Hacking ATMs

The main articles are:

• ATMs in Russia
• Information security in banks

Types of attacks

• Jackpotting - installation and activation of malware by criminals on an ATM.

2022

In Saratov, severe sentences were passed on gang members who eviscerated ATMs for 12 years

In November 2022, the Saratov Regional Court sentenced two members of the gang of thieves Alexander Ilchenko and Vladimir Romanovich to 17 and 15 years in a maximum security colony, respectively, for stealing money and jewelry. Read more here.

A resident of Perm has been stealing money from ATMs in an unusual way for 10 years

In mid-November 2022, it became known that a resident of Perm has been stealing money from ATMs in an unusual way for 10 years. Details about the crimes committed to the publication Ura.ru told a source in law enforcement agencies.

According to him, for 10 years, about once a year, an unknown robbed ATMs. Sberbank He makes a dig, cuts the bottom from the ATM from below and steals money in the amount of 3 million to 5 million. rubles For 10 years, the damage is about 35 million rubles. The case by mid-November 2022 was never disclosed, the agency's interlocutor said.

A resident of Perm has been stealing money from ATMs for 10 years, making a dig

According to the source, the rapid response team sees an automatic message about the dangers of this or that ATM and arrives at the crime scene, but does not notice any traces of hacking, since everything happens underground. While experts are figuring out what is the matter, the robber is hiding with money.

However, not all criminals manage to successfully steal money from ATMs. For example, a resident of Tomsk, under cover of night in October 2022, decided to saw an ATM mounted in a stop. As soon as he touched the terminal, the siren sounded (it seems that this was obvious to everyone except the robber). The man was nervous, accidentally touched his hand with a grinder and decided that freedom was more expensive than money. He escaped, and 3.9 million rubles did not wait for him at the ATM.

A similar unsuccessful attempt occurred in Novosibirsk. True, the attacker did not come with a grinder, but with a sledgehammer and a mount. He started smashing an ATM to get money out of it. The box of money got a lot, but it was not possible to get the cash out of it. It also failed to escape from the site of the defeat - the guards stopped the villain and pressed the panic button. A couple of minutes later, Rosgvardia arrived.^[1]

Alfa-Bank and other banks stole 60 million rubles due to outdated NCR ATMs

As it became known at the end of October 2022, 60 million rubles were stolen from Alfa Bank and other banks due to outdated ATMs. A criminal case was initiated on the fact of theft on an especially large scale (paragraph "b" of part 4 of article 158 of the Criminal Code of the Russian Federation).

According to Kommersant, the attackers stole money for several days. Criminals deposited fake bills through outdated ATMs of the American company NCR, and then withdrew real money from modern ATMs.

It was possible to detect falsehoods only during collection, while fraudsters continued their fraud even as law enforcement agencies began to conduct an audit.

In other ATMs, the criminals managed to withdraw almost all the money. It was not possible to cash out 75 thousand rubles. - Alfa-Bank turned off the function of accepting banknotes with a face value of 5 thousand rubles at ATMs. Alfa Bank said that they would refuse to comment during the investigation. According to the newspaper, almost all bank accounts and cards were issued on dummies (drops). A similar scam remained undisclosed in 2019 - then about 1.5 million rubles were contributed to the ATMs of MKB, Unicredit Bank and Raiffeisen Bank produced by the same NCR. Five thousandth bills of the "joke bank," which were cashed in other devices.

Alfa-Bank told Kommersant that they would not comment on this issue while an investigation is underway. The newspaper notes that three years ago the bank stated that they did not have old modifications of NCR ATMs.

Due to sanctions, the American firm stopped working in Russia, including servicing ATMs. The software in them is not updated, and this does not provide protection against the introduction of banknotes of the "joke bank" into ATMs, the newspaper notes.^[2]

In the Moscow region, the AI system helped find thieves who had ruined money from ATMs

In early June 2022, it became known about the detention in the Moscow region of suspects who opened payment terminals and ATMs and carried away cassettes with money. The police have identified the attackers, thanks to a modern video analytics system based on. artificial intelligence Judging by the video frames in the plot of the TV channel "Russia 24," ATMs suffered. Sberbank

Employees of the criminal investigation department of the Main Directorate for MINISTRY OF INTERNAL AFFAIRS Russia the Moscow Region, together with colleagues from the Russian MIA Administration for the Leninsky City District, as a result of operational-search measures, detained two men aged 25 and 33, one of whom was previously convicted, suspected of committing a series of thefts.

