Tag Archive for ATM

| April 30, 2018
Comments Off on ATM Jackpotting

ATM Jackpotting

ATM JackpottingThe U.S. Secret Service has warned (PDF) financial institutions of logical (jackpot) attacks on Automated Teller Machines (ATMs). These ATM attacks originated in Mexico and have spread to the US. These jackpotting attacks are an industry-wide issue and as one vendor stated, are “a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The attack mode involves a series of steps to defeat the ATM’s existing security mechanisms and the authorization process for setting the communication within the ATM. Internal communications are used when computer components like the mainboard or the hard disk have to be exchanged for legitimate reasons.

Description of an ATM attack

Automated Teller Machines (ATMs)In a Jackpotting attack, the criminal gains access to the internal infrastructure of the terminal to infect the ATM PC or by completely exchanging the hard disk (HDD). There are a number of steps the attacker has to take for this type of attack:

  1. The top of the ATM must be opened.
  2. The original hard disk of the ATM is removed and replaced by another hard disk, which the attackers have loaded with an unauthorized and/or stolen image of ATM platform software.
  3. In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open. A cable in the ATM is unplugged to fool the machine into allowing the crooks to add their bogus hard drive to the ATM.
  4. A dedicated button inside the safe needs to be pressed and held to start the dispenser communication. The crooks insert an extension into existing gaps next to the presenter to depress the button. CCTV footage has shown that criminals use an industrial endoscope to complete the taskATM's

In other Jackpotting attacks, portions of a third-party multi-vendor application software stack to drive ATM components are used. Brian Krebs at Krebs on Security reports that Secret Service issued a warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

Mr. Krebs also reports that “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM. Once this is complete, fraudsters own the ATM and it will appear Out of Service to potential customers according to the confidential Secret Service alert. At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

In previous Ploutus.D attacks, the ATM Dispensed at a rate of 40 bills every 23 secondscontinuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Specific Guidance and Recommendations

The most common forms of logical attack against ATMs are “Black Box” and “Offline Malware”. The steps to minimize the risks to ATMs are the same as any other enterprise device.

  1. Make sure firmware and software are current with the latest updates, are important protections to mitigate the impact of Black Box attacks. Four out of five cash machines still run Win XP or Win XP Embedded. The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to at least Windows 7 to defeat this specific type of attack.
  2. Use secure hard drive encryption protections against Offline Malware
  3. Use a secure BIOS remote control app to lock the ATM BIOS configuration and protect the configuration with a password.
  4. Deploying an application whitelisting solution.
  5. Limit Physical Access to the ATM:
    • Use appropriate locking mechanisms to secure the head compartment of the ATM.
    • Control access to areas used by staff to service the ATM.
    • Implement two-factor authentication (2FA) controls for service technicians.
  6. Set up secure monitoring
  7. Use the most secure configuration of encrypted communications. In cases where the complete hard disk is being exchanged, encrypted communications between ATM PC and dispenser protect against the attack.
    • Ensure proper hardening and real-time monitoring of security-relevant hardware and software events.
    • Investigate suspicious activities like deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser. Monitor unexpected opening of the top hat compartment of the ATM.

rb-

Followers of the Bach Seat know how to secure their PCs, I have written about securing PCs many times here. So the question is why not ATMs? Research says that consumers go into the branch less every year. The experts say that by 2022 customers will visit a branch only 4 times a year. In many cases, ATMs are the bank’s surrogates for most cash transactions. It makes sense to get it right.

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
| June 25, 2016
Comments Off on Malware Steals Your Cash At ATM

Malware Steals Your Cash At ATM

Malware Steals Your Cash At ATMOn September 2, 1969, America’s first automatic teller machine (ATM) started dispensing cash to customers at Chemical Bank in Rockville Center, New York. Since then ATMs have been a trusted avenue for many banking transactions. However, Business Insider warns that the next time you pull cash out of the ATM, or “Tap the Mac” you should take extra care. BI reports that Internet security firm Kaspersky Lab has announced the return of a newer and more dangerous version of the Skimer malware.

