2017 - Money Makes Money: How To Buy An ATM And What You Can Do With It by Leigh Ann Galloway

yeah okay thank you everyone for coming to see my talk so this is a talk about the journey that I took to buy an ATM not working for a bank or any kind of financial organization at all and I liken it to the opening titles of the French or The Fresh Prince of bel-air which goes and this is a story all about how my life got flipped-turned upside down that just gives you a bit of a taster so for those of you that might know I made a trailer for this security conference and I'm gonna play it for everyone now who hasn't seen it it just gives you a bit of a taster of the kind

of things you're gonna see

[Music] [Music]

and next unknown professional in my own [Music] if you want to learn more about how it automates you you'll have to come and see my talk so let's talk a bit about the benefits both on an ATM here in no particular order on my top five reasons and an ATM one you don't need to go to the bank - it will make you very popular with media 3 the kids will love it you can take it to security conferences you can have their own pyrotechnic display right outside your door so that was just a little intro into how Oh what you can do with an ATM so this starts before I joined the company I'm currently working

out so I work for a company called positive technologies which you may or may not have heard of and this journey to buy an ATM started in February of this year so in February of this year our internal PR representative came up with a brilliant idea for InfoSec 2017 he said I've read an article online that suggests that if you buy components of an ATM from eBay you can construct an ATM sounds like a brilliant idea I quote looks technically possible let's go for it okay so this was before I joined the company so let's talk about me I have no experience in maintaining ATMs I have no experience in acquiring ATMs my only experience of ATMs is withdrawing cash

from an ATM but I do come from an intersect background so I started working in infrastruc ture forensics and then progressed on to working in Incident Response dealing specifically with payment card data breaches so there might be a bit of a tangent there but there's no direct link as such I've also worked in threat Intel as well and I've worked with startup companies to help them develop analytics on top of the kind of products that they have based on my knowledge base so I joined positive in March which was about a month I would say probably the idea the original idea for info sector by this ATM or to see if it was possible to make an ATM started

maybe in December 2016 so I joined in March 2017 and at this point all of our employees working in the London office had started to explore the idea but as you can probably guess it didn't look like it had great legs because as soon as you start looking into the feasibility of doing something like this there's lots of hurdles and this probably tells you a lot about my personality I decided as a new employee I was like no problem we can do this I can make it happen so before we get stuck into the journey of how I bought an a-team I just want to talk a little bit of about the history of ATMs and

cash dispensers so the story goes that John Sheppard Baron went to his bank on a Saturday afternoon and he found that the bank was shots unfortunately and he thought so this was in nineteen about 1965 1966 he thought well that's not very convenient I want to withdraw cash when the bank is not open and lucky enough he owned a company he was sort of an inventor he owned a company which came up with products and manufactured new products it was sort of a small company so he worked on an idea and he brought this idea for the first cash dispenser to Barclays and it took Barclays and John about a year to develop the first cash

dispenser and this was installed in 1967 in Enfield and what this looked like is she went into you still had to go into your bank and they issued you with a voucher a bit like a cheque which allowed you then to insert the voucher into the cash dispenser you then input a four-digit pin and this would give you 10 pounds and this would give you 10 pounds in singular one-pound notes so that was the first cash dispenser and in the same year another two cash dispensers were installed in Europe the first was I'm not sure of the first but they were in Sweden which was by the National Bank in Sweden and another was by the National Bank of Westminster and

at this point everyone was developing ATMs independently so for example the one in Westminster was developed by Chubb which we all know for its locks and sort of door hardware and it wasn't another two years until the u.s. got its first cash dispenser in New York in 1969 then in 1972 Lloyd's installed the first online ATM and that used a magstripe and it was real time actual dispensing and calculating from your accounts so it wasn't I mean in terms of the history really you're looking at a growth between the 60s and 80s there was a huge emergence in terms of ATMs in 1985 link was formed which was a conglomerate of banking networks link is now the largest