In the Moscow region, the AI system helped find thieves who had ruined money from ATMs

According to operatives, in the village of Drozhzhino, the attackers squeezed the plastic door at night and illegally entered the grocery store. The men hacked into the information and payment terminal and stole a cassette containing about 300 thousand rubles.

At the scene of the incident, police found a screwdriver, a crowbar and an ax-colun. According to the expert's conclusion, the traces of hands identified on the instruments of the crime coincide with the dactylocartings of the detainees. A criminal case was initiated under Article 158 of the Criminal Code of the Russian Federation "Theft."

With the use of artificial intelligence, we have learned to predict an attempt at robbery: a person bowed incorrectly for a normal client and we already have an alarm signal, since today in such situations AI already assumes that there is an attempt on an ATM, "said Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank.

The bank noted that with the increase in the number of ATM explosions, Sber learned to use its own approaches to finding intruders. For example, modern ATMs have trackers, tracking sensors, cameras and encryption devices.

2021

Diebold-Nixdorf ATMs reveal vulnerability to black box attacks

On October 25, 2021, Positive Technologies announced that experts Vladimir Kononovich and Alexey Stennikov discovered vulnerabilities in Wincor Cineo ATMs with RM3 and CMD-V5 dispensers (as of October 2021, the Wincor brand belongs to Diebold Nixdorf). The researchers managed to bypass protection against black box attacks and issue cash. Read more here.

Hackers who robbed dozens of ATMs convicted in Russia

At the end of March 2021, the Industrial District Court of the city of Stavropol sentenced Mikhail Grinevich to 16 years in a maximum security colony for organizing a criminal group that hacked into the bank's computer systems and stole funds from ATMs. Grinevich's accomplices received from 6.5 to 9 years in prison, the FSB reports. Read more here.

2020

In the Stavropol Territory, criminals stole more than 13 million rubles. from ATMs

On February 12, 2020, it became known that the Prosecutor's Office of the Stavropol Territory approved the indictment against 9 citizens in the case of 18 episodes of theft of funds from ATMs.

According to investigators, with the help of malware, members of the group hacked into the banking protection system via the Internet, gained access to ATMs and stole money. Thus, they managed to steal funds from 18 ATMs located in the Stavropol Territory. The amount of damage is estimated at more than 13 million rubles.

The attackers were charged under Art. 210 of the Criminal Code of the Russian Federation (management of structural units included in the criminal community and participation in the criminal community), part 3 of Art. 30, paragraphs "a," "b" part 4 of Art. 158 of the Criminal Code of the Russian Federation (attempted theft), part 4 of Art. 158 (18 episodes) of the Criminal Code of the Russian Federation (theft committed by an organized group on an especially large scale). The materials of the criminal case were sent to the Industrial District Court of Stavropol for consideration on the merits^[3].

Three citizens of Ukraine were detained for theft from Sberbank ATMs in 15 cities of Bosnia and Herzegovina

According to the police, in 53 hours the robbers managed to clean the 23 of the Payten ATM in several settlements - in Brchko, Orash, Tuzla, Lukavac, Kladan, Vogosh, Sarajevo, Kiselyak, Kreševo, Hažić, Ilije, Mostar, Chitluk, Zenica, Kakan and, finally, in Bihac. Read more here.

Fraudsters contributed "souvenir bank tickets" to Sberbank ATMs and robbed them for 3 million rubles

On February 10, 2020, it became known that investigators of the Krasnoyarsk Territory completed an investigation into a large theft from a local branch of Sberbank. The attackers were able to steal almost 3 million rubles from the bank by replenishing their accounts through ATMs with souvenir banknotes of 5,000 "takes."

The incident occurred in October 2018. Information security systems of the Krasnoyarsk branch of Sberbank recorded suspicious activity of users of ATMs installed in two stores and an additional bank office. Customers massively contributed cash to the receivers of the devices in the amount of several tens to 150 thousand rubles and immediately withdrew it from accounts - but already in Kurgan.

Criminals replenished their accounts with fake five thousandth bills - "tickets of a bank of souvenirs"

During the investigation, it was found that fraudsters pasted metallised protective strips on toy banknotes, which helped them "deceive" ATMs.

