
CG - The Untold Story About ATM Malware - Daniel Regalado

BSides Las Vegas, 44:40, published 2016-12
About this talk
CG - The Untold Story About ATM Malware - Daniel Regalado Common Ground BSidesLV 2014 - Tuscany Hotel - August 06, 2014

I don't need this. I got this.

[Music] I'm making sure this Oh, how's Yeah. Okay, we're good.

All right, everyone. This is Daniel Regalado. The talk is "The Untold Story About ATM Malware." As was just said, if everybody would mind trying to keep noise to an absolute minimum: we're having sound quality issues, so we're recording ambient audio off of the camcorder and it will pick up any talking that's going on. So, thank you. Without any further ado, here's Daniel.

Good morning. Thanks for coming here. So, we're going to talk about ATM malware, and the idea is that after this talk you can go out and get into an ATM and get money for free. Actually, that's not the idea. Is there any ATM vendor here? Okay. So, briefly: a Mexican, as you can notice, 49ers. I work for Far. The Gray Hat Hacking book is going to be released at the end of this year, so you can buy it if you want.

This is the agenda. I'm going to talk about an ATM introduction, why ATM malware, the steps that the malware is doing in order to get the money or steal information, and some details at the end. This is just a disclaimer: everything is public on the internet, so you can find it there. Nothing is confidential; everything is already there.

This is some terminology before starting. The drop is the person who receives the money. So in this whole campaign there is one guy who is going to get to the ATM and get the money. Obviously he's not the boss; he's just the first person, the person who is sent to the ATM, and he is called the drop. Transaction log: every log from banking transactions to the ATM, back and forth. The BIN number: that's the first six numbers on your card. That's to know which bank issued that card. That's important. The dump: the dump is all the information written in the tracks, which is sold on the black market, as we will see here. Track one and track two are essentially the same thing; it is account holder information, but track two was signed by the banks. So basically when you enter your card in the ATM, track two is the one being checked there. So this is the kind of information that is going to be stolen from the ATM.

If someone says that probably it's not real: in 2013 the New York Times published this, where these guys in New York City, just in a few hours, withdrew 2.4 million from ATMs. Around 2,44 machines over 10 hours were stolen from, just in that period of time, during ATM software attacks.

Just a quick introduction. An ATM is of two types: standalone, at the right side, and the wall one. All of them have a CPU, like any other machine. They have Ethernet, USB ports, CD-ROM

and actually that's the way the attackers transfer the malware into the ATM. They have the vendor-specific software; each vendor has its own software on the machine. They used to run Linux, IBM OS, Solaris, but now probably 90% run on Windows.

So these are some components. You can see on the left side we have the card reader, we have the encrypted PIN pad, the CPU as I was saying. We have the camera, the grip, the PIN pad, the gator, the dispenser, and at the bottom we have the vault. The vault is the secure door which is supposed to not be broken by anyone. So in the last years they used to break into the vault, but now they don't need to do that. They just need to drop the software into the ATM, which is easier.

This is just quickly how the ATM works, so that you have an idea. So we have the ATM on the right side, and it is going to connect via a leased line or a modem dial-up into the host computer, which is like the internet service provider, so that it can connect to the bank. When you enter your card, it's going to read the six digits of your card; then it knows what's the bank associated with your card, and then it will route the transaction to the bank, and they will validate your PIN number and the amount that you want to withdraw. If it is accepted, it will come back and send an acknowledge return to the ATM saying, okay, you can withdraw the money. So that's kind of the communication between the ATM and the bank all the time.

There are two types of ATM malware. The ones which are attacking the card holders: that means they are going to steal information from your debit card. When you enter the card, they will store your account information, expiration date, the PIN, which is encrypted, but we will see how they crack it. This is less sophisticated because it is just a process inside the ATM running, just grabbing the logs and sending them out in different forms. We will see how they send it out. But it is not sophisticated. I mean, you can just see a process running and they don't do anything else. But that's the role; the return on investment is that one, because they use that information for the carding process, to clone your debit cards. And the second attempt is to empty ATMs. So that one is more sophisticated because they need to talk to the middleware. We will see how they do that. So they need to understand how the middleware in the ATM works so that they can interact and just ask the ATM to get the money.

Each cassette in an ATM: the cassette in the ATM is the one that holds the money. It can be $2,000 or up to $25,000 in it, depending on the ATM. So if you are in a mall, probably you will have around $15,000. If you are in a liquor store, it probably will be just 500, something like that. It depends, but that's why it's a target.

Previous attacks on ATMs. This is nothing new. We have seen info stealers, as I said, grabbing PII, personally identifiable information, like your credit or debit card. In Russia in 2009 there was a well-known attack

against ATMs. They also use skimmers. The skimmers are hardware that they put into the ATM, on top of the card reader or on top of the PIN pad, so that when you enter your PIN or you enter your card, it will be read by the device and it will send it via SMS message, right after you enter it, to the criminals. That's a very common one. As you know, Barnaby talked about vulnerabilities found in ATMs. That was a vulnerability, but in this case it's not even a vulnerability. You will see that it's just a common process to interact with the middleware and you don't need to hack anything. All major vendors, all ATM methods are affected in either way, so it's not something that someone is safe from in this attack.

Why ATM malware? Obviously, because they get free money; no need to break into the vault. They just need to transfer the malware into the ATM. And the carding process: the carding process is, at the end, to clone your debit card and sell it in the market. They can even sell the debit card numbers per state, per country. Because, as you know, if someone is trying to withdraw money with your debit card, probably if you live in Chicago and they are trying to withdraw it from even Minnesota or any other state, it can be detected by the bank. So they even group all those different dumps based on country, state, and zip code.

This is just an example of a dump in the market. So they usually sell track one, track two, as I said, in USA, UK, Canada, many countries, and you send the money via Western Union, or now they also accept Bitcoin.

Okay. So how do they get it? Obviously by breaking into the vault, which is hard but it is possible. The second option is to steal card holder information so that they can get information, clone a debit card, and then withdraw the money with your debit card. The problem here is that you won't realize that you're losing money until something is happening in your account. At that time you will report to the bank and probably they will pay you, but the criminals already have that money because they got it from the ATM directly. Extending transaction blocks, and the other thing is controlling the ATM middleware. We will talk about that; Ploutus is one sample of controlling the ATM middleware.

So the first step is coding the malware. So the requirements are that the hackers need an ATM, right? They cannot just prepare proofs of concept or just try to play with it and just transfer it into an ATM and pray that it's going to work. So they have ATMs. And I want to show you this. So, this one is in Mexico. You can see these two ATMs stolen directly from the wall. When you see this, you can think, oh, these guys are going to get the money in the garage; they want to break into the vault. Obviously, that's one option, but mainly what they are doing is they are getting the ATM so that they can give it to the hackers. They can reverse, if they want to reverse, the ATM software and then come up with a proof of concept so that they

can test it, and once it's ready, deploy it into the different countries. They need to go to... there are many ATM maintenance sites where they can ask questions, and we will see that example here. The configuration: they need to understand how it works, where the transaction logs are stored, everything with the encryption keys, and they need to understand WOSA/XFS. I'm going to talk about WOSA/XFS, which is the framework that every ATM uses when they are running on the Windows operating system.

So this is just an example of how they have been training in the forums. So this is one guy who is in a bank. It's a Russian forum, so obviously they are using translation to talk to these ATM guys. The ATM guys in this forum are always helping each other, like "I have a problem in the receipt," "I have a problem in the card reader"; they help each other, you know, in a good way. But these guys go to those places and say, hey, you know, like this example: this is a log, which is the transaction log between the ATM and the bank, and it's clear that they have a working ATM, right? So they are asking why the PIN is masked. So they are asking in the forum if there is a way to unmask the PINs. Obviously these people are asking, why do you want to know that? But they just focus on getting the information. So for example, if they are talking about CC pro here, right, we don't know what CC pro is, but again you go to the internet and it is public. Here it says CC pro: all host-to-terminal and terminal-to-host messages will be stored in this file. The CC pro in the transaction log is just in one ATM vendor; there are many others in other vendors. So this guy is trying to understand that specific ATM vendor, how it works and how the PINs are being masked inside.

After this, I decided to track this guy. His nickname is Madnx; it's right there. So I noticed the transaction line is in Spanish. So then I started tracing this guy, and he had a profile on the internet that is claiming he is from Venezuela, which makes sense because it is in Spanish and then from Venezuela. And so I went to Venezuela and I found this site where this guy is pasting the same transaction log that we saw in the forum before, exactly the same, but now he's teaching how to crack PINs from the logs, and actually he was also selling this tool so that he can offer the services to crack PINs from ATMs.

Now, what's important here is that the ATMs now are supposed to use Triple DES for encryption, but the old ATMs use DES, so it is easy to crack, and it is mostly in Latin America; it is the major market for this, because in the USA probably, I don't know, but probably they have newer ATMs, but Latin America still has old ATMs.

This is another one: online training. You can go to the internet and find this programming language which is going to teach you how to interact with the ATM, and this is a legitimate tutorial from the ATM vendor, but it is obviously leaked on the internet. Okay. So that's the first step: training the hackers.

The second step is infecting the ATM. So the Ploutus installation: if you heard about Ploutus last year, it was a malware which was emptying ATMs. Everyone talks about the CD-ROM. The CD-ROM: they said that they transferred the malware into the ATM via a CD-ROM. So people are always saying, but you know what, ATM malware is not going to work because you need a person who goes to the ATM, opens it and transfers the malware to the ATM. That's not possible because you have cameras, you have guards, you have everyone. But that's not the case.

Actually, what they do is they hire employees. So they hire employees, bank employees or ATM technicians, so they can transfer the malware, and they are authorized to interact with the ATM. So there is nothing suspicious there. And also, when they transfer the malware, sometimes the ATM needs to be restarted, and it takes about 5 minutes for the ATM to restart. So can you imagine a guy opening the ATM with the guards there and people around and trying to, you know, close the CD-ROM or the USB? So obviously it's not visible. And in the underground it is also well known. So this guy is the guy who created the tool, the cracking tool. He said that in every card cloning effort there is always an internal confederate in the bank; these bank employees help to transfer the malware to the ATM.

So if you see this picture, you can see these guys. I mean, I'm not saying these guys are bad, right? They are just ATM technicians, but you can see one guy fixing the cassette and the other one at the top; they said, "Oh, let me plug in this USB." And suddenly it would just transfer and infect the ATM. So they don't need to know anything. They just get the USB plugged into the ATM and they just get paid. That's it. They don't know anything about the internal workings. So that's the reason, because all the people say, "Oh, no, the ATM malware doesn't work." You can see it in the New York Times; it's working. So it's easy. Obviously this is more common in Latin America. I don't know in the USA, but in Latin America it is very common, with low salaries. You can easily hire plant employees. They get a low salary, so they can get easy money.

Portability. So they need to make sure that the software, the hardware, will work in all the different ATM versions, right? Because they want to go to every single state or country and try to make it work. So Ploutus, for example, what it does is it just copied the whole ATM software. It has its own legitimate software from the ATM vendor; it just copies it into the Windows directory with the malware. So when the malware runs, it just uses those DLLs, those specific ones. Those are not signed, by the way. So they don't care about what is running. They just put it into the ATM. Obviously they know the ATM vendor, which is important, but after that they just put their own ATM software, which is a legitimate one, obviously stolen, so that they can run it in that version. That way they guarantee it can run in any other version.

Step three is interacting with the malware. Okay. So they are trained, they prepare the malware, they transfer it into the ATM. Now they need to go to the ATM and interact with it, right? To get the money or to steal data. So interacting with the malware: one way is via a GUI. So they can just have a GUI like the one we see in the ATM when we withdraw money; they have their own interface on the screen. So the ATM is already infected. So they just touch the screen and get money out of it. Normally they need to enter a specific combination, because they don't want others to find it and just get the money out. So they generate

a combination, which is the access code. So they enter it and they get the money.

Via an external keyboard: so you have an ATM, you open it, you plug in an ATM keyboard, like a keyboard from a router. It's just to interact with the ATM. That's very common for ATM technicians; they do that. Or when they get the ATM into the garage, they just plug in the keyboard and they can interact with the ATM malware directly. In the PIN pad also: so in the PIN pad they can enter the specific combinations and they can interact with the malware.

The control card into the reader: this is also an advanced one, because they get a specific card and enter it into the ATM. There is a process inside, already injected into the card reader process, which is just waiting for that specific combination. So they can create fake cards so that when they enter it, the process is going to say, okay, this is the specific combination and I know the guy who is behind it, the criminal who wants to interact with me, with the malware.

USB controller: so when they get to the ATM, they plug in a USB. There is a process internally running, checking for a USB being plugged into the ATM. When it detects one, it checks in the root folder if there is a file. If the file has a specific name, like in this case with extension xxx, that's just one example, they say, okay, this is coming from the terminals, right? And then, what do you want me to do? So if the root folder says "bell" or "bill" in this case, it will delete itself, the malware. If it says "copy," it will copy all the information gathered onto the USB. So that way they can interact with the malware. But you can imagine, again, this cannot be done by criminals, right? This is also the guys who just plug in the USB, get the information and just send it to the criminals. So that's the way it works.

SMS message: this was a well-known one last year via Ploutus. So basically it's just a phone attached to the USB port. As you know, the cell phone can have a USB port. So you just use it to charge into the ATM. That way they don't need to charge the phone again. They leave it inside and then they just send an SMS message to the phone. There is another process internally; keep in mind, always, in this whole thing the ATM is already infected. So then when they send an SMS message, there is a process internally listening on the USB port. As soon as they see that there is a USB, sorry, an SMS message coming into the phone, they will translate it into an ATM command to spit out money. The way they connect the ATM to the phone is many ways. One is tethering, as you use your phone to connect to the internet through your phone on your laptop. That's called tethering. So basically you route your laptop to the internet via your phone. So this is tethering, and that's also one way for them to do it. Obviously they need to find specific cell phones, because some cell phones have specific drivers, so it can be difficult for them, but there are some Android phones or other phones which are easy to

install, and they don't require too much effort during installation.

Now, getting stolen data or money. How do they do that? They can print it on the receipt. So they get the information there. They can print it on the screen, or they can send an SMS message, like, as I said, the skimmer: as soon as you enter something, it is going to be sent via SMS message to the attackers. And how do they get the money? As I said, they enter a specific combination in the PIN pad, or the external keyboard, or the SMS message in order to get the money. Every ATM, I mean, it depends on the vendor, but there are two types of ATM. The one which has a small door in the dispenser is going to be opened just a little bit, which is going to allow getting 40 bills only. So that means that the attackers can get 40 bills in one round, depending on the denomination. Assuming that they get money from cassette four, which is $50 in denomination, and they get around 40 bills, they will get around $2,000 just for one cycle.

How is that data stolen? Identifying the transaction log: they need to know what the transaction log is. They also put up fake screens so that the user thinks the screen to enter the PIN... they create their own screen in the ATM so they can steal that information. Man-in-the-middle attack: what they do is, every ATM has a gateway to connect to the bank, so what they do is they understand how the gateway works; they replace the registry key with a new configuration with their own gateway. They obviously create a new binary, which means they understand exactly how that gateway works. So when the bank and the ATM want to communicate, they will go to the registry, they check the gateway configuration, and they grab the one from the criminals and then they use that gateway to communicate to the bank. Then they will change the configuration files so that instead of going to the bank they will point to the local socket in the ATM. That way they route all the traffic through their own socket and then they can intercept the information. But still, even intercepting the information, the PINs are encrypted, because when you enter the PIN in the PIN pad it cannot get out of the device unencrypted; by law it is encrypted. So they still need to crack the PIN numbers, for example.

So, but what if they want to be able to decrypt everything from an ATM? There is something which is the encryption keys. Every time you set up an ATM, the bank is going to issue some encryption keys. Those encryption keys are going to be the ones to encrypt the encryption sessions in every transaction between the ATM and the bank. That means that if the attackers have access to those encryption keys, they can decrypt everything from the ATM. The thing is that those encryption keys are entered in a standard way across the ATM vendors. So they have a specific window like this, which says "enter master keys," and they have a specific title; the title is "enter the A key." You can see there, "enter A key" and "enter B key." This is a 16-byte size key each, A 16 bytes, B 16 bytes, and they need to enter it. So the malware is going to watch for that window. It's going to be saying find window, find window, and when they detect that that window is displayed on the ATM, they will grab all the information from there. So then they can decrypt everything from the ATM. Usually these encryption keys are changed every year, probably. I don't think so, but it's supposed to be every year or by request by the bank. So as soon as they get it, they can decipher everything.

But okay, so we talked about this, but let's now finally check how the ATM is found, right? How we get

money out of it. Actually, as I said, you don't need to exploit anything. You just need to learn how to interact with the middleware. The middleware is called WOSA/XFS. This is the extensions for financial services that was developed by Microsoft, so that anytime you want to run ATM software on Windows you use this framework, which is WOSA/XFS. It's open source, so you can download it from the internet and run it in your Visual Studio; obviously you need an ATM, but you can play with that information. This, plus the programming language exposed on the internet, means someone can easily try to come up with a proof of concept. Unfortunately, this provides a common API to manipulate the ATM hardware, basically, and it is vendor independent.

So basically this is the way it works. We have the ATM application at the top, whether this is the legitimate one or the one created by the hackers. So they talk to the XFS manager via the APIs, and the XFS manager is going to route all the requests to the different service providers. The service providers are the card reader, the printer, the dispenser, all the hardware inside the ATM; that's called a service provider. So when you, as an ATM application, want to interact with any of that hardware, you need to open a session with the XFS manager, who's going to say, okay, do you want to enter the card? Okay, let me transfer you to the card reader. Do you want to dispense money? Okay, I'm going to transfer you to the dispenser. So that way the XFS manager interacts with the application.

So how does it dispense bills? So these are some APIs that they use. This is a standard one; you can see this in every single documentation. So WFSRegister sends a request to the hardware via the XFS manager to say, hey, I want to talk to you. Then WFSOpen opens a session with the dispenser, in this case. If you want to get money, you open a session with the dispenser. If you want to read from the PIN pad, you open a session with the PIN pad. If you want to print something, you open a session with the printer. So you interact with the hardware that way. Then once you open a session, you lock it so that it is for exclusive use, so that you can just interact with it and no one else, and then you run the execute dispense, which is the API to dispense the money. That's the only thing that they need to do. But some ATM software doesn't allow interacting directly with the dispenser. So let's say that you create your proof of concept, you put it in the ATM and you run it; sometimes you will get an error saying, hey, you cannot open a session with the dispenser. The dispenser is not going to talk to you. Probably, I don't know, probably that's a security measure, but what the malware did was they found out that there is a supervisor mode. The supervisor mode is all the maintenance-related activities. So when the ATM guys get into the ATM, they open it. So they will change the cassettes, they will put in more money, they will check the display; everything that's in supervisor mode. That means it's a mode, only depending on the vendor, so that they can do

configuration changes, everything. When they are in supervisor mode, all the hardware will attend to the supervisor mode. It's like the boss. It will send a request to all the hardware and it will say, hey, I'm in supervisor mode; stop doing whatever you are doing, dispenser, printer, and just wait for my instructions. So then that way the criminals are going to switch to supervisor mode, so that the ATM is going to think, okay, it is the supervisor, I'm going to attend to any request, and that way they can interact with the dispenser. So they try to talk to the dispenser, but the dispenser says, I don't want to talk to you. So they switch to supervisor mode by an API, also following the framework. They then switch to supervisor mode and now they try to talk to the dispenser, and the dispenser is going to say, yeah, I can talk to you because you're the supervisor. It's like having the SYSTEM account in Windows. So that way they bypass that technique.

But is it that easy? Well, you can see that when they switch to supervisor mode there is no authentication. So you can do it via software. So you can just request access to supervisor mode. They will say yes. They will open a session, but there is no authentication needed. Also, when you open sessions with the dispenser or any other hardware, you don't need to do that; sorry, you don't need to authenticate. You just open the session. So that means you have your proof of concept, you just put it in the ATM, and you can start talking to the hardware. So that should be something that should not be allowed, right? There should be some authentication in between, so that they say, hey, this is another process not within my framework in the ATM software, so I'm not going to talk to you. So that kind of solution.

Some ATM malware misunderstandings. As I said, people say it doesn't work because you need to transfer the malware to the ATM. As I explained, that's not an issue; actually it's pretty easy to install the malware in the ATM by hiring bank employees. Other people say that it is easy to hack because it runs on Windows XP. Keep in mind that this is not a Windows hack. I mean, if you get access to the ATM running Windows, you can have SYSTEM access, but that doesn't mean you will get the money out. You will need to talk to the middleware to ask it to get the money out. So that's a separate issue. So people say, "Oh, it's Windows XP. I'm going to hack it." No, no, no.

You get access to the system; you can get administrator or, sorry, SYSTEM is even better, and you still need to know how to calculate it.

How to prevent it? Well, physical security, as you see, is too much effort on that, but since the bank employees are being hired, that's not an issue. Full disk encryption: that helps if they get the ATM into the garage. So offline they cannot transfer anything onto the hard disk, but if they transfer the malware online, full disk encryption is not going to help. ATM ports hardening, so that no one can just plug something into the ATM; there must be some validation there. Authentication at process level, so that when the XFS manager gets a request from some process to interact with it, it should be authenticated. Enforce ATM dispensing only when authorization is coming back from the bank. As I explained before, when you get the confirmation from the bank to get the money is when the ATM starts dispensing it. Why? You can just talk to it directly and dispense money. They should have a process in place to make sure that, probably, a token, a one-time token that they get from the bank, can be used to dispense the money, but only that time. If the attacker wants to withdraw the money, they need to know the token, which is coming from the bank. So that way they don't know how to do it, how to guess it, because it's calculated on the bank side. So that kind of thing should be implemented. Also some role-based authentication, so that if someone is transferring the malware into the ATM and I'm the bank employee, I should have some role-based authentication, so that at least I know who installed this into the ATM machine at specific times. At least it's going to be reactive, but at least they know who transferred it. And better salaries, probably, for the guys, so that they don't work for bad guys and they can just work. So that's it. If you have any questions, I'm here. [Applause]

So I'm interested to know, in Latin America, how big a problem is this? Do you have any visibility?

Well, I don't have numbers, but definitely in 2013 it was, it is still, actually, going on right now. Ploutus, which is the malware emptying ATMs, has been emptying machines in Mexico all of 2013, and they are still getting reports about this being done. They are just changing the packer. So they use the same software, but they just change the packer so that the antivirus cannot detect it. But it is in Mexico, and the guys creating these things are from Venezuela. So in Mexico, the criminals were caught, and there were hackers even selling the software to Mexicans.

So, a follow-on: have you heard of any of this going on in Costa Rica or Panama? There's lots of, you know, obviously they both use US dollars, so those would maybe be more attractive targets.

Well, no, it's very well known in Venezuela and Mexico, probably Peru, but it's not common; I have not seen reports in those places. But the problem is that ATMs are so old that they can just... keep in mind that the ATM

software it is the same across the countries I mean you can change the language but it is the same software so whatever you run here is going to run in Russia or Ukraine so it's just a matter to get the contact local who is able to transfer the malware that's the main point. So it's pretty easy Mexico, Latin America, right? But I don't know those countries. So as soon as as soon as they got someone who is able to transfer the hardware, so they can work with them. It's the organized crime actually behind this. So everything relies on on either a bank employee or the person survey servicing the ATM for this to work. If I'm hearing you right

throughout your thoughts, You have to get your physical access device somehow. And the way you're going to pull this off is to either pay someone off at the bank or pay off the ring sky or whoever's punishing you. Yeah. But actually that's that's that's uh the documented way to do it. Uh if if you go to underground forums and those those different examples, they always talk about these guys who are going to kill them. So it is the documented way to do it. And actually it to me it makes sense because otherwise you can be easily detected you know by the different physical security controls in place. So that's the way to go I think

they are. Are you aware of any attacks that coming through the network? Yeah there are some of them I I I didn't have it documented here but there are some other attacks which is in the bank right there. So they have the pointto-point connection and then they hack into the network and from there they can get into the the Yes. Uh with the master keys, are those used to encrypt the CVB on the credit cards? Yeah. Uh well, the the CVB is is also encrypted coming from the in your card. The PIN and the CVB is already encrypted. So by law, it cannot be in plain text. Uh some of them even doesn't even have that number in your in your

debit card. It is in the bank. So they just check it with once you do the transaction but those the PIN and the CVB is always encrypted. They don't even go plain text in the wire. They don't need the master keys. Answer your question. They don't even need the master keys because they already encrypted. The master keys will encrypt the transaction the whole transaction between the ATM and the bank. But but those specific fields are already encrypted. So is is changing the master key every year is that a security problem or does it actually Well actually to be honest uh I don't know if it is every year I I I I know that it is it's just one time when it is

the agent is being set up because actually they get I think a physical envelope is not even software so they get some specific uh because it's they trying to do it very secure because obviously it's the encryption keys is the whole thing. So, and then you do it one time. I'm guessing it's one is every year because it's supposed to be that way. But I'm guess I'm bet is it's not even changed, right? So, I don't know. Unfortunately, when you talk about these things with ATM vendors, they don't they don't talk to you about it. So, if you ask them, hey, how it works or I have this malware or I am analyzing this, they don't talk to you. And then if you

talk about something, they don't want you to talk about it. But at the same time, they don't want to share anything. So that's we don't have that information. Yes. How long does it take to physically dump a cash drawer when they're standing there waiting for it to come out? Yeah. Well, see just one round. It is around uh 30 seconds. Just one round. Really? Yeah. It is that fast. H depending on the machine because some machines are old. So So they start counting the cash and you can you can hear it right like run and then they get the money. some those are old ones but the new ones uh not new ones but better

than those h they do it faster. So but it is around 30 or even 15 seconds. So for example when you send an SMS message uh by the time you send the SMS message get into the ATM and dispense the money is 15 seconds and they disable the video camera. I mean how do they evade getting caught that way? They just put up there with a bag. Yeah. So they they just they just get into the the ATM and that's the mute they will take that risk because they will get there they will get the money and run or something like that and then there is no way but some of them also they they pretend to be withdrawing

money right so they put the car because it's the camera there so if you imagine they put the card and the camera is saying oh this guy is going to get money right they don't know there is an SMS message coming right so when they plug they enter the car and then suddenly the companies the money is coming out. The camera is thinking the money is coming out just because you enter the pin number whatever but they don't know the SMS is coming. So obviously uh but this is like um they they are empty in the ATS that means they have around 5 minutes withdrawing all the money and then from there they just skate but h the marker

is able to choose the cassette. The cassette is going to be the highest denomination. So they will check the cassettes will check what is the denomination five 20 40 50 even I don't know if it is 100 I don't think so but let's say 50. So they choose that uh that cassette and get the money out of it and they just cycle it. It's just a cycle running and just getting the money out. So there are 20 of the ATS which has this um um small recycle no a small bean when the money is coming out as it is. And there is another one who just opened the door. Right? So the ones who just open the

door, they need to wait to get the money and then the next one. Right? But the ones who just spit out the money so they can just grab the money as it comes out, you know. So it depends. Yeah. Yes. Why

do Oh yeah. No. Well, actually, yeah, they since they are Windows machines, they use it just to install the ATM software. They are Windows machines. So, why don't we use special hardware for ATMs, not simply computers? Yeah. Well, actually, I think I don't know, but I think was a strategy because Microsoft created this whole thing. So, they were trying to move ATM whole world into into their world. So they come up with this XFS framework so that everything running in Windows need to be used this specific excuse me they didn't change yeah they didn't change it is an exactly CPU but as I said it is not bad because h they can use the board but just make sure

that it is uh hardened so that nobody can just block it that's a solutions already for that any other questions be posted online somewhere Uh I don't Is this going to be posted? Follow the plan. Yeah, but the the slides are the slides also. Yeah, I mean I can I can share it also. The slides are captured. Slides are captured. See here here is my this is my email.

So you want the slides. It's not on the screen. Slide it over. interview.

Press the end key. Just press the end key. It'll jump straight to the So that's this is this is not one second. So this is the the email if if you want to the slides I can share. Any other question? Okay. Thank you so much.
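The speaker's mitigation, that the dispenser should act only on a one-time token computed on the bank side, as an added example that is not part of the talk or of any ATM vendor's code. It assumes a simulated bank issuing HMAC-bound tokens over a shared key (in practice held in an HSM) and an ATM-side gate that verifies, binds and consumes each token; the key, ATM id and amounts are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo values: in a real deployment the key lives in the bank's HSM
# and the ATM holds only the verification material it needs (assumption).
BANK_KEY = b"constructed-demo-key-not-real"
ATM_ID = "ATM-DEMO-001"


def _token_message(tok: dict) -> bytes:
    # Canonical byte string covered by the MAC: ATM, amount, nonce and expiry.
    return f"{tok['atm']}|{tok['amount']}|{tok['nonce']}|{tok['exp']}".encode()


def bank_issue_token(atm_id: str, amount: int, ttl: int = 60, now: Optional[float] = None) -> dict:
    """Bank side: after approving a transaction, issue a single-use dispense authorization."""
    now = time.time() if now is None else now
    tok = {"atm": atm_id, "amount": amount, "nonce": secrets.token_hex(8), "exp": int(now) + ttl}
    tok["mac"] = hmac.new(BANK_KEY, _token_message(tok), hashlib.sha256).hexdigest()
    return tok


class DispenseGate:
    """ATM side: refuse to drive the cash dispenser unless a fresh bank token authorizes it."""

    def __init__(self, atm_id: str, key: bytes):
        self.atm_id, self.key, self.used = atm_id, key, set()

    def dispense(self, amount: int, token: Optional[dict], now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if token is None:  # a process talking to the dispenser directly carries no authorization
            return "DENIED: no bank authorization"
        expected = hmac.new(self.key, _token_message(token), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("mac", "")):
            return "DENIED: bad MAC"  # forged or tampered token (e.g. amount edited)
        if token["atm"] != self.atm_id or token["amount"] != amount:
            return "DENIED: token not bound to this ATM/amount"
        if now > token["exp"]:
            return "DENIED: token expired"
        if token["nonce"] in self.used:
            return "DENIED: replay"  # the same token cannot dispense twice
        self.used.add(token["nonce"])
        return f"DISPENSED {amount}"
```

Even an attacker with full control of the XFS manager cannot produce a valid token without the bank's key, and a captured token is useless once consumed or expired.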