network of ATMs in the UK a matrix has formed a year later and then after shortly after that the two networks merged so now we have in circulation or link having circulations 70,000 ATMs in the UK about 75% of the ATMs in the UK are free to use so that's a lot of ATMs and looking at the kind of statistics it doesn't look like cash is going anywhere that fast because in terms of what we do now with ATMs their roles have evolved a lot more we're seeing in places like Asia that people do a lot of their banking in an ATM it has a lot more features than just being able to look at your balance so the role

is is changing quite a lot and I don't think it's gonna go anywhere fast so let's talk about how you go about buying an ATM the first thing to do is to identify your market options and for me that was four options so the first is a legal route which should be looking at things like maintainer zuv ATMs looking at banks looking at manufacturers the second option is the gray market so that's when you're looking at marketplaces where you're not exactly sure of the source of the ATM how it's been acquired if it was legal or not it could be a private seller it could just be Abe a black market markets pretty obvious so that could be dark web

or it could be just a marketplace that isn't legal it's obviously illegal and then the fourth option for me was a bit of a wild card that was suggested by our CEO believe it or not which involved a road trip and possible imprisonment for me

okay so let's get stuck into the legal and gray market options so the first thing I did when I was looking at buying an ATM was I looked at all the contacts I have in security and the what I found is that I still had some contacts in the banking industry some of which might be in this room today and so I asked some of those people if they knew how I could obtain an ATM whether it was possible to lease an ATM from them and just to give you some background so with regards to positive technologies we actually carry out ATM assessments regularly but we didn't have an ATM in the UK so we had

ATMs in other locations and it's something we've done before and we've leased ATMs from manufacturers and banks so I thought okay well let me see what I can do maybe someone can help me that I know this led to a few people asking internally whether it was possible to lease an ATM to a third party and of course there's quite a few legal implications with that so it led to a bit of a dead end I also looked at speaking to some of the manufacturers as well which we'll get onto but unfortunately that didn't lead anywhere either so in terms of manufacturers so this is something these are people that you could potentially approach if you have

some contacts or some ways in predominantly there's too many manufacturers in Europe and North America and that's Wincott and NCR in Asia there's also fidgets soon and grg banking and just some statistics around ATMs in general about 80 80 percent of the ATMs in circulation are running some form of Windows XP or Windows Embedded and then there's just a really small percentage that are running different kind of operating systems so let's look at the first option so I explored some options by talking to my contacts and that wasn't very fruitful unfortunately but I looked at eBay because our PR guy said you know this has got to be feasible we've got B to put together some components and find

and find a way to maintain an ATM which I'd like to say is completely different from hacking an ATM or doing any research on an ATM maintaining an ATM is actually quite difficult so I had a look at eBay over a period of time probably about a month so just keep in mind that I joined the company in March of this year InfoSec is in June it's not a particularly long lead time so I was looking at eBay and this popped up so there was a seller who was selling some kind of medical equipment but they happen to have an ATM I thought okay great it looks great there's a couple of issues with this thing the safe is

locked it weighs over 800 kilos and I'm not sure if it works so how do I solve those issues so the first one the safe is locked well I phoned around some friends that I have in security and said you know can you help me open a safe and as it turns out most of my friends were willing to help me open a safe in one way or another the second issue is this thing weighs close to a tongue okay so we're coming into some logistical issues you how do we store it how do we move it it's not you're not if I if I buy this thing I'm not going to get it in the

office the office we have in the UK is in a shared building it's on the third floor so I'm pretty sure it's gonna go straight through the floor I'm not sure it's even gonna get into the lift turns out the lift capacity was 600 kilos okay that's a non-stop but here's here's a great turn of events I happen to live in a warehouse so so fortunately the 800 kilo ATM wasn't going to be too much of a problem now the third issue is this machine I wasn't sure was in a working condition but I was able to do a bit of research and contact the company I obtained their information online and I gave them a call and it turns out that

