00:00
criminals are interested in
00:01
investment and the return on investment
00:03
for an attack like this is much higher
00:04
because you can multiple ATMs
00:06
without leaving your house this is a
00:17
home think of it as
00:19
the ID technician for this crime this is
00:22
just a standard so I'm gonna... going
00:25
to $ from this ATM select
00:28
English, find pin I'm gonna make sure to
00:30
protect my pin I'm gonna do- withdraw
00:33
checking for 40 we have 2x force red $20
00:40
bills I'm gonna request $40 again let's
00:43
see how much money I can get out I'll
00:46
take a now this time in fact if
00:52
you look at my receipt
00:53
it also says $40
00:56
[Music]
01:01
from a criminal point of view one of the
01:03
great things about this attack is that
01:05
the bank has no idea the
01:06
bank told to the ATM in a dispensed two
01:08
bills it has no idea that the attacker
01:10
modified the response and changed it to
01:12
ten bills you see everything from
01:21
embedded XP 7 all the way up to
01:25
more modern variants of Windows so
01:28
you're saying that the most vulnerable
01:29
versions of Windows are on
01:33
thousands of ATM machines yes you have a
01:37
lot of ATMs across the country that
01:39
still run Windows XP so the type of
01:42
vulnerabilities that we
01:43
initially on an ATM are very common ATMs
01:45
are architected a very similar way to a
01:47
home PC in fact it may be
01:50
more vulnerable because of the
01:52
difficulty in ATMs that are
01:54
distributed across the wide geographic
01:55
area most of the ATMs don't have a
01:57
support staff that's standing there and
01:59
if the bank has to send someone out to
02:01
each ATM to install software it
02:03
significantly so they're
02:06
usually very conservative about which
02:07
patches and which software they push out
02:10
this is the receipt printer has the
02:12
standard USB connection in
02:15
Windows just like any other printer you
02:17
could actually print Word documents on
02:18
this the same is true for the save the
02:21
cash dispenser is also just a USB device
02:25
we've our own money and
02:27
stocked it up once the ATM is
02:31
compromised that's a lot
02:32
more complicated an attacker has to know
02:35
how to communicate with the specialized
02:37
devices each vendor has a separate set
02:41
of hardware be
02:42
using every piece of software on an ATM
02:44
has the potential to be a little bit
02:46
different so we create our own custom
02:48
software when we're performing attacks
02:50
the attacker could monitor everything
02:52
that's going on for example the attacker
02:54
can see on the
02:56
screen of the ATM and also observe the
02:59
network traffic the highlighted text
03:00
here is the magnetic data from
03:03
the card you see the 4000.. is... corresponds
03:06
to the $40 that Charles requested a lot
03:08
of people assume that when an ATM
03:10
withdraws process the bank is used to
03:13
yes or no response
03:14
but in reality it tells the ATM how many
03:16
bills to dispense so in the response
03:18
that told the ATM two bills but
03:21
we can modify it as the attacker changed
03:24
that zero to two a10 so that ten bills
03:27
do I need two people do I
03:30
need you extracting cash and some
03:32
attackers sitting in a remote location
03:34
conceivably he could do it
03:37
from right outside the ATM but it makes
03:39
more sense because there's less risk to
03:41
him being compromised if he can send a
03:43
low-cost criminal employee to go pick up
03:47
the cash for this is us
03:51
of the ATM now notice it goes out of
03:53
service
03:54
[Laughter]
03:56
sometimes criminals may not want to put
04:00
a card into the ATM for whatever reason
04:02
and they may just want to dispense money
04:04
it is often referred to in the industry
04:06
as it doesn't even require a
04:08
card David is just going to remotely
04:11
how often they're updated
04:21
often depends on the volume of usage for
04:25
an ATM but an ATM like this can hold
04:27
over $200,000 in fact in certain rare
04:31
instances they can be up to
04:33
a million dollars and it's very
04:35
difficult for banks to detect this in
04:38
the short run because ATMs don't have a
04:41
precise way of measuring how many bills
04:43
are in the back it's just a counter it's
04:45
really only if the criminals empty the
04:47
ATM completely of cash that the warning
04:49
bells so a lot of the technology
04:52
that is needed to defend against there
04:54
are things that are already on the
04:55
market for example having encrypted
04:57
network connections between the ATM and
05:00
the bank well that's been available for
05:02
literally decades now is surprising
05:05
how many banks are still using insecure
05:07
network communication when an ATM
05:09
like this is compromised it's the
05:11
consumer that pays in the form of
05:13
increased fees
05:14
you
05:18
so this actually of
05:21
Windows Windows something is that common
05:24
for ATMs yes so it's actually even
05:27
common to see XP yeah I mean so when
05:32
you've got something when you've got
05:34
something that a that basically out
05:37
money like this you don't want to mess
05:40
with it