Hello. I'm an OS and I work in hardware security. I'm an engineer who likes to defend stuff. My blood is blue to the core and I'm not the greatest fan of the offensive side, especially when it becomes a war side like, you know, kill chains, cyber warfare, cyber torpedo, cyber anything war related. So that's my perspective. That's my view on the topic that we're presenting today. I've never been in a black hat just the same. The only crime that I like to commit very often, and way too often, is to put cream into my carbonara, and my pizza is something to kill for. I'm an expert on hardware security and engineering. I know stuff about networks as well: level one, level two communications, not only using TCP/IP but also other protocols. My confidence stops on the higher levels, especially on the web levels, but I'm an expert on the lower levels. I believe that in the context of this talk, that's enough about me. I just know what I'm talking about here. You have to trust me. There are plenty of other resources on ATMs and truly fantastic talks about ATMs. However, they tend to focus on malware, on jackpotting, so basically the software side. That's very much not my view. So I will only touch on the subject for completeness, but you have to look elsewhere if you want to find out about malware and jackpotting specifically. I would instead like to focus on some views on how it works, how the ATM attacks work from the view of a person who works with the stuff day to day. I will be presenting YouTube videos. I would like to present them in a way that is relevant to what I'm talking about instead of just linking you to the videos. It would be much easier for me to get you to my crime lab and just show you around, show you the stuff that we're working on, but you should probably understand this is not possible. So instead, I will just link and show the videos that I know are actually relevant and real.
As I mentioned also in the abstract of this talk, this talk, this presentation, is not for criminals, so I will not be dropping any zero days. There will be nothing to lead you on how to do an ATM attack, how to get money from an ATM. If you want to do this, you have to do your own research. If you want to waste your life on crime, fine by me. However, you will not find it from me. Also, I have a European perspective on the topic. The difference between the European and American markets is that the US has a lot more old ATMs. Obviously the US also has new ATMs, but there's very, very, very much of the old stuff still hanging around, which means the attacks are less sophisticated because the criminals will go after the low-hanging fruit. They will not be attacking the new ones. They will be attacking the old ones. In Europe, it's quite different because most of the ATMs are fairly new or spanking new, so the attacks by definition have to be more sophisticated. And also in the US, you can buy an ATM and do research on it. In Europe, not so much, so that's just the difference. So again, my perspective is just a European perspective on the topic. Who is the talk for then, if not for criminals? My personal goal in life is to have a farm and herd goats, and make goat's cheese. However, before that happens, I want to help and bring a change into the security of normal people, because one of the reasons why I'm working in this field is that ATM crime hurts the poorest people the most. So I want to make it more secure for people who want or have to use ATMs for cash. For me, ATMs are very interesting pieces of equipment because they combine a lot of aspects of engineering, security engineering. So you start from physical security. You go through hardware security, Windows security, network security. Many things have to fall in place for this device to work properly and in a secure manner.
Change happens at the bottom, not at the top. So if you work in an organization or you work in law enforcement and want to help with this, maybe you could try and move yourself into this area that works with ATMs, because honestly, the more people work on this, the better. Not many organizations, not many law enforcement groups even have specialized cells that work on this problem. So I think this is what's behind the talk. I want to convince you, or maybe just try to push you in the right direction, on ATM research. ATM security is hard because it tends to be kept under wraps by vendors. So many times it's a case of security by obscurity, or security by making it someone else's problem, basically. I have to say that I'm not a fan of it. That's not saying nearly enough, but this is just the reality and the common practice, especially in the industries that deal with money or secret stuff in general. Normally you cannot get access to an ATM, much as you cannot get access to a commercial or financial-grade hardware security module. Unless of course you are a criminal, but I will get to that in a second. I know about buying ATMs and I know that some people, even in Europe, have their own ATMs to play with. However, I want to stress that it's also very important to have an ATM that's connected to an actual network. It's working. The vendor keeps it updated. The operator, you as an operator, are also keeping it updated, because also in terms of hardware security, many of the problems that researchers are discovering have already been fixed. So I'm not trying to say this to discourage you, unless you work for law enforcement or work for an ATM operator. You cannot do this. You can, but you have to be aware that being connected to the network and being connected to the backend is also important. It's very important and it sometimes does change a lot in the research that researchers are presenting. And I'm not trying to discourage you.
I'm just trying to make you aware that this is how it works. And sometimes it just may be a waste of time to try to do this, not knowing the full context of where the ATM works and how the ATM operates. Also, ATM security is hard because it's sometimes hard to push a change forward, because this is a hardware device. If you have a hardware problem, if a hardware fault or hardware vulnerability is detected in an ATM, even though you don't have to replace the whole part, the whole ATM, you still have to make the vendor change something in the factory or the new parts; create a new piece, a new element of the ATM that has to be shipped, has to be replaced. It all costs money. So those changes, I mean, first of all, the devices as they are, they are very well designed from the start. However, if there is a problem like this, it will take a very long time for the physical patch to be applied. But that's also true in many other areas of security, right? It's not our role to be manufacturing. It's our role to be trying to defend stuff, to try to detect stuff. So again, this is not discouraging. This is not me trying to discourage you, but you just have to be aware that there's a lot of lag between detecting a problem and actually being able to fix it. So in the beginning, there was nothing, but then something happened. And from no space in no time, the universe started and, long story short, blah, blah, blah, we have ATMs. I'm saying this because I don't want to bore you about the history of ATMs, because you can read up on this. What happened 20, 30, 40 years ago, it doesn't really matter. What matters is that we now have ATMs and we just have to live with them. And this is the only boring statistic that I will show you in this talk. But actually, I think it's very important. Yes, this is from 2018. Obviously, the virus has changed a lot of stuff, but still I think it's quite surprising that in 2018, 87% of payments in Spain were made in cash.
I mean, obviously, there are many reasons behind it. And we know some do it for privacy. Some of this is just criminals, because obviously cash is better for crime. So that's not the issue. The issue is that cash is still king, and I myself haven't used an ATM since late 2018. Not because I work with ATMs, not because I think they are insecure, unsecured, not secure. I just don't have a use for cash anywhere, and virus or not, it's just what it is. But I understand that ATMs, and we all have to understand that ATMs, are here to stay and they are not going anywhere anytime soon. I think that would be just about enough of rambling and talking about boring stuff. Let's get to something more interesting. Well, first of all, an ATM is much more than just a PC, but at its core it's just a Windows PC. And luckily it's not Windows 98. You probably will be able to find some Windows 98 based ATMs, but definitely not the majority. So yes, a Windows PC and a lot of peripherals. Those peripherals in modern ATMs are connected by USB. In the older ones there were UART-based protocols, RS-232 or RS-485 or something else. I will talk about how they communicate a bit later when I will be mentioning jackpotting. However, what's actually inside, right? I was looking for a good diagram or a block chart of what's inside the ATM, but everyone is getting it wrong. And it's just clouding the issue here. So I just want to talk to you about what's important for us and what's boring. So first the boring part: receipt printer, display, security camera, all the sensors, all the trip switches. This is important, but not as much. I mean, the least important part is the receipt printer, obviously, because you cannot get much from it anyway. For that matter, the bottom part of the ATM, the bottom part of the ATM is the dispenser, which is getting the cash to you. And sometimes there's a deposit machine, which is getting the cash from you to put into your bank account.
And those two, one or two devices represent one angle of attack where the criminals will go after the bank's money, the bank's or operator's money. And sometimes it's between the bank's money and you, right at the moment when you want to take your cash. So this is one group of attacks. And the other set of interesting things is the card reader and the PIN pad. Those types of attacks go after your card number. And that's what I want to present to you later. A bit of attacking the dispenser, attacking the cash, and a bit of attacking your card data, basically. But first, I mentioned earlier that it's hard for you to get a hold of an ATM in Europe, again, unless you are a criminal. How do criminals get their ATMs then? Well, they just don't mess about. I'm talking here about two types of attacks. One of them is blowing up an ATM and taking it home. I won't spend much time here on this vector because the prevention is very much up to vendors. And honestly, newer ATMs are much more protected against those types of attacks than the old ones. But obviously criminals will always go after the low-hanging fruit. So yeah, they will just pump the ATM with gas. They will blow it up. The safe will pop open. And if they're lucky, they will get money from the cassettes, from the dispenser. Sometimes it works. Most times it doesn't. Sometimes they kill others. Sometimes they kill themselves. But you know, that's criminals for you, right? So that's one way. And yeah, mostly they are after cash. But obviously if you have an ATM open like that, you can take other parts and take them home. And later I will explain why this is important for them. So that's one way, blowing it up. The other way is kind of like a hold-my-beer situation when people just take the initiative and work from home. So yeah, they will just get a digger and take it off the wall, load it onto a van and take it home. And usually they get caught.
However, if they don't get caught, you know, they will probably go after cash again. They will try to drill the safe, take the money out. But the parts will land somewhere, right? Eventually they will find a way to people who actually need them. But if all fails, you can just go online and buy stuff from China, obviously, because that's where they're made anyway. Big gangs have the money, have the facilities to do this. And this is obviously a big business. So this is why they are doing this. So as I say, if you are a criminal gang who's doing this professionally, you just buy stuff online and have it at your place and you'll be able to work on a known good part. So there's no way of preventing that. And also, last but not least, there's also the insider threat, where criminals convince employees one way or the other to doctor the documentation or just to take the parts out of the factory. Long story short, criminals have more or less free access to ATM parts. And really there isn't any point in trying to pretend that it isn't so. A lot of security around ATMs relies on stuff being secret. The reality is that if you are a researcher, especially an independent researcher, you have no way to get this. But if you are a criminal, there's no limit. So we have to assume that criminals get access to an ATM, a working ATM. They have either the drive or the whole PC that's running the ATM. If they get a drive, it's most likely full-disk encrypted. So it's like the end of the road. If you just have a drive, even if it still works, you're not getting anywhere. If you have a Windows PC, you can hack into this. There are plenty of ways to do this. Especially if it happens that the PC that you took was a Windows XP one; it's very unlikely. However, again, criminals will go after the low-hanging fruit. So it doesn't matter that you have a million ATMs running Windows 10, but if you have 10 running Windows XP, they have the same cash in them. So they will just go after them.
Again, I have to remind you that malware is not my area, so I will just briefly touch on that. But what's interesting for me in this type of attack, which is jackpotting, is the initial attack vector, because you have to connect to a USB cable. You have to just find the USB cable, connect to it, and pretend you're a HID keyboard. And when you have a HID keyboard, you're probably very well aware that from this, depending on the security on the ATM, it's very easy to very hard to upload malware. After you upload your malware, you hook up to a process that's controlling the dispenser, and you have a jackpot. This one is one of my favorite ATM families, and it's only my favorite family because it references food. That's all there is. I don't like it in particular. I said hook up to a process that controls the dispenser, so here's a short version of it. Again, find yourself a talk about ATM malware; they will be better at this than me. The protocol used to control financial devices is open. It's basically available. You can look it up, you can see all the calls, you can see all the procedures. It's not as simple as just sniffing the USB line and finding the right commands, mostly because they have vendor extensions to it. The devices have to be able to communicate between themselves using this protocol, and the ATM talks to the backend using this protocol. However, different vendors use their own L1, lowest layer, of communication. But long story short, if you have the spec, which is public, and if you have your Windows PC that is running, you can find your software, the part of the software that's controlling the dispenser, you can find the right procedure call and develop your malware just like you develop any other malware. Apart from the initial attack vector, it's just the same as any other malware in terms of developing this and in terms of trying to prevent this from happening.
I said USB, I said local attack vector, because this is the most common attack vector, because it's just the easiest one. Incidentally, a few days ago, Europol tweeted about arresting a gang of criminals who were able to remotely access the ATM, and after looking at this, I knew exactly that it was no remote access. Because when I saw "remote access", I was very jumpy, because that's something new. Actually, it wasn't remote access, it was just... Even in the tweet, you can see that the tool they're using, this is just a local tool to cut a hole in the ATM. Get to USB, same MO as every other, almost every other malware. Get to USB, connect to USB, profit. Assuming you have your ATM, you manage to open the safe, which is where the dispenser sits, and the dispenser still works. What can you do with it? First of all, you have to marvel at its beauty and complexity, to quote the famous movie. I love this piece of equipment because it's so well engineered. Obviously, it has to be well engineered, but the mechanical complexity and the number of sensors on it, it's just amazing. I really love this; this is my favorite part of an ATM. However, going back to criminals. The dispenser and its counterpart, which is the deposit machine: the dispenser takes the money out, the deposit, obviously, does it the other way. The attacks are about trapping the cash between the cash cassette at the bottom and yourself. So those devices are being called cash trapping devices. So what happens is you go to an ATM, you put in your card, you go through the process, you take the card out, the machine is beeping, take your cash, but there's no cash, right? The thingy opens, or it doesn't open. The machine is saying, you know, pick up your cash because you have 30 seconds, blah, blah, gone. In that moment, most likely what has happened is you have been a victim of cash trapping fraud. Hardly ever does an ATM break in a way that it cannot dispense cash.
Most likely when it does this, there's some device there that in a way prevented the cash from appearing outside and from you being able to take it. So what I'm showing here, this is one of the simplest cash trapping devices. Because to develop that, you don't actually need a dispenser. If you are a good engineer, you can just work it out on your own. But the principle is the same. The cash is coming out from the dispenser. It's not presented to you, so you cannot take it. The dispenser is trying to take it back, but it cannot, because it's trapped, right? In a place that's accessible from the outside, to the person who's operating this cash trapping thingy. Now, obviously, there are far more sophisticated attacks than these. And for those, you actually need the dispenser. So that's why I started talking about getting access to ATM parts. Why is it important for big gangs to have access to those parts? Yes, because you can develop a far more sophisticated device that will not be seen from the outside. It also will prevent the ATM from shutting down, because the new ATMs, they can detect this kind of stuff happening. So it can detect that the cash didn't come back. So yes, they would trap one transaction, so at least one note. But then it will say, you know, I'm out of service. Like, please fix me. That's why criminals are trying to get access to those devices and do something to be one step ahead. Because if you can only trap one transaction and the ATM is dead, the service team has to come and fix it. And obviously, that's just not worth the time. So how do you reckon this is being addressed? And it's actually very interesting, because this is one of the not so many places where machine learning is being used extensively. Because what happens when a criminal plants a cash trapping device, they have to do certain things. They may be out of order, they may be out of the normal sequence of things that are happening on dispensers.
As I said, dispensers, ATMs in general, have many sensors. Machine learning can learn to distinguish between normal operation and when something like this happens. So this is my ask to you, actually, if you can be bothered, obviously, because sometimes we just don't care. But if you can be bothered, if it happens to you, there's usually a number on the ATM you can call; please call them and tell them that this happened. Because this helps to prevent this crime. In the long run, obviously, it will take a lot of models, a lot of data to train the models to recognize this pattern properly. However, it starts from this: that the people running the ATMs know that something happened, and they can correlate the moment that someone called them with all the logs, all the data. So yes, this is how, unless you're working in this industry, this is how you can help. Again, if you can be bothered, please, please, please call them and tell them that this happened. So now let's move to my favorite part, stealing card numbers. When I say it's my favorite, it's obviously not because I like stealing card numbers. I just like working on this part the most, because this is the most sneaky crime there is in terms of ATM security. And similar to cash trapping, sometimes it does affect end users, customers. And what pisses me off is that the poorest people will be hit the most. Because if you are a single mom with one bank account, one card, and two kids, and having to pay for some stuff with cash, and then suddenly you find out you cannot use your card because it's been blocked, because your card number has been stolen and the bank has actually detected it, or cash trapping happens to you, which means you will not get your cash but the cash doesn't go instantly back into your bank account, you're pretty much screwed. So that's why it makes me so angry at this type of crime, and I'm very, very keen to work on trying to fight it.
The other thing about this type of crime is also something that pisses me off, like many things piss me off. But this actually, this is important, because it's not only the crime itself, but how people will get their card numbers and convert them to cash that's important. Important and easy. So one of the ways they are doing this is they clone your magstripe, they put it on a different card, they print it, they emboss it so it looks legit, and then they will ship it to a country that's predominantly using swipe and signature. So for example, the US. Then they will go to a store that's using this type of payment because, you know, they know where to go basically. And they will buy something expensive, semi-expensive, so for example, $1,000 for a laptop, and then they will go and sell it for $500, on Craigslist or just on the street. That's $500 of cash. So that's one angle. The other angle is obviously using those cards online. And here the problem is that merchants, some merchants, especially the one big merchant that went to space, are not checking the CVV number. The CVV, the security code that you have at the end of your card number. It's not stored in plaintext on the magstripe, but it doesn't matter, because that mentioned merchant is not checking for it anyway. Neither is it checking for a name or address, but that's a different thing. Also, I buy a lot of car parts from the US and I know that many merchants there, when I'm doing this online, will just ask for my card number, expiry date, name and address, which they check or not. Why are you doing this? Why are you doing this? Stop doing this, because you are enabling crime. You're just making it easier for them. But anyway, that's a rant and this won't change anytime soon. However, how do they actually do this? So because this is a magstripe, you just have to record the magstripe and then decode it. There's no encryption on the card number and expiry date anyway.
I like to call it a lame attack because it's not as popular as it was some years back. Basically, what happens is you put the reader, the magnetic reading head, in the path of the magstripe. So in this case, this reader is being put on the fascia. So on the outside part of the ATM, which is why it was sort of easy to detect it by wiggling parts, seeing if something falls off. And obviously, always accompanying this reader is a camera somewhere that has visibility on the PIN pad. So the criminals correlate the data, the time data from the card reader and the time data from the camera. They have the card number and the PIN. On this still, you can see how it actually looks inside, and the pattern is always the same. So we have your magnetic head here and then you have three elements that are always present. So there's a magnetic card decoder. You have the controller, which is usually an ATmega32, and you have flash storage. Flash storage is like gigabytes. Basically, in terms of card numbers, it's unlimited storage. So that was before. Nowadays criminals have moved to something more vicious, I would say. They moved to deep inserts. So basically, this whole contraption is being put inside the ATM, and the brutal reality is that you as an ATM user have no way of detecting it. The ATM operators, the ATM vendors do have methods against this. And nowadays, they do work, actually. But you as a user have no chance. So this is, as with the other videos, I will obviously link it in the show notes. However, I just want to show the stills from it, as the whole newscast is pretty boring. The two important stills are these. This just shows you how the shape has been worked out, and you still have the same elements that you had before. On the previous one, you have your magnetic head reader. You have your battery. The battery lasts maybe one, two days.
And again, on the PCB, which you don't see as a PCB, but there's a PCB there, there's a magnetic head, the magnetic stripe decoder, the controller, and the flash storage. Again, flash storage is like unlimited, pretty much. And on the other one, on the second one, you can see how thin it is. The card is 0.7 millimeters. It's thinner. So they are managing to put all the electronics, the battery, the card, the magnetic head reader on this piece of metal. And the whole thing is actually thinner than the card. So they just have to come in, snap it in, put it inside. And obviously, after some time, they have to take it out. So it's like a two-way operation, but it's the same as with the outside one. So it's no different. How do you actually make this? You know, because the shape is quite complex. And this is where I'm coming back to the availability of those parts. I don't think anyone would just go and blow up an ATM or take it with a digger to get the card reader, because you can just buy them on eBay. And that's the reality. You need the card reader to work out the shape, work out where the things touch, right? You have to work out the actual depth of the device. You cannot do this without having access to a card reader. And again, some would assume that because this is a secret ATM part, you shouldn't be able to have access to it. But as I said before, many times in this talk, they do. And they actually, they are quite sophisticated in working out those details on those deep inserts. So long story short, this is the most advanced hardware attack on an ATM. However, similarly to detecting cash trapping, again, machine learning helps. There are ways to detect those skimmers in time, before they actually are being used. So even, you know, even if they managed to put it in, because preventing that would require a hardware change, the ATM would shut down. And this will be a loss to the operator, but obviously saves a lot of trouble for the customer.
So, yeah, we are getting better at this. The vendors are getting better at this, but this is still the most, I would say, sophisticated method of attack on the card data. So that's basically all the time I have been allocated for this topic, for my talk today. But I did manage to cover the two most interesting things, the two most interesting things for me, which are cash trapping and card number stealing and deep inserts. My goal was to try and show you the problems that you have to work with or against when you're working on ATM security, or basically people's security. It's quite similar to any other law enforcement work, but in many respects it's different, but it's also information security. I treat it as information security because it crosses many fields; however, at the end of the day we are trying to protect something. And again, not wanting to be cheesy and, you know, playing on emotions, but for me this is trying to help other people and this is trying to make the world a little bit better any way I can. Thank you very much for watching me. Thank you very much for staying with me for those 40 minutes and yeah, see you around.
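The talk describes how cash trapping is caught on the operator's side: the dispenser reports a sequence of sensor events per transaction, a trapped transaction breaks that sequence (notes presented, never taken, and not all of them retracted), and a customer's phone call is correlated with the logs around that time. The following is an added example, not code from the talk or from any ATM vendor, showing that correlation logic over a constructed dispenser log. The log format, the event names (`DISPENSE_REQUEST`, `NOTES_STACKED`, `SHUTTER_OPEN`, `NOTES_PRESENTED`, `NOTES_TAKEN`, `PRESENT_TIMEOUT`, `RETRACT_START`, `RETRACT_DONE`, `SHUTTER_CLOSED`) and the transaction data are all assumptions made for this example; real dispenser telemetry (XFS/vendor formats) looks different, but the same three checks apply: is the event sequence one of the normal ones, did the retracted note count match the stacked count, and which flagged transaction sits within the reporting window of a customer call.

```python
"""Toy dispenser-log correlator for cash trapping detection (constructed example).

Log format and event names are assumptions for this example, not a vendor format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log for one dispenser, four transactions:
#   1001: normal withdrawal, customer took the notes
#   1002: notes presented, never taken, retract brought back 0 of 4 -> trapping indicator
#   1003: notes presented, never taken, all 2 retracted -> customer just walked away
#   1004: NOTES_PRESENTED without a preceding SHUTTER_OPEN -> out-of-sequence sensors
SAMPLE_LOG = """\
2024-05-01T10:00:01 txn=1001 DISPENSE_REQUEST notes=5
2024-05-01T10:00:03 txn=1001 NOTES_STACKED notes=5
2024-05-01T10:00:04 txn=1001 SHUTTER_OPEN
2024-05-01T10:00:04 txn=1001 NOTES_PRESENTED
2024-05-01T10:00:09 txn=1001 NOTES_TAKEN
2024-05-01T10:00:10 txn=1001 SHUTTER_CLOSED
2024-05-01T10:05:01 txn=1002 DISPENSE_REQUEST notes=4
2024-05-01T10:05:03 txn=1002 NOTES_STACKED notes=4
2024-05-01T10:05:04 txn=1002 SHUTTER_OPEN
2024-05-01T10:05:04 txn=1002 NOTES_PRESENTED
2024-05-01T10:05:34 txn=1002 PRESENT_TIMEOUT
2024-05-01T10:05:35 txn=1002 RETRACT_START
2024-05-01T10:05:40 txn=1002 RETRACT_DONE notes=0
2024-05-01T10:05:41 txn=1002 SHUTTER_CLOSED
2024-05-01T10:20:01 txn=1003 DISPENSE_REQUEST notes=2
2024-05-01T10:20:03 txn=1003 NOTES_STACKED notes=2
2024-05-01T10:20:04 txn=1003 SHUTTER_OPEN
2024-05-01T10:20:04 txn=1003 NOTES_PRESENTED
2024-05-01T10:20:34 txn=1003 PRESENT_TIMEOUT
2024-05-01T10:20:35 txn=1003 RETRACT_START
2024-05-01T10:20:40 txn=1003 RETRACT_DONE notes=2
2024-05-01T10:20:41 txn=1003 SHUTTER_CLOSED
2024-05-01T10:30:01 txn=1004 DISPENSE_REQUEST notes=3
2024-05-01T10:30:03 txn=1004 NOTES_STACKED notes=3
2024-05-01T10:30:04 txn=1004 NOTES_PRESENTED
2024-05-01T10:30:08 txn=1004 NOTES_TAKEN
2024-05-01T10:30:09 txn=1004 SHUTTER_CLOSED
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) txn=(?P<txn>\d+) (?P<event>[A-Z_]+)(?: notes=(?P<notes>\d+))?$")

# The two sequences a healthy dispenser produces (assumed for this example).
NORMAL_TAKEN = ("DISPENSE_REQUEST", "NOTES_STACKED", "SHUTTER_OPEN",
                "NOTES_PRESENTED", "NOTES_TAKEN", "SHUTTER_CLOSED")
NORMAL_RETRACT = ("DISPENSE_REQUEST", "NOTES_STACKED", "SHUTTER_OPEN", "NOTES_PRESENTED",
                  "PRESENT_TIMEOUT", "RETRACT_START", "RETRACT_DONE", "SHUTTER_CLOSED")
SUSPICIOUS = ("suspected_cash_trapping", "out_of_sequence")


@dataclass
class Finding:
    txn: int
    started: datetime
    verdict: str
    stacked: int = 0
    retracted: int = 0


def parse_log(text):
    """Group log lines into {txn: [(timestamp, event, note_count_or_None), ...]}."""
    txns = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        notes = int(m["notes"]) if m["notes"] else None
        txns.setdefault(int(m["txn"]), []).append(
            (datetime.fromisoformat(m["ts"]), m["event"], notes))
    return txns


def classify(events):
    """Return (verdict, stacked, retracted) for one transaction's event list."""
    names = tuple(e for _, e, _ in events)
    stacked = next((n for _, e, n in events if e == "NOTES_STACKED"), 0)
    if names == NORMAL_TAKEN:
        return "ok", stacked, 0
    if names == NORMAL_RETRACT:
        retracted = next(n for _, e, n in events if e == "RETRACT_DONE")
        # Notes that left the stacker but never came back are the trapping signature.
        if retracted < stacked:
            return "suspected_cash_trapping", stacked, retracted
        return "retract_ok", stacked, retracted
    return "out_of_sequence", stacked, 0


def analyze(text):
    """Classify every transaction in the log; returns {txn: Finding}."""
    return {txn: Finding(txn, ev[0][0], *classify(ev)) for txn, ev in parse_log(text).items()}


def correlate_report(findings, reported_at_iso, window_minutes=15):
    """Suspicious transactions that started within the window before a customer's call."""
    reported_at = datetime.fromisoformat(reported_at_iso)
    window = timedelta(minutes=window_minutes)
    return sorted(f.txn for f in findings.values()
                  if f.verdict in SUSPICIOUS and timedelta(0) <= reported_at - f.started <= window)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found.values():
        print(f)
    # A customer calling at 10:12 is matched to transaction 1002, not to 1003 or 1004.
    print("call at 10:12 ->", correlate_report(found, "2024-05-01T10:12:00"))
```

Transaction 1003 is deliberately benign: the retract counter brought back every note, so it is a forgotten withdrawal rather than a trap, and it is exactly the case a naive "timeout means fraud" rule would get wrong. Transaction 1004 is flagged only because the sensor order is impossible for a healthy unit; whether that means a trap, a jammed shutter or a faulty sensor is for the service team to decide, which is why both categories are surfaced rather than one.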