Banking | Bach Seat

Tag Archive for Banking

RB | April 30, 2018

Comments Off

ATM Jackpotting

ATM Jackpotting The U.S. Secret Service has warned (PDF) financial institutions of logical (jackpot) attacks on Automated Teller Machines (ATMs). These ATM attacks originated in Mexico and have spread to the US. These jackpotting attacks are an industry-wide issue and as one vendor stated, are “a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The attack mode involves a series of steps to defeat the ATM’s existing security mechanisms and the authorization process for setting the communication within the ATM. Internal communications are used when computer components like the mainboard or the hard disk have to be exchanged for legitimate reasons.

Description of an ATM attack

In a Jackpotting attack, the criminal gains access to the internal infrastructure of the terminal to infect the ATM PC or by completely exchanging the hard disk (HDD). There are a number of steps the attacker has to take for this type of attack:

The top of the ATM must be opened.
The original hard disk of the ATM is removed and replaced by another hard disk, which the attackers have loaded with an unauthorized and/or stolen image of ATM platform software.
In order to pair this new hard drive with the dispenser, the dispenser communication needs to be reset, which is only allowed when the safe door is open. A cable in the ATM is unplugged to fool the machine into allowing the crooks to add their bogus hard drive to the ATM.
A dedicated button inside the safe needs to be pressed and held to start the dispenser communication. The crooks insert an extension into existing gaps next to the presenter to depress the button. CCTV footage has shown that criminals use an industrial endoscope to complete the task

In other Jackpotting attacks, portions of a third-party multi-vendor application software stack to drive ATM components are used. Brian Krebs at Krebs on Security reports that Secret Service issued a warning that organized criminal gangs have been attacking stand-alone ATMs in the United States using “Ploutus.D,” an advanced strain of jackpotting malware first spotted in 2013.

Mr. Krebs also reports that “During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATMs operating system along with a mobile device to the targeted ATM. Once this is complete, fraudsters own the ATM and it will appear Out of Service to potential customers according to the confidential Secret Service alert. At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash.

“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

Specific Guidance and Recommendations

The most common forms of logical attack against ATMs are “Black Box” and “Offline Malware”. The steps to minimize the risks to ATMs are the same as any other enterprise device.

Make sure firmware and software are current with the latest updates, are important protections to mitigate the impact of Black Box attacks. Four out of five cash machines still run Win XP or Win XP Embedded. The Secret Service alert says ATMs still running on Windows XP are particularly vulnerable, and it urged ATM operators to update to at least Windows 7 to defeat this specific type of attack.
Use secure hard drive encryption protections against Offline Malware
Use a secure BIOS remote control app to lock the ATM BIOS configuration and protect the configuration with a password.
Deploying an application whitelisting solution.
Limit Physical Access to the ATM:
- Use appropriate locking mechanisms to secure the head compartment of the ATM.
- Control access to areas used by staff to service the ATM.
- Implement two-factor authentication (2FA) controls for service technicians.
Set up secure monitoring
Use the most secure configuration of encrypted communications. In cases where the complete hard disk is being exchanged, encrypted communications between ATM PC and dispenser protect against the attack.
- Ensure proper hardening and real-time monitoring of security-relevant hardware and software events.
- Investigate suspicious activities like deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser. Monitor unexpected opening of the top hat compartment of the ATM.

rb-

Followers of the Bach Seat know how to secure their PCs, I have written about securing PCs many times here. So the question is why not ATMs? Research says that consumers go into the branch less every year. The experts say that by 2022 customers will visit a branch only 4 times a year. In many cases, ATMs are the bank’s surrogates for most cash transactions. It makes sense to get it right.

Related article

ID thieves filing for unemployment benefits (WOOD.TV)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2018, 2FA, 7, ATM, Banking, BIOS, Encryption, Jackpotting, Microsoft, MSFT, Security, Whitelisting, Windows, XP

RB | March 17, 2015

Comments Off

Banks Scramble to Fight Apple Pay Fraud

SearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems.

When Apple Pay was first unveiled by Apple (AAPL) in October 2014, it was touted for its increased security thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. eWeek.com provided a good overview of how Apple Pay’s approval process works:

The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
Apple checks to see if the card is already on file in iTunes, verifying it through a match
But most cards aren’t already in iTunes – so Apple sends card data, phone data, and iTunes account info to the card-issuing bank
If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing

If this provisioning is successful, the bank will automatically accept (Green Path) the info and then beam an encrypted version of the card details to be stored.

According to reports, criminals have set up iPhones with stolen personal information, which has been tracked back to accounts compromised in Target’s big data breach at the end of 2013, the Home Depot hacking in 2014, and likely the Anthem breach of 2015. The criminals take the stolen PII and call banks to authenticate a victim’s card on the new device. This is so-called “Yellow Path” authentication, where a card isn’t or rejected (Red Path), but requires more provisioning by the bank to be added to Apple Pay.

