Incident: ATM Software Vulnerability Allows Hackers to Dispense Cash.

Published Date: 2017-07-25

Postmortem Analysis
Timeline
1. The software failure incident, in which cyber criminals remotely attacked cash machines in more than a dozen countries across Europe, was reported in the article published on 2017-07-25 [61305].
2. Estimation: the article does not give a specific date for the incident, so it can only be estimated that the incident occurred sometime before July 2017.

System
1. Windows XP operating system
2. NCR ATM machines
3. SWIFT messaging system at Bangladesh's central bank

Responsible Organization
1. Cyber criminals were responsible for causing the software failure incident reported in the news article [61305].

Impacted Organization
1. Individuals who used the compromised ATMs and had their card details collected and money dispensed without their knowledge [61305].

Software Causes
1. Lack of proper security measures in the ATM software, allowing attackers to hack into the system and collect card data [61305].

Non-software Causes
1. Lack of physical security measures on ATMs, allowing attackers to reach USB ports by drilling holes in the machines [61305].
2. Insufficient security defenses and recommendations from ATM manufacturers and deployers, leaving vulnerabilities in the ATM infrastructure [61305].
3. Cyber criminals exploiting weaknesses in bank networks to remotely infect ATMs and force them to dispense cash [61305].

Impacts
1. Cyber criminals remotely attacked cash machines in more than a dozen countries across Europe, causing significant financial losses [61305].
2. A February 2016 attack on servers at Bangladesh's central bank that controlled access to the SWIFT messaging system resulted in a digital heist of more than $81 million [61305].
3. ATM hacks in Taiwan and Thailand led to millions of dollars being stolen from banks [61305].
4. The cyber criminals used malicious software to force ATMs to dispense cash, causing financial losses for the affected banks [61305].

Preventions
1. Applying regular software updates and security patches so that the ATM operating system (Windows XP) is up to date and protected against known vulnerabilities [61305].
2. Strengthening physical security measures for ATMs to prevent unauthorized access to USB ports and other exposed areas that attackers could exploit [61305].
3. Using security technologies such as encryption and multi-factor authentication to protect sensitive data stored on the ATM and transmitted across the network [61305].
4. Conducting regular security audits and penetration testing to identify and address weaknesses in the ATM network and software infrastructure [61305].
5. Collaborating with cybersecurity experts and industry organizations to stay informed about emerging threats and best practices for ATM security [61305].

Fixes
1. Applying regular software updates and security patches so that the ATM operating systems are up to date and protected against known vulnerabilities [61305].
2. Strengthening physical security measures for ATMs to prevent unauthorized access to USB ports and other exposed areas of the machines [61305].
3. Using encryption to secure card data and prevent its collection by malware installed on the ATM systems [61305].
4. Increasing monitoring and surveillance capabilities, such as security cameras, to detect and deter attacks on ATMs [61305].

References
1. Security expert from Positive Technologies
2. Leigh-Anne Galloway, a security expert with Positive Technologies
3. NCR spokesperson
4. Russian cyber security firm Group IB
5. Dmitry Volkov, head of threat intelligence with Group IB [61305]

Software Taxonomy of Faults

Category Option Rationale
Recurring
Option: one_organization, multiple_organization
Rationale:
(a) one_organization: The software failure incident related to ATM hacks has happened again at the same organization. Last year, cyber criminals remotely attacked cash machines in more than a dozen countries across Europe, including incidents where hackers remotely infected ATMs to dispense cash. This type of attack has been reported in multiple incidents involving the same organization's ATMs [61305].
(b) multiple_organization: The incident has also happened at multiple organizations. The article mentions incidents in Taiwan and Thailand where hackers remotely infected ATMs to dispense cash, leading to significant financial losses. Cyber criminals have also been targeting bank networks to gain access to ATMs and electronic payment networks, indicating a broader trend of such attacks across different organizations [61305].

Phase (Design/Operation)
Option: design, operation
Rationale:
(a) design: The article notes that most cash machines are essentially Windows XP computers attached to a safe, which leaves them vulnerable to hacking by drilling a hole in the front to access a USB port [61305].
(b) operation: Cyber criminals remotely attacked cash machines in more than a dozen countries across Europe using malicious software that forces the machines to dispense cash, leading to significant financial losses [61305].

Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The failure is primarily within the system. It stems from vulnerabilities in the ATM software itself, which allow attackers to hack into the machines by drilling a hole in the front to access a USB port and install malware to collect card data [61305]. The incident involved exploiting weaknesses in the Windows XP operating system used in the ATMs, an internal system vulnerability targeted by cyber criminals.

Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) non-human_actions: The failure is rooted in the vulnerability of cash machines, which are essentially Windows XP computers attached to a safe. Attackers can exploit this setup by drilling a hole in the front of the machine to access a USB port, allowing them to dispense money and collect card details. This design vulnerability is a non-human factor contributing to the failure [61305].
(b) human_actions: The failure also involves human actions, since hackers actively exploit these vulnerabilities to remotely attack the machines and force them to dispense cash. These cyber criminals use malicious software to manipulate the ATMs, causing financial losses in several countries; their actions are the human factor in the incident [61305].

Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) hardware: The article describes cash machines as vulnerable for hardware-related reasons. Most cash machines are essentially Windows XP computers attached to a safe, so an attacker who drills a hole in the front can reach a USB cable and make the machine dispense money [61305].
(b) software: The incident is primarily attributed to software vulnerabilities that allow hackers to remotely attack cash machines and force them to dispense cash. Cyber criminals are reported to be using malicious software to exploit these vulnerabilities and carry out heists across Europe, Taiwan, and Thailand [61305].

Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) malicious: Cyber criminals remotely attacked cash machines in multiple countries across Europe, using malicious software to force the machines to dispense cash and causing significant financial losses. The attacks involve hacking into the ATM systems and manipulating them to spit out cash, which is then collected by organized teams. The attackers have moved on from stealing payment card numbers to more lucrative hacks on bank networks, gaining access to ATM machines and electronic payment networks [61305].

Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) poor_decisions: The ATM hacks can be attributed to poor decisions in the design and security of the cash machines. The article highlights that most cash machines are essentially Windows XP computers attached to a safe, leaving them vulnerable to attack. The security expert from Positive Technologies demonstrated how easily an ATM can be hacked by drilling a hole in the front to access a USB port, allowing attackers to dispense money and collect card details [61305]. The article also notes that cyber criminals have remotely attacked cash machines in multiple countries across Europe, indicating a lack of robust security measures to prevent such attacks.

Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) development_incompetence: The article notes that most cash machines are essentially Windows XP computers attached to a safe, leaving them vulnerable to hacking. The security expert from Positive Technologies demonstrated how easily an ATM can be hacked by drilling a hole in the front to access a USB port, allowing attackers to dispense money and collect card details [61305].
(b) accidental: The article describes cyber criminals remotely attacking cash machines in more than a dozen countries across Europe using malicious software that forces the machines to dispense cash. The failure was not an intended behaviour of the ATM systems but the result of hackers exploiting vulnerabilities in them [61305].

Duration
Option: permanent
Rationale:
(a) permanent: The vulnerability that lets attackers hack into the ATMs and dispense money is a fundamental flaw in the design and security of the machines. It is not limited to specific circumstances but is a systemic issue in how the ATMs are set up, making them easy targets for cyber criminals [61305]. That cyber criminals have remotely attacked cash machines in multiple countries across Europe, and that the attacks are expected to continue, indicates a persistent vulnerability in the software and security of these ATMs, so the failure is permanent in nature.

Behaviour
Option: value, other
Rationale:
(a) crash: The articles do not describe the system losing state and failing to perform any of its intended functions.
(b) omission: The incident does not involve the system omitting to perform its intended functions at one or more instances.
(c) timing: The incident does not involve the system performing its intended functions correctly but too late or too early.
(d) value: The system performed its intended functions incorrectly. Attackers could hack into ATMs, collect card details, and dispense money without authorization, a failure of the system's intended function of securely processing transactions [61305].
(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions.
(f) other: The behaviour can be categorized as a security vulnerability exploit. Attackers can drill a hole in the ATM, access a USB port, and inject malware to collect card data and dispense money without authorization, highlighting a security flaw in the system [61305].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence
Option: property, non-human
Rationale:
(d) property: People's material goods, money, or data were impacted by the software failure. Cyber criminals remotely attacked cash machines in multiple countries across Europe, using malicious software to force the ATMs to dispense cash and causing significant financial losses. For example, in a February 2016 attack on servers at Bangladesh's central bank, cyber criminals stole over $81 million in one of the biggest digital heists on record. Money was also stolen from banks in Taiwan and Thailand through similar ATM hacks, with substantial amounts taken [61305].

Domain
Option: finance
Rationale:
(a) finance: The failed system belongs to the finance industry, specifically the ATM machines used for dispensing cash [61305]. The incident involves cyber criminals remotely attacking cash machines in multiple countries to steal money, highlighting the vulnerability of these systems in the financial sector.
