How to Hack an ATM

How easy is it to hack an ATM? Probably easier than you think, according to cybersecurity expert Fred Mastrippolito and Peter Quach, project manager at Polito Inc., a cybersecurity company that recently tested new ATM machines for a banking client. The Polito team discussed that experience during a recent AppGuard webinar and revealed some surprising findings — and broadly applicable lessons.

Quach says the ATM hack was much easier than most people would suspect. He pointed out that ATMs are computers at their core, and therefore, they are as vulnerable as any other device to hacking. Of course, ATMs are also a physical piece of equipment that dispenses money, so the Polito team tested the physical enclosure first, which they easily penetrated.

Once the team gained access to the ATM’s internal USB ports, they were able to connect any device to the machine’s hard drive, including a keyboard they could use to gain access to its Windows 7 operating system. This vulnerability would allow a bad actor to engage in all kinds of malicious mischief, including placing a skimmer inside the machine to collect highly sensitive account data.

The Polito team provided their client with a series of recommendations, including improvement in segmentation and firewalling, application whitelisting and working with the service vendor to fix other vulnerabilities. They also recommended that the bank monitor the new ATMs, applications, and overall infrastructure to mitigate the threats the assessment uncovered.

What Can Other Businesses Learn from the ATM Hack?

Those are great takeaways for the bank, but what conclusions should the rest of us draw from the ATM hack? One lesson learned is that even the most secure-seeming devices are vulnerable to hackers in a number of ways. Another is to pay attention to security basics and have a scalable strategy for addressing known vulnerabilities across endpoints and networks.

It’s not just banks that are vulnerable to catastrophic hacking. A look at the newsmaking data breaches that have occurred in 2019 underscores the scale of the challenge and how widespread the risk is across industries. Here are just a few examples:

  • A major automaker suffered another data breach that may affect more than 3 million employees and customers.
  • The exploitation of a vulnerable web application at a university exposed the records of more than a million students and employees.
  • Improperly secured servers led to a data breach that exposed more than 540 million Facebook-related records.
  • A real estate and insurance company suffered a massive breach affecting data for more than 885 million customers, including Social Security numbers and sensitive financial information.
  • A hacker accessed a leading medical diagnostics company’s data, exposing the records of approximately 12 million

This sampling of high-profile hacks all occurred in the first half of this year. There’s no reason to believe the pace of data breaches will decrease. Hackers are as motivated as ever, and the “detect and respond” cybersecurity strategies so many companies have invested in over the years aren’t up to the challenge of stopping breaches and, due to the cost and time resources required, aren’t infinitely scalable either.

New Approach Needed to Reach Different Results

The Polito team’s white hat hack let their client know about major lapses in security basics on a seemingly secure endpoint device many of us use routinely: an ATM machine. There are broader lessons for IT and security experts employed in other sectors, and among the first is that it’s crucial to pay attention to the basics. As the security landscape grows more complex, that’s more important than ever.

If you missed the webinar, you can view the recording here. It contains more details about how Polito assessed the ATM and more about the steps the company recommended to reduce risks. If you have endpoints of your own to worry about, check out a demo that shows exactly how AppGuard can protect your business and systems with an entirely new approach to cybersecurity.