Endpoint
8/11/2016
12:00 PM
The Future Of ATM Hacking

Research released at Black Hat USA last week shows that one of our best defenses for the future of payment card and ATM security isn't infallible. Here's why.

The late Barnaby Jack showed us in 2010 how cyberattacks could persuade ATMs to part with their cash, in what he called "jackpotting" attacks. Years later, hackers and their well-organized teams of money mules are indeed having a grand time with jackpotting attacks, encouraged by ATM operators' slow adoption of EMV technology, lax physical security, reluctance to upgrade outdated hardware, poorly maintained embedded systems, middleware that creates a new attack surface, and insufficient motivation to change. 

Trend Micro reported in April that ATM malware is on the rise. Recent attacks have shown that, with a combination of hacking and large teams of money mules, ATM operators, banks, and account holders are collectively getting slammed with millions of dollars in losses over the course of just a few hours.

And just last week, research released at Black Hat by Rapid7's Weston Hecker showed that one of our best defenses for the future of payment card and ATM security isn't infallible, either. 

ATMs Being Robbed Via Smartphone

In July, another coordinated group lifted a large sum of cash from ATMs in a short period of time, but the particularly noteworthy aspect was that instead of inserting payment cards in the machines, they appeared to use smartphones.

According to the South China Morning Post, a coordinated group of two-person teams stole NT$83.27 million (~$2.67 million USD) cash from 41 First Bank ATMs in Taiwan. Police have arrested three individuals in connection with the attack -- citizens of Moldova, Latvia, and Romania -- but believe they were part of a 16-person team, most of whom fled the country. Police have recovered most of the money, according to the Morning Post.

How the attackers carried out their theft, possibly via smartphone, remains unclear. Two years ago, Symantec researchers outlined ATM malware called Ploutus that would cause an ATM to spit out cash after being sent a command via SMS message. The malware first had to be installed by physically opening the ATM and attaching the phone to the hardware via USB. No information has been released saying that Ploutus was used in this attack, but police were quoted as saying that they suspected malware was installed on the ATMs at an earlier date.

Regardless, a report in ABC News Australia said investigators discovered not just one, but three malware programs on the compromised ATMs.

Traditional Organized Crime Getting In On Cybercrime 

In May, a coordinated group of as many as 100 people in Japan stole 1.4 billion yen (about $12.8 million USD) in less than three hours, by simply withdrawing it from 7-Elevens. They used counterfeit credit cards that were created using stolen data on roughly 1,600 account holders from Standard Bank in South Africa; 7-Eleven ATMs were apparently popular for the attack because they accept foreign-issued debit cards.

Japanese police have made multiple arrests in connection with the theft, including a member of a yakuza associated with Japan's largest organized crime syndicate, according to a report in Japan Today.  

New ATM Malware Strains 

In May, Kaspersky Lab discovered evidence that new variants of the ATM malware Skimer were compromising devices across the globe.

The malware can be installed either directly onto the device, or remotely, by first exploiting the network that the ATM connects to. Once Skimer is installed, it sits idly by until the attacker visits the ATM and sets the program into motion with a series of interactions that, to the careless observer, wouldn't look strange at all. 

The attacker inserts a "magic card" into the machine, instead of a regular debit or credit card. Skimer then either harvests prior ATM users' magstripe data or dispenses cash, in response to commands issued by the attacker. If it downloads data, that data can either be stored on the card or printed out on what appear to be normal receipts.

Skimer exploits CEN/XFS, a technology created to standardize ATM software built on Windows-based machines. So, it affects multiple ATM makes and models, as long as they run Windows.   

"La Cara" -- Exploiting EMV for Cash in Near-Real Time

The EMV technology replacing magnetic stripes is improving payment card and ATM security -- albeit very slowly in the United States, where adoption has been sluggish. However, when the magstripe trade ceases to turn a profit, adaptable attackers will be able to exploit EMV, too.

At the Black Hat USA conference last week, Hecker, Rapid7's senior security consultant, showed how EMV could be exploited and what this next-generation carding network would look like. 

Nowadays, carders and fraudsters can happily buy and sell magstripe card data with a relatively high degree of confidence that it will be usable, because magstripe data is all static. EMV card transactions, however, include dynamic data. Banks generate one-time codes for each transaction, so any stolen transaction data may only be valid for one minute or less. If carders want to continue to have a business once EMV becomes the norm, they'll need a way to not only transmit that dynamic data to their buyers in real-time, but enable their buyers to monetize it in real- or near-real time.
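To make the static-versus-dynamic distinction concrete, here is an added Python model of the issuer-side checks, not code from the article or from Rapid7. It goes slightly beyond the paragraph by also showing what happens when a captured cryptogram is re-sent with a different amount. The cryptogram construction (an HMAC over an application transaction counter, the amount and an issuer-chosen nonce), the 60-second acceptance window, the track-2 string and the card key are all simplifying assumptions standing in for the real EMV specification, and every value below is constructed for the example.

```python
"""
Toy issuer model: why skimmed magstripe data can be replayed indefinitely
while EMV-style per-transaction data is worthless after one use or a short
window.  Added illustration; the cryptogram scheme is a simplified stand-in
for EMV, not the real specification.
"""
import hashlib
import hmac
import secrets

TRACK2 = "4111111111111111=2512101"            # constructed magstripe track-2 data
CARD_KEY = b"constructed-per-card-secret-key"   # in real EMV this never leaves the chip
VALIDITY_SECONDS = 60                           # assumed issuer acceptance window


def card_cryptogram(atc: int, amount: int, nonce: bytes) -> bytes:
    """What the chip computes for one transaction (simplified ARQC stand-in).

    Binds the application transaction counter (atc), the amount and the
    issuer's unpredictable nonce to a key only the card and issuer hold.
    """
    msg = atc.to_bytes(2, "big") + amount.to_bytes(4, "big") + nonce
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()


class Issuer:
    """Minimal issuer authorizer for both card technologies."""

    def __init__(self) -> None:
        self.known_track2 = {TRACK2}
        self.seen_atc: set[int] = set()   # counters already consumed

    def authorize_magstripe(self, track2: str) -> bool:
        # Static data: anything matching the record is accepted, every time.
        return track2 in self.known_track2

    def authorize_chip(self, atc: int, amount: int, nonce: bytes,
                       cryptogram: bytes, issued_at: float, now: float) -> bool:
        if atc in self.seen_atc:                  # same transaction seen before
            return False
        if now - issued_at > VALIDITY_SECONDS:    # outside the freshness window
            return False
        expected = card_cryptogram(atc, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False                          # wrong key or altered fields
        self.seen_atc.add(atc)
        return True


def magstripe_scenario() -> dict:
    """Skimmed static track data works for the genuine use and any later replay."""
    issuer = Issuer()
    captured = TRACK2                             # copy taken by a skimmer
    return {
        "genuine": issuer.authorize_magstripe(TRACK2),
        "replay_later": issuer.authorize_magstripe(captured),
    }


def chip_scenario() -> dict:
    """Captured dynamic data fails on replay, on expiry and on any alteration."""
    issuer = Issuer()
    t0 = 1_700_000_000.0                          # constructed clock value
    nonce = secrets.token_bytes(8)                # issuer's unpredictable number
    atc, amount = 17, 20_000                      # counter and amount in cents
    crypto = card_cryptogram(atc, amount, nonce)
    captured = (atc, amount, nonce, crypto, t0)   # everything an observer could see

    genuine = issuer.authorize_chip(*captured, now=t0 + 1)
    # Same data again within the window: the counter has already been used.
    replay_now = issuer.authorize_chip(*captured, now=t0 + 5)
    # An issuer with no memory of the counter, two minutes later: window expired.
    stale = Issuer().authorize_chip(*captured, now=t0 + 120)
    # Fresh counter and a bigger amount, but no card key: cryptogram mismatch.
    forged = Issuer().authorize_chip(atc + 1, 50_000, nonce, crypto, t0, now=t0 + 1)
    return {"genuine": genuine, "replay_now": replay_now,
            "stale": stale, "forged": forged}


if __name__ == "__main__":
    print("magstripe:", magstripe_scenario())   # both True
    print("chip:     ", chip_scenario())        # only "genuine" is True
```

The point the model makes is that the defender's leverage comes from the issuer remembering counters and enforcing a short window: a relay that delivers the captured data to a cash-out point inside that window is the only way the data retains value, which is exactly the real-time requirement the paragraph describes.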

Hecker created a way:


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
jcavery,
User Rank: Moderator
8/28/2016 | 10:23:41 PM
Re: Security Cost vs. Risks
You're right, Andrew, cost is the main driver when choosing a defense against hackers. The problem will always be that hackers only have to invest in the first target; once hacked, there is no cost for them to replicate the hack again across infinite targets. However, banks, institutions, etc. have a huge initial cost for the solution, which is then multiplied to implement it across every customer they have. This is why the hackers will have a "cost" advantage until a better solution is found.
AndrewfOP,
User Rank: Strategist
8/13/2016 | 2:14:38 PM
Security Cost vs. Risks
"Unfortunately, many ATM operators are reluctant to make hardware upgrades..."

It's all about costs vs. risks. If the costs of better security are higher than the damage from the risks, decision makers will continue to avoid 'costly' security until the damage itself becomes far more costly. It's the same thing with EMV adoption among merchants: when Visa & MasterCard made the ones that wouldn't adopt EMV bear the fraud damage, adoption became far more widespread. Until the manufacturers/operators start to bear more of the damage responsibility, there will continue to be poor security with ATMs.
Nabeelshaikhd,
User Rank: Apprentice
8/13/2016 | 8:11:25 AM
Thanks for this nice post!
I love this blog and its posts!
DrNashik,
User Rank: Apprentice
8/11/2016 | 2:53:14 PM
ATM Security
I remember the May ATM scandal in Japan. I wonder if using the chips in ATMs would help reduce the fraud. Seems to be working everywhere else.