Research Saturday 9.1.18
Ep 51 | 9.1.18

ATM hacks on the rise.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges, for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Marcelle Lee: [00:01:42] Well, I think most people realize, of course, that there's ATMs everywhere.

Dave Bittner: [00:01:46] That's Marcelle Lee. She's a Threat Researcher with LookingGlass Cyber Solutions. The research we're discussing today is titled "ATM hacking: You Don't Have to Pay to Play."

Marcelle Lee: [00:01:57] You really can't go into a convenience store without seeing one. They're in colleges, they're in workplaces sometimes, obviously in banks. They're everywhere. And they're not just owned by banks, but I discovered that you can personally buy an ATM and set it up someplace, and it's a way to make money off of fees and whatnot.

Dave Bittner: [00:02:16] Or set one up in my house for my teenage kids.

Marcelle Lee: [00:02:20] (laughs) I feel like that would backfire on you.

Dave Bittner: [00:02:22] I might as well. I mean, we're already there. Yeah, we've got everything but the cards, so, you know, right now it's just known as "my wallet." (laughs)

Marcelle Lee: [00:02:33] Yeah, so ubiquity is definitely a thing. They are certainly an everyday part of life at this point in time, and I'm sure there's some of us who are old enough to remember the days before ATMs were prevalent.

Dave Bittner: [00:02:45] Yeah.

Marcelle Lee: [00:02:45] You had to actually, like, go to the bank to get money. I'm kind of dating myself by saying this.

Dave Bittner: [00:02:51] No, me too, I mean, it was barbaric, right? You had to actually, you know, talk to the actual human being to get your money. It was crazy times.

Marcelle Lee: [00:02:59] Yes. (laughs).

Dave Bittner: [00:03:00] So, obviously, you know, you have this unattended device that's full of cash, that's certainly going to attract the bad guys. So I suppose ATMs have been a target since they were available.

Marcelle Lee: [00:03:11] Yeah, they have been. Although, interestingly, the ATM hacking was observed much more in Europe, and in parts of South and Central America, than it has been in the US, and I don't know, really, the reason why for that. But we're definitely seeing an uptick on these types of ATM attacks in the States. So, it's on the rise. And, you know, as you saw in the blog post, I had a little screenshot there of a press release that the Secret Service put out about this, just because it is becoming such a concern.

Dave Bittner: [00:03:44] So, let's walk through the various types of attack and who they target. Because not all the attacks are the same, there's some variety here. So, walk us through we're dealing with.

Marcelle Lee: [00:03:53] There are a variety, as you said, and it really ranges from a totally destructive attack, where somebody essentially blows up an ATM machine and just takes the cash out. People have been known to physically remove an ATM from a site and then throw it in the back of their pickup truck, and drive off to some more convenient place to break into it without being observed by other people. That's sort of, like, what I would consider the very low-tech end of the scale.

Marcelle Lee: [00:04:24] But then there's also, certainly, what we would consider more of a logical attack, where you're connecting malware to an ATM, or basically infecting an ATM with malware, and that can be done a couple of different ways. It can be done in person, where you insert a USB, or maybe even a CD, kind of depends on the age of ATM and the malware, of course.

Marcelle Lee: [00:04:49] Or, you also have the skimming. So, the ATM skimming is more--it's going to steal customer information, as opposed to actually stealing cash from the ATM. There's so many different vectors, it's kind of amazing. And they're not that hard, really, any of them, to do. I read a statistic somewhere, that it's ten times more profitable to break into an ATM than it is to, like, physically go into a bank branch and rob it. So, it's probably safer to not have to go in, guns blazing, to a branch.

Dave Bittner: [00:05:25] Right, I suppose it's a nonviolent crime. You don't have to, you know, stick somebody up, and probably also not dealing with an exploding dye pack possibility. Although I have heard that ATMs have mechanisms in them that, if they're physically tampered with, that they can spray the money with dye defensively. Have you run into that in your research?

Marcelle Lee: [00:05:45] You know, I actually haven't come across that at all. You know, what I've found, really, is that ATM machines predominantly are older. They have older operating systems, the hardware itself is old. So that seems like it might be something relatively new that might be found, say, in an urban area where they're probably more likely to be updating things. But yeah, I hadn't come across that but it makes sense.

Dave Bittner: [00:06:09] Yeah. Well, let's talk about the skimmers and dig in here. I think that that's something that we hear about a lot, and it seems as though the sophistication of the skimmers, the ability for them to be disguised, to camouflage, to fit in, has really grown over time.

