Nepal has officially raised with China the matter of Chinese nationals involved in a massive ATM hacking scandal that cheated Nepali banks out of millions of rupees.
- On 31 August, five Chinese men in Nepal, acting in a coordinated operation, committed the fraud by tampering with the ATM switch that links the Nepal Electronic Payment System (NEPS) to 11 Nepali banks, and withdrew a large amount of cash illegally. The gang had planned to leave the country in September.
- Foreign Ministry officials, together with Nepal's Finance Ministry, briefed Chinese officials on the nature of the crime and the mechanism the conspirators used for the theft. They also warned that incidents like this could in future seriously harm Chinese business interests in Nepal.
- Nepal Rastra Bank (NRB), the country's central bank, convened a special meeting of all Nepali banks on September 9 and 10 to discuss the issue. The matter was to be raised with Chinese Foreign Minister Wang Yi during his visit to the country earlier this month, but the Nepali side decided at the last moment not to raise it, to avoid embarrassment, as the Finance Minister was on a visit to China from September 8 to 10 at the time.
- Approximately Nepali Rs 34.5 million was withdrawn illegally, including INR 10.5 million withdrawn in India, according to Bam Bahadur Mishra, chief of the Payment Systems Department at Nepal Rastra Bank, as quoted by local media.
- The incident raised eyebrows both in Nepal and internationally over how easily the criminals were able to find loopholes in Nepal's electronic payment systems.
- Although there have been previous cases of ATM hacking in Nepal, including one in 2017 involving NIC Asia Bank, this is one of the largest electronic financial frauds to come to light in the South Asian country in recent years.
If you are wondering how attacks on ATMs are possible at all, the following findings from security researchers at Positive Technologies, who tested 26 ATMs, show that hacking an ATM is shockingly easy.
- Every ATM the researchers examined was vulnerable to software-based attacks, not all of which required opening the ATM cabinet. All of them gave up customer card data in one way or another, and 85 percent (22 of the 26 tested) could be made to hand over cash without cracking open the safe.
- An ATM consists of a computer and a safe enclosed in a cabinet. The computer usually runs Windows and has ordinary keyboard, mouse and network inputs. Open the cabinet with a drill, a lock pick or a key (one key will often open every unit of a given model) and you have physical access to the computer.
- The safe, which holds the cash, is directly attached to the cash dispenser; cracking it open requires heavy equipment or explosives. But the researchers found that the computer, its network connections, or the interface between the computer and the safe could almost always be made to give up cash or a customer's card data.
- Before an ATM can give a user cash, its computer must communicate with a server at a remote transaction-processing centre, usually over a wired Ethernet connection or a cellular modem. Some of these connections are dedicated direct links, while others go out over the internet, and not all of them are encrypted.
- Many of the tested ATMs also had poor firewall protection and insufficient protection for the data transmitted between the ATM and the processing centre.
Physical but non-intrusive ATM attacks
- Some ATM models put the Ethernet port on the outside of the cabinet, so an attacker can unplug the cable and connect a laptop that spoofs the processing server and tells the ATM to spit out cash. Known security flaws in the ATM's network hardware or software could also be exploited, since not all the ATMs had been patched.
- Granted, it is not always easy to loiter at an ATM long enough to pull off an attack. Still, according to the report, a crook would need only about 15 minutes of access to the ATM's network connection to the processing centre, which is far less conspicuous at three in the morning.
Opening up the ATM cabinet
- While a customer is using an ATM it runs in "kiosk mode", in which you cannot switch to another application. But plug in a keyboard, or a Raspberry Pi configured to act as a keyboard, and you can use the ATM like an ordinary computer.
- Exiting kiosk mode does not by itself produce cash, but a keyboard makes it far more convenient to run malicious commands on the ATM. Most of the machines were vulnerable anyway: half of those examined ran Windows XP, a 2001 operating system with many known vulnerabilities, so this step was rarely hard.
- Once the cabinet is open and the computer's input ports are within reach, there is not much standing between the attacker and a cash jackpot.
Plugging in an ATM black box
- You do not always need access to the ATM's computer to get cash. A "black box" (a Raspberry Pi or similar device running modified ATM diagnostic software) can be connected directly to the cash dispenser on the safe and made to spit out banknotes.
- Most ATM makers encrypt communications between the ATM computer and the cash dispenser, which should in theory make this attack impossible. But half the ATMs Positive Technologies examined used weak encryption that was easily cracked, and five ATMs had no software protection against black-box attacks at all.
Installing malicious ATM software
- Most of the ATMs ran security applications intended to prevent the installation of malicious software. Four of those applications, including two made by McAfee and Kaspersky Lab, had security flaws of their own, and another stored an administration password in plaintext.
- Once the security application's settings have been changed, an attacker can connect directly to the ATM's hard drive and add malicious programs, provided the drive is not encrypted; the researchers could do this on 24 of the 26 ATMs examined. Such malware is not cheap (it starts at around $1,500 on online criminal forums), but once bought it can be reused on any machine of the same model.
So what's in it for me?
- The real risk is to the banking industry. Positive Technologies said the industry could minimise theft by insisting that ATM makers encrypt ATM hard drives, strongly encrypt communications with processing servers, upgrade machines to Windows 10, disable common Windows keyboard shortcuts, lock down BIOS configurations, use stronger administrative passwords and, last but not least, make the ATM computers harder to access physically.
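The spoofed processing server on the external Ethernet port and the black box on the dispenser cable described above come down to the same missing property: the party that dispenses cash must bind every command to a fresh nonce it issued itself and check a keyed tag over nonce and command. The following is an added example covering both cases; it is not code from the Positive Technologies report or from any ATM vendor. It assumes a per-device shared key, HMAC-SHA256, and the class and function names shown, all of which are this example's own choices; in a real deployment the host link would additionally run inside mutually authenticated TLS.

```python
"""Why an unauthenticated link lets a spoofed host or a black box dispense cash.

Added example, not from the report or any vendor. Assumptions: a per-device
symmetric key provisioned at install time and HMAC-SHA256 as the tag.
"""
import hashlib
import hmac
import secrets

KEY = b"per-device-key-provisioned-at-install"   # assumption: not readable by the attacker


def xor_fixed_key(data: bytes, key: bytes = b"K") -> bytes:
    """Stand-in for the weak 'encryption' some dispensers used: secrecy, no freshness."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class Signer:
    """Party that issues decisions or commands (processing host, or the ATM PC)."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def sign(self, nonce: bytes, command: str) -> bytes:
        return hmac.new(self.key, nonce + b"|" + command.encode(), hashlib.sha256).digest()


class Verifier:
    """Party that performs the irreversible action (ATM PC trusting a host, or the dispenser).

    It issues one random nonce per transaction and accepts a command only if the tag
    over that nonce and command verifies. A nonce is consumed on first use, so a
    captured (nonce, command, tag) triple cannot be replayed.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, command: str, tag: bytes) -> bool:
        if nonce not in self.outstanding:        # never issued, or already used
            return False
        self.outstanding.discard(nonce)          # single use, even if the tag turns out bad
        expected = hmac.new(self.key, nonce + b"|" + command.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


# --- Scenario 1: laptop on the external Ethernet port spoofs the processing host ---

def plaintext_atm_trusts_any_host() -> bool:
    """The unauthenticated design: whatever answers on the cable is 'the host'."""
    spoofed_response = "APPROVED amount=500"          # constructed by the attacker's laptop
    return spoofed_response.startswith("APPROVED")   # True: the ATM dispenses


def authenticated_atm_rejects_spoofed_host() -> bool:
    atm = Verifier(KEY)
    nonce = atm.challenge()                          # sent to the host with the request
    forged_tag = hmac.new(b"attacker-guess", nonce + b"|APPROVED amount=500",
                          hashlib.sha256).digest()   # attacker has no key
    return atm.accept(nonce, "APPROVED amount=500", forged_tag)   # False


def authenticated_atm_accepts_real_host() -> bool:
    atm, host = Verifier(KEY), Signer(KEY)
    nonce = atm.challenge()
    return atm.accept(nonce, "APPROVED amount=500", host.sign(nonce, "APPROVED amount=500"))


# --- Scenario 2: black box on the dispenser cable ---

def encrypted_but_replayable_dispenser() -> bool:
    """Fixed-key 'encryption' without a nonce: the black box never decrypts anything,
    it just replays the ciphertext it captured during a legitimate withdrawal."""
    captured = xor_fixed_key(b"DISPENSE notes=20")   # sniffed from the ATM PC
    # The dispenser decrypts and obeys every time it sees this blob.
    return xor_fixed_key(captured) == b"DISPENSE notes=20"   # True: replay works


def challenge_response_dispenser_rejects_replay() -> bool:
    dispenser, atm_pc = Verifier(KEY), Signer(KEY)
    nonce = dispenser.challenge()
    cmd = "DISPENSE notes=20"
    captured = (nonce, cmd, atm_pc.sign(nonce, cmd))   # legitimate, sniffed by the black box
    first = dispenser.accept(*captured)                 # genuine withdrawal goes through
    replay = dispenser.accept(*captured)                # black box replays: nonce consumed
    return first and not replay                         # True
```

The point of the second scenario is that the "poor encryption" the report mentions is not only a key-strength problem: even unbreakable encryption of the dispenser command does nothing against a black box that replays the captured ciphertext, unless the dispenser ties each command to a nonce it chose.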
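As an added example (not from the report or from any vendor's whitelisting product) of what the security applications on the tested ATMs are meant to do, the following sealed-allowlist check detects a program dropped onto an unencrypted drive and a weakened security setting, and refuses a manifest that was re-sealed without the key. The directory layout, file names and the key SEAL_KEY are constructed for the example; the key is assumed to be held outside the ATM drive (a TPM or the bank's verification host), not stored in plaintext beside the configuration as one tested ATM did with its administration password.

```python
"""Detecting software added to an ATM's unencrypted drive with a sealed allowlist.

Added example, not from the report or any vendor. Assumption: SEAL_KEY is held
outside the drive, so an attacker with disk access cannot re-seal the manifest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

SEAL_KEY = b"key-held-outside-the-atm-drive"   # assumption: see module docstring


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def seal(manifest: dict[str, str], key: bytes) -> bytes:
    """Baseline manifest plus an HMAC over its canonical JSON form."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "tag": tag}).encode()


def verify_tree(root: Path, sealed: bytes, key: bytes) -> dict:
    """Compare the drive with the sealed baseline.

    Any edit to the manifest itself (entries changed, or re-sealed with the wrong
    key) is reported as manifest_tampered; otherwise added, modified and removed
    files are listed relative to the baseline.
    """
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return {"manifest_tampered": True, "added": [], "modified": [], "removed": []}
    baseline, current = doc["manifest"], hash_tree(root)
    return {
        "manifest_tampered": False,
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> dict:
    """Constructed ATM drive image: clean baseline, then an intrusion like the one described."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "app/cashdisp.exe", b"MZ-constructed-dispenser-app")        # constructed sample
        _write(root, "app/config.ini", b"host=processing.example\n")             # constructed sample
        _write(root, "security/allowlist.cfg", b"enforce=1\n")                   # constructed sample
        sealed = seal(hash_tree(root), SEAL_KEY)
        clean = verify_tree(root, sealed, SEAL_KEY)

        # Attacker with drive access: weakens the security app's settings, drops
        # cash-out malware, then tries to re-seal the manifest without the key.
        _write(root, "security/allowlist.cfg", b"enforce=0\n")
        _write(root, "app/jackpot.exe", b"MZ-constructed-malware")
        after_attack = verify_tree(root, sealed, SEAL_KEY)
        forged = seal(hash_tree(root), b"attacker-does-not-have-the-key")
        forged_result = verify_tree(root, forged, SEAL_KEY)
    return {"clean": clean, "after_attack": after_attack, "forged": forged_result}
```

Full-disk encryption, which the report recommends, is what stops the attacker from writing to the drive in the first place; a sealed allowlist like this one is the complementary detective control, and enforcing it at program load is what the security applications on the tested ATMs are for. Storing the sealing key or an administrative password on the same drive, as one of those applications did, collapses both controls into one.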