Sberbank filed a complaint with the Krasnoyarsk police. He explained that according to the internal rules, "from the moment the funds are credited to the account, the client gets the opportunity to freely dispose of them," so the police considered the fact of laying fakes in the apparatus to be theft on an especially large scale and opened a criminal case under Part 4 of Art. 158 of the Criminal Code.

On suspicion of committing a crime, four people were detained, they were charged with especially large theft. The investigation believes that the organizers of the scam are two brothers, "authoritative in criminal circles immigrants from Georgia."

The scheme for cashing out "takes," according to the publication, has already been worked out in Moscow, St. Petersburg, Yaroslavl, Khabarovsk, Kurgan and several other Russian cities. It is noted that all ATMs used by the attackers were manufactured by NCR and belonged to the old, large-format series.^[4]

2019

A resident of the Khabarovsk Territory stole 90 thousand rubles. using an error in the system of money transfers at ATMs

On December 26, 2019, it became known that a 24-year-old native of Nikolaevsk-on-Amur stole about 90 thousand rubles. from the accounts of 25 people. According to the press service of the Russian MIA Administration for the Khabarovsk Territory, the attacker took advantage of the peculiarities of the functioning of the system for transferring money through ATMs (by the end of December 2019, banks had already closed this "loophole").

The man acted in large shopping centers and shops in different areas of Khabarovsk. He transferred the stolen money to cell phone numbers, and cashed it with a bank card registered in his name. The man spent income from illegal operations on gambling.

Law enforcement agencies became aware of the actions of the criminal in the spring of 2019. The suspect was detained with the participation of fighters of the Russian Guard. During a search at the man's place of residence, SIM cards of several telecom operators and a bank card were found and seized.

A criminal case was initiated against the criminal on the grounds of a crime under Part 3 of Article 158 of the Criminal Code of the Russian Federation ("Theft from a bank account"). The man pleaded guilty in full, wrote a confession and returned the stolen funds.

The court found the young man guilty and sentenced him to five years probation with a probationary period of five years. In addition, he is obliged to pay a fine of 150 thousand rubles.^[5]

Hackers who stole more than 10 million rubles from ATMs of Sberbank and Vozrozhdenie Bank were charged.

On December 13, 2019, it became known that Investigative Committee of Russia (IC) he had charged two with to hackers banks robbery by hacking ATMs. In their "work," the criminals used a specialized one that ON literally forced ATMs to unload money. More. here

Criminals from Nizhny Tagil robbed ATMs using radio interference

On November 14, 2019, it became known that a criminal group consisting of three residents Nizhny Tagil robbed ATMs using radio interference. According to the press service, in the MINISTRY OF INTERNAL AFFAIRS RUSSIAN FEDERATION period from November 2017 to February 2019, attackers stole more than 8 million rubles in this way.

The activities of the group were suppressed by employees of the Main Directorate of the Ministry of Internal Affairs of the Russian Federation for the Sverdlovsk Region with the participation of the Russian Guard in February 2019. As of November 2019, a preliminary investigation has been completed, and the materials of the criminal case have been sent to the Leninsky District Court of Nizhny Tagil.

As it turned out during the investigation, the head of the group is a 46-year-old previously convicted man. He developed a plan according to which one of the accomplices was looking for ATMs located on the first floors of buildings. The attacker checked the presence of a security alarm, studied the possibility of hacking using special equipment, by breaking the floor or by dismantling the walls.

Having confirmed the availability of all the necessary conditions for robbing an ATM, the criminals illegally entered the premises and turned off the alarm. Then, using an electronic device for creating radio interference, they blocked the communication channels of complexes for issuing and receiving money and, using gas welding equipment, cut the side walls of ATMs, and then got the money. During the trial, one of the accomplices monitored the environment and ensured the immediate departure^[6].

Thousands of ATMs in Russia accept toy money due to outdated software

At the end of August 2019, it became known that thousands of ATMs all over Russia accept toy money due to outdated. software Attacks were carried out only on the company's ATMs NCR and only with validators (a device that recognizes banknotes) ABV, HBV and RBV.

A source familiar Kommersant with the situation said that the manufacturer is aware of thefts using the vulnerability in four: banks on August 23, 2019 Unicreditbank , 800 thousand rubles souvenir bills were made to the ATM, earlier incidents occurred in the ICD (565 thousand rubles) and in (122 Raiffeisen Bank thousand rubles). 