Marcelle Lee: [00:06:23] Yeah, and the interesting thing about skimmers is you can buy a skimmer. Like, you can go online today and buy a skimmer device. They're not illegal unless you are actually using them in conjunction with some kind of fraud activity. But skimmers are, they're built to just basically fit over the actual skimmer with the ATM. And so, there's really two things, right? There's the legit skimmer, which can either be replaced with a not-legit skimmer, or you can get an overlay that goes over the legit skimmer, and basically is sucking off the information that way.

Marcelle Lee: [00:06:59] So, two things are possible there, and really it just depends. So, if they've actually replaced a skimmer, that's going to be harder to detect, but if it's an overlay, that's where you could tug on it and see, is it loose, does it come off? If the skimmer comes off in your hand, that's probably not an ATM that you want to actually use. And I've been known--and these are on ATMs, of course, gas stations are kind of notorious for this skimming device addition--so pretty much any time I get gas, you can always see me tugging on the thing before I put my card in the slot.

Dave Bittner: [00:07:33] Yeah, I do the same thing. It's become a habit now, and I don't know what I would do if one came off in my hand. I guess I'd find a different gas station.

Marcelle Lee: [00:07:39] Yeah, I would be super excited because it would be awesome for research purposes.

Dave Bittner: [00:07:44] (laughs) Have you found one yet, or so far, so good?

Marcelle Lee: [00:07:47] No, I haven't. But I will say, I went to 7-Eleven one day, and I went to go get cash, because actually I was buying a computer from some guy off of Craigslist or something.

Dave Bittner: [00:07:58] You're just looking for trouble Marcelle.

Marcelle Lee: [00:08:02] (laughs) I know. Anyway, so I was going in to get cash, and the ATM machine was just in the process of rebooting. And I was so excited because I got to watch the whole start-up process, and see the Windows operating system launch in the background, which, that could be a whole nother thing to talk about for sure, like why is it Windows?

Dave Bittner: [00:08:23] Right.

Marcelle Lee: [00:08:24] And then, watching it launch into the scripts that start the actual ATM software and, you know, I'm just standing there watching this in a 7-Eleven with people coming and going, and nobody paid any attention at all. So, that's kind of the thing, you know, with these ATMs, people just, you know, depending on where they're located, nobody's really monitoring what's going on when you're standing in front of them.

Dave Bittner: [00:08:46] Right, and I suspect that that's, if you were looking to gather that intel, you could probably do that just by unplugging the box and plugging it back in. You could watch that whole boot routine.

Marcelle Lee: [00:08:56] Absolutely. Super easy to do.

Dave Bittner: [00:08:58] So, let's talk about some of the logical attacks, some of the malware based attacks, you know, rather than smashing-and-grabbing, or skimmers, or things like that. Take us through what, some of the research that you found, what are people doing on that side of things?

Marcelle Lee: [00:09:12] There's a variety of different ATM malware. At LookingGlass, we did a deep-dive on some malware called "Cutlet Maker," and this was a report that went out to our customers earlier this year, and the blog kind of launched from that. But, Cutlet Maker, it's kind of an amusing piece of malware, and, you know, I say that, obviously, with the caveat that malware is not really amusing, but the GUI interface for this one--I think I have a picture in the blog--and it's, like, you know, a funny little chef saying "Ho-ho-ho! Lets make some cutlets today!"

Marcelle Lee: [00:09:46] So, it turns out that cutlets are, just like we would think of, like, a chicken cutlet, as a dish or whatever. And these are very popular in Russia. But then, after I researched sort of the background of the word, it also turns out that the word "cutlets" in Russian, which is, like, "kotleta." I don't speak Russian, obviously, but it means, like, big wads of cash. So, that explained kind of what cutlets have to do with ATMs. So, that was the connection that I saw.

Marcelle Lee: [00:10:19] And, because of that Russian terminology, it kind of leads me to believe that this might have been built by somebody who was a Russian speaker. So, with the Cutlet Maker, you attach the malware, you connect the malware through USB. So you basically access a USB port, which is pretty much on the front of the ATM, underneath a panel.

Dave Bittner: [00:10:38] Oh, is that right?

Marcelle Lee: [00:10:40] Yeah. It's not hard at all.

Dave Bittner: [00:10:41] So, there's no key you have to unlock the panel, it's just, you can pry it off and there's your USB port?

Marcelle Lee: [00:10:47] Exactly. And even if there is a key, those keys are pretty generic, and if it fits into one ATM, it's going to fit into others. And, I mean, we can talk also about this more, but getting parts and things like that for different ATM machines is very easy. This stuff is for sale everywhere on the Internet, or you can buy yourself your ATM on eBay, or wherever. There's ATMs in, like, online stores. So, it's not hard to, like, if you wanted to practice this at home, or mess around with the different parts, that stuff is available.

