vestibule of a grocery store with no cameras around AND the console cable still attached, my above assumptions are likely invalid,” Battisto observed.

“In my experience, IT departments often overlook basic security practices, and double down on the oversight by not implementing proper physical security controls (you’d be surprised, maybe, at the number of server rooms that I’ve been in that had the keys to all of the racks taped to the outside of the doors),” he said.

If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.

If you liked this piece, check out my entire series on skimming devices, All About Skimmers.

Tags: , ,

117 comments

  1. Half or more of the ATMs in Thailand are set up just like this. And trying to point out the risks to bank officials gets only blandishments in return. Even so, I prefer to use one such machine near my residence for the very reason that I can recognize instantly if there’s a new piece of equipment behind it. Familiarity has its upside. Of course uptime is an issue — stray dogs like to sleep behind the machine and sometimes knock out the power plug.

  2. Amazing post written by you,
    Nowadays, ATMs are the most important device for money, it may be credit card or debit card. But after reading your post, I am so frightened for my safety. So shared about problems, but tell me the solutions to be safe for such problems.
    Thanks

  3. Scott Borcherdt

    They’ve even left the console cable there for you! How polite.

  4. This is all assuming that no one will walk into it for being so focused on their smartphone.

    Thanks Brian….
    wow 😉

  5. WTF why hasn’t that store had its banking privs revoked. Have the banks put a few businesses into bankruptcy and you will see this idiocy stoped.

    • It exists this way and hasn’t been shut down for one very simple reason – cost avoidance. The costs to “do things properly” are more than the losses from fraud. Combined with systemic architectural plausible deniability in the financial industry, there is no business case to support making it better.

      The fees incent the entire supply chain from the bank to the ATM operator to the store and all of the HW amd SW infrastructure vendors in between to maximize profits by cutting costs at every step of the way. This is also why EMV adoption in the US has and is taking forever. It is the fight over who pays for shared infrastructure (i.e. security) itself combined with unfunded mandates that torpedo even the best intentioned InfoSec practitioners.

      Those pictures are what lowest cost “race to the bottom” universal banking access looks like.

      It also begs the question as to what kind of local micro-economy is going on that requires cash-only transactions when the store is closed – to the point where putting in an ATM is profitable to meet that market demand.

    • The store likely doesn’t have banking “privileges”. Ever hear of the fights over “interchange”? The store probably refused to add 3-5% to its costs to accept cards, rejected the EMV terminal upgrade costs, etc. And then decided to outsource all that pain and cost to an ATM operator who put that POS outside the front door to replace the other kind of POS at the register. Problem solved for the store, right?

  6. I’ve seen similar setups in the Dominican Republic, mainly in grocery stores. No console cables though. 🙁

  7. I’m surprised no one has stolen the Cisco gear yet.

  8. James Buchanan

    Remember, what Willie said, that’s where the money is. But now would you use your charge/ debit card in that store? I would opt for cash, but that’s why you went there.

  9. just found your articles a few months ago. Love them. Has anyone bothered to check for the password taped to the underside? Anyone want to give odds?

  10. The only ATMs I recommend are those attached to the wall of the bank that manages it.

    • 8-9 years ago, my local supermarket had a bank inside of it. The ATM was built into the wall, but just above it, a blue ethernet cable came out of a wall, went about 6″ and went back in. Nothing like almost getting the physical right. I refused to use that one as the holes were big enough that you could easly splice in something and push it into the wall undetected. We moved, so it could verywell still be there.

      • Depending upon the quality of the cable they used, it would be trival. If the sheath is poor, you can attach a tap without even cutting open the cable.

  11. At least they’ve used a red cable to connect to the ATM indicating secure practices somewhere..

  12. I love how the admin neatly zip-tied the cable, though. That’s pride in one’s work!

  13. I was wondering whose open Wi-Fi they are borrowing for free! LOL

  14. I like that the console cable (the blue flat serial to Ethernet cable) is still plugged into the switch and left hanging.

    As said by others, the amazing thing is that most people would not think twice about using this and will blindly insert their card.

  15. I think this might happen…
    Someone will walk up to this machine with a uniform shirt, clipboard, and a dolly. They’ll load it on a truck, which will take a couple of guys because it’s about 250 pounds. They’ll use a blowtorch to open it. They’ll get about $10,000 from inside if taken not long after it’s been loaded, like Friday night.

    Why hack the exposed electronics for ATM card data when unmarked cash is sitting right there? That’s not as l33t, but I think it’s actually less risk and more profit than than either selling or using the stolen ATM card data after it’s been hacked. Am I wrong?

  16. My first thought too was why someone hadn’t stolen the gear.
    Looking at this setup, I wonder if the ATM is even bolted to the floor?

    G

  17. At least the ATM is in the DMZ. (not in the store and not in the parking lot but in the shade) It’s a stretch of a joke. 🙂

  18. Is the phrase ‘wireless antenna’ redundant? Are there any antennas that are not for wireless communications?

    • Richard Turnbull

      I think leaving out either noun conveys a different meaning, and is confusing given our linguistic conventions.
      For example, “the wireless” — the wireless what, set up to do what? Ditto “the antennae” — by adding the prefix, the emphasis is on receiving cyberspace signals rather than t.v. or radio broadcasts, although I agree people should be able to figure out what’s what anyway.
      Meanwhile, Brian keeps doing great work to educate us about cybersecurity, as usual.

