Historical Commentary on Physical ATM Attacks


In the last few months there has been more information and commentary on physical ATM attacks.

This has become a fairly large problem where a group of attackers will identify weakly secured (physically) ATMs, fly in country, attack the physical machine, boot from a cdrom, interface with the front panel and eject cash (all of the cash).

Once the cash has been secured/extracted, they promptly catch a plane out of the country. The return on investment is great, while the industry response has been interesting.

Purpose For Sharing

It is our goal to share some of the progressions in these attacks over the last 8-9 years observed through internal investigations internationally for some of our clients. Before jumping to our story, the existing information that can be referenced can be found at:

Leaning into the issue, Brian Krebs had obtained some valuable information from NCR. We have observed the comments to be helpful but may not be complete.
Comments from NCR @krebsonsecurity "OW: If you work on the configuration setting…for instance, if you lock down the BIOS of the ATM to eliminate its capability to boot from USB or CD drive, that gets you about as far as you can go. In high risk areas, these are the sorts of steps that can be taken to reduce risks.”

Our Experience?

Locking down the bios on these units is a bit of a misnomer, as you can usually bypass this by taking out the bios battery, thus resetting the bios. The current attackers are doing this. The NCR comments may have been taken out of context, I’m not sure. Bios protection bypass through battery popping… 1980’s we know.

The real takeaway here is the weakest link will always be attacked, especially on components that are believed to be obscure. There has been a progressing in this attack pattern that we have observed since at least 2005/2006. It is important to understand the progression of these types of events over a longer period of time so there is a deeper appreciation and knowledge of the evolution of criminal intent and capabilities.

Looking at the groups that have used some of these methods over the last 10+ years it has been implemented in different ways.

The first wave of attacks, circa (2005/2006)

Location Latin America

The first response we had been involved in ATM attacks was in Latin America. Most of these groups would perform a mixture of attacks against ATMs. The first attack would be to physically just replace the ATM with a fake ATM. This was affective primarily because of the half-life of the actual attack, mixed with the ease of duplication of track1 and track2 information, followed by cloning and cash out in a neighboring country.

The second iteration we observed came when the fake/synthetic ATMs would have extended user interfaces (e.g. Touch Screens) installed to further instill confidence and trust. Touch screen’s are cool, newer and must be more secure, plus the half-life in a Latin American country could be weeks if not months. (We typically observed one to two month lifespan)

Capitalizing, and moving past the first two attacks would be simple theft of the ATM machines, with the goal to acquire PIN and track data, with a cash out scheme. These attack patterns had been the pre-cursor to the attacks being currently deployed.

Moving into the present, I think it is important to understand that these attacks are occurring in different geographical locations in the world and have been practiced, perfected and currently automated to a snatch and grab type deployment. It is an easy return on investment for the attackers, especially when the cost is a few flight tickets, a short time frame and a duffle bag of cash. In the end, the criminal intent will persist, this will occur likely on other versions in a slightly modified form until the victim who exhibits the weakest link evolves.

The NCR comments:

"If you work on the configuration setting…for instance, if you lock down the BIOS of the ATM to eliminate its capability to boot from USB or CD drive,..."

This quote appears almost correct, but we have observed the current attackers or a group of attackers utilizing the same toolkit to bypass the bios password with ease as they kindly ask the machine to hand over all of their cash.

We look forward to any other responders / investigators that have observed similar attack patterns since 2005 to present.