Tatütata • October 2, 2017 8:41 AM

From the paper:

In 2016, we published a non-public paper, ...

[sic] [sic] [sic]

A couple of weeks ago I was having lunch at a restaurant, and in came a technician to service the private ATM which was installed in a wall opening facing the street. It was an interesting (and discreet) insight into the construction of these things, albeit within the limits of my straining eyesight.

The currency compartment was in the lower tier of the machine, and apparently made out of slightly thicker sheet metal than the rest. The lock also seemed to be of a more expensive kind, by a nickel or a dime or so.

The upper part behind the interface panel contained a few boards, which were removed and scattered on a table, and diagnosed with the time-honored technique of swapping and testing. (The technician didn't resort to kicking the tyres, which I take as a sign of experience). One board contained relays and power devices, another one was obviously the brains of the contraption, and the remaining ones were sundry interfaces. I suppose that there are always a number of extra boards floating around service shops, so it wouldn't be too difficult to get to them and eventually patch backdoors into them, e.g., onto the relay board itself.

It was so mundane that it was at the time slightly shocking, as the contraption had essentially the sophistication of a frigging washing machine. But in retrospect it shouldn't have been.

Among the attack vectors, there is this on p. 15/40:

In more recent reported cases of infections, a mobile phone had been physically installed inside the ATM’s housing. This device received cash withdrawal commands via SMS and then forwarded them to Ploutus.B, thereby minimizing direct physical interaction between the malware operator and the ATM.

Controlling the cash-collecting mule seems to be as much of a challenge as hacking the machines themselves. But do they honestly believe that going through all the trouble of picking a cabinet open and leaving devices inside will pay off? As mentioned elsewhere in the report, a compromised machine would immediately be pulled out and investigated. Unless there was insider complicity...

Quite a few machines work through a cellular modem. Are there fake base station attacks?

Seeing that ATM with its guts spilled made me realise how easy it would be to carve it out in one swoop of a backhoe. Then there is the technique of injecting a hydrocarbon through an opening (e.g.: with a can of hairspray), and then holding a lighter to it. Several thieves blew their eardrums and more in the process (Darwin award territory), there is however the occasional report of success. In this particular case this would have to be done from within the restaurant, where someone might notice. In any case, such attacks are not scalable and reserved for amateurs.

David Rudling • October 2, 2017 1:20 PM

Interesting but unsurprising.
From towards the bottom of page 9 of the report:-
"A majority of ATMs installed worldwide still run either Windows XP or Windows XP Embedded. Some of the older ATMs run Windows NT®, Windows CE®, or Windows 2000."
Really tough leading edge software security then.

Petter • October 2, 2017 1:28 PM

About 20 years ago there was an incident when the police arrested a guy walking from ATM to ATM making withdrawals while carrying a heavy bag.

Some people who tried to withdraw money after him noticed his strange behaviour and that the ATMs were shut down and therefore notified the police.

When he was detained they found him carrying a UPS which fed 220V to an ESD gun which he used to discharge into the ATM at a specific moment while he did a withdrawal.
The ATM then shut down but he managed to cling onto the money although the registration of the withdrawal never got completed.

If he used his own card or if any cameras might have captured him I don't know.

Nice attack vector. Poorly executed.

Clive Robinson • October 2, 2017 2:04 PM

I guess it needs to be said,

It is alleged that the bank robber Willie Sutton was asked why he robbed banks by a reporter, after a pause he said "I rob banks because that's where the money is". And that gave rise to "Sutton's Law" [1].

Even if not said by Sutton there is a certain logic to the quote. Thus people attack ATMs because that is where the money is probably easiest got at.

After all if ramming a tow truck into an ATM then slinging a chain around it and towing it away like a "bulldogged" steer at a rodeo, then there could be a less dramatic way to get the cash out... Perhaps not filling it full of "gas-n-air" to blow the ATM apart at the seams or one of several other methods.

The lack of subtlety is one of the reasons ATMs are not exactly well built is that the banks have externalised the cost via insurance etc. Further they have realised there is a trade off if they make ATMs more secure then not only will they cost more to make, the damage involved with the ATM getting stolen/opened will be higher, which brings other considerations into play. Like the cost of the loss of life etc if they get sued in court.

