1. InfoconDB
  2. Security BSides
  3. BSidesSF 2019
  4. Goldilocks and the Three ATM Attacks

Goldilocks and the Three ATM Attacks

Presented at BSidesSF 2019, March 4, 2019, 1:30 p.m. (30 minutes)

Automated Teller Machine (ATM) attacks are more sophisticated than ever before. Criminals have upped their game, compromising and manipulating ATM networks, software, and other connected infrastructure. Between having a third-party manage these machines and ATMs deployed on low-bandwidth links, it's an inevitable wild-west environment. In this talk I will review three case studies of ATM attacks, showing how they have become more dangerous than ever before. In this session, I will discuss unknown ATM flaws our pentesting team has uncovered while performing testing, the various ways criminals are attacking ATMs, the many security problems that we have identified with ATM systems, and what can be done to prevent these attacks. I will review three case studies of ATMs. One where the ATM security was extremely poor; One where the security was very good but the ATM still fell victim to an attack because we discovered a zero-day in the management software; And one where the security was just right- but its specific deployment had some major flaws that ultimately led to an ATM compromise. In this last case, the attackers side-loaded an application, and were able to run a criminal ring that led to $7M USD in losses.

Presenters:

  • David Bryan / VideoMan as David M. N. Bryan
    David M. N. Bryan is an Executive Consultant, and Technology leader with X-Force Red, IBM’s elite security testing team. Responsibilities include establishing standardized tools and procecess for our consultants and working with clients on penetration testing projects. David has over 18 years of experience. From being a defender of security at a top ten bank, to securing the DEF CON network. David has been a participant in the information security community for 20+ years. David has been the attacker in many scenarios as a penetration tester covering: ATMs, embedded devices, network, wireless, web applications, and physical security. David has presented at many security conferences including: BlackHat, DEF CON, ToorCon, LayerOne, ToorCamp, BSides Events, AppSecUSA, Etc. David lives in cold, but beautiful Minneapolis Minnesota.

Links:

Similar Presentations: