[Interview] Muhammad Mudassar Yamin: Most ATMs Attacks Still Use Physical Vectors (Also) Because You Can Easily Buy Skimmers Online

The rise of new and advanced tech tools make everything easier today, including operations and transactions for the financial sector. This means that banks can offer better services to customers, through internet banking, ATMs and other methods.
Security-wise, we can’t help but wonder how vulnerable ATMs are to cyber attacks, considering that they’ve always been an attractive target for attackers.
We were curious to find out Muhammad’s perspective on the hot topic of ATM security and other key issues about financial institutions, security risks or types of frauds.
We’re thrilled to have Muhammad as a speaker at DefCamp#9 and learn from his experience and knowledge in cybersecurity. In his new role as a research fellow at the Norwegian University of Science and Technology, he’s conducting in-depth research on new topics in information security, so there are a lot of interesting things he will share with us.
Regardless of ATMs attacks, Muhammad believes that:

Attackers employ physical attack vectors regularly and install skimming devices on ATMs to collect individual user debit/credit card data. The physical attack vector is relatively easy to exploit as the required skimming devices are easily available on sites like AliExpress.

In most cases, there is no advanced tech knowledge needed to hack an ATM. Malicious actors can have basic or intermediate technical skills and use physical vectors to launch an ATM attack.
For those of you who haven’t heard yet, among the exciting activities happening in the Hacking Village at DefCamp#9, participants can also join the competition “Hack the Bank” in which they can see different approaches and methods for these attacks.
Muhammad talked about the growth of a new attack called jackpotting or “cash-out” in which an attacker can gain physical access to the ATM machine by trying to remove the cash withdrawal limit on ATMs and empty it.

Attackers try to compromise the bank network and install malware on ATMs to collect debit/credit card data and remove cash withdrawal limit restrictions. The cyber attack vector is difficult to exploit compared to physical attack vectors, therefore, in most ATMs security breaches, the aforementioned physical attack vector is used.

Moving to another aspect of the financial industry, we wanted to know what Muhammad thinks about Android-based ATM tech and how widespread it is at the moment. How will this change in the future?
For those who don’t know, the first Android-Based ATM was developed by one of the largest ATM vendors in the world (NCR) and launched in April 2015. Following this, many companies began to introduce Android-based ATMs.

The underlying technology behind Android-based ATMs is the kiosk functionality support introduced in Android 5.0, which is also used in self-service technologies like vending machines, points of sale and customer-specific kiosks.
While no clear stats are available for current OS of running ATMs, the 2018 global OS market share indicates that Android is leading the market with 73.6% market share. So it can be concluded that the majority of ATMs and kiosks running now are Android based. 

With the increase of ATMs attacks, there is no doubt that financial institutions are currently dealing with a lot of challenges when looking to increase their ATM security standards.
Muhammad mentions some of the most important ones that need to be on their radar:

  1. Physical Security – Most ATMs are unattended so any attacker can easily install the skimmer devices on the ATMs.
  2. Patch management – Patches for vulnerabilities and system updates by vendors are not easily available.
  3. Insecure Interfaces – Most ATMs have communication interfaces which are used for maintenance purposes, an attacker can exploit these interfaces.
  4. Vendor security management – ATMs are developed OEMs and maintained by third-party vendors, so it is important to ensure that third-party vendors don’t install any malware on the ATMs.  
  5. Identity Management – The admin/root user accounts on ATMs should be secured.
  6. Transport Layer Security – Cryptographic certificates should be updated regularly to avoid MITM attacks.

We also wanted to know his thoughts on this:
Why is the perception towards how secure Android is as an OS so different in the infosec world versus other sectors that rely heavily on tech?

I can only say that Android OS is free and development for Android is quite easy compared to other platforms, therefore, Android has the largest market share, which means the biggest attack surface for a malicious actor. Therefore, the majority of mobile exploits are developed for Android.

Last, but not least, we were particularly interested in finding out Muhammad’s main infosec topics he’s passionate about that he can share with us.
We discovered that he’s working on a new project along with the research group at Norwegian University of Science and Technology. The team has developed a new type of exercise called “Make it and Break it”.  
How does it work?
“Two teams are challenged to develop a system from given part, then attack each other developed system. We believe that such exercise will introduce secure system design thinking in exercise participants and improve overall system security”, he explained to us.    
Did this boost your curiosity to learn more? Make sure you don’t miss Muhammad’s talk at DefCamp #9 this November!  
He will share interesting findings from a new research paper he’s currently working on. Also, did you get your ticket for the event? There will be so many more awesome speakers on the stage to learn from and attractive hacking activities to experiment with.
Hope to see you in a few weeks!
This interview was made by Ioana Rijnetu. You can get in touch with her on LinkedIn or say hello on Twitter.
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    DefCamp 2024 highlights: over 2,000 infosec ..

    BY Adina Harabagiu
    DefCamp 2024 wasn’t your average conference. It was two packed days of cybersecurity action, held in ..

    “Bad actors will begin using massive A.I. to ..

    BY Adina Harabagiu
    Edition #14 of DefCamp is just around the corner, and the excitement is building! With less than a week to go,..

    DDoS Protection Solutions by Orange

    BY Adina Harabagiu
    Protect your company’s data against DDoS (Distributed Denial of Service) attacks.