TATMs hackedhe report characterizes Skimer as an especially dangerous malware that turns whole ATMs into card-skimming machines. The malware first appeared in 2009 and has been distributed at ATMs all over the world.

The majority of ATM fraud takes place through card skimming. Card skimming is usually physical, as criminals typically install an illegal card-reading device into ATMs, film people entering their PINs on keypads, and then create duplicate cards for sale and use, reports the New York Times. Fortunately, users can uncover these card skimmers because they’ll spot a problem with the card reader or notice an unusual camera.

Gas pump skimmerSkimer is particularly problematic because it is software-based. The article explains the threat is undetectable to the common ATM user since there is no physical sign of the ATM being tampered with. The Russian-based program lets criminals access an ATM remotely, install the malware, and then gather data such as PINs, card numbers, and account numbers over the course of time. A “money mule” can then insert a special magnetic stripe card into the ATM to access the stolen data, take out money, or print card numbers onto a receipt.

The attack begins by gaining access to the ATM system either through physical access or via the bank’s internal network. Then Backdoor.Win32.Skimer malware is installed which infects the core of the ATM. The ATM core is responsible for the machine’s interactions with the banking infrastructure, cash processing, and credit cards. After that, the ATM has become a skimmer. The compromise allows the attackers to withdraw all the funds in the ATM or grab the data from cards used at the ATM, including customers’ bank account numbers and PIN codes.

Kaspersky logoKaspersky is trying to help banks detect Skimer and is providing techniques for identifying affecting machines and securing their ATM networks in the future. Sergey Golovanov, a principal security researcher at Kaspersky Lab explains it is possible for banks to stop Skimer.

We have discovered the hardcoded numbers used by the malware, and we share them freely with banks … they can proactively search for them inside their processing systems, detect potentially infected ATMs and money mules, or block any attempts by attackers to activate the malware

To prevent ATM attacks, Kaspersky recommends that banks:

  • Perform regular AV scans,
  • Use whitelisting technologies,
  • Have a good device management policy,
  • Enable full-disk encryption,
  • Protect the ATM’s BIOS with a password,
  • Only allow HDD booting,
  • Isolate the ATM network from any other internal bank network.

ATM fraud continues to growDespite a way to control Skimer, ATM fraud continues to grow according to BI. A recent FICO study found the number of compromised ATMs in the U.S. surged 546% from 2014 to 2015, thanks in large part to the slow EMV migration of debit cards and ATMs. The article speculates that EMV upgrades would stop Skimer. The resistance to EMV means ATM fraud could grow even more from 2015 to 2016.

John Heggestuen, at BI Intelligence, explains that EMV cards are being rolled out with an embedded microchip for added security. The microchip carries out real-time risk assessments on a person’s card purchase activity based on the card user’s profile. The chip also generates dynamic cryptograms when the card is inserted into a payment terminal. Because these cryptograms change with every purchase, it makes it difficult for fraudsters to make counterfeit cards that can be used for in-store transactions.

EMV cardsRetail card fraud cost U.S. retailers approximately $32 billion in 2014, up from $23 billion in 2013. To solve the card fraud problem across all channels, payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud. In the article, BI’s Heggestuen describes some of the other technologies that financial institutions are utilizing to reduce fraud risks.

Encryption of payments data is being widely implemented. Encryption degrades valuable data by using an algorithm to translate card numbers into new values. This makes it difficult for fraudsters to harvest the payments data for use in future transactions.EncryptionPoint-to-point encryption electronically changes sensitive payment data from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions.

Point-to-point encryption
Tokenization increases transaction security. Tokenization assigns a random value to payment data, making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often “multiuse,” meaning merchants don’t have to force consumers to re-enter their payment details. Apple Pay uses one emerging form of tokenization.Tokenization
3D Secure is an imperfect answer to user authentication online. One difficulty in fighting online fraud is that it is hard to confirm that the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data as well as payment data to complete a transaction online.

rb-

The best recommendation to protect yourself from Skimer and other ATM threats is to use the ATMs at your bank or credit union. These ATMs are harder for thieves to install any type of skimmers or malware on because of the higher traffic and monitoring. ATMs located outside a financial institution like at a 7-11 are highly suspect.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,