Russian ATMs did not pass the "joke bank" check

The problem lies in the outdated firmware of the validator. Older equipment does not lend itself to more accurate settings of recognition patterns. As a result, this leads to the refusal to accept money by ATMs.

However, NCR itself, according to the source, does not plan to update the software, but refused to support outdated ATMs. The company supported the idea of ​ ​ the Central Bank, which believes that banks just need to update the fleet of outdated devices.

According to Dmitry Turchenkov, head of the Digital Securities research department, "attackers could make it easier for themselves to test the drawn money by simply buying a validator." For example, the Deposit Insurance Agency (DIA) periodically sells bankrupt bank ATMs at auction.

Restrictions for buyers of such equipment have not been established, the DIA noted. Thus, an ATM model similar to the one attacked was sold by the DIA as part of the property of the Industrial Energy Bank.

According to the Central Bank of the Russian Federation, at the beginning of the year there were more than 200 thousand ATMs in the country, of which 135 thousand were with the function of accepting cash. According to information on the NCR website, 40 thousand devices of the manufacturer have been installed in Russia.^[7]

2018

Hackers actively rob ATMs without using malware

On November 29, 2018, Kaspersky Lab experts shared information that during 2017-2018 they had to investigate a number of strange attacks on Eastern European banks, combined with tools under the code name KoffeyMaker: criminals quickly and almost freely emptied ATMs and were so. It quickly became clear that the attackers made attacks under the general name black box, which were to a large extent "physical."

The attacker opened the ATM, connected the dispenser to his own, to the laptop closed the ATM and left the crime scene, leaving the device inside. Further investigation showed that a laptop with installed drivers for an ATM dispenser and a patched KDIAG utility acted as an "instrument of crime USB "; A GPRS modem was connected to it for remote access. OS The version was Windows most likely used as a version, or XP ME for 7 better compatibility with drivers, - says the publication of Kaspersky Lab.

The ATM dispenser is connected to a computer without the necessary drivers

The use of such "antique" operating systems by cybercriminals is explained very easily: many ATMs still use outdated software, "explained Oleg Galushkin, director of information security at SEQ (formerly SEC Consult Services). - ATMs are generally one of the most vulnerable components of the banking infrastructure, although in theory they should be as secure as possible. As a rule, ATMs are based on ordinary computers based on Windows OS, often outdated versions, to which additional hardware components are connected, including a card reader and a dispenser. It is somewhat easier to open the outer shell of the ATM than the dispenser in which the banknotes are stored. At the same time, attackers often have the opportunity to reconnect the dispenser to foreign equipment - without any consequences and alarms. Ultimately, a combination of such physical and information security flaws makes ATMs easy prey for thieves.

Then the situation developed according to a typical scenario: at the right time, the attacker returned and imitated working with an ATM, and his accomplice - if any - remotely connected to a hidden laptop, launched KDIAG and gave the dispenser a command to issue banknotes. Then the attacker (s) took the money, and then the laptop.

One person could well have implemented the entire operation, but the partnership scheme, in which one participant is a "mule" and works directly with money and an ATM, and the second, for a share of the loot, provides technical support for the operation, is more widespread, the Kaspersky Lab publication says.

As Laboratory experts noted, in general, the principle of robbery KoffeyMaker is similar to the Cutlet Maker described in 2017 (malware for stealing money from ATMs, freely sold in the Darknet), but this time the attackers used almost exclusively legitimate programs for the operation. Only the KDIAG utility has been modified in such a way that now antivirus products detect it as malicious.

The production of intruders can be in the tens of thousands dollars from only one ATM. The only way to protect against such an attack is to use hardware enciphering data in the "dispenser - ATM PC" section. The publication indicates that earlier the same version of this program was used by cybercriminals from the APT group Carbanak.^[8]

Testing NCR, Diebold Nixdorf and GRGBanking ATMs for attacks

On November 14, 2018, Positive Technologies reported that its experts tested ATMs made by NCR, Diebold Nixdorf and GRGBanking and identified potential risks for banks and their customers.

69% of the ATMs examined were vulnerable to the Black Box attack. The attack consists in connecting a special device to the dispenser, programmed to send commands for issuing bills. In some ATM models, it will take the offender 10 minutes to do so, the report said.

