Last week a leading newspaper in India reported that a 28-year-old commerce graduate had broken into two Axis Bank ATMs. The siphoning went on for six months and was estimated at Rs15.5 lakh.
For the graduate it was all too easy to break into the machines; he said he simply took money out of the ATMs by taking advantage of loopholes in them. By switching a machine into maintenance mode he cut the link between the ATM application and the bank's server for a short period, so nothing that happened at the machine during that window reached the server.
Insider becomes an attacker
The attacker was employed in 2008 as a custodian by Writer Safeguard Private Limited, the company contracted by Axis Bank to refill 19 ATMs between Kanjurmarg and Mulund. The ex-Writer Safeguard employee's job was to refill the ATMs and maintain their cash balance. Some of the machines were reported to hold Rs20 lakh and the others Rs35 lakh.
Automated teller machines (ATMs) have become ubiquitous. We no longer worry about carrying cash before going out to shop for something expensive or setting off on a journey. You may have noticed at times that your local ATM is shut down. It is usually shut for some kind of maintenance activity, anything from the machine not working to it running out of cash. More seriously, it can also mean that the bank has detected a fraud being carried out from that specific machine.
Secure your applications!
Keeping track of the cash status of every machine and monitoring every transaction made by every customer is almost impossible to do manually. That is where helper applications like the ATM reconciler come in (for more on the ATM reconciler and other banking security tools, see our Security Testing Handbook for Banking Applications).
The breach above is an excellent example of weak (or entirely absent) security applications within the banking industry. Security Testing Handbook for Banking Applications is a specialised guide to testing a wide range of banking applications. The book is intended as a companion for security professionals, software developers and QA professionals who work with banking applications.
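As an added example (not code from the original post, and not the book's ATM reconciler), here is a toy reconciliation in Python that ties the two points above together: the maintenance-mode trick and what an ATM reconciler actually checks. It assumes two independent records per machine, the host's transaction log and the ATM's own electronic journal (cassette loads, every dispense, link-state changes and the custodian's cash count); the field names, event kinds, matching window and sample records are all constructed for the example.

```python
"""Toy ATM cash reconciler (added example; field names, event kinds and
sample data are assumptions, not the handbook's reconciler).

Two independent records are compared per ATM:
  * host log: withdrawals the bank server recorded
  * electronic journal: what the ATM itself did (loads, dispenses,
    link changes, the custodian's cash count)
Cash paid out while the host link was down has no host transaction, so it
surfaces as an unmatched, offline dispense and as a cash shortfall.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HostTxn:
    atm_id: str
    ts: datetime
    amount: int            # rupees


@dataclass(frozen=True)
class JournalEvent:
    atm_id: str
    ts: datetime
    kind: str              # "load" | "dispense" | "count" | "link"
    amount: int = 0        # rupees for load / dispense / count
    detail: str = ""       # "online" | "maintenance" for link events


@dataclass
class Report:
    atm_id: str
    expected_cash: int     # loads minus host-recorded withdrawals
    counted_cash: int      # custodian's physical count
    unmatched_dispenses: list = field(default_factory=list)
    offline_dispenses: list = field(default_factory=list)

    @property
    def shortfall(self) -> int:
        return self.expected_cash - self.counted_cash


MATCH_WINDOW = timedelta(seconds=60)   # assumed clock-skew tolerance


def reconcile(atm_id: str, host_log: list, journal: list) -> Report:
    host = sorted((t for t in host_log if t.atm_id == atm_id), key=lambda t: t.ts)
    events = sorted((e for e in journal if e.atm_id == atm_id), key=lambda e: e.ts)
    matched, loaded, counted, online = set(), 0, 0, True
    unmatched, offline = [], []
    for e in events:
        if e.kind == "link":
            online = e.detail == "online"
        elif e.kind == "load":
            loaded += e.amount
        elif e.kind == "count":
            counted = e.amount
        elif e.kind == "dispense":
            if not online:
                offline.append(e)
            # pair each physical dispense with one unused host withdrawal of
            # the same amount inside the clock-skew window
            idx = next((i for i, t in enumerate(host)
                        if i not in matched and t.amount == e.amount
                        and abs(t.ts - e.ts) <= MATCH_WINDOW), None)
            if idx is None:
                unmatched.append(e)
            else:
                matched.add(idx)
    expected = loaded - sum(t.amount for t in host)
    return Report(atm_id, expected, counted, unmatched, offline)


def findings(r: Report) -> list:
    """Alerts for one ATM; an empty list means it reconciles cleanly."""
    out = []
    if r.shortfall:
        out.append(f"{r.atm_id}: cash short by Rs{r.shortfall:,}")
    for e in r.unmatched_dispenses:
        out.append(f"{r.atm_id}: Rs{e.amount:,} dispensed at {e.ts:%H:%M} with no host transaction")
    for e in r.offline_dispenses:
        out.append(f"{r.atm_id}: Rs{e.amount:,} dispensed at {e.ts:%H:%M} in maintenance mode")
    return out


# Constructed sample records (not real bank data).
T = datetime(2009, 3, 2, 9, 0)
HOST_LOG = [
    HostTxn("ATM-A", T + timedelta(minutes=30), 10_000),
    HostTxn("ATM-A", T + timedelta(minutes=45), 10_000),
    HostTxn("ATM-B", T + timedelta(minutes=20), 5_000),
]
JOURNAL = [
    JournalEvent("ATM-A", T, "load", 2_000_000),
    JournalEvent("ATM-A", T + timedelta(minutes=30, seconds=5), "dispense", 10_000),
    JournalEvent("ATM-A", T + timedelta(minutes=45, seconds=3), "dispense", 10_000),
    JournalEvent("ATM-A", T + timedelta(hours=2), "link", detail="maintenance"),
    JournalEvent("ATM-A", T + timedelta(hours=2, minutes=1), "dispense", 50_000),
    JournalEvent("ATM-A", T + timedelta(hours=2, minutes=2), "link", detail="online"),
    JournalEvent("ATM-A", T + timedelta(hours=8), "count", 1_930_000),
    JournalEvent("ATM-B", T, "load", 3_500_000),
    JournalEvent("ATM-B", T + timedelta(minutes=20, seconds=2), "dispense", 5_000),
    JournalEvent("ATM-B", T + timedelta(hours=8), "count", 3_495_000),
]

if __name__ == "__main__":
    for atm in ("ATM-A", "ATM-B"):
        print(findings(reconcile(atm, HOST_LOG, JOURNAL)) or [f"{atm}: clean"])
```

Two caveats a practitioner would add. The custodian's cash count is the insider's own figure, so the shortfall line alone proves little; the independent signal is a dispense in the machine's journal with no host counterpart, and a dispense while the link is down should page someone on its own, not wait for the end-of-cycle count. Matching on amount plus a time window is a simplification; a real reconciler keys on the host's transaction sequence number echoed in the journal, which also catches the case where the host approved a withdrawal the dispenser never completed.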