A RM100 chip, specific technical knowledge and a free malware obtained over the Internet is all the necessary to hack Automated Teller Machines (ATMs), this is the opinion of a cybercrime expert, which released an exclusive interview to the FMT (freemalaysiatoday.com).
The cybercrime expert was invited to report in regard to a recent hacking case of 17 ATMs, a Latin American gang of cyber criminals was able to hack and steal millions of dollars from the automated teller machines in Malaysia.
The hackers steal more than $1.2 million from ATMs of at least 17 bank branches belonging to United Overseas Bank, Affin Bank, Al Rajhi Bank and Bank of Islam were reportedly hacked into by the Latin American gang.
The Closed-circuit television (CCTV) footage from the banks showed that 2-3 Latin American men entered and withdraw money from these targeted ATM machines.
“What you need is a mastermind, a RM100 computer chip and possibly a bank ‘insider’ to execute the attacks.” he said.
The 17 ATM hacks must be a warning for the banking industry that according to the expert is loosing field in the fight against cybercrime.
“Banks should look into their security seriously, and not just for the sake of compliance.”“This mentality has to be changed to build security in the DNA of the bank.”
A little information is needed to the attacker, the knowledge of the targeted system could be enough to compromise a banking ATM, all this information typically provided by insiders.
“He (the hacker) will know where the locks and connections are, the model of the machine, the level of security and the version of the operating system.” explained the expert.
The expert also pointed out the roles of the guys captured by the surveillance cameras at the bank
“The guys caught on the CCTV are not the actual criminals.” “It’s like the ‘monkey see, monkey do’ situation. They can be shown what is supposed to be done without the need for any technical knowledge. They probably do not even know what they are doing.”
“It is a simple attack as there are many free malware available online. And it is definitely something that the bank has to seriously think about.”
Based on his experience in the sector, the expert highlighted the wrong approach of the banking industry in the protection of ATMs machines, in many cases these machines run out dates OSs, lack of patch management or they are poorly configured.
The expert is very controversial with financial institutions, he explicitly refers to the results of a series of penetration tests conducted against banking systems that succeeded to breach the
“The bank I worked for was not happy that we breached the system after doing a hacking” he said. “It’s either they wanted to ensure that we couldn’t find anything, or, they will hire incompetent people who will not find anything.”
The results of the penetration testing session demonstrate the presence of several weaknesses in the banking systems, in many cases the ATMs were running on outdated operating systems like Windows XP.
“Banks have been taking things for granted because nothing like this has ever happened before.” the expert added.“They depended heavily on the CCTV and in some locations, they do not even have security guards.
The experts involved in the test also discovered many other serious flaws in the ATM, lack of encryption could expose sensitive data to tampering advantaging the hack of these machines with a malware based attack.
“It is also because of the lack of encryption technology such as the Public Key Infrastructure (PKI). “If the PKI was implemented, it wouldn’t have happened.” he added
(Security Affairs – ATM hacking, RM100 computer chip)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.