A Peek Inside A Simple ATM Machine

This article is a derivative of an article I wrote a while back ago, which was published in 2600: The Hacker Quarterly 22:3 (Autumn 2005). If it looks familiar, that's why.

In [2600 Magazine] issue21:4, I discussed the workings and "unofficial" reset method for
LaGard ComboGard vault locks. [Also archived on HiR] This time, I've got a whole ATM to work with.

The ATM I scored is a Diebold CashSource+ 100. This is one of those smaller
indoor ATMs that you would find inside a convenience store. It features a
monochrome LCD, eight option keys beside the screen, a number pad with four
function keys (Shift, Cancel, Clear, and Enter) receipt printer, slots for
one cash box and one "reject" box. The card slot is a horizontal swipe-through
under the screen. There's a single five-tumbler lock on the front door. Once
opened, you're given access to 3 things: The combination dial, the vault door
bolt control, and a pair of buttons that let you swing the top compartment
upwards.

Once you squeeze the buttons together and swing the top compartment open,
you're given access to the printer, the main power switch, the modem, and some
Macintosh-style serial cables plugged into the backside of the LCD/Keypad.
The printer uses standard thermal receipt paper, and there's only one printer,
so there's no "live" paper audit trail. I'd imagine it's stored in memory, but
it may not keep an audit trail at all. The modem in my ATM is a generic 33.6k
serial modem. When I power the unit on, it attempts to dial the mother ship,
but I am not curious enough to hook it up to a phone line to see what happens.



Of course, all the interesting stuff is held within the vault. On my CSP-100,
the vault lock was a LaGard 3332-3, which is a 3-number (0-100) mechanical
combination lock with wires that can be used for sensing bolt position and
a "duress" combination. These wires on my ATM were simply wire tied and un-
used. A duress combination is the combination you dial in when you're being
forced against your will to open the vault. To activate duress mode, you dial
in the combination normally, except the last digit, you dial to the "change"
index, which is another mark about 20 degrees to the left of the "open" index.
This causes a plastic arm inside the lock to trigger the duress switch.



The duress wiring (white and blue wires) can be used in combination with a
silent alarm or telephone dialer to notify the police or an alarm monitoring
company. The bolt position switch that I mentioned (red and black wires)
operates in the same way, but is triggered whenever the lock is opened
regardless of duress mode. This can also be used with an alarm system or
with a buzzer so that an audible alert is heard when the vault is opened.



This lock can be easily replaced with one of many combination locks on the
market, including electronic combination locks such as the LaGard ComboGard
I wrote about in 21:4, Kaba Mas (or Mas Hamilton) Cencon S2000 or Auditcon.
The combination on the existing mechanical lock can also be changed, provided
you have a change key, which my ATM came with, taped to the vault door.
Detailed combination changing instructions are available from LaGard, I found
them by Googling for: change combination instructions group 2m

Once the correct combination (or the duress combination) has been entered,
the other knob will turn, which retracts the locking bolts that hold the door
shut. Once that knob is turned, the door opens, and you've got full access to
the cash boxes, reject box, the main power supply, control board, combination
lock housing (for changing the combination using a change key) and the
conveyor belt that moves the money around. The reject bin is where money goes
that comes out of the cash box "out of spec", that is, multiple bills stuck
together, comes out at an angle, folded, or damaged. There are several kinds
of cash boxes. The one that came with my CSP-100 was a locking cash box that
had a red/green tamper indicator on it. The locks on my reject box and cash
box were both operated by the same 7-pin cylinder key. The tamper indicators
will trigger at almost any sign of forced entry including simply removing them
from the ATM. The boxes can not be re-inserted when the indicator is red, and
the key is needed in order to clear the indicator.

The ATM knows what kind of cash boxes are inserted by means of an array of
buttons inside the ATM that are operated by plastic nubs on the back of the
cash box. I do not know what the coding is, but the reject box had its
plastic nubs in a different pattern than the $20 cash box that my ATM came
with. Most cash boxes can hold upwards of 2,000 bills (2,500 if they're
fresh, crisp, new bills), so a fully loaded cassette of $20 bills could store
up to $50,000. It's doubtful that you would see an ATM of this puny stature
loaded with more than a few thousand dollars at any given time, though.

Pressing the small blue button on the lower front of the inside frame of
the ATM allows allow you to firmly yank the innards out on a rolling rail
system. This gives you better access to the money conveyor belt system,
the main system board, the sides of the cash box area, and the main power
supply.



The vault is made of heavy guage steel, which probably is the main reason that
this thing is so heavy. I certainly see why not very many ATM's get stolen.
They might look small and easy to manage, but you would need 2 or 3 men and
a pickup truck to make a successful and timely getaway with this small ATM,
and good luck getting the vault opened up. It would certainly be more
trouble than it's worth.

I have not even tried to get into the ATM's diagnostics or settings yet. There
are no power outlets in the storage unit I'm keeping the ATM in, so I'll have
to move it somewhere else to continue tinkering beyond the mechanical realm.
Given the severe lack of external controls (and a user or installer manual),
I am thinking that the setup/maintenace process needs to happen either over
the on-board modem, or with an external device such as the ATM programmers
I've found in the dumpster before. I can't see where I'd hook such a device
up, though.

That's the mechanical breakdown of a simple ATM. As I experiment some more,
look for another article on programming, setup, auditing, and diagnostics.