
How is an ATM secure? - laurent123456
http://security.stackexchange.com/q/32917/1873
======
GFischer
I wouldn't say ATMs are secure, they're regularly stolen here in Uruguay, and
in Argentina as well (just 3 days ago they stole 1 million from one (1), and
one was stolen today here in Uruguay ).

They're regularly lifted and carried away here in Uruguay, one police officer
said:

 _""ATMs are still being stuck to the ground with glue," said one visibly
angry commissioner yesterday morning (March 22nd), investigating the unusual
theft of yet another ATM, which was completely lifted by thieves, who took it
"like a bag of brownies". This time, they "lifted" the cashier that was
installed in 4896 between Ariel and February 28 streets, just two blocks from
the Sayago mall , and took it away after opening the glass door with a
magnetic card."_

Plus, they're error-prone, I've been victim of such an error several times
(the ATM failed to give me the money but withdrew from my account, which
SHOULD NEVER HAPPEN), in one of the cases I never got my money back (from Bank
Boston Uruguay, which is now Banco Itaú). I'm of a mind that, for small
amounts of money, you're better off having it "under the mattress" that in a
bank (see: Cyprus, unresponsive banks, etc...). We've had a Cyprus-like bank
freeze here in Uruguay, and much worse than Cyprus in Argentina (they forcibly
turned their dollars into worthless pesos a few years ago (3) ).

(1) <http://www.ambito.com/noticia.asp?id=680399> (in Spanish)

(2) [http://www.lr21.com.uy/justicia/25139-otro-cajero-
automatico...](http://www.lr21.com.uy/justicia/25139-otro-cajero-automatico-
volo-en-la-madrugada) (in Spanish)

(3) <http://en.wikipedia.org/wiki/Corralito> (in English)

Edit: by the way, the faulty ATM in my case was an (old) Diebold machine. So
you can imagine I wouldn't trust one with my vote either :P , though I sadly
do have to trust them with my money. (fortunately, voting is still manual in
Uruguay).

~~~
joecurry
I'm guessing LoJack hasn't moved into that market yet?

~~~
GFischer
Actually, they do have a sales office here in Uruguay (I think Argentina as
well), but they mainly cater to high-end cars (which are stolen and shipped to
Paraguay regularly).

Banks aren't very well managed here (at least from what I've seen from the IT
side), so they're probably skimping on the security.

Edit: Along the same track, I wanted to comment on one of the points made on
StackExchange by Kaz:

 _Today's ATMs may be more secure than yesterday's ATM's, but the track record
has been spotty.

fake ATMs have been set up by criminals and used to duplicate bank cards and
collect PINs. This takes advantage of the fact that whereas ATMs authenticate
users via cards and PINs, users simply trust that ATMs are real by their
visual appearance and bank logos._

 _genuine ATMs have been outfitted with criminal equipment to collect PINs, in
response to which ATMs had to incorporate new physical measures._

A band did this recently, but only managed to steal U$ 20.000 before being
spotted. They installed skimmers on 5 ATMs on popular places.

Another guy managed to steal U$ 450.000, but was captured (news in Spanish).

<http://www.montevideo.com.uy/notnoticias_133463_1.html>

An example from Brazil (in Spanish, but with very clear pictures):

[http://www.taringa.net/posts/offtopic/4349623/Estafa-en-
Caje...](http://www.taringa.net/posts/offtopic/4349623/Estafa-en-Cajeros-
Automaticos.html)

 _ATMs have been simply ripped out and hauled away by criminals._

This happens a lot here, as mentioned.

 _ATMs are open 24 hours a day and in deserted areas, creating opportunities
for criminals to coerce victims into extracting cash. Prior to the ATM, it was
not possible to kidnap someone at knifepoint and take them to a bank and 3 in
the morning in a seedy part of town._

This is scarily common (that is, it happens often enough not to make the
headlines) in Argentina, and has happened several times in Uruguay.