When Yellow Path authentication is required, the bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up. Other banks may ask the customer to call a toll-free number where a customer service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address according to the WSJ.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone (PDF). The author contends that the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to buy high-priced goods, often from Apple Stores.

Avivah Litan, a VP at Gartner (IT) said that this kind of fraud is a fundamental flaw that will affect all mobile payment services. “This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” Ms. Litan wrote in a blog post. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

rb-

With the iPhone 6’s NFC capabilities, the physical card may not be required for such “purchases.” Maybe someday this will keep merchants from holding card data but for now, seems like the banks need to get their act together.

Apple Pay: Bridging Online and Big Box Fraud (krebsonsecurity.com)

Category: Uncategorized | Tags: 2015, AAPL, Anthem, Apple, Apple Pay, Authentication, Banking, Biometrics, Data breach, Fraud, Home Depot, iPhone, PII, Security, Target

RB | February 23, 2012

One comment

McAfee Labs 2012 Threat Predictions

Computer security company McAfee unveiled its Threat Predictions report (PDF), outlining the top cybersecurity threats organizations and individuals are likely to face in 2012. McAfee, a wholly-owned subsidiary of Intel (INTC), says that for the most part, 2012 looks like it will look like 2011 only worse, with many of the recent threats gaining momentum. Here are the predictions:

Industrial Attacks: Cyber-criminals will target Water, electricity, oil, and gas utilities. These are essential services to everyday lives, yet many industrial systems are not ready for cyber-attacks according to McAfee. Many of the environments where SCADA (supervisory control and data acquisition) systems are deployed don’t have stringent security practices. McAfee predicts attackers will leverage this lack of preparedness with greater frequency, if only for blackmail or extortion in 2012.

Legalized Spam: McAfee Labs says global spam volumes have declined in the past two years. However, legitimate advertisers are picking up where the spammers left off using the same spamming techniques, such as purchasing third-party email lists or databases from companies going out of business. McAfee Labs expects to see this “legal” spam and the technique known as “snowshoe spamming” continue to grow at a faster rate than illegal phishing and confidence scams.

Mobile Threats: 2011 has seen the largest levels in mobile malware history, McAfee Labs expects that continue in 2012. They expect mobile attackers to improve on their skill set and move toward mobile banking attacks. Techniques previously dedicated for online banking, such as stealing from victims while they are still logged on while making it seem that transactions are coming from the legitimate user, will now target mobile banking users. McAfee Labs expects attackers will bypass PCs and go straight after mobile banking apps, as more and more users handle their finances on mobile devices.

Embedded Hardware: Embedded systems are designed for a specific control function within a larger system, and are commonly used in automotive, medical devices, GPS devices, routers, digital cameras, and printers. McAfee Labs expects to see proofs-of-concept codes exploiting embedded systems to become more effective in 2012 and beyond. This will require malware that attacks at the hardware layer and will enable attacks to gain greater control and keep up long-term access to the system and its data. Sophisticated hackers will then have complete control over hardware.

Cyberwar: Countries are vulnerable due to massive dependence on computer systems and a cyber-defense that primarily defends only government and military networks. Many countries realize the crippling potential of cyber attacks against critical infrastructures, such as water, gas, and power, and how difficult it is to defend against them. McAfee Labs expects to see countries prove their cyberwar capabilities in 2012, to send a message.

Rogue Certificates: Organizations and individuals tend to trust digitally signed certificates, however, recent threats such as Stuxnet and Duqu used rogue certificates to evade detection. McAfee Labs expects to see the production and circulation of fake rogue certificates increase in 2012. Wide-scale targeting of certificate authorities and the broader use of fraudulent digital certificates will affect key infrastructure, secure browsing and transactions as well as host-based technologies such as whitelisting and application control.

Legislative Issues: DNSSEC (Domain Name System Security Extensions) is designed to protect a client computer from inadvertently communicating with a host as a result of a man-in-the-middle attack. Governing bodies around the globe are taking a greater interest in establishing “rules of the road” for Internet traffic, and McAfee Labs expects to see more and more instances where legislative issues hamper future solutions.

Hacktivism: McAfee Labs predicts that in 2012 digital disruptions like Anonymous will join forces with physical demonstrators and will target public figures such as politicians, industry leaders, judges, and law enforcement, more than ever before.

Virtual Currency: McAfee Labs expects cryptocurrency will be an attractive target for cybercriminals. to see threats evolve to steal money from unsuspecting victims or to spread malware.

Hardware Attacks: McAfee Labs expects to see more effort put into hardware and firmware exploits to create persistent malware in network cards, hard drives, and even system BIOS (Basic Input Output System). and their related real-world attacks through 2012.

Former McAfee CTO Debuts Stealthy Security Technology Startup CrowdStrike With $26M In Funding (techcrunch.com)

Category: Uncategorized | Tags: 2012, Banking, BIOS, cryptocurrency, Embedded, Hacktivism, McAfee, Mobile, Mobile device, PC, SCADA, Security, SPAM, System

Bach Seat