they have a warehouse of all this equipment they're selling 45 minutes from my and I said can I come and see this thing I want to work with some of our experts I need to do a video chat see if it works Oh looks like it works and they said no problem this was on a Friday afternoon no problem you can come down to the warehouse but we can't receive you today because we're really busy you can come and see us on Monday and they said we're not open on the weekends so no one's gonna buy it we'll reserve it for you I thought my problems are solved at least one of my problems soft

unfortunately come Monday ah this happened so I looked at eBay and them ending their listing had ended and it was really suspicious because the listing had gone as removed and unsold and I was still waiting from the call from this company so I tried calling them back and speaking to a sales representative and no one wanted to take my call so it's all seeming a bit strange right now so I email them and they tell me I'm really sorry but this has been sold on our website which seems really strange because their website looked like it'd been made 15 years ago I said would you be open to a counteroffer and they told me go away so

it wasn't looking too good for me at this point and obviously I'd built my hopes up and I built everyone's hopes up internally I thought what am I gonna do okay so at this point I decided the best thing to consider are my black market options yes as a security professional I did consider this so I phoned a few friends and asked them if they knew of any ways that I could acquire an ATM legally or illegally unfortunately or fortunately no one could help me so that was the end of that matter but you yourself might know some dodgy a friend it was at this point that the wild card option emerged it starts with this email

from a colleague who says I have an idea don't worry we're used to buying ATMs in Moscow I know that we can buy an ATM for a thousand pounds and curry it from Moscow to London in about seven days all we need to do is clearly indicated in the diagram is to take the PC and dismantle it from the dispenser it looks so simple right brilliant idea let me know if this is okay as soon as possible well this sounded mad and it gets more interesting shortly after that our CEO said well that's ridiculous we'll just extend extend the lease of an ATM we have in Moscow and you can drive it from Moscow yourself the problem with

this idea is that in order to cross over from Russia into Europe it would require having the ATM probably in all individual components and leaving a rather large deposit at the border we could potentially stay at the border itself for a week or longer and I'm a British national and I didn't really fancy my chances dealing with employees working at the border so I threw that idea out or should we say that went to the dogs very quickly so let's talk about how I legally obtained an ATM as it turns out it's much easier to buy an ATM legally than it is illegally but here are some things that you will need to do you're going to need to verify

yourself as a legitimate company with good reasons to buy an ATM you need to have a very very good backstory in my case my backstory was pretty close to the truth I spoke to to maintain errs in the UK one was testing they are a maintainer and deployer in UK in the UK in Europe and another was SP C international there are a couple of others but Tess Lincoln s BC International are the largest I phoned up Tess link and I spoke to a wonderful lady who said to me I've worked here for five years and never in that entire time have I ever had anyone inquire about buying a single ATM in your circumstances so she had some

doubts about me but no problem I told her we're a security company there's nothing to be worried about we just won an ATM for security testing purposes we already have ATMs in other locations in the world we just want one in the UK and she said okay that sounds interesting but I'll need to check you out so I had to send her some further information to verify our company but I will say this is something that you could easily do you can set yourself up as a limited company you can have a story and in fact when I spoke to SPC in international they didn't even ask me why I wanted an ATM they immediately gave me the costs

associated with all the models I inquired about so you might not even need a backstory but it's just worth knowing is come with a good backstory because someone might ask you what you want with this thing and of course they're not used to selling ATMs to individuals they used to selling ATMs on bulk to financial institutions another thing you need to do is you need to factor in the lead time so most of these companies will know when they're having certain units shipped in but it might take several months so in my case I had a very specific deadline of June and I to get the ATM as soon as possible so that we could see a if it was working

what other work we needed to do on it and to set it up for a demonstration purposes our info saying the other thing to consider in lead time is depending on the kind of model you're looking for so there's three different options you have you can buy an ATM that's brand new and this is going to cost you somewhere upwards of twenty thousand pounds it's not the kind of money I have or our company's willing to spend on an ATM so the other two options are you can buy a tested model which is what we went for and this just means that it probably mostly works or you can buy a completely refurbished model so that means they've

refurbished every aspect of the machine and if you go for a refurbished model then you have to factor in lead time it's going to go into a factory and they're going to refurbish every aspect of it as it happened buying an even a tested machine they had to do quite a lot of work on it you also really need to know your ATMs because even if you have a specific model in mind and I would suggest going for a freestanding model unless you have a specific machine in mind with a specific configuration you could be lumped with some dinosaur one of the first things that I was quoted on was a machine which was like

