Hackers can siphon off cash from ATM: Here's how?

Security firm IOActive sought to make an awareness at its Breaking Embedded Devices panel at Black Hat that ATMs are still vulnerable to hacking.

diebold nixdorf atm
A Diebold Nixdorf ATM. Reuters

A new hacking incident has proven that automated teller machines (ATM) are not as safe as they are touted to be. A group of hackers has withdrawn cash from an ATM Wednesday through a plugged netbook. Fortunately, no money was actually lost during the hack as it was a just a demo at the Black Hat 2017 event by a team of security researchers.

Security firm IOActive sought to make an awareness at its Breaking Embedded Devices panel at Black Hat that ATMs are still vulnerable to hacking. Using the Opteva ATM unit of industry leader Diebold Nixdorf, security researchers hacked the machine to make it discharge cash until it was empty.

CNET reported that the researchers used a netbook plugged into the exposed USB port and embedded the code to the ATM's Automatic Funds Distributor, a bot on the embedded system responsible for determining how much cash will be dispensed. They controlled the bot by reverse-engineering it and deceived the ATM to mete out cash.

The team wants to show that computers, phones, and servers are not the only means for hackers to siphon a large amount of cash, adding that any device with a chip or an internet connection can also be vulnerable to theft. Technically called embedded systems, these machines only have one role, and in the case of ATMs, that is to dispense cash.

ATMs are convenient targets for hackers to draw off cash because as an embedded system, "machine's security is only as strong as its weakest link", CNET reported. Accordingly, IOActive director for embedded systems security Mike Davis tried to reach out to Diebold Nixdorf for a couple of times about their machines' weakness.

Davis particularly singled out that the vulnerable part of the Opteva ATM is near the upper speakers, which hackers can loosen and expose a USB port in a matter seconds. The company has ensured the lower part of the machine, where the cash is stored, leaving the upper part less secure in the belief that it does not need equal security, he added.

In defence, a Diebold Nixdorf representative said the machine hacked was manufactured between 2008 and 2009 which never received any maintenance and security updates. Diebold Nixdorf refused to comment how many ATMs from that time are still in use today.

Some of Diebold Nixdorf's vast clientele include Russian Post Bank, India's AGS Transact Technologies, Taiwan's First Commercial Bank, and several banking corporations in the US.

This article was first published on July 27, 2017
READ MORE