Threat Forward

It seems like the sophisticated ATM attacks that occur around the world (the ones not using skimmers and cameras) happen because the attackers manage to acquire or gain access to a representative ATM of the type they want to attack.

eBay has plenty of used Hyosung and Triton ATMs for sale.  Picking one up is a great investment for an attacker who wants to understand the software and hardware weaknesses of the devices.  Heck, starting up a tunrkey ATM business is probably an even better investment, since you’ll get access to the latest and greatest to experiment on.

It reminds me of the gambling industry, and how their slot machine security depended partially on “crossroaders” not being able to get a look at the internals.  This turned out as well as you’d expect.  One former casino thief named John Soares wrote an entertaining book going into some depth on the subject.

Many like to call this security by obscurity and leave it at that, but a little analysis shows the underlying risk decisions.

If you go back 40-50 years to mechanical slot machines as described in Loaded Dice, you can reconstruct the “threat profile” casinos likely constructed around people who can successfully attack slot machines:

• They need to be technically adept to understand the inner workings of slot machines, and how to ensure payouts
• They need to be dexterous and accurate to effect the attack in a reasonable amount of time
• They need to gain unrestricted access to a similar machine for practice

That limits the pool of attackers.  To defend against these threat actors, some countermeasures were put in place:

• Supply chain regulation, which makes direct acquisition of the equipment riskier and more susceptible to future investigation
• Common casino surveillance practices extended to the slots floor that limit what actions can be taken by an attacker in the scope of time, noise, and visual detectability
• A mix of high-payout and low-payout machines with a corresponding traffic flow that makes the desirable target machines have a correspondingly smaller window of opportunity for the attacker.

With less time, and less freedom of action, an attacker must be *extremely* dexterous and accurate to have a reasonable chance of success.  When it is hard to buy or acquire target slot machines, tracking down the perpetrators after the crime occurs can be easier.  This in turn limits the pool of threat actors.  The attackers need to be *very* good, *very* fast, and *very* careful about how they acquire their knowledge to put the risk equation in their favor.

In Loaded Dice, John Soares’ crew is very good.  The fact that casinos they hit didn’t go bust because of them and other crews manipulating machines implies that the bar was raised high enough to limit just how many people could successfully attack desirable slot machines.