ATM Attacks Cash-In on Vulnerable E-Life

By Matthew Hines  |  Posted 2009-06-06 Print this article Print

Thursday's report of hacked ATMs loaded with credential-skimming malware applications discovered in Eastern Europe received a lot of attention, and rightfully so, because who among us does not use the devices?

And it's always interesting and somehow shocking to hear of such attacks that target some of the more mundane machines we've embedded in our lives that we don't necessarily consider proper "computers" - mostly because they don't offer the array of functions that we've come to associate with our traditional hardware and laptops, and more recently with our handheld gadgets.

I mean, when I look at an ATM, I know that it's a computer, but it's not a "computer," it's just a dumb terminal that performs a simple set of instructions over and over again connected to a network, like a gas pump or a bus pass kiosk or whatever. It belongs to somebody else, and is therein their problem to manage.

These aren't strategic assets that we've needed to worry about in terms of electronic attack, at least not as end users. There have been far more reports of people smashing cars into ATMs to crack them open, or simply picking them up and stealing the entire machines altogether than we've heard instances of electronic campaigns that seek to infect them.

At the same time, we've learned to become suspicious of nearly every form of electronic content flowing through these dynamic, powerful little computing devices that we carry with us everywhere. And also the big systems that we use at work. Devices that we rarely let out of our sight - which we worry about plugging nearly anything into - that many of us have attempted to manage far more wisely in recent years and employ and range of products to protect from attack.

Items for which direct physical access - unlike ATMs - is not really an issue that we need to worry about, at least not compared to the litany of electronic threats that they face.

But in a lot of ways that really doesn't make sense. An ATM is essentially a public facility, to which access is universally available to anyone, anytime, unless they can't somehow get their hands on an ATM card, which means that they're pretty desperate, at least in the developed world.

We've seen some frightening research regarding how vulnerable some of these unmanned kiosk/terminal type devices are to attackers who desire to break into them to upload code that is meant to wreak some form of havoc.

From e-voting machines that can be opened with master keys available on eBay, to the rumor that TJX Companies originally got hosed by a data entry device used to screen job applicants' most basic information, there's some pretty scary evidence pointing to the types of chaos these types of terminal-based attacks might be able to deliver. And these devices pretty much all have a fixed local position, allowing for more precise application of social engineering in potential campaigns.

The notion that attacks are driving down to the silicon level, and that every manner of sophisticated computing device is a ripe target for a range of both electronic and physical threats is something that we've come to associate closely with both our personal and business computing and communications devices. Regulators and legislators are clearly coming around to the idea that we need to do a better job of protecting highly critical assets, like our government systems, and properties including the national electric power grid itself.

But we must also more openly recognize the need to adopt a similar perspective regarding any thing that runs a computer, no matter how simple and commonplace, no matter how ubiquitous, especially anything that can be connected with our personal information, and to networks, from ATMs to even our cars.

Not that it should stop us from using them as much as we do, if not more. It's just out there now.

As we've talked about for so long, computers have become embedded in nearly every corner of our life.

So has the threat.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel