Schneier on Security
A blog covering security and security technology.
October 31, 2011
Another ATM Theft Tactic
This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint.
It's hardly a technology-related attack. But from what I know about ATMs, the security of the money safe inside the machine is separate from the security of the rest of the machine. So it seems that the repair technicians might be given access to only the machine but not the safe inside.
Posted on October 31, 2011 at 8:18 AM
• 24 Comments
" But from what I know about ATM machines"
I thought the interesting security-related angle was how much information The Star can publish about someone wanted by the police. A MyKad number is similar to a social security number in the US. Can you imagine publishing someone's social security number because the local fuzz would like to have a chat?
The ATMs I know have some _closed_ containers with the money (imagine, the company who replaces the empty ones with the full ones has also to be handled somehow...), so maybe those were stolen...
BTW, it happened in the past that the containers were misplaced and lucky ones got more money (bigger values) till someone got less and reported it to the bank...
From what I know of ATMs, at least around here, the vault is harder to saw into, but when you have a key you seem to have a key for the whole machine. Or, maybe they have terrible security and give every service guy all the keys?
OTOH, why bother with service guys? The armored car that picks up the money does a terrible job of having perimeter security. Routinely see a lone guy with his head in the machine for a long time, and another guy in the truck with poor visibility. I can tell for sure, as I've scared them by "sneaking up" (walking by in a dense city) and they didn't see me until I was past them. I could rob a lot of ATM service people with a wrench.
Tangential: Or you can just keep your ears open. Not too long ago I am eating dinner not far from a little ATM kiosk, and the service guy calls home base for the access code. It was random, but they sent it in voice over the speakerphone of a PTT phone. I wrote it down. And watched what the guy did to the machine (could see the screen also). He did not, for example, change the passcode before leaving. It appears I could have used his code and run a bunch of dispense-money tests if I wanted to.
I can imagine they would have access to the money vault as one of the primary repairs they would have to do is deal with a paper jam, or in this case, a money jam.
This kind of proves a point though. No matter how fancy a system you have, it can still be open to low-tech and people-based attacks.
Even if the money container is separate can't they just pull the safe and crack it later? I admit not knowing enough about ATM security on a physical level.
From a former ATM tech -- the most dramatic ATM theft I know of (I had to reconfigure the replacement machine, btw) involved breaking in through the roof of a supermarket and hoisting the ATM out, impressive even for a lightweight version (maybe 50kgs total) -- guys hitch them up to their pickups often enough, or use excavating machines and once you have the machine it's a matter of time to break in to the safe. I would place the risk of hitting the machine about equal to a bank holdup, given the usual alarms and security cameras. The armored truck guys do carry weapons and have some level of interlocking security with other assets, so I wouldn't take a chance with them. Not that the guard would survive an attack, but the perp needs to evade detection for quite a distance in a public space. Yes, handling 80K in cash was very exciting in certain neighborhoods, but you learn to keep an eye out for idiot crooks and keep the doors locked behind you. The Malaysian guys are probably all but busted at this point. I would look to inside collaboration with the techs as an avenue to investigate, as well.
I thought the money came in sealed cassettes, at least with the newer ATMs. I imagine these cassettes have a self-contained cash dispenser, bill counter, battery power source, onboard circuitry plus security features such as audit trail, dye degradation, GPS and location transponder. The delivery personnel never see the actual notes and thus have no temptation to short the cassette a note or two.
In my recollection they have something similar for payphones and parking meters, when the coins are collected. The coin box has a shutter which closes as soon as you start to pull it out, which can only be opened with a key (the meter maids don't have it) or by docking it upside-down into a special bin, which somehow authenticates with the coin box and dumps the coins.
How I would approach an ATM target, barring the ability to do a completely network-based intrusion (or insider pre-loaded features, which has been done), would be to examine the internal controls of the machine with a combination of physical access and electronic sabotage. The simpler ATMs will most likely have an exposed interface to the money safe -> connect -> play the "dispense $20" message again and again. With some models, all you need for access to the machine's innards is a simple wafer key to open the fascia.
The more advanced models have locked panels with high-security keys, tamper alarms and NCR is even claiming to use encrypted USB for their internal network bus. However, unless every processing component involved in approving a dispense command is protected at the same level as the cash itself, there is some degree of vulnerability with electronic manipulation, to insider service techs at least if not to an external adversary.
I recall hearing of a very similar tactic. The attacker would attempt to use the machine, but tell the clerk the machine was broken. The clerk would call the service guys. Then, before the service guys would show up, the attackers would appear in a uniform and just take the equipment. The clerk, who was expecting service people to come out, would just happily let them run off with the entire machine. That would leave the attackers as much time as they needed to crack open the machine with various noisy cutting equipment.
Social engineering at its best.
I haven't seen any of those ATMs locally. The ATMs I've seen store cash in a vault of some kind. The armored car pulls up, the guy loads cash into a bag, walks to the ATM, unlocks it with a key (sometimes magnetic key), and loads it. Some cars have guys with what looks like automatic weapons & some just have two people altogether.
Steven Hoober's depiction of how easy a target they are is quite accurate & the distance from cover to target can be as little as 3 yards in a spot invisible to the driver in MANY ATM locations. Odd enough, the guy whose car was protected by heavily armed guys was more vulnerable than the other guy, due to more hiding spots. I really don't see why so few attacks have occurred.
One observation is that one of the easier ways to steal from an ATM is to own the ATM, and a bank. There is a case from the 2000-2003 period where someone did exactly that in New York, and by compromising the ATM had access to both mag stripe and PIN info. The take was $3.5M from 21,000 accounts. There doesn't seem to be much information on the net.
The original indictment is here:
It looks like post-trial sentencing was in 2008. There is a Yahoo! story with details from the trial evidence:
The guy mentioning paper jams has it right, at least so far as I know from servicing several types of ATM back in the 80s. There is indeed a safe that the money cassettes go into that is separate from other parts of the machine, but if you have a jam right at the cassette there's nothing for it but to open that safe so you can get at the problem.
The problem at its most basic is that roles of various people involved with the ATM are blurred. Ideally, one person would handle the electronic side, another the mechanics of it, and a third would work with the money. In this model, a privilege-escalation attack of the sort described in the article would not work.
But, of course, it's easier and cheaper to have any technician be able to fill any of these roles at any time. And, unlike with computers, a human cannot "just stop" being a physical role in that sense. The ATM companies see the risk (it's easier to compromise the ATM) as being of less account than the cost savings (one or two technicians as opposed to 5-8.)
I saw something about a vending machine cash bag where it is automatically locked when withdrawn from the machine so the cash collectors can't steal from it. It can only be opened/reset by someone back at head office with a key. Also you can't put it back into the vending machine either.
"One observation is that one of the easier ways to steal ... is to own ... a bank. " (c) Z.Lozinski
"One observation is that one of the easier ways to steal ... is to own ... a bank. "
Clever editing. It is a very serious point though.
One of the lessons of the Frljuckic case is that the security model for ATMs had not really considered the possibility that the bank that owned the ATM network might be actively hostile. Frljuckic bought a company with a banking license to operate a small ATM network in the NYC area.
A similar problem has arisen in the telecommunications industry, where all telcos are considered trusted. This worked fine when there was a single government-backed telco per country. When you can have a couple of hundred MVNOs per country it doesn't work so well. Can you trust inter-carrier billing records? Do operators mis-route SMS for profit? It is not the large operators that are the problem, but small MVNOs.
ISBN 0292706383, The Best Way to Rob a Bank is to Own One by William K. Black, a veteran of bank regulation.
From a former ATM designer - there can be several security levels, depending on whether the person is a bank employee, a third-party service person (replacing cash cassettes), or a repair tech. As said, the repair techs need access to the safe/security container in order to repair the bill-feeding mechanisms. Repair techs are bonded and CBC'd but they aren't armed security guards. But all 3 have some level of access to the inside of the safe, enough that getting to the cash would not be difficult.
The cash cassette system (which eases third-party servicing) is not physically secure - the cassettes just keep the money in machine-deliverable form, with very limited physical integrity. That's why most third-party service companies are also armoured-car services.
The safes are typically not more than TL-15, which is all that the insurance company requires. They can be opened with conventional tools and equipment with no difficulty - it just takes time, electricity and noise. I've opened a TL-15 ATM safe which was locked and re-locked in about 6 hours, using only conventional tools and without damaging the contents.
Best heist story - the ATM which was located in a double-door lobby at a bank branch in Mountpottinger, Northern Ireland. A member of a paramilitary organization did a simple stay-behind on Friday afternoon and let all his buddies into the lobby and so into the back room, later in the evening. They had 48 hours to have at the through-the-wall ATM, undisturbed, and they brought some tools with them. Didn't get a penny out of it. As the guy who designed the safe - it made my day.
Thanks for the information. I figured that the repairman would have some level of access. I know in some ATMs the cash is visible just opening part of the ATM, others are a bit trickier. I would be willing to bet the guys that failed the Irish bank job were amateurs.
With the recent Black Hat presentations, I wonder how long it will be before someone starts simplifying the process by doing software level attacks on the ATM. Might even manage to rob a few over time using that technique if the bank can't figure out what's going on.
Most interesting was the use of the verb 'banking' to describe the taking of money that did not belong to them at gunpoint, as in "banking spree". A reflection of the public's experience?
The most interesting thing was reading the other articles on the "Star" website. Who knew runaway maids were such a big issue?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.