ATM theft and fraud is nothing new and culprits are coming up with new ways all the time to either get cash out of ATM in some way or steal ATM user’s card number and pin code. One expects the banks to stay vigilant and at top of the security game to cope with such notorious acts by keeping their ATMs up to date with cutting edge technology. However, this is not the case as over 95 percent of the ATMs run on an operating system which was released initially about 13 years ago that is Windows XP. Microsoft will stop supporting the historic operating system on April 8 this year after which it will be officially declared dead. According to Symantec researchers, this will affect the banks heavily. What can be the reason for banks to not upgrade to a new OS in ATMs? Clearly, shortage of funds is not something that is associated with banks.
The users and the banks have already been warned by Microsoft and hackers are eagerly waiting for the day when support will be withdrawn. Microsoft will neither issue any more patches nor will it investigate the flaws any further after that.
It could be as easy as to send an SMS through a mobile sharing the internet connection of the ATM machine to collect the cash from the ATMs. The Trojan threat named as “Backdoor.Ploutus.B” is an English variant of its earlier Mexican version called “Backdoor.Ploutus” which used an external keyboard to send commands. How does it work? The hacker attaches a mobile phone in the compromised ATM running on Windows XP using USB tethering which creates a shared Internet connection for ATM and mobile phone to connect to the servers of the bank. Then the hacker sends SMS commands to the connected phone which converts the commands in proper network packets that are sent through the ATM to the bank servers. The servers think that the request for cash is legitimately coming from a properly working ATM thus releases the cash to be collected by the hacker.
Two SMSs are required to carry out this hack successfully:
“SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM.”
“SMS 2 must contain a valid dispense command to get the money out.”
Symantec suggest a number of measures that can be taken to make the ATMs more secure from Ploutus attacks. Symantec writes:
- “Upgrading to a supported operating system such as Windows 7 or 8
- Providing adequate physical protection and considering CCTV monitoring for the ATM
- Locking down the BIOS to prevent booting from unauthorized media, such as CD ROMs or USB sticks
- Using full disk encryption to help prevent disk tampering
- Using a system lock down solution such as Symantec Data Center Security: Server Advanced (previously known as Critical System Protection)”