Most ATMs (85%) are not sufficiently protected from attacks at the network level, in particular from the substitution of the processing center, which allows you to intervene in the process of confirming a transaction and fake a response from the center - approve any request for cash withdrawals or increase the number of bills issued. The study also provides examples of attacks on network devices - GSM modems to which ATMs are connected: as a result, you can develop an attack on other ATMs of the network and even on the internal network of the bank.

It is noted that 92% of ATMs are vulnerable to attacks related to the lack of encryption of a rigid disk. So, an attacker can connect to the hard drive of an ATM directly - and if the contents of the disk are not encrypted, write a malicious program to it and disable any means of protection. As a result, the offender will gain control of the dispenser.

In 76% of ATMs, an attack "Exit from kiosk mode" is possible. It involves bypassing the restrictions set for an ordinary user and executing commands in the OS of the ATM. According to experts, it will take an attacker 15 minutes to carry out such an attack, and even less with careful preparation and use of automation.

During the security analysis, it turned out that in most ATMs you can freely connect third-party devices. This allows an attacker to connect a keyboard or other device that simulates user input. In most cases, ATMs were not prohibited from using some common keyboard shortcuts to gain access to OS functions, and local security policies were configured incorrectly or completely absent. 88% of ATMs managed to bypass the installed solutions of the Application Control class due to an incorrect approach to the formation of a list of trusted applications or due to vulnerabilities, including zero day, in the code of the security tools themselves. "

First of all, logical attacks on ATMs are aimed at their owners, but may affect the bank's customers. When analyzing the security of ATMs, we identify vulnerabilities associated with the possibility of network attacks, configuration and security errors ON , and insufficient protection of peripheral devices. All these shortcomings allow attackers to steal money from an ATM or intercept data payment cards customers. To reduce the risk of attacks, attention should be paid to the physical protection of the service area, it is necessary to register and monitor security events both at the to infrastructure ATM itself, which will allow you to respond to emerging threats in time. In addition, it is important to regularly analyze the security of ATMs in order to timely identify and eliminate existing vulnerabilities.

Vulnerability in ATMs led to massive stuffing of fake bills

In early September 2018, it became known about the massive stuffing of fake banknotes with a face value of 5 thousand rubles into ATMs. The problem is related to the vulnerability of outdated equipment.

As employees of two large banks told Vedomosti, the manufacturer of ATMs NCR warned Russian customers that fraudsters began to actively cash out fake banknotes through ATMs with old devices for checking bills.

A large manufacturer of ATMs NCR reported a massive stuffing of fake banknotes with a face value of five thousand rubles

The interlocutors of the publication found it difficult to assess the damage, since not all ATMs have been collected yet, but it is already clear that we are talking about several million rubles of losses per bank.

According to the newspaper, vulnerable ATMs need to reconfigure the software, but this takes some time, and until then, many banks, on the advice of NCR, chose not to temporarily accept five thousand banknotes into vulnerable ATMs.

The representative of the Moscow Credit Bank (MKB) Andrei Strom told Vedomosti that less than 5% of their ATMs were exposed to vulnerabilities. At the same time, he did not specify whether the reception of five thousandth bills is limited. Alfa-Bank after warning NCR stopped accepting such bills in all 18 ATMs of the old model (0.5% of the network). Sberbank said that the credit institution did not impose any massive restrictions on accepting bills at the bank's ATMs.

In order not to become a victim of fraudsters, citizens are advised to withdraw large amounts of money at bank branches, and not at ATMs.

Sources of the publication in banks note that it will be very difficult to find fraudsters. Since the bills entered into the ATM are mixed, and it is impossible to track who contributed the real and who the fake money.

Earlier, the Central Bank published statistics on fake banknotes for the second quarter of 2018. In total, the regulator discovered 9415 fake banknotes, 16 of them were counterfeiting new banknotes with a face value of 2000 rubles.^[9]

2017

The volume of illegal transactions with ATMs and terminals decreased to 230 million rubles

According to statistics from 2017, the interest of fraudsters in attacks on ATMs and terminals is declining. Thus, the volume of illegal operations with them decreased by a third to 230.7 million rubles. And the damage from the actions of fraudsters amounted to 42 million rubles.

According to FinCERT, several ways to hack ATMs are mainly used: connecting devices to devices that allow them to be controlled, remote control after infection with a virus and physical impact on them (for example, explosion).