Which means you have what is in effect a soft target. From the robber's point of view ATMs are easier than safes, and a lot safer than an old fashioned "stick up".

So like it or not those "vulnerable" ATMs may well be saving lives.

[1] Although the naming of “Sutton's Law” was inspired by the supposed "well-known" quote Willie Sutton disclaimed credit for the saying. He said in a book "The irony of using a bank robber's maxim as an instrument for teaching medicine is compounded, I will now confess, by the fact that I never said it".

Ninja • October 2, 2017 5:02 PM

Newbies. Here the criminals just blow up the ATMs and get the money.

It's true but I jest. I just can't understand why the banking system in the US is so archaic in many ways. We have been using chips in an underdeveloped country for at least 5 years before the US adopted them.

On the explosive note, there are now measures to counter such tactics, they spread some sort of ink that taints the bills permanently but even then the crooks devise smarter tactics such as carrying the ATMs (if not fixed) to another place and using acetylene torches to break them open (to which banks added GPS on those units and the criminals started using Faraday cages etc etc etc in an endless cat and mouse game).

Clive Robinson • October 2, 2017 6:20 PM

@ Ninja,

... in an endless cat and mouse game

Yes although the military expression would be "ECM / ECCM"

The thing is "ratcheting up" usually gets into a "law of diminishing returns" where each step is but a fraction of the one before.

What is making this different is one side has not invested in playing at the level of those they are defending against. As almost always happens with banks they only raise the security bar by small increments with the result the attackers can stay in the game. We saw this behaviour with online banking fraud in the late 90's and into this century. To a certain extent it's not stopped because although the banks have stepped up and have closed the gap with the likes of 2FA attackers have become so well funded that they are still getting sufficient advantage. Further the advent of smart phones has brought a third party into the game kicking off a different technology path to use for attacks.

Without appearing pessimistic the banks are not only slow to step up, they don't appear to think how new technology changes the dynamic and thus they appear stuck well behind the technology curve whilst the attackers appear to be riding well ahead of them. Interestingly though the attackers do not appear to be at the leading edge, in most cases they are still picking the "low hanging fruit". Thus the speed the attackers respond to change suggests in a few respects either they are very agile or that some are keeping attacks in reserve or even stockpiled. The limiting factor appears as is often the case the "laundering" aspects of the gains they make.

Herman • October 2, 2017 10:55 PM

Long ago, people robbed the Widows and Orphans boxes in the churches, then gas meters, then pay phones, then parking meters, now ATMs.

Unfortunately I think the gas meters of the Victorian age may have been more valuable targets than ATMs today.

name • October 5, 2017 7:02 PM

How common is it for your replacement ATM card to come in the mail without a preset PIN, instead they ask you to choose one?

EvilKiru • October 6, 2017 6:19 PM

@name: It's common if your financial institution changed credit card types (for example, switching from Visa to MC), if they changed their card processing provider, or if you reported fraudulent activity on your card. I can't recall any other times I've needed to choose a new PIN for a replacement card.

Lurker • October 8, 2017 7:42 AM


Some time in the middle of last decade I read in the tech press that support for OS/2 was ending at the end of that year. (That surprised me as I had presumed support had ended long before.) The article I read stated that many (most?) ATMs in the U.S. were running OS/2, which presumably would need to be replaced by something else.

I find it truly frightening that that something else turned out to be Microsoft software.

EvilKiru • October 9, 2017 8:29 PM

@Lurker: People continue to use OS/2 on production servers even today. Not IBM's OS/2, though. Its current brand name is eComStation, marketed by Serenity Systems and Mandat BV.

It's currently rumored that an older OS/2 licensee is about to release an OS/2, eCS/2, and DOS-compatible OS called Arca OS 5 "soon":

I myself gave up on OS/2 when the 13 year old Gateway computer I ran it on died about 10 years ago and I couldn't get it to install on any modern (circa 2007) computer.

CallMeLateForSupper • October 10, 2017 8:37 AM


"I myself gave up on OS/2 when [...] I couldn't get it to install on any modern (circa 2007) computer."

Interesting. 2007 was the very year I installed eComStation on a new "Deskrocket" I had just built (w/ Asus P5B mobo). That PC complemented my Pentium 1 box which ran OS/2 "Warp" v3 (OS/2 v3 did not support networking nor USB). I still use each of these systems.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.