Pentium 2 so not too much good for us so you just need to be aware of what kind of things you want and are necessary to run the machine and then lastly you need to think about the logistics and I will emphasize that all of this buying an ATM is is completely feasible I did it in a relatively short period of time I'm confident anyone else could do it but the logistics of buying and owning and storing and moving this thing oh just an absolute nightmare it's gonna way most models weigh upwards of 600 kilos you're going to find it really hard to find a career to move this thing because guess what some of the security is making it

movable believe it or not so you need to factor in how you're going to power this thing as well your best options in terms of storage are things like a garage a warehouse a car park that's covered but you still need to think about how you're going to power it which turns out to be a bit of a nightmare so I went for Tess link and the other thing that I've discovered when you buy an ATM is that even if you want to buy just a single unit you have to establish an account with one of these companies even if you're buying one unit so you need to establish a credit line with them so

that's another thing to factoring they won't just let you do a bank transfer so we had to establish a credit line I had to talk to our encounter internally and also tell him why we were buying an ATM which is very interesting conversation and as you can see so if you buy a tested ATM you can buy something from about two and a half K upwards which isn't I mean it's a lot of money but it's not that much money really so one side purchase the ATM I thought great okay we're going to have it shipped in time we settled on a delivery date well as soon as possible which turned out to be four or five business days before

InfoSec which was cutting it pretty fine so let's talk about logistics so this is all about all the things I discovered about receiving storing and moving an ATM this is my rough expectations of how it would be on delivery day this was the reality of how it was on delivery day we tried to put the ATM inside of the building but unfortunately the floor would have just been completely destroyed so the Korea decided that he wasn't willing to move this pallet into the building so we ended up having to take receipt of this thing outside in a car park which was not ideal as you can imagine not only that but the person who deliver it at

the ATM had it on a tail lift and I'm pretty sure it exceeded the CAMAC Samim capacity of the tail lift he was very confident but it's just something to consider so I had an ATM in a car park four days before InfoSec not including the weekend so the first day wasn't too bad the Sun was shining and I made friends with some of the other businesses downstairs and I managed to get extension cable don't worry I bought like an outdoor extension cable I was thinking ahead and ran it through their premise outside that was great okay and we had an absolute nightmare in terms of getting this thing working because it turns out there are a few things we

overlooked like there wasn't a cassette the cassette holds the money in the dispenser and we decided for InfoSec that we were going to show an ATM that could jackpots and had custom notes so we needed to check that the notes wouldn't get shredded through the dispenser because they're custom notes but we didn't have a cassette and it was three days before InfoSec so we managed to turn around and get work and getting that ordered but the weekend rolls around and I just keep dropping it where you are is great this is the reality of owning an ATM is on the weekend I was lowering a extension lead out of a fire exit off the top of a

building in London to power an ATM so got pretty interesting and as I said details really matter when you're buying things like this you must check every single aspect of the configuration because it has so many different components and as it turned out we fail to miss that oh we missed the fact that it didn't have a cassette in it so no cassette four days before and at this point I would like to present you with a quote from a national treasure Churchill which kind of represented the mood at the time which is success is not final failure is not fatal it is the courage to continue that counts and really it was a lot of courage to continue at this

point so let's talk a bit about what you can do with an ATM so an ATM is made up of a bunch of different components essentially so at the top you've got the PC and then at the bottom you've got the dispenser which holds a number of cassettes which would hold the money you obviously have a card reader and a PIN pad or an encrypted PIN pad and EPP and as I discuss so most of these machines are running a variant of Windows and in fact in the marketplace predominantly most in the running Windows XP which might be surprising to some of you and then all of this connects to the bank network somehow so

let's talk about how that works so in most cases so you've got a few options you've got connection through VPN to the bank network or via a satellite or in the case of ATMs which situated in a branch they would just connect directly to the core banking there are four main attack vectors or four main ways that you can hack an ATM so the first is still the most popular believe it or not and that is brute force and that means physically gaining access to the ATM in some way in order to gain access to the the vault and that's where all the money is stored the second option is exploring misconfigurations or vulnerabilities at

the OS level so that includes things like bypassing the kiosk mode or taking advantage of some other misconfigurations or utilizing malware and then the third option is looking at interacting with hardware directly so you could do something like remove the disk itself you can connect to the dispenser directly and interact with that and bypass the PC you can also bypass Hardware VPN as well and then lastly the last attack vector is anything via the network so you could do something like compromised an administrators account and VPN into the machine you can utilize things like malware and so on so just a brief history on the attacks of ATM so a lot of people are familiar with Barnaby Jack

in 2010 he demonstrated at black hats a way to dispense money or like Jack potting essentially so what he did is he used administrator tools to connect remotely to ATMs and he showed how easy it was to get money out and then in 2012 we saw the first published black box attack and what that is is when you connect directly to the dispenser to force it to push out cash and then in 2013 we saw the first logical attack doing the same thing 2014 I would say positive along with a few other companies started publishing some of the first research on like how you actually carry out security testing against ATMs and how you can configure them securely

so as you can see from this timeline I think what might be surprising is I think ATMs are often overlooked in terms of security and most people aren't that aware of what they look like in terms of how they put together what the operating system is what kind of vulnerabilities are associated with them they're not actually secured by design so let's talk about brute force attacks okay so as I said very very popular still the most popular form of attack so in 2016 in Europe alone there's 1604 attacks by this factor 34 million euro reported loss so the basic idea is that you want to get access to the vault and one of the most popular

ways of doing that is to take a crowbar to force open the just cash dispenser so where the money comes out to push in compress gas and ignite it and what it does is it causes the back door of the vault to bust open another popular way I will demonstrate this is probably a way that most of you imagine brute force attacks to happen but look at how quickly this occurs so we've got some nice friendly chaps in balaclava making friends of the ATM [Music] they've got some of the doors open which you think is enough but they haven't got access to the safe right now and they don't know how to get access to the safe

[Music]

[Music] so that happened in under a minute which is pretty fast but obviously there's a high risk of being caught or you'd want to outsource that kind of work close to super but it's still surprising right that's the the single largest attack factors on ATMs to this day even in in Europe that still happens all the time probably the next most common attack factor is things like malware so because compromising a single ATM is not necessarily that fruitful the best thing to do is to get hold of an entire network of ATMs so let's talk about some attack factors at the OS level so one thing you can do is you can bypass the kiosk mode and as you can see in this

photo this is my cat Anabel who is bypassing the kiosk mode let's just say that so the kiosk mode is just like an application that sits on front on top of the operating system so it's security implemented bias obscurity it's just a window that sits on front on the front you can you can bypass it using things like hotkeys so often on these ATMs you find that like a lot of the keys or the keyboard might be disabled or there might be some applications running that don't permit you to do certain things but you can use a combination of keys on your keyboard to bypass kiosk mode and then you could do something like launch

Internet Explorer as it's demonstrated in this photo here and then you can then access the file system so that takes a few minutes another option you have is you can access this is pretty easy to do if you can access the service area which is like at the back of the ATM so there's two doors typically on an ATM once to the vault once to the service area which gives you access to the PC if you can access that maybe you can connect or you can get a file onto the system and run some Maur and there's a a library called XFS which is specific to ATMs which has an API that you can then interact with any of the components

like the PIN pad on the ATM so that's another common way of compromising an ATM but with a lot of these attacks what you'll find is they require a combination of attack vector so maybe you'll need like physical access to something or maybe you'll need network access and then you can compromise you can do something via the operating system so typically it's not just a single attack vector and as I talked about the black box attack see an example of this is you can see here on the your right hand side that this is me working late one night with the Ben & Jerry's kept me going so you can see I've highlighted that's basically the

port which connects to the dispenser you can attach like raspberry pie or something like that and just interact directly with the dispenser itself forcing it to eject cache other things you can do so this is involves a bit of a hardware compromises that accessing the peripherals so here we've also got a photo of how you can drill or you can remove some of the facade which a lot of people would say isn't very probable but actually it is quite probable it happens a lot and it's really easy to cover up the hole as you can see with like a sticker sometimes people put like an entirely new plastic facade on the ATM and then you can access things like USB

ports for example and then lastly so network attack so it's really easy in places where they have standalone ATM so whether that's like a newsagent or in fact in a lot of other parts of the world like Asia specifically there's lots of freestanding ATMs which as you can see is highlighted in the picture you can just connect directly to the network another option is as I mentioned you could potentially bribe someone so we've seen from our research for some of the recent attacks we've seen on ATMs or there's examples of service engineers being bribes and then people then those people would put a malicious file in the system will give you access to the network in some way and so here's an

update from NCR which is one of the manufacturers this was in 2016 talking about this specific attack vector and what's really interesting as I said is that the problem with security or securing an ATM is it's difficult to determine where the responsibility lies so some people would say the responsibility responsibility lies entirely with the banks especially the manufacturers would say that their response to most of these attack vectors is you just need to buy a new ATM but that's because they're obviously driven by selling as many units as possible and that doesn't really address this complex issue and and most of the times in order to actually secure an ATM you have to carry out a proper audit so it's a very

detailed process it's not like you could just say oh you need Windows 7 you know that will solve it all you need to do you just need a new ATM or you just need like one thing like hardware you need encryption between these two points it doesn't really solve the issue so let's talk about money so this is a dispenser on the left-hand side and let's talk about so we've talked a bit about attack factors so talking about the kind of money or values you could obtain from an ATM so you typically have four cassettes in any given unit in the UK we've now see a lot of ATMs have five-pound notes so you're likely to see some combination

of five pounds ten pounds and 20 pound notes in any given machine another factor is if you were to attack a machine is you need to take into consideration when it might have been last replenished sometimes these cassettes are out of out of use as well and typically you're looking at a maximum of 440 notes per transaction so if you want to compromise an ATM your best bet is to compromise a network of ATM so that you can use mules to withdraw a lot of cash because 40 notes is quite limiting and the other thing to keep in mind so in a cassette itself you can get around 2,000 banknotes which is quite a lot but

that's only when they are brand new freshly cut notes and it's more likely to be around 1,800 notes that have been used so at this point just a check that you're all still awake I like to put it to the audience and see if anyone can guess how much money could be in an ATM in the UK just anyone want to guess how much money at least one great good any more guesses you're about the closest so it's about probably you're looking around a hundred two hundred and twenty K but obviously if you were trying to get money from the machine as I said there's a lots of factors to consider including the fact that you can only get

around 40 notes out at a time but what we saw I don't know if any of you familiar with the green dispenser attack so what that utilized is that had malware on a whole network of ATMs and then mules went to the ATMs and they would get a one-time password on their mobile because obviously you need to control the mules array as well and then put that into the PIN pad and then that would dispense money so that's a way of of utilizing an entire network so let's talk about how you can make money with this thing so if you're going to go to the trouble of buying an ATM and spending a few grand on it you've got to

try and make some then something really interesting happened when I bought an ATM and put it in a car park everyone in the vicinity started asking when they would be able to use the ATM strangely enough something really strange happened when I moved the ATM to my house I live in a shed I like have a shared courtyard and the exact same thing happened people were asking me when it's going to be in use and I realized how simple it would be to buy an ATM and put it somewhere and start skimming people's card data and because it would be my ATM I could put a camera there and I could record their pin codes

this was quite shocking to me another way obviously that I looked at making money out of this thing was eventually I took it to InfoSec which was an absolute nightmare so it arrived at 9 o'clock the day before the conference started and it was a bit of a nightmare maintaining this thing over several days it was quite sensitive and then unfortunately I had as I said the problem of what to do with an ATM afterwards so it got delivered to outside of my house unfortunately the couriers couldn't get it in to my place so it had to spend a few nights under the stars but for the first few days I had good weather after

that I had to get pretty inventive so I was utilizing pond liner in order to build a makeshift environment in which I could work on this atm my cats thought this was great then I figured out a way to get this ATM into my house which was great for my next idea of how to make money out of this unfortunately as I said before logistics are a nightmare and as it turns out no floor is suitable for having an ATM this is a concrete floor it absolutely destroyed my apartment floor and I also would not recommend moving an 800 was 750 kilo ATM in your flip-flops don't do it at home but once I got the ATM into

my apartment it turns out that the BBC click were doing two television shows on cybersecurity framed around blackhat and they wanted to get some potential scenarios that they could document there were visual about security and we had an ATM perfect so thus began the journey of trying to sell the ATM to the BBC which was really invasive I have to say so first of all they were pretty particular about how this ATM should be positioned in my apartment which I thought was a bit cheeky really given that it was so heavy and so complicated and their original idea when they came to us and spoke to me was because it's so heavy and unpredictable let's just film

outside the BBC Studios which I thought probably wouldn't be very aesthetically pleasing anyway so it's in my apartment we start going through the process of talking to the production people and they say okay this sounds really interesting but what we need from you in order to get to the next step is we need video footage of you doing this demonstrating this attack vector video footage of your apartment photos of your apartment we need research about the ATM attack vector statistics on all of this stuff so I get all of this stuff together which I can tell you was very invasive and they said yeah we want to film your ATM so the BBC came to film

the ATM and I spoke to Spencer Kelly and a very nice lady who did the car rest of the world program as well but you might notice on floor no one's wearing any shoes and you might wonder why that is because my floor was destroyed so I ended up painting over my floor with normal emulsion just to cover up the holes it's still destroyed it still looks really bad so there was a no shoes rule until filming and one of the problems with generating media interest is it's actually quite difficult to explain to people in simple terms what the implications are of a security issue but it's it's pretty important I think as an industry we have a responsibility as

much as possible to try and communicate that to people who don't understand or at least to do our best so a little clip of the BBC click in case you haven't seen it I won't play at all [Music] so an attacker has come to the front of the ATM they've drilled a hole in the front you can see we can access this USB cable right so inside here there's something that has a USB port what's inside here this is just a normal computer [Music] I'm sure not many people would expect this to just be a normal Windows XP machine perhaps not but it's just a safe with a computer on top [Music] and that resulted in a larger sort of

episode orbs part parvo larger episode but the problem with security research of any kind is that when bad things happen like this people tend to put you in a position of blame so unfortunately shortly after the program as I had been to talk to our PR company and I was walking down the street and I saw this ATM and unfortunately a lot of people thought that the person who did this might have been inspired by my video but my response to that is of course there's quite a big difference between a petty thief and a normal person the motivations are very different so you would have to have the motivations this brings me on to my last step of my

journey if it ain't broke don't fix it or the misadventures of an ATM when your boss decides to reduce the weight and make it portable I would like to remind you that part of the security of the vault lies in the weight of the vault my boss decided that we should make the ATM more transportable to bring it to security conferences I didn't exactly agree with this idea but you know I said okay let's go along with it so as it turns out I had first-hand experience in deconstructing every aspect of an ATM including the vault which as it turns out is made of two metal chassis x' and steel reinforced concrete and those are

steel fibers you can see there which it's pretty nasty stuff and this was all happening outside of my apartment not great and the person that we had doing the work had never done this work before because who gets hired to dismantle a vault of an ATM right it doesn't happen so they started off using some simple tools and realized it wasn't going to work so then this happened

now that is something that looks like it could be in a Rammstein video correct me if I'm wrong and I might point out that this is the front that's my front door I'm in my car because I decided to leave because they spent eight hours on a Saturday with a pneumatic drill my neighbours were not best pleased put it that way and this is what the vault look like afterwards so this is down to a single layer of the chassis so it still has the clips inside it to take the railings of the dispenser this is the current stay of the ATM so you might have noticed that the ATM is not at the security conference because it's still

in a process of being maintained and that's my politicians answer so it's still to be continued so what have we learned during this process I like to think that an ATM is a bit like when they do those adverts for rescue dogs you know and they say it's not just for Christmas it's for life and that's what I've learned that's one of the things I've learnt I've also learned that it's particularly it's much easier to obtain an ATM legally than it is illegally surprisingly so some of the downsides of security research as I told you is like people will tend to put the blame on you just because you've published information online it may still have

been available what was really curious about this situation as I said is that it would be surprisingly easy to take an ATM and put it in a location and to start whether this was for legitimate purposes of say security research all for the wrong reasons it'd be really easy to start obtaining people's card data so might make an interesting research project to see how many people put their cards into this ATM and the last thing I would say is I wouldn't recommend going down this road because whilst it's been really interesting and exciting to learn all about ATMs it is a logistical nightmare and it's like a ball and chain that follows me through my life now and

that concludes my talk so if you have any questions please feel free sorry I'm using it for demonstration purposes of how you can hack an ATM at security conferences or for media thank you for your question yeah I honestly don't know the answer to that yeah yeah I don't actually know but it's just like as I said it made me realize how much of an interesting research project it would be because that's people's first responses like oh when is it going to be working like I can get cash out of it which is not what you'd expect because clearly the person working on an ATM in the middle of a car park is not doing it as

like a financial institution or anything so it's a very strange response I don't know the answer I'd have to look into it yeah I think it weighs about 400 kilos yeah so there's still quite a bit of weight but it can now be moved with two people I don't think it's as stable for transportation so there's some other downsides to that which is actually get a lot of stability from having a vault and of course it's not meant to be transported it's meant to be in situ so you know that's just my opinion

what the ATM with without money in it but currently the door the back door is open the door to the dispenser is open and it's ended in in an office location it's not not yet there was a question at the back yeah right at the back so there's a couple of things so the specific ATM that I was demonstrating for BBC click was running Windows XP which has plug-and-play functionality enabled so it's all really securing an ATM is all in the configuration to be honest there's also a piece of software that runs on some of these machines called application what does the application core and it's kind of like a white listing thing that says like

certain things can't be run but it's easy to bypass that so you have to take like a really in-depth look at how that machines configured how it's connected to the network and everything yep I

don't know the answer to that I'm sorry I can find out for you there's a question to my right yeah so this is a really good question so our company has an agreement with wind core and we discussed the vulnerabilities that we find with them we're really open about that and they use some of that information to carry out some of their own testing NCR are less friendly towards us shall we say and publicly I'm privately so we've tried to have a lot of conversations with them even in the last year about things and they kind of don't want to know well the lesson is that the onus is basically on whoever buys the thing and

you know don't listen to the vendors about how you need to buy a new ATM because there's no reason why that machine that's running Windows XP without encryption between the dispenser and the PC can't be secure you can make it secure there's solutions like you can get a device which cost about 150 quid that monitors the current between the PC and the dispenser to detect whether it's been interrupted you can configure you know you can lock it down a lot so the answer is not just buying a new ATM any more question right at the back so I only have one right now what interment what aspects of it so but which so you could potentially update some aspects of

it for sure but so in terms of from a security perspective so some of the software that might be running on the machine that would be updated what we what we've seen in in terms of doing our research or working with banks is a lot of the times when it is shipped with software that for example looks at what kind of applications are running that will be shipped and not updated after shipment is what we've seen does that helped answer your question yeah any other questions

well so you can get specific cassettes which have different security mechanisms so yes that that's one option so some of the there are companies which ship like specific cassettes with mechanisms that are interesting which allow them to be tracked yeah if I mean it's is brute force something you're going for it sounds like I mean you mentioned stealing stealing the ATM I have and also explosive anger [Applause]