By Anuj S.S Mishra, Ph.D. Student, IIM Lucknow, and Prof. Arunabha Mukhopadhyay, Faculty, IIM Lucknow
A recent report states that two foreign nationals have been arrested for allegedly withdrawing money illegally from six different ATMs (Automatic Teller Machines) in Jaipur. The incident is said to have taken place in July 2021. In that incident, the criminals were able to gain unauthorized access to an ATM using a Raspberry Pi. In Delhi, the police have recovered several devices, including a Raspberry Pi device, from criminals who were involved in hacking ATMs. In Kolkata, hackers managed to exploit over 10 ATMs between May 14th and May 22nd, 2021. Using a black box device similar to a Raspberry Pi, the hackers were able to steal approximately INR 20 million.
The Raspberry Pi has recently emerged as a prevalent black box device. It is a cost-effective microcomputer capable of executing many of the same tasks as a standard personal computer. Its accessibility makes it a valuable tool for facilitating education, but it has recently been used for illegal activities. This small, affordable computer allowed the perpetrators to bypass security measures and carry out their illegal activities. The incident has raised concerns about the vulnerability of ATM systems and the need for more robust security measures to prevent such incidents.
The Automatic Teller Machine (ATM) serves as an access point for a financial institution, providing an electronic outlet for customers to conduct small transactions without the need for direct interaction with bank representatives. ATMs offer much convenience to customers by enabling them to efficiently perform self-services such as deposits, cash withdrawals, bill payments, transfers between accounts, and checking the latest transaction and account balance. With each technological boon, however, comes a challenge to safeguard it. Additionally, because ATMs deal primarily with cash, hackers and robbers place a high premium on finding ways to exploit them.
ATMs are typically linked to bank servers via leased lines, which are characterized by their high-speed connectivity. When a bank needs to set up an ATM, it typically engages an ATM manufacturer, such as NCR (National Cash Register), which is responsible for supplying the machine’s hardware and software components. The majority of banks outsource the responsibility of ATM maintenance, including cash loading, to third-party service providers. Each ATM is equipped with a “switch,” a payment transfer engine that enables the ATM software to connect with the interbank network to transmit information and dispense cash as required. The National Payments Corporation of India (NPCI) facilitates the interconnectivity of financial institutions through the National Financial Switch (NFS), the most extensive network of shared automated teller machines in the country.
ATMs are commonly subjected to two types of attacks, namely physical and logical attacks. Physical attacks have become outdated due to the risks involved, including financial and personal hazards to life and property. Physical attacks on ATMs encompass a range of tactics, including using explosives, physically removing the machine from its location, or any other form of forceful physical assault. Conversely, the proliferation of technology has led to a notable increase in occurrences of logical attacks. Logical attacks refer to the illicit manipulation of an ATM’s software to extract cash unlawfully. This phenomenon is commonly called an ATM jackpotting attack or cash out. Logical attacks can be classified into two sub-categories: malware-based and black box attacks. Malware-driven assaults involve installing malicious software within the ATM’s computer system or on the ATM’s network. A black box, by contrast, is an electronic device that severs the connection between the ATM and the bank server, enabling the perpetrator to manipulate the machine by issuing commands. Several prevalent forms of cyber attack include Man-in-the-Middle (MitM) attacks, Data Sniffing attacks, and Skimming with Spoofing attacks. These attacks alter the ATM’s firmware, and numerous instances have recently surfaced in India.
Despite the multifaceted security measures implemented in ATMs, their exploitation continues to surface in the media. A proposal has been put forth to address the logical attacks on ATMs by implementing a blockchain-based solution. Blockchain technology is commonly regarded as a potential solution for enhancing cybersecurity and ensuring heightened privacy protection. According to scholarly research, the integration of blockchain and IoT has the potential to be a highly impactful innovation with the ability to revolutionize numerous sectors. An ATM can be conceptualized as an Internet of Things (IoT) device, that is, essentially an interconnected device. It is plausible for individual banks to establish a distinct network of branches, ATMs, and other access points interlinked through a peer-to-peer blockchain network. Every individual device within the network possesses the capability to engage in secure communication, facilitate the exchange of value with other devices, and autonomously execute predetermined actions.
With an appropriate consensus and block-building mechanism, the banks can establish their own private permissioned blockchain network for their ATMs and other access points. Implementing a blockchain network would guarantee the dissemination of information across all devices, thereby ensuring operational efficiency and continuous functionality. In the event of a malware-based or black box attack, an ATM may become disconnected from the network, resulting in a cessation of communication with other nodes. The scenario mentioned above would suggest a malfunction at the ATM in question, prompting other nodes within the network to implement security protocols, such as temporarily restricting access to nearby ATMs. Implementing this measure would reduce the potential for financial loss in the event of an attack.
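The response described above can be sketched as follows. This is an added example, not code from the article or from any bank's system: a single-process model in which a hash-chained heartbeat log stands in for the shared ledger, and peers restrict the neighbours of any ATM that falls silent. The node names, the neighbour map and the 90-second timeout are assumptions, and consensus between nodes is omitted.

```python
import hashlib
import json

HEARTBEAT_TIMEOUT = 90  # assumed: seconds of silence before a node counts as disconnected
GENESIS = "0" * 64

# Constructed topology: which ATMs are physically near each other.
NEIGHBOURS = {"ATM-A": ["ATM-B", "ATM-C"], "ATM-B": ["ATM-A"],
              "ATM-C": ["ATM-A"], "ATM-D": []}

def _digest(node, ts, prev):
    body = json.dumps({"node": node, "ts": ts, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    """Append-only, hash-chained heartbeat log replicated to every node."""
    def __init__(self):
        self.blocks = []

    def append(self, node, ts):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"node": node, "ts": ts, "prev": prev,
                            "hash": _digest(node, ts, prev)})

    def verify(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _digest(b["node"], b["ts"], prev):
                return False
            prev = b["hash"]
        return True

def evaluate(ledger, now, timeout=HEARTBEAT_TIMEOUT):
    """Return (silent ATMs, ATMs to restrict temporarily) as seen by any peer."""
    if not ledger.verify():
        raise ValueError("ledger hash chain broken")
    last_seen = {}
    for b in ledger.blocks:
        last_seen[b["node"]] = max(last_seen.get(b["node"], b["ts"]), b["ts"])
    # A node that never reported at all is also treated as silent.
    silent = sorted(n for n in NEIGHBOURS
                    if now - last_seen.get(n, float("-inf")) > timeout)
    restricted = sorted({nb for n in silent for nb in NEIGHBOURS[n]} - set(silent))
    return silent, restricted

def demo_ledger():
    """Constructed trace: ATM-A stops reporting after t=30 (cut off from the network)."""
    ledger = Ledger()
    for ts in (0, 30, 60, 90, 120):
        for node in NEIGHBOURS:
            if not (node == "ATM-A" and ts > 30):
                ledger.append(node, ts)
    return ledger

if __name__ == "__main__":
    print(evaluate(demo_ledger(), now=130))
```

Because the log is hash-chained, a peer also rejects a history in which a heartbeat has been altered after the fact, rather than acting on it.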