All cash machines can be hacked - and XP is to blame
Any cash machine in the world can be easily hacked partly because they still run Windows XP, a leading security company has claimed.
Kaspersky, winner of Computeractive’s past seven antivirus tests, said there are two key security flaws in the cash machines it examined. One is that they continue to run Windows XP, which hasn’t been safe since April 2014, when Microsoft ended support for it. The company will no longer fix security flaws in XP, making it easier for cyber-criminals to hack.
The other threat concerns the software cash machines use to contact banks when customers make a request for money. Kaspersky said that machines use an old communication standard called XFS, which doesn’t require authorisation for the commands it sends.
This means that hackers can use malware to track transactions, obtain information – including PINs – and even force a machine to give away all its money.
Olga Kochetova, security expert at Kaspersky, said that banks don’t take the threat seriously because of a “long-time misbelief that cybercriminals are only interested in cyber-attacks against internet banking”.
She added that hackers are increasingly targeting cash machines because it “shortens their route to real money”.
The combination of these two vulnerabilities has led to hackers changing tactics. Previously, their main form of attack was to attach a card skimmer to a cash machine – a device that steals PINs and data from the magnetic strip on the back of bank cards.
Malware attacks on cash machines began in 2009 with the emergence of the Backdoor.Win32.Skimmer virus, which let hackers withdraw all the money in a machine.
Built to infect cash machines in Russia and Ukraine, it has led to a wave of attacks worldwide. The threat is now so serious that in April Europol’s European Cybercrime Centre and security company Trend Micro jointly published the report ‘ATM Malware on the Rise’. It contained advice on protecting cash machines, and was sent to “law-enforcement authorities, financial institutions and the IT security industry”.
Stay Safe from Cash-Machine Scams
1 Hidden cameras
Scammers use hidden cameras to record your PIN. These are often placed inside a panel above a cash machine, or in a fake stand of leaflets next to it. Look out for small colour variations between panels.
2 Card gets stuck
Criminals sometimes use ‘card-trap’ devices that jam a card into machines, making it impossible to remove. Once you’ve given up, they remove the trap and take your card. If your card gets stuck, or is swallowed, cancel it immediately by phoning your bank.
3 Distraction scams
This is a more lo-tech tactic. A member of the public will distract you while you’re withdrawing money, giving them or an accomplice the opportunity to snatch your cash.
4 Card skimmers
Skimmers are devices that record your card details. Always check for signs of tampering near the card slot, such as sticky residue, tape or scratches.