Marcelle Lee: [00:11:22] So anyway, once you plug a, basically, a USB hub into that port. And then, to that you're going to attach a keyboard, because you need a keyboard for this, and then a thumb drive with the malware on it. And that's what starts the infection process. So, you launch the malware and it comes up with this GUI screen.

Marcelle Lee: [00:11:45] And there's three pieces of separate malware, or software, that you need to use together. So, there's the Cutlet Maker executable, and then there's something called "Codecalc," which is literally just a code generator. And then, another program called "Stimulator," which basically tells you what's in each of the cassettes in the ATM machine. So, the cassette is where the cash sits. So, it'll tell you, you know, there's four cassettes and each cassette has X amount of dollars in it, or the one we were looking at actually referenced rubles, not dollars, so I guess it just depends on where you are, of course.

Dave Bittner: [00:12:26] Right.

Marcelle Lee: [00:12:26] So, once you launch the GUI interface, and you enter the code based on this code calculator--it's almost like a token kind of thing--and then you check to see what's available to that Stimulator program, and then you hit a button that dispenses the cash. So, it's relatively simple, and it happens fairly quickly too.

Marcelle Lee: [00:12:46] So, that particular malware was built for Wincor Nixdorf ATM machines, and most ATM malware is geared towards a specific manufacturer, just because you have to kind of know, like, how it operates, and just, like, the cassette configuration, and all that.

Dave Bittner: [00:13:04] Now, have they patched that? Do the manufacturers keep up with these sorts of things?

Marcelle Lee: [00:13:08] In the research I did, it would appear the answer would be no. And there's many reasons for that. There are so many ATM machines, as we've already discussed. I had a number somewhere that, like, three million ATM machines?

Dave Bittner: [00:13:22] Yeah, I think that's right.

Marcelle Lee: [00:13:24] So, there really isn't a lot of benefit for, say, a financial institution to update an ATM versus the cost involved with doing so. They're not typically networked in a way that makes it easy to just push out a patch, or an update or something. Somebody is going to basically have to physically visit that ATM, so just in terms of scaling that, some tech has to go out every single ATM. That's going to take a long time, and it's not even just maybe doing a patch or an update. A lot of these machines are running really, really old operating systems, so you really would have to do a total revamp.

Marcelle Lee: [00:14:05] And then, is the actual ATM software going to work? Maybe, maybe not. So, it's a pretty big undertaking to actually do those kind of, like, updates or patches, which is why the malware continues to be used, because nobody's really preventing it.

Dave Bittner: [00:14:22] And so, it's a numbers game for the banks where it's, I guess, the frequency of these machines being hit and being emptied out is low enough that it costs them less to just let that happen, rather than having to go out and update and patch millions of machines.

Marcelle Lee: [00:14:38] Exactly. And, you know, maybe we'll see that reverse if we are having more ATM attacks happening right here in the States. But I don't know. You know, it's hard to predict which way that would go. But it is an interesting thing. I read somewhere, ninety-five percent of all the ATMs were running Windows XP. And this is as of, I think it was like 2014, 2015. It's hard to find, like, super current stats on ATMs, but most of the research I had come across was from a couple of years ago. But yeah, Windows XP, as we know, is not supported at all and extremely vulnerable to all sorts of things. It's a big issue.

Dave Bittner: [00:15:17] Yeah, it's interesting situation. Like, my initial thoughts are, well, why would they be allowing this to happen? But I guess, as we said, if there's that many machines out there and they're not easy to update, I guess it's a matter of slowly, over time, these machines being replaced. I mean, is there a push for newer machines to be, are there newer machines out there that can be accessed remotely as the inventory of machines out there get replaced?

Marcelle Lee: [00:15:43] I've not actually seen that yet, because just the idea of networking an ATM like that also has its own issues, right? Because then you're looking at more network-type attacks coming in. Whereas now, because of how they're configured, you can't really access an ATM easily by the network. So, that's kind of like, you know, which is going to be the better option? If you make them networked so they're easily accessible for updates and stuff, are you just opening, like, a new vector for infection that people can come up with attacks to do things that way?

Dave Bittner: [00:16:19] Right. Now, is there any sense that the banks are worried about this? I mean, I can imagine there's, if I got my card skimmed at my local bank, that would certainly hurt what I thought of that organization and, you know, are they out there trying to prevent that reputational damage?

Marcelle Lee: [00:16:36] I don't think that it's really viewed as a reputational issue, at least not here in the States. And even if your credit card gets skimmed or whatever, like, I feel like it's such a common thing these days that nobody would, like, I don't know. It happens to me so many times, like, I'm kind of immune to it. Well, not immune, but inured to it, I guess, is the word I'm looking for.

