Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:06 PM
Connect Directly

ATMs At Risk

Targeted attack on ATMs raises the bar -- as well as concerns -- about security of cash machines

Cracking automatic teller machines isn't new: ATMs have been rigged with sniffers, spoofed with cloned cards created from successful phishing attacks, and even physically blasted open by explosives. But a new, sophisticated attack that inserted information-stealing malware on ATM machines has raised the bar on just what determined criminals can and will do to steal banking information and money.

The latest ATM hack came to light yesterday after Sophos revealed its discovery of a Trojan that had been specially crafted to steal information from users of Diebold ATM machines. Diebold in January had issued a security update for its Windows-based Opteva ATMs, some of which it said had been physically broken into and infiltrated with the Trojan software in Russia.

"We immediately notified our customers globally of the malware risk and sent a precautionary software update," a Diebold spokesperson says. "We were made aware of the isolated incident in Russia in the January time frame. The criminal gained physical access to the ATMs at site locations, and the malware was installed by someone with high-tech knowledge and expertise. "

The attackers were well-versed in the software internals of the ATM machines. "It's fascinating that the hackers went to this extent...they [knew] the API calls and understood how the cash machine works," says Graham Cluley, senior technology consultant at Sophos. "We haven't seen that before.

"This is not something the average hacker on the street would have access to," he adds. "They need physical access to the ATM -- they need to have someone on the inside or involved with the manufacture of these devices to gain access and install the software. "

It's unclear just how the attackers got such inside access to the machines, but security experts say it represents a whole new attack vector for bank machines, and that this incident may be only scratching the surface. "There could be many other ATMs under this type of malicious and hidden Trojan," says Kim Singletary, director of OEM and compliance solutions for Solidcore Systems.

In its security update to ATM machine customers, Diebold said the attackers had been caught and that an investigation was under way. Once the bad guys obtained access to the internals of the ATM machines, they were able to implant the malware and intercept sensitive data, the company says. The risk of such an attack increases when the Windows administrative password is compromised or if the built-in firewall is disabled, for instance.

Solidcore, meanwhile, first learned of the Diebold hack in January through some of its ATM customers. Kishore Yerrapragada, CTO of OEM solutions at Solidcore, says according to its sources, the attackers infected the machines via an IP connection late last year. "The attackers [knew] the inside and outside operations of ATMs and how they work," he says.

They put the machines into so-called "maintenance or system mode," where security protections and encryption are turned off for debugging or system maintenance; the ability to do so would be possible only with inside knowledge of the systems, Yerrapragada says. This allowed the hackers to siphon the data from the ATM machine with the Trojan.

The Trojan collected PINs and the so-called Track 2 encrypted data stored on magnetic stripes on ATM cards, he says, which allowed the attackers to clone real ATM cards. They would then insert their own specially crafted card into the Trojan-infected ATM machine to gain access, and the machine would then spit out the stolen information via the machine's printer. But interestingly, the data was masked so as not to attract attention, according to Solidcore.

"The big advantage is...you can't see the device being tampered with. It's all internal and inside the box," Sophos' Cluley says of the hack.

The attack is similar to a recent incident in Europe, where several checkout card readers in major supermarket chains arrived with sniffers built into them. "They had been tampered with during production, so you couldn't tell they [were compromised] from the outside," Cluley says. Some stores had to weigh the readers to see if they were rigged, he adds. Among the victim supermarkets was Wal-Mart subsidiary Asda in Britain.

Still, such targeted attacks on ATMs aren't likely to displace the low-overhead, plug-and-play, wide-net phishing approach to pilfering bank card accounts. Most cybercriminals don't have the inside track to these machines, even though such an attack can be lucrative, minus the hit-or-miss of a phishing attack.

But the attacks have shed light on some of the security weaknesses in these systems, experts say. "I'd like to see ATMs sending their information back to the payment processor encrypted over an SSL VPN or some sort of encrypted VPN link," says Simon Heron, a security analyst with Network Box.

Heron says the boxes also need more hardware protection, including a firewall with an IDS/IPS, for instance.

And there's always the runtime and change control tools that watch for suspicious activity in the ATM machines -- a technology offered by Solidcore, notes Solidcore's Singletary. "These systems can't just be protected with a perimeter defense," she says. "You need another layer [that prevents tampering]," she says.

Sophos' Cluley says the ATM attack should be a wakeup call for ATM manufacturers. "Anyone manufacturing ATM equipment or banking equipment needs to ensure those systems are fundamentally secure from the moment those devices are created and in production. They need to be handled securely like you would handle diamonds from South Africa," he says. "You need to make sure from when it's being mined and is brought into the jewelry store that the diamonds haven't been switched or tampered with."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.