Example from January (in Spanish), it only makes for a footnote in the Crime
News section:

[http://www.clarin.com/policiales/secuestran-Liniers-
llevan-r...](http://www.clarin.com/policiales/secuestran-Liniers-llevan-
recorrer-cajeros_0_843515721.html)

 _As a general observation, new security measures introduced in banking
usually tend to be designed to protect the banks from liability, rather than
the safety of customers or their capital._

------
kijin
A lot of ATMs are actually Windows PCs with a full-screen banking app, and
those apps can and do crash from time to time.

A few weeks ago I came across a donation kiosk for a charity, installed in the
cafeteria of a newly built highway service station. The donation app had
apparently crashed, leaving the machine with vanilla Windows 7. Some kids
managed to start MS Paint and were busily drawing squiggles on the
touchscreen. If you started IE instead and visited a website with a drive-by
download, you could have easily installed a backdoor on it.

------
klapinat0r
As Tom Leek points out, it's not safe, it's about reacting to tampering.

Nothing is inherently safe, so the key is to have the money inside rendered
useless.

Be it broken-glass, seals, radio/gps, there are probably many other ways of
detecting non-normal use (given ATMs is usually bolted). Add that to the fact
that it's incredibly risky and difficult to physically remove.

What you would end up with would be useless or marked money.

So, it's not 100% secure, but it is a futile target.

Off topic: You can compare this to cryptography. Given an attacker has
(physical) access and knows your system, it should still be impossible to
crack.

------
jboggan
They aren't secure, at all. For example, most NCR ATMs can be physically
opened with one of three keys that are easily available online. Many
(especially at non-national banks) are running XP and only sporadically
patched, if at all. Most NCR machines have a default admin password (one for
Aptra Edge and one for Aptra Advance). Once you are in you can do whatever you
want, from changing the XML for the greeting screens ("FEED ME A STRAY CAT")
to replacing the animations and movies with whatever you like.

The parameters controlling what is locally allowable on the machine can be
changed by editing the right config file - is $500 going to be the maximum
allowable withdrawal or $50,000? If you know your way around the actual
machine configuration and the operator panel you can do fun things like tell
the machine it is full of $1 dollar bills when it's actually full of $20s -
you just have to know what the opacity value is for the bill scanner.

The only factor here is physical security to the electronic components, which
is exceedingly poor. The interior safes are very strong even once you've
opened the external cabinet, so you won't be physically taking the money out
very easily. Except for Triton machines, those things are ridiculously flimsy.

------
bargl
There was a guy who did a hack on them a while ago. I think I saw it up here
but I don't remember the link. A quick search brought this up
<http://www.youtube.com/watch?v=XmR0yvBTbTc>.

I think that goes to show that some ATMs are less secure than we'd like.

------
pimeys
This question reminds me of one morning when I went to work, I saw an ATM in
this condition at the subway station:

[http://commons.wikimedia.org/wiki/File:Distributeur_billets_...](http://commons.wikimedia.org/wiki/File:Distributeur_billets_attaqué_01.JPG)

So no, they're not always secure.

~~~
meepmorp
Doesn't the image title say that it's a ticket machine, rather than an ATM? My
French is terrible, so I'm quite possibly wrong.

~~~
cpa
The french title actually says that's it is an ATM ("billet" means bank note
in french)

~~~
meepmorp
It does mean bank note. It also means ticket, as in plane or train ticket. And
the linked picture doesn't really look like an ATM.

~~~
cpa
That's true and I'm pretty stupid (and french) :(

------
ivanhoe
They are not just safe, they are also great for gaming
[http://www.break.com/index/hack-an-atm-play-angry-
birds-2419...](http://www.break.com/index/hack-an-atm-play-angry-
birds-2419069/)

------
ehmuidifici
Hahaha, bomb-proof-safe? Not in Brazil, which thieves are using TNT to explode
ATMs and get the money.

------
quarton
The phone line would be a method of accessing the machine, with weak physical
protection. It can be accessed out of sight of surveillance.

