From the outside, your bank's automated teller machine probably looks like an impenetrable cash-dispensing vault. As well it should: The average ATM is stocked with about $200,000 in cash, locked behind steel doors and your secure PIN code.
But according to security experts at IBM, the flashy user interface on most bank ATMs is simply a facade that hides a surprisingly insecure computer running an old operating system on archaic components.
There are over 3 million ATMs across the globe and about 500,000 active units in the US. The vast majority of these machines run Windows XP, a platform that was released in 2001 and no longer receives security updates. This makes cash machines prime targets for cybercriminals, said Charles Henderson, the global head of IBM's hacking unit X-Force Red.
At the 2019 Black Hat cybersecurity conference in Las Vegas, his team used a custom Linux application to demonstrate how coordinated groups of cybercriminals launch cyberattacks against cash machines. Henderson's team was able to demonstrate how small groups of criminals could communicate to install code, avoid the ATM's built-in defense mechanisms, and avoid leaving a record on the transaction log. Within moments, he was able to make a machine spit cash and avoid being documented.
"The ATM is really just an interface to your bank. Banks spend billions each year on cyberdefense, but there are so many ATM machines in the wild that updating and securing them individually can be a serious challenge," said Henderson. "Which makes them a hacker magnet."