Advanced ATM

Penetration Testing
Methods
Cardless ATMs & Bitcoin ATMs
 ATM Penetration testing
An ATM is a machine that empowers the
clients to perform keeping money exchange
without setting off to the bank.
Hackers have found different approaches to
hack into the ATM machines. Programmers
are not restricting themselves to physical
assaults, for example, money/card
catching, skimming, and so forth they are
investigating better approaches to hack
ATM programming.
 ATM Work Function :
Most of the ATMs have 2 input and 4 output.
The card reader and keypad are input
whereas a screen, receipt printer, cash
dispenser, and the speaker are output.

The most part two sorts of ATM’s which vary

as indicated by the way they work. They can
be called as
1.Rented-line-ATM
2.Dial-up ATM machines
 Continue ……
Any ATM machine needs an information
terminal with two data sources and four yield
gadgets. Obviously, for this to happen there
ought to likewise be the accessibility of a host
processor..

The host processor is important so that the

ATM can interface furthermore speak with the
individual asking for the money
Continue ……
 Continue ……
A rented line ATM machine has a 4-wire,
indicate point committed phone line which
assists in associating it with the host
processor.

The dial-up ATM machines just has an

ordinary telephone line with a modem and a
toll free number. As these are typical
associations their underlying establishment
cost is less.
.
 Continue ……
New ATMs can access the latest
hardware, software, features, and
functions. Some of those things may
not have hit the refurbished market
yet.

Consequently, new ATMs might be

more Windows 10-ready, more likely to
support cash recycling, and even sport
a video terminal. They'll also be more
expensive. Old ones cost is less.
.
SO WHAT HAPPENS
WHEN A CLIENT
EMBED HIS CARD TO
PULL BACK THE
MONEY?
 Continue ……
1. Client’s record data is put away on the
attractive portion of the card which is
situated posterior of the card. The client
embeds the card in card peruse.

2. After the card is perceived, the client is

requested that give the stick. The client
enters the stick utilizing the keypad. The
stick is encoded and sent to the host server
 Continue ……
3.The client enters the add up to pull back.
The ask for goes to the host processor. The
host server sends the exchange demand to
the client’s bank which approves the sum,
pull back cutoff, and so forth.

4.The application running on the ATM

teaches the money container to administer
the money.
.
 Continue ……
5. Amid the administering procedure, a
sensor sweeps every bill for its thickness.
This is to check if two bills are stuck
together or if any bill is torn or collapsed. In
the event that two bills are stuck together,
then they are occupied to the reject
receptacle.
ATM BPT STYLE
PENETRATION
TESTING
 Continue ……
ATMs test with our ‘Business Penetration
Test’ (BPT) methodology, which simulates
real attacks on ATM solutions. This includes
carefully designed targeted attacks, which
combines physical, logical and optionally
social engineering attack vectors
 Continue ……
ATM security is often considered a complex
area by IT security managers, who tend to
focus more on the physical risks and less on
the logical weaknesses in the operating
system and application layer.
 Continue ……
Physical controls

Many banks rely heavily on the assumption

that physical access to their ATM solutions
is effectively restricted. In the meantime
repeated, illustrates how little effort is often
required to gain unauthorized access to the
ATM CPU, which controls the user interface
and transaction device.
.
 Continue ……
Logical controls

With physical access to the ATM CPU,

authentication mechanisms can be
bypassed to gain unauthorized access to
the ATM platform.
 ATM ecosystem
An ATM solution and network form a
complex ecosystem that consists of different
vendors and responsible agents, both
internal and external to the banking
organization
 Attacks
The cyber-criminals use external
malware or electronic devices to
conduct logical ATM attacks to gain
physical access to the cash dispenser.
Once the criminal gains access to the
cash dispenser, they can steal money
from ATM. The process is also called as
jackpotting or cash out.
ATM PENETRATION
TESTING
 ATM Penetration testing
As the number of ATM units increase, the
machine is prone to hack attacks, robberies,
fraud, etc. Most of ATMs are still using
Windows XP which make this ATM an easy
target for the hackers.
 Continue ……
Electronic fund transfer has three
components which are communication link,
computer, and terminal (ATM). All three of
the components must be secured to avoid
the attack. We will look into the type of
assessment we can perform to analyze the
overall security of an ATM.
 Continue ……
1. Vulnerability Assessment and Network
Penetration Testing
VAPT are two types of vulnerability testing.
The tests have different strengths and are
often combined to achieve a complete
vulnerability analysis. In short, Penetration
Testing and Vulnerability Assessments
perform two different tasks, usually with
different results, within the same area of
focus.
 Continue ……
2. Application Security Audit:
An application security audit is an intensive,
technical, unprivileged and privileged
security test of an application and its
associated components with a high
percentage of manual testing and
verification. Since unprivileged and
privileged tests will be carried out, both the
perspective of an outsider (e.g. hacker) and
an insider are covered.
 Continue ……
We can divide this activity into two

a. Thick client application penetration

testing: Majority of the ATM application
are a thick client. We can perform an
application penetration testing of this
thick client application

b. Application Design Review: In this

activity, we can check for security
practices.
 ASSESSMENT OF
ATM SECURITY
SOLUTION
INSTALLED IN THE
ATM
What is ATM security solution?
Most of the ATMs run on Windows XP and
7.Patching individual ATM is a quite complex
process. Since Windows XP is no longer
supported by Microsoft, many ATM vendor
uses security solution to mitigate the threats
related to ATM attacks such as Malware-
based attacks, OS-level vulnerabilities.
 Continue ……

These security solutions allow the ATM

application to run in very restrictive
environment with limited services and
processes in the back end. Two of such
security solutions are Mcafee Solidcore and
Phoenix Vista ATM.
Test cases related to access the
OS and related file:
1. Check if USB is enabled, make your USB
bootable.

2. Plug-in the USB and boot the system

through USB.

3.Since most of the security solution take

over the OS as soon as it boots, keep on
pressing the “Shift” button at boot time.
Test cases related to access the
OS and related file:
4. If you are aware of valid username, then
enter that and press the “Enter” button. This
will result in direct access to the OS without
a password.

5. If you are not aware of valid username,

try login with “Administrator” as many ATM
does not disable the default administrator
account.
 Continue…..
6. Another way is to make your USB
bootable. Boot from USB, this will give
access to file system directly without any
Windows login.
 Test related to runtime code
authorization
Check if USB is enabled, try to run
unauthorized code (exe or batch file) directly
from the USB or using autorun feature of the
USB.
Test related to code protection:

Check if application related files can be

moved to another location, modified or
deleted
 Checks related to process
modification: :
Rename unauthorized file to a valid security
solution process. This will result in the
execution of unauthorized file when the
application starts.
Threats related to unauthorized
execution through registry
Check if any critical registry key can be
modified or unauthorized software can be
executed by keeping them in the Windows
startup folder. Executable under Windows
startup folder will execute first when the
system restarts.
Security Best Practices to be
followed for ATM
The banks can implement security best
practices to reduce the attack surface for the
attacker. This section can be categories into
three categories:
What are the threats to
ATMs?
The biggest risk in the transaction is
the magnetic stripe that exists on
most cards.

Card skimming is still the most

common and costly form of ATM
attacks.

On the software level, criminals are

also able to take advantage of ATMs
 Continue ……
 Protection against physical attacks

 Protection against logical attacks

 Protection against fraud attacks

Thank You
For Your
Attention
41