Why it’s so easy to make an ATM obey hacker commands
We spoke to Altaf Halde, Managing Director (South Asia), Kaspersky Lab India, about the key security issues that confront ATM operations across India and about the results of Kaspersky Lab’s ATM security assessments for several international banks.
About two years ago, at the request of a financial institution, Kaspersky Lab’s Global Research and Analysis Team performed a forensic investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe. During the investigation they discovered a piece of malware that allowed attackers to empty the ATM cash cassettes by manipulating the dispenser directly. At the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe. Based on submissions to VirusTotal, Kaspersky Lab researchers believe the malware has spread to several other countries, including the U.S., India and China.

According to Altaf Halde, Managing Director (South Asia), Kaspersky Lab India, this malware, detected by Kaspersky Lab as Backdoor.MSIL.Tyupkin, affects ATMs from a major ATM manufacturer running 32-bit Microsoft Windows. The malware uses several evasion techniques. First, it is only active during a specific time window at night. It also requires a key derived from a random seed for every session; without this key, nobody can interact with the infected ATM. When the key is entered correctly, the malware displays how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.
Almost any ATM in the world could be illegally accessed and jackpotted, with or without the help of malware, because of the widespread use of outdated and insecure software, mistakes in network configuration and a lack of physical security for critical parts of the ATM.
Software Problems
For many years the biggest threat to the customers and owners of ATMs were skimmers: devices attached to an ATM to steal data from bank card magstripes. But as malicious techniques have evolved, ATMs have been exposed to more danger. In 2014, Kaspersky Lab researchers discovered Tyupkin, one of the first widely known examples of malware for ATMs, and in 2015 company experts uncovered the Carbanak gang, which, among other things, was capable of jackpotting ATMs through compromised banking infrastructure. “Due to the nature of the devices where this malware is run, we cannot determine the extent of the infections. However, based on statistics from VirusTotal, we have seen malware submissions from the following countries: Russia, India, Israel, US, China, Malaysia and France,” said Halde.
Both attacks were possible because of several common weaknesses in ATM technology and in the infrastructure that supports it. This is only the tip of the iceberg.
In an effort to map all ATM security issues, Kaspersky Lab penetration testing specialists conducted research based on investigations of real attacks and on the results of ATM security assessments for several international banks.
Embedded systems like ATMs and point-of-sale devices present unique challenges for information security, and unique opportunities for attackers. To stop such attacks, it is first necessary to revise the XFS standard with an emphasis on security, and to introduce two-factor authentication between the ATM’s devices (the cash dispenser above all) and the legitimate software that drives them. Today any code running on the ATM PC can issue XFS commands to the dispenser, which is exactly what Tyupkin exploits; authenticating the software to the device reduces the likelihood of unauthorized cash withdrawals by trojans and of attackers gaining direct control over ATM units.
Secondly, it is necessary to implement “authenticated dispensing”, so that the ATM only pays out on a dispense command that the bank’s processing centre has authorised, which excludes attacks via fake processing centres.
Finally, it is necessary to implement cryptographic protection and integrity control over the data transmitted between all hardware units and the PC inside the ATM. All ATMs are PCs running on very old versions of operation
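The first and third recommendations above come down to one thing: the dispenser must be able to tell a command from the legitimate ATM software apart from one issued by malware on the same PC. The following is an added example written for this page, not Kaspersky Lab code and not any vendor’s XFS implementation. It models a legacy dispenser that obeys any caller, next to a hypothetical dispenser that only pays out on a command bound to a fresh challenge and protected with HMAC-SHA256 under a key provisioned to the legitimate host. The shared-key challenge-response design, the `LegacyDispenser`/`AuthenticatedDispenser` names and the cassette inventory are assumptions for illustration; the 40-notes-per-command figure is the article’s.

```python
import hashlib
import hmac
import secrets

# Constructed sample inventory (not real data): cassette id -> notes loaded.
CASSETTES = {"1": 500, "2": 500, "3": 500, "4": 500}
NOTES_PER_DISPENSE = 40  # the per-command withdrawal described in the article


class LegacyDispenser:
    """Dispenser that trusts every command it receives from the PC.

    This is the situation the article describes: any process that can reach
    the XFS layer can empty a cassette, so malware on the PC gets paid.
    """

    def __init__(self, cassettes):
        self.cassettes = dict(cassettes)

    def dispense(self, cassette, count):
        if self.cassettes.get(cassette, 0) < count:
            return False
        self.cassettes[cassette] -= count
        return True


class AuthenticatedDispenser:
    """Hypothetical dispenser that only pays out on a MAC-protected command.

    Assumed design (not from the article): the dispenser and the legitimate
    host share a secret key; every dispense must answer a fresh 16-byte
    challenge, and the MAC covers nonce, cassette and note count.
    """

    def __init__(self, cassettes, key):
        self.cassettes = dict(cassettes)
        self._key = key
        self._pending = None  # the single outstanding challenge, one use only

    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    @staticmethod
    def mac(key, nonce, cassette, count):
        # Bind nonce + cassette + count so none of them can be changed in transit.
        msg = nonce + cassette.encode() + count.to_bytes(2, "big")
        return hmac.new(key, msg, hashlib.sha256).digest()

    def dispense(self, nonce, cassette, count, tag):
        # Anything not answering the current challenge is a replay or never asked.
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            return False
        self._pending = None  # consume the nonce before any further checks
        if not hmac.compare_digest(tag, self.mac(self._key, nonce, cassette, count)):
            return False  # forged (wrong key) or tampered (fields altered)
        if self.cassettes.get(cassette, 0) < count:
            return False
        self.cassettes[cassette] -= count
        return True


def legitimate_dispense(dispenser, key, cassette, count):
    """What the genuine ATM software does: answer the challenge with the key."""
    nonce = dispenser.challenge()
    tag = AuthenticatedDispenser.mac(key, nonce, cassette, count)
    return dispenser.dispense(nonce, cassette, count, tag)


def run_scenarios():
    key = secrets.token_bytes(32)  # provisioned secret; the malware never has it
    results = {}

    # 1. Malware on the PC against an unauthenticated dispenser: paid out.
    legacy = LegacyDispenser(CASSETTES)
    results["legacy_malware"] = legacy.dispense("1", NOTES_PER_DISPENSE)
    results["legacy_cassette_1_left"] = legacy.cassettes["1"]

    # 2. Same malware against the authenticated dispenser, guessing the key.
    auth = AuthenticatedDispenser(CASSETTES, key)
    nonce = auth.challenge()
    forged = AuthenticatedDispenser.mac(b"guess", nonce, "1", NOTES_PER_DISPENSE)
    results["auth_malware_forged"] = auth.dispense(nonce, "1", NOTES_PER_DISPENSE, forged)

    # 3. Malware replays a genuine command it captured on the PC-to-dispenser link.
    nonce = auth.challenge()
    good_tag = AuthenticatedDispenser.mac(key, nonce, "1", NOTES_PER_DISPENSE)
    results["auth_genuine_before_replay"] = auth.dispense(nonce, "1", NOTES_PER_DISPENSE, good_tag)
    results["auth_malware_replay"] = auth.dispense(nonce, "1", NOTES_PER_DISPENSE, good_tag)

    # 4. Malware takes a genuine one-note command and bumps the count to 40.
    nonce = auth.challenge()
    one_note_tag = AuthenticatedDispenser.mac(key, nonce, "1", 1)
    results["auth_malware_tamper"] = auth.dispense(nonce, "1", NOTES_PER_DISPENSE, one_note_tag)

    # 5. The legitimate host still works as before.
    results["auth_legit"] = legitimate_dispense(auth, key, "2", NOTES_PER_DISPENSE)
    results["auth_cassette_1_left"] = auth.cassettes["1"]
    results["auth_cassette_2_left"] = auth.cassettes["2"]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The same pattern, with the processing centre holding the key instead of the ATM PC, is what “authenticated dispensing” in the second recommendation amounts to: a fake host cannot produce a valid tag for a dispense it never authorised. Note that the nonce is consumed before the MAC is checked, so a failed attempt cannot be retried against the same challenge, and all comparisons use `hmac.compare_digest` to avoid timing leaks.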