04:06 PM
Connect Directly

ATMs At Risk

Targeted attack on ATMs raises the bar -- as well as concerns -- about security of cash machines

Cracking automatic teller machines isn't new: ATMs have been rigged with sniffers, spoofed with cloned cards created from successful phishing attacks, and even physically blasted open by explosives. But a new, sophisticated attack that inserted information-stealing malware on ATM machines has raised the bar on just what determined criminals can and will do to steal banking information and money.

The latest ATM hack came to light yesterday after Sophos revealed its discovery of a Trojan that had been specially crafted to steal information from users of Diebold ATM machines. Diebold in January had issued a security update for its Windows-based Opteva ATMs, some of which it said had been physically broken into and infiltrated with the Trojan software in Russia.

"We immediately notified our customers globally of the malware risk and sent a precautionary software update," a Diebold spokesperson says. "We were made aware of the isolated incident in Russia in the January time frame. The criminal gained physical access to the ATMs at site locations, and the malware was installed by someone with high-tech knowledge and expertise. "

The attackers were well-versed in the software internals of the ATM machines. "It's fascinating that the hackers went to this extent...they [knew] the API calls and understood how the cash machine works," says Graham Cluley, senior technology consultant at Sophos. "We haven't seen that before.

"This is not something the average hacker on the street would have access to," he adds. "They need physical access to the ATM -- they need to have someone on the inside or involved with the manufacture of these devices to gain access and install the software. "

It's unclear just how the attackers got such inside access to the machines, but security experts say it represents a whole new attack vector for bank machines, and that this incident may be only scratching the surface. "There could be many other ATMs under this type of malicious and hidden Trojan," says Kim Singletary, director of OEM and compliance solutions for Solidcore Systems.

In its security update to ATM machine customers, Diebold said the attackers had been caught and that an investigation was under way. Once the bad guys obtained access to the internals of the ATM machines, they were able to implant the malware and intercept sensitive data, the company says. The risk of such an attack increases when the Windows administrative password is compromised or if the built-in firewall is disabled, for instance.

Solidcore, meanwhile, first learned of the Diebold hack in January through some of its ATM customers. Kishore Yerrapragada, CTO of OEM solutions at Solidcore, says according to its sources, the attackers infected the machines via an IP connection late last year. "The attackers [knew] the inside and outside operations of ATMs and how they work," he says.

They put the machines into so-called "maintenance or system mode," where security protections and encryption are turned off for debugging or system maintenance; the ability to do so would be possible only with inside knowledge of the systems, Yerrapragada says. This allowed the hackers to siphon the data from the ATM machine with the Trojan.

The Trojan collected PINs and the so-called Track 2 encrypted data stored on magnetic stripes on ATM cards, he says, which allowed the attackers to clone real ATM cards. They would then insert their own specially crafted card into the Trojan-infected ATM machine to gain access, and the machine would then spit out the stolen information via the machine's printer. But interestingly, the data was masked so as not to attract attention, according to Solidcore.

"The big advantage is...you can't see the device being tampered with. It's all internal and inside the box," Sophos' Cluley says of the hack.

The attack is similar to a recent incident in Europe, where several checkout card readers in major supermarket chains arrived with sniffers built into them. "They had been tampered with during production, so you couldn't tell they [were compromised] from the outside," Cluley says. Some stores had to weigh the readers to see if they were rigged, he adds. Among the victim supermarkets was Wal-Mart subsidiary Asda in Britain.

Still, such targeted attacks on ATMs aren't likely to displace the low-overhead, plug-and-play, wide-net phishing approach to pilfering bank card accounts. Most cybercriminals don't have the inside track to these machines, even though such an attack can be lucrative, minus the hit-or-miss of a phishing attack.

But the attacks have shed light on some of the security weaknesses in these systems, experts say. "I'd like to see ATMs sending their information back to the payment processor encrypted over an SSL VPN or some sort of encrypted VPN link," says Simon Heron, a security analyst with Network Box.

Heron says the boxes also need more hardware protection, including a firewall with an IDS/IPS, for instance.

And there's always the runtime and change control tools that watch for suspicious activity in the ATM machines -- a technology offered by Solidcore, notes Solidcore's Singletary. "These systems can't just be protected with a perimeter defense," she says. "You need another layer [that prevents tampering]," she says.

Sophos' Cluley says the ATM attack should be a wakeup call for ATM manufacturers. "Anyone manufacturing ATM equipment or banking equipment needs to ensure those systems are fundamentally secure from the moment those devices are created and in production. They need to be handled securely like you would handle diamonds from South Africa," he says. "You need to make sure from when it's being mined and is brought into the jewelry store that the diamonds haven't been switched or tampered with."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-21
Opera before 57.0.3098.106 is vulnerable to a DLL Search Order hijacking attack where an attacker can send a ZIP archive composed of an HTML page along with a malicious DLL to the target. Once the document is opened, it may allow the attacker to take full control of the system from any location with...
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to preemptive item deletion in lmgrd and vendor daemon components of FlexNet Publisher version and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to message decoding in lmgrd and vendor daemon components of FlexNet Publisher version and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor daemon t...
PUBLISHED: 2019-03-21
A Denial of Service vulnerability related to adding an item to a list in lmgrd and vendor daemon components of FlexNet Publisher version and earlier allows a remote attacker to send a combination of messages to lmgrd or the vendor daemon, causing the heartbeat between lmgrd and the vendor ...
PUBLISHED: 2019-03-21
An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.