Endpoint

8/11/2016
12:00 PM

The Future Of ATM Hacking

Research released at Black Hat USA last week shows that one of our best defenses for the future of payment card and ATM security isn't infallible. Here's why.

The late Barnaby Jack showed us in 2010 how cyberattacks could persuade ATMs to part with their cash, in what he called "jackpotting" attacks. Years later, hackers and their well-organized teams of money mules are indeed having a grand time with jackpotting attacks, encouraged by ATM operators' slow adoption of EMV technology, lax physical security, reluctance to upgrade outdated hardware, poorly maintained embedded systems, middleware that creates a new attack surface, and insufficient motivation to change. 

Trend Micro reported in April that ATM malware is on the rise. Recent attacks have shown that, with a combination of hacking and large teams, ATM operators, banks, and account holders are collectively getting slammed with millions of dollars in losses over the course of just a few hours.

And just last week, research released at Black Hat by Rapid7's Weston Hecker showed that one of our best defenses for the future of payment card and ATM security isn't infallible, either. 

ATMs Being Robbed Via Smartphone

In July, another coordinated group lifted a large sum of cash from ATMs in a short period of time, but the particularly noteworthy aspect was that instead of inserting payment cards in the machines, they appeared to use smartphones.

According to the South China Morning Post, a coordinated group of two-person teams stole NT$83.27 million (~$2.67 million USD) cash from 41 First Bank ATMs in Taiwan. Police have arrested three individuals in connection with the attack -- citizens of Moldova, Latvia, and Romania -- but believe they were part of a 16-person team, most of whom fled the country. Police have recovered most of the money, according to the Morning Post.

How the attackers carried out their theft, possibly via smartphone, remains unclear. Two years ago, Symantec researchers outlined ATM malware called Ploutus that would cause an ATM to spit out cash after being sent a command via SMS message. The malware first had to be installed by physically opening up the ATM machine and attaching the phone to the hardware via USB. No information has been released saying that Ploutus was used in this attack, but police were quoted as saying that they suspected that malware was installed on the ATMs at an earlier date.

Regardless, a report in ABC News Australia said investigators discovered not just one, but three malware programs on the compromised ATM machines. 

Traditional Organized Crime Getting In On Cybercrime 

In May, a coordinated group of as many as 100 people in Japan stole 1.4 billion yen (about $12.8 million USD) in less than three hours, by simply withdrawing it from 7-Elevens. They used counterfeit credit cards that were created using stolen data on roughly 1,600 account holders from Standard Bank in South Africa; 7-Eleven ATMs were apparently popular for the attack because they accept foreign-issued debit cards.

Japanese police have made multiple arrests in connection with the theft, including a member of a yakuza associated with Japan's largest organized crime syndicate, according to a report in Japan Today.  

New ATM Malware Strains 

In May, Kaspersky Lab discovered evidence that new variants of the ATM malware Skimer were compromising devices across the globe.

The malware can be installed either directly onto the device, or remotely, by first exploiting the network that the ATM connects to. Once Skimer is installed, it sits idly by until the attacker visits the ATM and sets the program into motion with a series of interactions that, to the careless observer, wouldn't look strange at all. 

The attacker inserts a "magic card" into the machine, instead of a regular debit or credit card. Skimer then either harvests prior ATM users' magstripe data or dispenses cash, in response to commands issued by the attacker. If it downloads data, that can either be stored on the card or printed out on what appear to be normal receipts.

Skimer exploits CEN/XFS, a technology created to standardize ATM software built on Windows-based machines. So, it affects multiple ATM makes and models, as long as they run Windows.   

"La Cara" -- Exploiting EMV for Cash in Near-Real Time

The EMV technology replacing magnetic stripes is improving payment card and ATM security -- albeit, very slowly in the United States, where adoption has been sluggish. However, when the magstripe trade ceases to turn a profit, adaptable attackers will be able to exploit EMV, too.

At the Black Hat USA conference last week, Hecker, Rapid7's senior security consultant, showed how EMV could be exploited and what this next-generation carding network would look like. 

Nowadays, carders and fraudsters can happily buy and sell magstripe card data with a relatively high degree of confidence that it will be usable, because magstripe data is all static. EMV card transactions, however, include dynamic data. Banks generate one-time codes for each transaction, so any stolen transaction data may only be valid for one minute or less. If carders want to continue to have a business once EMV becomes the norm, they'll need a way not only to transmit that dynamic data to their buyers in real time, but to enable their buyers to monetize it in real or near-real time.
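To make the static-versus-dynamic contrast concrete from the issuer's side, here is an added, simplified model (not real EMV, and not code from the article or from Rapid7): a magstripe track is a fixed string that authorizes every time it is replayed, whereas a chip-style cryptogram is a MAC over a transaction counter, amount and timestamp under a card key only the issuer holds, so a captured copy is rejected on replay or once the one-minute window has passed. The card key, PAN, track data and timestamps are constructed sample values.

```python
import hmac
import hashlib

# Added illustration, not real EMV: a magstripe track is static, while a chip
# produces a per-transaction cryptogram (MAC) over a transaction counter (ATC),
# the amount and a timestamp, keyed with a card key only the issuer holds.
CARD_KEYS = {"4111111111111111": b"constructed-card-key"}   # constructed sample
WINDOW_SECONDS = 60   # the article's "one minute or less" validity

def chip_cryptogram(pan, atc, amount, ts):
    msg = f"{pan}|{atc}|{amount}|{ts}".encode()
    return hmac.new(CARD_KEYS[pan], msg, hashlib.sha256).hexdigest()

class Issuer:
    """Issuer-side authorization for both card technologies (simplified)."""
    def __init__(self):
        self.last_atc = {}          # highest ATC accepted per PAN

    def authorize_magstripe(self, pan, track2):
        # Static track data has nothing that changes per transaction, so the
        # issuer cannot distinguish a replayed copy from the original swipe.
        return "approved" if track2 == f"{pan}=2512" else "declined"

    def authorize_chip(self, pan, atc, amount, ts, cryptogram, now):
        expected = chip_cryptogram(pan, atc, amount, ts)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"      # amount/ATC/timestamp tampered
        if atc <= self.last_atc.get(pan, 0):
            return "declined: counter replay"     # this transaction was already used
        if now - ts > WINDOW_SECONDS:
            return "declined: stale"              # one-time code has expired
        self.last_atc[pan] = atc
        return "approved"

def demo():
    pan, issuer = "4111111111111111", Issuer()
    # Magstripe: the same captured track authorizes again and again.
    track = f"{pan}=2512"
    mag = [issuer.authorize_magstripe(pan, track) for _ in range(2)]
    # Chip: a captured cryptogram works once, then fails on replay or delay.
    c = chip_cryptogram(pan, 7, 2000, 1000)
    first = issuer.authorize_chip(pan, 7, 2000, 1000, c, now=1010)
    replay = issuer.authorize_chip(pan, 7, 2000, 1000, c, now=1020)
    c2 = chip_cryptogram(pan, 8, 2000, 1000)
    stale = issuer.authorize_chip(pan, 8, 2000, 1000, c2, now=1100)
    return mag, first, replay, stale

if __name__ == "__main__":
    print(demo())
```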

Hecker created a way:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Christian Bryant, User Rank: Ninja, 7/31/2017 | 3:31:47 PM
Re: Security Cost vs. Risks
It should be noted that by deferring costs for securing a user's private data or money (even though insured, it's still your money being attacked since your personal info is attached to it) rather than fixing a known problem (or an anticipated problem), a company risks alienating customers and breaking a very fundamental business ethics practice. We need to get better at saving money early on in the process so we can put due diligence into the design, secure early on to avoid such exploits, and maintain ethical relationships with our customers. Heck, we could even use some of the money saved on operational security monitoring...
IdahoseW596, User Rank: Apprentice, 5/8/2017 | 12:48:53 PM
Re: ATM Security
hi there
jcavery, User Rank: Moderator, 8/28/2016 | 10:23:41 PM
Re: Security Cost vs. Risks
You're right, Andrew, cost is the main driver when choosing a defense against hackers. The problem will always be that hackers only have to invest in the first target; once hacked, there is no cost for them to replicate the hack again across infinite targets. However, banks, institutions, etc. have a huge initial cost for the solution, and then multiplied to implement across every customer they have. This is why the hackers will have a "cost" advantage until a better solution is found.
AndrewfOP, User Rank: Strategist, 8/13/2016 | 2:14:38 PM
Security Cost vs. Risks
"Unfortunately, many ATM operators are reluctant to make hardware upgrades..."

It's all about costs vs. risks. If the costs of better security are more than the damage of the risks, decision makers would continue to avoid 'costly' security until the damage itself becomes far more costly. It's the same thing with EMV adoption with merchants: when VISA & MasterCard made the ones that won't adopt EMV bear the fraud damage, the adoption became far more widespread. Until the manufacturers/operators start to bear more of the damage responsibility, there would continue to be poor security with ATMs.
Nabeelshaikhd, User Rank: Apprentice, 8/13/2016 | 8:11:25 AM
Thanks for this nice post!
I love this blog and its posts!
DrNashik, User Rank: Apprentice, 8/11/2016 | 2:53:14 PM
ATM Security
I remember the May ATM scandal in Japan. I wonder if using the chips in ATMs would help reduce the fraud. Seems to be working everywhere else..