Cracking automatic teller machines isn't new: ATMs have been rigged with sniffers, spoofed with cloned cards created from successful phishing attacks, and even physically blasted open by explosives. But a new, sophisticated attack that inserted information-stealing malware on ATM machines has raised the bar on just what determined criminals can and will do to steal banking information and money.

The latest ATM hack came to light yesterday after Sophos revealed its discovery of a Trojan that had been specially crafted to steal information from users of Diebold ATM machines. Diebold in January had issued a security update for its Windows-based Opteva ATMs, some of which it said had been physically broken into and infiltrated with the Trojan software in Russia.

"We immediately notified our customers globally of the malware risk and sent a precautionary software update," a Diebold spokesperson says. "We were made aware of the isolated incident in Russia in the January time frame. The criminal gained physical access to the ATMs at site locations, and the malware was installed by someone with high-tech knowledge and expertise. "

The attackers were well-versed in the software internals of the ATM machines. "It's fascinating that the hackers went to this extent...they [knew] the API calls and understood how the cash machine works," says Graham Cluley, senior technology consultant at Sophos. "We haven't seen that before.

"This is not something the average hacker on the street would have access to," he adds. "They need physical access to the ATM -- they need to have someone on the inside or involved with the manufacture of these devices to gain access and install the software. "

It's unclear just how the attackers got such inside access to the machines, but security experts say it represents a whole new attack vector for bank machines, and that this incident may be only scratching the surface. "There could be many other ATMs under this type of malicious and hidden Trojan," says Kim Singletary, director of OEM and compliance solutions for Solidcore Systems.

In its security update to ATM machine customers, Diebold said the attackers had been caught and that an investigation was under way. Once the bad guys obtained access to the internals of the ATM machines, they were able to implant the malware and intercept sensitive data, the company says. The risk of such an attack increases when the Windows administrative password is compromised or if the built-in firewall is disabled, for instance.

Solidcore, meanwhile, first learned of the Diebold hack in January through some of its ATM customers. Kishore Yerrapragada, CTO of OEM solutions at Solidcore, says according to its sources, the attackers infected the machines via an IP connection late last year. "The attackers [knew] the inside and outside operations of ATMs and how they work," he says.

They put the machines into so-called "maintenance or system mode," where security protections and encryption are turned off for debugging or system maintenance; the ability to do so would be possible only with inside knowledge of the systems, Yerrapragada says. This allowed the hackers to siphon the data from the ATM machine with the Trojan.

The Trojan collected PINs and the so-called Track 2 encrypted data stored on magnetic stripes on ATM cards, he says, which allowed the attackers to clone real ATM cards. They would then insert their own specially crafted card into the Trojan-infected ATM machine to gain access, and the machine would then spit out the stolen information via the machine's printer. But interestingly, the data was masked so as not to attract attention, according to Solidcore.

"The big advantage is...you can't see the device being tampered with. It's all internal and inside the box," Sophos' Cluley says of the hack.

The attack is similar to a recent incident in Europe, where several checkout card readers in major supermarket chains arrived with sniffers built into them. "They had been tampered with during production, so you couldn't tell they [were compromised] from the outside," Cluley says. Some stores had to weigh the readers to see if they were rigged, he adds. Among the victim supermarkets was Wal-Mart subsidiary Asda in Britain.

Still, such targeted attacks on ATMs aren't likely to displace the low-overhead, plug-and-play, wide-net phishing approach to pilfering bank card accounts. Most cybercriminals don't have the inside track to these machines, even though such an attack can be lucrative, minus the hit-or-miss of a phishing attack.

But the attacks have shed light on some of the security weaknesses in these systems, experts say. "I'd like to see ATMs sending their information back to the payment processor encrypted over an SSL VPN or some sort of encrypted VPN link," says Simon Heron, a security analyst with Network Box.

Heron says the boxes also need more hardware protection, including a firewall with an IDS/IPS, for instance.

And there's always the runtime and change control tools that watch for suspicious activity in the ATM machines -- a technology offered by Solidcore, notes Solidcore's Singletary. "These systems can't just be protected with a perimeter defense," she says. "You need another layer [that prevents tampering]," she says.

Sophos' Cluley says the ATM attack should be a wakeup call for ATM manufacturers. "Anyone manufacturing ATM equipment or banking equipment needs to ensure those systems are fundamentally secure from the moment those devices are created and in production. They need to be handled securely like you would handle diamonds from South Africa," he says. "You need to make sure from when it's being mined and is brought into the jewelry store that the diamonds haven't been switched or tampered with."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message