The attention of the attackers switched to CNP-transactions (English Card not present transaction), in which the card holder may not be physically present during and at the place of payment. The volume of the latter is insignificant (by about 1.5%), but increased, amounting to 726.4 million rubles.^[10]

Trend Micro and Europol reveal how ATMs are broken

The company's specialists, Trend Micro as well as employees of the European cyber crime Cybercrime Center (EC3), presented a joint report entitled "Cashing in on ATM Malware." The report analyzes both physical and network attacks on ATMs using malware, and also tells where such malware is created^{[11][12][13][14]}

According to researchers, malware for ATMs has evolved significantly in recent years. So, attackers no longer need to have physical access to the device in order to infect it, they can carry out remote network attacks using the bank's corporate network for this. The report provides examples of recent attacks in which attackers used a banking network to steal money and credit card data from ATMs, despite its segmentation. The researchers note that such attacks not only jeopardize users' personal data and the security of large sums of money, but also lead to financial institutions violating PCI security standards.

Previously, the main way to infect ATMs was mainly physical hacking: attackers had to gain direct access to the device and download malicious software to it using USB or CD. Despite the fact that this scheme is still in use today, attackers have found a new entry point: the network. This is also facilitated by the fact that hundreds of thousands of ATMs run on operating systems that no longer receive updates to fix vulnerabilities or for which patches will soon stop being released.

For example, in July 2016, 41 ATMs in 22 branches of the Taiwanese First Commercial Bank were subjected to a cyber attack, as a result of which the attackers managed to steal about 2.5 million dollars USA (80 million new Taiwan dollars). During the investigation, it turned out that in order to implement the robbery, the hackers had previously carried out a rather complex network attack.

2016

Drill is a new tool for ATM hackers

At the end of October 2016, Deputy Chairman of Sberbank Stanislav Kuznetsov announced a new way to steal money from ATMs.

The crime is called a drilled box, when a hole is drilled in an ATM of only a certain brand, a bus is connected, and money is paid instantly through this bus. The manufacturer was immediately informed that this was easy and quick to do, but there was no reaction from him, "Kuznetsov said, TASS reports the Russian Information Agency.

According to the deputy chairman of Sberbank, the tendency to use this method of theft appeared literally four to five months ago. At the same time, information security experts note that this is a long-known method of fraud, which combines mechanical and computer hacking.

I believe that Sberbank got excited with the new term drilled box and in vain "shook up" the market with supposedly some new type of threat. This is a problem known a couple of years ago related to the connection of a fraudulent device to the control unit of an ATM dispenser (device for a currency dispenser), the so-called Black Box, which, bypassing the ATM system unit, gives a direct command to the dispenser to issue money from cassettes, without any card transactions, - explained to TAdviser Director of Electronic Business Monitoring at Alfa-Bank Alexei Golenishchev.

He added that access to the control bus of the dispenser can be obtained not only by drilling holes in the ATM panel, but also in other ways: for example, by opening the service area of ​ ​ the ATM (opening the door, etc.). Therefore, the problem needs to be solved comprehensively, and not from a specific type of "attack," Golenishchev believes. "The problem is solved by encrypting the data/data link from the ATM system unit to the dispenser. There are such solutions, and they really should be demanded from manufacturers, "he explained.

Positive Technologies, which specializes in information security, also confirms that such a technique is not new.

The first mention of the use of a drill to penetrate the cabinet area of ​ ​ an ATM dates back to 2013 (before that, the drill was simply used to fill the ATM with gas and blow up). However, interest in logical attacks on ATMs again attracted the attention of cybercriminals to this scenario, "says Timur Yunusov, head of the banking system security department at Positive Technologies, to TAdviser.

According to him, there are several of the most popular methods of logical attacks on ATMs:

• connect to a device that issues bills (dispenser) and directly send commands to issue money. The latest ATM models are more or less protected from such attacks.

• connect to the card reader and quietly remove card data for the subsequent manufacture of duplicate cards

• exploit the disadvantages of network settings to intercept data going to the bank. Thus, you can both remove card data and force the ATM to issue money from any card without even changing the balance on it.

• connect to the system unit, bypass the means of protection and install a malware that will perform the same manipulations: save card data or issue money "on command."

About ATMs of which manufacturer complained in Sberbank, the press service of the company does not comment. In other financial and credit institutions, they also do not talk about it. According to a source in one of the banks, it is not profitable for anyone to disclose this information: "Since craftsmen will immediately begin to study ATMs and drill them."

