Criminals are interested in return on investment, and the return on investment for an attack like this is much higher, because you can target multiple ATMs without leaving your house.
This is a home-based command centre, think of it as the IT-technician for this crime.
This is just a standard ATM.
So I'm going to withdraw $40 from this ATM.
Select English, [INAUDIBLE] PIN, I'm gonna make sure to protect my PIN.
I'm gonna do withdraw checking for 40.
We have two X-force red $20 bills.
I'm gonna request $40 again.
Let's see how much money I can get out.
I'll take a receipt, now, this time, in fact, if you look at my receipt, it also says $40.
From a criminal point of view one of the great things about this attack is that the bank has no idea what's happened.
The bank told the ATM to dispense two bills.
It has no idea that the attacker modified the response and changed it to 10 bills.
And what operating systems do these generally run?
You see everything from XP Embedded, XP Windows 7, All the way up to more modern variants of Windows.
So you're saying that the most vulnerable versions of Windows are deployed on thousands of ATM machines across the country?
Yes, you have a lot of ATMs across the country that still run Windows XP.
So the type of vulnerabilities that we exploit initially on an ATM are very common.
ATMs are architected a very similar way to home PC.
In fact it often times it may be more vulnerable because of the difficulty in patching ATMs that are distributed across the wild geographic area.
Most of the ATMs don't have a support staff that are standing there.
And that the bank has to send someone out to each ATM to install software.
It significantly increases cost.
So they're usually very conservative about which patches of which software they push out.
This is the receipt printer has the standard USB connection shows up in Windows just like any other printer.
You could actually print Word documents on this the same is true for the safe.
The cash dispenser is also just a USB device was printed out our own money stopped it up.
Once the ATM is compromised, that's where it gets a lot more complicated.
An attacker has to know how to communicate with the specialized devices.
Each vendor has a separate set of hardware that they're going to be using every piece of software on an ATM has the potential to be a little bit different.
So we create our own custom software when we're performing attacks.
The attacker can monitor everything that's going on.
For example, the attacker can see what's actually displayed on the screen of the ATM and also observe the network traffic.
The highlighted text here is the magnetic stripe data from the card.
You can see the 4000 is corresponds to the $40 that Charles requested.
A lot of people assume that when an ATM withdraws, a process that the bank issues a yes or no response, but in reality it tells the ATM how many bills to dispense.
So in the response it told the ATM to dispense two bills, but We can modify it as the attacker change that 02210 so the 10 bills are dispensed
Do I need to people do I need to you extracting cash and some attacker sitting in a remote location synced up
Conceivably he could do it from right outside the atm but it makes more sense because there's less risk to him being compromised if he can send A low cost criminal employee to go pick up the cash for.
This is us taking control the ATM now notice it goes out of service.
Sometimes criminals may not want to put a card into the ATM for whatever reason and they may just want to dispense money.
Is often referred to in the industry as jackpotting.
And it doesn't even require a card.
David is just going to remotely dispense cash.
How often they're updated often depends
On the volume of usage for an ATM, but an ATM like this can hold over $200,000.
In fact, in certain rare instances they can be stocked with up to a million dollars.
And it's very difficult for banks to detect this in the short run because.
ATMs don't have a precise way of measuring how many bills are in the back.
It's just a counter.
It's really only if the criminals empty the ATM completely of cash that warning bells go off.
So a lot of the technology that is needed to defend against these are things that are already on the market.
For example, having encrypted network connections between the ATM and the bank.
Well, that's been available for for literally decades now, surprising how many banks are still using insecure network communication.
When an ATM like this is compromised, it's the consumer that pays and the form of increased fees.