The Unabated Reign of ATM Hacking: The 2021 Rajasthan ATM Attack and the Proliferation of Novel ATM Hacking Tools and Techniques
ATM hacking, often known as ATM jackpotting, is the illegal withdrawal of cash from automated teller machines by exploiting their physical or technical vulnerabilities. Given how ubiquitous ATMs are, exploiting them is an attractive scheme for criminals across the world.
Even before the technological advances of the past decade, criminals had been pilfering ATMs using crafty physical methods such as forking, ATM lock picking, stealing entire ATM machines, etc. However, easy access to technology in recent years has allowed criminals to employ tools such as jackpotting, malware, exploits, etc., to achieve their goals.
In this article, we delve into the specifics of the numerous physical and electronic attack vectors used by ATM hackers, highlighting the 2021 Rajasthan ATM hack as an example of the continued proliferation of novel ATM hacking tools and techniques.
A typical ATM is composed of two primary components: a cabinet and a safe. The cabinet is the main body of the ATM and houses its main computer. This computer is connected to all the other devices of the ATM, such as network equipment, card readers, keyboards (PIN pads), and cash dispensers. With merely a plastic door secured by a flimsy lock, the cabinet is practically unprotected.
Furthermore, most ATM manufacturers use the same lock for all ATMs of a particular series, and the matching keys are readily available on the internet; attackers can also pick the lock or drill through the weak plastic. Since these plastic cabinets house the cash dispenser and cash acceptor modules, they would be considerably more durable if they were instead made of steel and concrete.
The majority of ATMs in the world now run on Microsoft Windows, primarily Windows XP Professional or Windows XP Embedded. In 2014, 95% of ATMs were still running Windows XP. According to Wikipedia, a small number of deployments may still be running older versions of Windows, such as Windows NT, Windows CE, or Windows 2000, even though Microsoft currently supports only Windows 8 and Windows 10.
To function, the ATM software must communicate with peripherals such as the card reader, the keyboard, and the cash dispenser. XFS (eXtensions for Financial Services), a standard for simplifying and centralizing equipment control, facilitates this communication. Every ATM vendor implements XFS differently.
Since most ATM thieves are not particularly tech-savvy, they resort to tried-and-tested physical jackpotting methods. To make a quick heist, they primarily use conventional techniques such as shoulder surfing card PINs, brute forcing their way into the ATM safe, and so on. Some of the common methods include:
Lately, ATM thieves have also begun to employ technology to circumvent ATM security systems. Since they lack the technical training and financial resources required to evade ATM security themselves, they turn to threat actors who sell the finished products required to accomplish this. On cybercrime forums and underground markets, there is a burgeoning ecosystem of actors selling a range of software along with detailed video tutorials on how it can be leveraged to hack an ATM.
The most common of these methods are:
The communication between the ATM and the processing servers is either unencrypted or only weakly encrypted. The attacker sets up a counterfeit processing centre on the ATM's server connection and delivers fake processor-server responses to the machines, resulting in a cash jackpot.
On 26 July 2021, the Indian SOG (Special Operations Group) arrested two foreign nationals for illegally withdrawing INR 3.2 million from different ATMs in Rajasthan. The two women who were arrested are residents of Uganda and Zambia. The duo used a Raspberry Pi to hack into the ATM server and siphon off money illicitly from six ATMs in Jaipur, across the areas of Mahesh Nagar, Gopalpura, Nehru Place, and Sanganer, between 16 and 18 July 2021.
Prior to this incident, the duo had unsuccessfully attempted to tamper with a Bank of Baroda ATM at Keshavpura. This incident was brought to light by the Manager of Bank of Baroda, Mahesh Nagar, when he lodged an FIR regarding the ATM hack on 16 July.
The two women involved in this crime have been identified as Laura Keith and Nan Tongo Alexander, residents of Zambia and Uganda respectively. Both of them have completed their education up to the 11th standard and were residing in an apartment in Delhi. This was their third visit to India and they stayed at the Polo Victory Palace Hotel in Jaipur during the time of the incident. They appear to have been in the process of setting up a cybercriminal network in India.
The duo started their quest on 14 July by visiting various ATMs in Jaipur. They selected their targets based on:
Their reconnaissance helped them figure out which ATMs could be targeted. The hackers were not only meticulous about their target selection but also about their appearance. They changed their disguises after every hack, making it difficult to identify them in CCTV footage.
After hacking six ATMs in Jaipur, the duo moved to Udaipur and repeated the same process.
This hack was an intelligent execution of a man-in-the-middle (MITM) attack in which the hackers used a Raspberry Pi to gain control over the ATM’s server. A man-in-the-middle attack occurs when an attacker positions themselves between a user and a service provider, discreetly monitoring or even altering the interaction between them.
Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. It’s an affordable, credit-card-sized computer, developed primarily for educational purposes, to facilitate coding among students and in developing countries.
It can also be used with a television or a computer display and can perform all of the functions of a desktop computer. It uses a regular keyboard and mouse and is currently being utilized in a wide range of fields, including robotics.
In this incident, the felons purchased the device for INR 7,000 from Amazon and configured it to act as a server. They then visited various ATMs, plugged in the device, replaced the bank’s server port with their own custom server, and connected it to the ATM via Wi-Fi. As a result, the ATM was completely disconnected from the bank’s main server, allowing them to withdraw money without notifying the bank.
However, due to a technical glitch, only ATMs still working on the old manual system settings could be exploited by this device, which limited the hackers’ potential targets.
As mentioned, this hack was possible only on ATMs using the old manual system settings, which highlights the importance of patching and updating ATM software regularly.
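To make the weakness behind both the fake-processing-centre method and the substituted Raspberry Pi server concrete, the following is an added example (not part of the original article, and not any vendor's or bank's protocol). It contrasts an ATM that believes any "approve" arriving on the host link with one that only acts on a response carrying a valid HMAC, bound to its own request nonce; the key, terminal id, message format and amounts are all constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed example key: in practice a per-terminal secret provisioned when the ATM is
# commissioned and never sent over the network link an attacker could substitute.
TERMINAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def canonical(fields: dict) -> bytes:
    """Deterministic serialisation so host and ATM compute the MAC over identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def make_request(terminal: str, amount: int, nonce: str) -> dict:
    """Withdrawal request; the fresh nonce ties the host's answer to this one transaction."""
    return {"terminal": terminal, "amount": amount, "nonce": nonce}

def host_authorize(request: dict, key: bytes) -> dict:
    """Genuine processing centre: echoes the request fields and MACs them with the shared key."""
    response = {k: request[k] for k in ("terminal", "amount", "nonce")}
    response["decision"] = "APPROVE"
    response["mac"] = hmac.new(key, canonical(response), hashlib.sha256).hexdigest()
    return response

def legacy_atm_accepts(response: dict) -> bool:
    """The weakness the article describes: whatever answers on the host port is believed."""
    return response.get("decision") == "APPROVE"

def hardened_atm_accepts(request: dict, response: dict, key: bytes, seen_nonces: set) -> bool:
    """ATM-side check: act on the decision only if it is authenticated with the terminal key,
    bound to this exact request, and not a replay of an earlier approval."""
    body = dict(response)
    mac = str(body.pop("mac", ""))
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # a substitute server without the key cannot produce a valid MAC
    for field in ("terminal", "amount", "nonce"):
        if body.get(field) != request[field]:
            return False  # approval for a different terminal, amount or transaction
    if body["nonce"] in seen_nonces:
        return False  # a captured genuine approval replayed to dispense a second time
    seen_nonces.add(body["nonce"])
    return body.get("decision") == "APPROVE"

# Constructed scenario: an unauthenticated "APPROVE" from a device standing in for the bank's host.
ROGUE_RESPONSE = {"terminal": "ATM-JPR-01", "amount": 10000, "nonce": "n-1",
                  "decision": "APPROVE", "mac": "00" * 32}
```

The legacy check accepts the rogue response outright, while the hardened check rejects it, accepts the genuine one exactly once, and rejects the same approval replayed or presented with an altered amount.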
We strongly recommend that banks:
ATM hacking has progressed significantly over time. ATM thieves are no longer merely stealing cash from ATMs; they are now trading ATM details and ATM card information for money, or for various hacking tools such as malware, databases, accesses, etc. The following are advertisements for ATM-related malware and exploits that have been posted by various threat actors across multiple forums.