  19. Admin fail

  20. C-L-A-S-S-I-C. Thank you for a good laugh on a Friday…

  21. but can it play DOOM? why does anything else matter on read only fritag!?

    • Richard Turnbull

      I am trying to track down the credibility of the anecdote that some touch screen voting machines were hacked, one by U. of Michigan fans to play “Hail to the Victors, ” and another to play PacMan.
      Cf. Steal this Vote: Dirty Elections and the Rotten History of Democracy in America (Nation Books, 2005) by Andrew Gumbel, winner of the Project Censored Award. His account of touch screen voting machines alone is a harrowing read, and he lets both parties in for plenty of what looks like condign criticism. ALLEGEDLY, many thousands of the voting machines which will be used across the USA in our over 4,000 counties are over 15 years hold and not that difficult to finagle, to hack.

  22. Moe Larry Curly

    Everyone is assuming this ATM is even legitimate in the first place. Maybe it’s just designed to capture card data and and displays an error message instead of dispensing cash.

    • Richard Turnbull

      Skepticism is a powerful intellectual frame of mind, but can be pushed too far, even into unhealthy conditions that require some even more focused skepticism and reflection to mellow them out.

  23. Speaking as an ex-ATM software administrator for a financial institution, this is an awful setup. The ATM itself I would hope is sitting on a software whitelist(Solidcore or similar) that will prevent other processes from running but this is wishful thinking at a glance. Hopefully default credentials on the Cisco device have been nuked as well but again pure speculation. Love how they left the router interface cable to make it convenient to access. I would have grilled and canned any vendor that did this job for me.

    The fundamental problem with ATM installs is the vendors contracted by financial institutions or the ATM manufacturers are lowest bidder and generally do not care about the install setup. It is also true financial institutions rarely invest the time and energy into properly maintaining an ATM fleet.

    I was lucky to have worked for an institution that had a heavy hand in its own ATM operations starting from software out and even had a test lab to build and look deeply at how things operate. Most other institutions just go “We want an ATM here. Go do it” and will send someone incapable of pondering the security implications of a setup such as this where there is no ATM topper. If I was a betting man, I would say the institution has never checked the site or considered the ramifications of not having an ATM topper. To them it was a marketing expense not a Physical/InfoSec expense and they just assume that since the ATM is posting good uptime and see transactions everything is fine.

    Its amazing no one who services this ATM on a regular basis sees any problem with this. From the armored vendor supplying cash to the tech who provides second line service. The institution should be performing a site visit randomly. Litigation involving ADA and other laws are very commonplace and turning a blind eye is inviting the lawyers to tea time. You would be amazed what you find on, near, or removed from ATMs every 90 days.

    I wouldn’t be surprised if the fraud attempts skyrockets at this location. People do incredibly stupid things when they can play with ATM power.

    Something our software engineer said something that stands with me to this day:

    “If you are in front of the box, you own the box. Set up all the walls you want but the guy in front of it with access can cut just about anyone out of the equation.”

    ATMSoapBoxTerminate=yes

  24. Thanks for the laugh Brian, great post!

  25. Jeff Katanick

    Seems totally legit !!!

  26. What if its actually a sting operation and setup like that purposely waiting for somebody to tamper with it.

  27. I’m not exactly trusting the installer in this case! Could be connected to a honeypot access point as well – either accidentally or even on purpose.

  28. Hacking tools

    When you have a checking account (sometimes even special high yield saving accounts) you might qualify for an Automatic Teller Machine Card (ATM), which allows you to withdraw cash from a machine. Most ATM machines at a bank will also allow you to deposit money, transfer money and check your account balance. These ATM cards are debit cards. Before an ATM machine dispenses cash, it checks to see if you have adequate funds available for that amount. If not you won’t be able to make a withdrawal. Your bank will also limit the amount of cash you can withdraw on a given day, which may be as small as $100 or it could be as large as $1,000 (or more), regardless of how much you have in your account. This will be based on the type of account you have and the amount of money you keep in the bank. Check with your bank. The amount you can withdraw can be negotiated. Note: all ATM machines are not programmed the same way. Some ATM machines might have different amounts of money you are permitted to withdraw.

    • KrebsonSecurityFan

      Does the ATM Card have Visa or MasterCard printed on it?

      If it does then it’s not an ATM only card.

  29. I had worked at a regional bank (4 yrs ago) and they allowed the ATMs to have access to the internet through the data center! The vendor support staff were surfing the web while servicing the ATMs. When the bank card requirements were discussed they required point to point encryption. The next branch upgrade didn’t implement the encryption because it was not included in the project plan or budget. The phrase used about encryption implementation was “it’s not my job”. Disaster recovery was just a phrase as well as a joke.

    • Richard Turnbull

      It looks like Brian’s investigative journalism is one part of trying to wake people up, share knowledge and key expertise, and slowly but surely push back against the complacency and even legal liability you identify.

  30. Holy crap!

    “Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”

    http://www.techsupportforum.com/forums/f112/10-commandments-of-security-2163.html

    That was written 14 – fourteen!!! – years ago!

    People STILL don’t know that?