Marcelle Lee: [00:16:57] But even so, if my card gets hacked someplace, I'm not going to blame my bank. I'm going to blame, like, wherever it happened, and chances are I might not even know where it happened, so it's just more of like a nuisance that you deal with and move on.

Dave Bittner: [00:17:12] I mean, it's an interesting thing. You're right that, I think, people tend not to blame the bank. I find myself, very often, you know, using analogies when it comes to a lot of this malware, using analogies related to the medical system. And I think, even if I get a flu shot, if I get the flu, I don't really blame my doctor. You know, like, we all just kind of say, well, you know, maybe I decreased the odds of myself getting the flu, but if I get the flu, well, sometimes you get the flu.

Dave Bittner: [00:17:44] And I feel like, perhaps that's where we are when it comes to these card breaches, or getting your credit card stolen, that we're all out there, and if you're using it, there's odds that someone might get it sooner or later, and that's just one of those annoyances of modern life, I suppose.

Marcelle Lee: [00:18:01] Yeah, absolutely. The part that gives me pause, as a consumer, is that, obviously, there's a cost associated with all this loss, and the banking industry is not probably going to be absorbing that cost, right? It gets passed on to the consumer, in terms of increased fees, and things like that.

Dave Bittner: [00:18:19] Right.

Marcelle Lee: [00:18:20] So, ultimately it does kind of hit our bottom line. But, it's like the cyber thing, and nobody's, like, really at fault, it feels like, except for some mystery hackers someplace that, you know, nobody actually knows who it is.

Dave Bittner: [00:18:35] Yeah. I do find it a little frustrating when, for example, like, the gas stations don't have the chip-and-PIN technology yet. So, if there's someone that I interact with all the time, like, I would love to use the payment system on my phone. Something like Apple Pay, which has an encrypted token, so that's more secure than swiping my card. I would love the option to do that. But you have gas stations, for example, here in the United States, seem to be lagging behind. They say, oh, it's coming, it's coming, but, in the meantime, you know, we're getting, it's not as safe as it could be, even with the technology that's available.

Marcelle Lee: [00:19:11] Yeah, it's, I don't know, I feel like we're very backwards here in the States, and I don't know if it's just pushback because of the cost of having to retrofit or replace things. But if anybody's been to Europe in the past few years, it's like they've been doing chip-and-PIN for a while. It's nothing new over there. In fact, if you turned up with a credit card that doesn't have a chip, then they're not always quite sure what to do with it, I discovered.

Dave Bittner: [00:19:34] Oh, interesting.

Marcelle Lee: [00:19:35] Yeah, so it is much more secure, and, I mean, personally, I use the mobile payment app on my phone wherever I can, and I always wish it was more available. Like you said, like, at a gas station would be awesome. But yeah, it's just not prevalent at all.

Dave Bittner: [00:19:52] Do you have any general advice for folks, you know, both on the banking side of things and the consumer side of things? You know, what are the ways, I'm sure we all interact with these machines fairly regularly. Are there any of these general hygiene tips that you have, ways that we can reduce the chances of us falling victim to these?

Marcelle Lee: [00:20:11] Well, yes, and more from the consumer side of things. And this is really just sort of ATM safety in general, right? But if you're frequenting an ATM that's actually at a bank, or some financial institution, it's a well-lit ATM, it's got video cameras, all that good stuff. It's less likely that that particular ATM is going to be, you know, have malicious activity going on.

Marcelle Lee: [00:20:36] Actually it's kind of funny, I was just thinking this morning, in downtown Annapolis, this is not there anymore, but years ago there used to be an ATM machine that was literally in the wall in an alleyway off of Main Street, if you're familiar with downtown Annapolis and how that's set up. And so, I don't know who thought to put an ATM machine in an alley, but that would be a perfect place to use some malware.

Dave Bittner: [00:21:01] (laughs) Right, right.

Marcelle Lee: [00:21:01] So yeah, it's just, you know, it's the same kind of tips for any kind of ATM safety, and just the simple things like tugging on that skimmer to see if it comes off. And then just being vigilant about watching your card transactions. A lot of people don't even pay attention, so they might not notice if there has been some malicious activity on their accounts.

Dave Bittner: [00:21:23] Yeah. Covering yourself when you punch in your PIN so people can't look over your shoulder.

Marcelle Lee: [00:21:28] Yes, absolutely. And those are pretty standard things. But yes, that would be my advice. And I don't really have advice for banks, other then consider using not a Windows operating system in your ATM machines. Just a thought.

Dave Bittner: [00:21:45] Our thanks to Marcelle Lee from LookingGlass Cyber Solutions for joining us. The research we discuss today is titled "ATM Hacking: You Don't Have to Pay to Play." It's on the LookingGlass website, in the blog section.

Dave Bittner: [00:21:59] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:22:07] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:22:15] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.