This was the reaction
some of our colleagues received when they told their relatives &
friends of the latest acquisition at NVISO: Our very own ATM (Automated
Teller Machine)!
With this blog post, we want to walk our readers through the history of
ATM security threats and explain the ATM R&D activities at NVISO.
If you are interested in our ATM-related security services, please don't
hesitate to get in touch with us!
First of all, ATMs are the main component of self-service banking functions
used by millions of banking customers worldwide. In Europe alone, as of
30 June 2013, 400,000 ATM devices were deployed according to the
European ATM Security group. And they are here to stay:
The strategy for a lot of European banks is to further automate the
cash dispensing process, which usually means: more ATMs with more money
in them and fewer branch employees.
Given this situation, it
should be clear why these devices are a highly interesting target for
criminals, so let's dive into the different attack techniques used!
Back
when robbers were still wielding big guns and ammunition to rob banks,
the initial focus of ATM security was to physically protect the money.
This made perfect sense and was accomplished by a number of preventive
measures (the diagram on the right shows a simplified version of the
inside of an ATM machine):
- Securing the ATMs in place (e.g. building them into the wall);
- Storing the money in a vault;
- Using small ink bombs inside the cash cartridges to render stolen money useless;
- ...
Throughout the years,
these measures were (quite successfully) further optimized, resulting in
a low number of successful physical ATM heists (usually involving big
vehicles and/or explosions that didn't go unnoticed).
Given the low success
rate, attackers started moving away from the "physical" attack scenario
and got a little smarter: instead of targeting the money in the ATM directly, why
not first target the customer (after all, information security dictates
that humans are the weakest link)? Attackers
would now attempt to clone customer cards and obtain valid PIN codes to
later retrieve the money from other ATMs. This was done by a variety
of techniques, including the installation of card skimmers, fake keypads
and microscopic cameras on legitimate ATMs, as illustrated below:
A typical card skimming scam (Source: The Telegraph)
As in every
cat-and-mouse game, the industry went a step further and developed means
of protecting against this type of attack using multiple techniques:
- The launch of end-user security awareness campaigns;
- Protecting the card-reader with anti-skimming devices;
- Encrypted PIN Pads (EPP);
- ...
This historical
introduction brings us to the current developments in ATM attacks:
although the above-mentioned generation of attacks is still rather
successful, attackers are already shifting their attention to the next
big thing - once again targeting the ATM, but now from a logical (not a
physical) perspective! To put things in perspective, there are a few
things you should know about the ATM software:
1. Back in the
90's, ATMs ran proprietary software that was not immediately available
to the general public. A bit of "security by obscurity" if you will,
but it did prevent the majority of criminals from easily understanding what
made ATMs tick and what possible vulnerabilities could arise. Nowadays,
banks want to select a specific ATM hardware vendor and possibly
combine it with another ATM software provider (or develop their own).
This leads to a more "open" environment which produces development
standards such as CEN/XFS.
Needless to say, this opens interesting opportunities for authors of ATM-targeted
malware, who of course also have access to this information...
2. Together with the move to "open" standards, the majority of ATM devices are now Windows-based and the vast majority are running Windows XP.
This is a worrying statistic, given the upcoming end-of-support date
for Windows XP (8 April 2014). Not everyone is even planning to
immediately upgrade their ATM operating systems, as evidenced by this
diagram from the "2013 ATM Software Trends & Analysis" guide
(source: KAL):
3. ATMs are prone to network-based attacks. ATMs are obviously connected to the bank's internal networks, but Shodan even reveals several ATMs (or ATM honeypots :p) connected to the public Internet!
- http://blog.spiderlabs.com/2013/10/having-a-fiesta-with-ploutus.html
- http://www.symantec.com/connect/blogs/backdoorploutus-reloaded-ploutus-leaves-mexico
ATM security research in
itself is nothing new, and we'd also like to highlight the work
previously done by the likes of Barnaby Jack (see his Black Hat talk of 2010) and the researchers that presented at the German CCC conference in December 2013.
The reason for our ATM purchase is to perform additional research and identify new ways of both attacking and defending ATM systems, so keep an eye on our future publications. We can however already give you the following basic defense techniques:
- Protect your ATM BIOS to ensure it won't boot from foreign sources such as DVD/CDs or USB devices;
- Encrypt the hard disk;
- Make sure your OS is up to date and follow up on security patches;
- Implement application white-listing techniques to prevent malware from running;
- Protect the ATMs from network-based attacks by placing them in a segmented, secured network area;
- Use protocols that provide integrity and confidentiality services for communications towards the back-end;
- Monitor your ATMs (camera protection and system-level monitoring) to ensure you can detect suspicious behavior & events.
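As an added illustration of how the white-listing and system-level monitoring items fit together (example code written for this page, not NVISO's tooling), the sketch below triages ATM telemetry against a hash-based allowlist and flags foreign boot sources and removable media. The event schema, ATM ids and sample data are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for approved ATM binaries; a real allowlist is built
# from the software vendor's release images.
ALLOWLIST = {digest(b"constructed ATM application"), digest(b"constructed XFS manager")}

@dataclass
class Event:
    atm_id: str
    kind: str         # "process_start", "media_inserted" or "boot" (assumed schema)
    detail: str       # image path, media type or boot device
    sha256: str = ""  # set for process_start only

def evaluate(ev: Event) -> list:
    """Return findings for one telemetry event; an empty list means clean."""
    if ev.kind == "process_start" and ev.sha256 not in ALLOWLIST:
        # Match on content hash, not path: a replaced binary keeps its name.
        return [f"unlisted executable {ev.detail}"]
    if ev.kind == "media_inserted":
        return [f"removable media inserted ({ev.detail})"]
    if ev.kind == "boot" and ev.detail != "internal_disk":
        return [f"booted from {ev.detail}"]
    return []

def triage(events) -> dict:
    """Group findings per ATM so an analyst sees which machines need attention."""
    report = {}
    for ev in events:
        for finding in evaluate(ev):
            report.setdefault(ev.atm_id, []).append(finding)
    return report

# Constructed sample telemetry (not from a real ATM).
SAMPLE = [
    Event("ATM-001", "boot", "internal_disk"),
    Event("ATM-001", "process_start", r"C:\ATM\atm_app.exe", digest(b"constructed ATM application")),
    Event("ATM-002", "process_start", r"C:\ATM\atm_app.exe", digest(b"constructed replaced binary")),
    Event("ATM-002", "media_inserted", "usb_storage"),
    Event("ATM-003", "boot", "cdrom"),
]

if __name__ == "__main__":
    for atm, findings in triage(SAMPLE).items():
        print(atm, findings)
```

ATM-001 and ATM-002 both start a binary at the same path; only the content hash distinguishes the approved image from the replaced one, which is why the allowlist is keyed on hashes rather than file names.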
Oh, and please: when you get rid of / sell your ATM, make sure to wipe / destroy the hard disk, because we've gathered quite some interesting information after the initial forensics we performed on our second-hand ATM. There's enough material for a next blog post ;).
If you've got some interesting experiences to share or questions to ask, please don't hesitate to get in touch with us!
To finish, some pics of our little beauty:
Great post! I am actually getting ready to across this information, I am very happy to this commands. Also great blog here with all of the valuable information you have. Well done, it's a great knowledge.