Positive Technologies believes that theoretically this can be done with an ATM from any manufacturer. According to Timur Yunusov, at any ATMs the cabinet area is always very poorly protected - by and large it is an ordinary door made of fragile metal and plastic.

The most popular ATM manufacturers are NCR, Diebold Nixdorf, Wincor Nixdorf. Each vendor has 2 − 3 most popular models. Each of them can theoretically apply this or that attack, it all depends on the model, security settings, shortcomings of a specific assembly and the human factor, - Timur Yunusov believes.

Knowing exactly where to drill, where to bring the wires and what to eventually connect to is a kind of neurosurgical operation that requires practice, the expert believes.

Experts predict an increase in the number of attacks on ATMs in the Russian Federation by 30%

The number of hacker attacks on both banks and ATMs in Russia will grow by 30% in 2017. This forecast is given in a study published by Positive Technologies.

According to FinCERT, in the period from June 2015 to May 2016, 17 cases were recorded in Russia related to unauthorized access to ATM software and a subsequent attempt to steal funds. During the attacks, attackers attempted to steal funds worth more than 100 million rubles, said Positive Technologies analyst Vadim Solovyov.

As indicated in the study, the number of logical attacks on ATMs using malware in Europe in 2016 increased by 287% compared to the previous year. For example, the damage from theft using only one GreenDispenser malware in Eastern Europe in 2015-2016 amounted to about $180 thousand. As Solovyov noted, currently there are no cases of infection of ATMs in Russia with GreenDispenser malware, but a similar ATM device allows attackers to use the same malware in campaigns around the world.

In particular, GreenDispenser, which was used in attacks on ATMs in Mexico in 2015, was spotted in Europe some time later. As Solovyov explained, it is more convenient for attackers to switch from one country to other regions where they are not yet ready to repel such attacks.

According to the expert, the criminals gained access to the service area of ​ ​ the ATM and installed the GreenDispenser malware. Then special people, the so-called drops, used a Trojan to withdraw money from an ATM. Since GreenDispenser is designed only for issuing funds, and not theft of bank card data, a message was displayed on the ATM screen stating that the device is temporarily not working in order to prevent the issuance of money to ordinary bank card holders.

In order to withdraw money from the ATM, the drop had to enter two -codes PIN established by the developers. trojan After that, he gained access to the malware management interface, where the cash dispensing function is available. Having successfully emptied the ATM, the drop removed GreenDispenser from the system.

Such attacks can take on a massive character, experts warn. When developing financial applications on the Microsoft Windows platform, a special Extension for Financial Services standard is used for the compatibility of ATM equipment software with various devices, which is used by all major ATM manufacturers.

Central Bank spoke about a wireless way to steal money through ATMs

On March 17, 2017, the Central Bank of the Russian Federation talked about a new way to steal money through ATMs. We are talking about a remote method.

We always, when we talked about skimming, noted that an attacker should put something on an ATM, now a new technology has appeared, wireless, - reports TASS Information Agency of Russia with reference to the deputy head of the main department of security and information protection of the Bank of Russia Artem Sychev.

According to him, the novelty is that attackers place devices not on the ATM itself, but next to it, and use equipment to steal funds from bank cards. At the same time, movement sensors protecting ATMs, autopsies, etc., do not work.

Attackers learned to steal money from bank cards without installing equipment on the ATM itself

Artem Sychev did not explain whether the technology applies to all ATMs or only to individual models. He also did not name the amount of funds that the attackers stole from the accounts of bank customers in such a wireless way.

Sychev stressed that banks included in the  Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT) informed banks about a new method of fraud.

  Adney Sychev spoke about the wireless method of theft of funds from bank cards through ATMs invented by fraudsters at the XIX All-Russian Banking Conference. There, a representative of the Bank of Russia said that the regulator received information from Interpol about the large volume of compromised cards of customers of Russian banks.^[15]

The representative of the Central Bank found it difficult to name the number of "highlighted" cards, but noted that the amount of information on these cards takes almost 500 MB.

Most likely, this is the result of skimming in Europe. These are the cards that were used when traveling abroad . Rather, it is Southern Europe - Bulgaria, Romania and the like. The information came from Romanian colleagues, - said Sychev.

See also

• Bank card and payment fraud

Notes