Monday, September 29, 2014

ATM Machine - How can it get hacked?

Recently in Malaysia, just days ago (before I wrote this), a few ATM machines were hacked and a few banks lost more than a few million RM. This is really serious, and it is worse than the traditional ways of stealing money from the machine. It should be flagged as a critical issue by bankers and by the information security organizations and community, and it calls for fast and firm action to prevent it. Just imagine if these people got to access and hack the machines for one month from multiple locations. There would be billions in losses, and I can't imagine that (or rather, I am afraid to think about it).

It was reported by The Star [3] on the same day, and by Harian Metro [1] and Utusan [2] on 30th September 2014, upon verification from the respective agencies and company.

This is not the first time, as it happened previously in Montreal, where 2 young teenagers unintentionally hacked into a Bank of Montreal ATM machine during their lunch break [8].

This won't be the last, and neither will the cases reported here in Malaysia. Regalado from Symantec [4] had already raised the alarm in March, following his findings at the end of 2013 [7].

As long as the machines use software to operate, the issue will remain unless the community starts to build workable solutions to detect and prevent this from occurring. This is not possible until the community understands the real issue and its root cause. People may see this as an XP issue or an issue with the software residing in the ATM machine, and they will opt to change these two pieces of software. But in my view, these are not the root cause. These two are merely the trigger button, or one of the unlocked doors waiting to be opened. The real root cause lies in the initial steps of the software development lifecycle. This is where the community should start to implant its security measures.

There are many ways to do this, and one of them is to increase software developers' understanding of writing secure code. I've written a few papers which I hope will be a step towards having software that is hardened and difficult to infiltrate:

  • Understanding Vulnerabilities by Refining Taxonomy (In the proceedings of, and presented at, IAS 2011. Appears in IEEE)
  • Classifications and Measurement on C Overflow Vulnerabilities Attack (Published in the journal IJNCAA)
  • Vulnerabilities and Exploitation in Computer System - Past, Present and Future. SiSKOM 2013 (ISBN 978-967-12088-0-9), Universiti Teknologi Mara, Shah Alam, Selangor, Malaysia, 3rd - 4th Sep 2013

I won't say that hacking will be impossible, as there is no such thing as impossible when you have the 'will'. But this is another step for us to create a stronger wall of security.



