Automated Teller Machine (ATM) security

This was the reaction some of our colleagues received when they told their relatives & friends of the latest acquisition at NVISO: Our very own ATM (Automated Teller Machine)!

With this blog post, we want to walk our readers through the history of ATM security threats and explain the ATM R&D activities at NVISO. If you are interested in our ATM-related security services, please don't hesitate to get in touch with us!

First of all, ATM's are the main component of self-service banking functions used by millions of banking customers worldwide. In Europe alone, as of 30 June 2013, 400,000 ATM devices were deployed according to the European ATM Security group.  And they are here to stay: The strategy for a lot of European banks is to further automate the cash dispensing process, which usually means: more ATM's with more money in them and less branch employees.

Given this situation, it should be clear why these devices are a highly interesting target for criminals, so let's dive into the different attack techniques used!

Back when robbers were still wielding big guns and ammunition to rob banks, the initial focus of ATM security was to physically protect the money. This made perfect sense and was accomplished by a number of preventive measures (the diagram on the right shows a simplified version of the inside of an ATM machine):

• Securing the ATM's in place (e.g. build them into the wall);
• Storing the money in a vault;
• Using small ink bombs inside the cash cartridges to render stolen money useless;
• ...

Throughout the years, these measures were (quite successfully) further optimized, resulting in a low number of successful physical ATM heists (usually involving big vehicles and/or explosions that didn't go unnoticed).

Given the low success rate, attackers started moving away from the "physical" attack scenario and got a little smarter: instead of the money in the ATM directly, why not first target the customer (after all, information security dictates that humans are the weakest link)? Attackers would now attempt to clone customer cards and obtain valid PIN codes to later retrieve the money from other ATM's. This was done by a variety of techniques, including the installation of card skimmers, fake keypads and microscopical cameras on legitimate ATM's, as illustrated below:

A typical card skimming scam (Source: The Telegraph)

As in every cat-and-mouse game, the industry went a step further and developed means of protecting against this type of attacks using multiple techniques:

• The launch of end-user security awareness campaigns;
• Protecting the card-reader with anti-skimming devices;
• Encrypted PIN Pad's (EPP);
• ...

This historical introduction brings us to the current developments in ATM attacks: although the above-mentioned generation of attacks are still rather successful, attackers are already shifting their attention to the next big thing - once again targeting the ATM, but now from a logical (not a physical) perspective! To put things in perspective, there are a few things you should know about the ATM software:

1. Back in the 90's, ATM's ran proprietary software that was not immediately available for the general public. A bit of "security by obscurity" if you will, but it did prevent the majority of criminals to easily understand what made ATM's tick and what possible vulnerabilities could arise. Nowadays, banks want to select a specific ATM hardware vendor and possibly combine it with another ATM software provider (or develop their own). This leads to a more "open" environment which produces development standards such as CEN/XFS. Needless to say, this opens interesting opportunities for ATM-targeted malware, who of-course also have access to this information...

2. Together with the move to "open" standards, the majority of ATM devices is now Windows-based and the big majority is running Windows XP. This is a worrying statistic, given the upcoming end-of-support date for Windows XP (8 April 2014). Not even everyone is planning to immediately upgrade their ATM Operating Systems, as evidenced by this diagram from the "2013 ATM Software Trends & Analysis" guide (source: KAL):

3. ATM's are prone to network-based attacks. ATM's are obviously connected to the bank's internal networks, but Shodan even reveals several ATM's (or ATM honeypots :p) connected to the Public Internet!

From a criminal's perspective, the above trends are reducing ATM's from exotic / proprietary systems to everyday desktop computers running Windows-based operating systems, something they've been attacking for years and years! This shift is being evidenced by highly complex ATM malware samples such as the Ploutus ATM malware, which was discovered in September 2013:

• http://blog.spiderlabs.com/2013/10/having-a-fiesta-with-ploutus.html

• http://www.symantec.com/connect/blogs/backdoorploutus-reloaded-ploutus-leaves-mexico

ATM security research in itself is nothing new, and we'd also like to highlight the efforts that have previously been done by the likes of Barnaby Jack (see his Blackhat talk of 2010) and the researchers that presented at the German CCC conference in December 2013.

The reason for our ATM purchase is to perform additional research and identify new ways of both attacking and defending ATM systems, so keep an eye on our future publications. We can however already give you the following basic defense techniques:

-Protect your ATM BIOS to ensure it won't boot from foreign sources such as DVD/CD's or USB's;
-Encrypt the hard disk;
-Make sure your OS is up to date and follow up on security patches;
-Implement application white-listing techniques to prevent malware from running;
-Protect the ATM's from network-based attacks by placing them in a segmented, secured network area;
-Use protocols that provide integrity and confidentiality services for communications towards the back-end;
-Monitor your ATM's (camera protection and system-level monitoring) to ensure you can detect suspicious behavior & events.

Oh, and please: when you get rid of / sell your ATM, make sure to wipe / destroy the hard disk, because we've gathered quite some interesting information after the initial forensics we performed on our second-hand ATM. There's enough material for a next blog post ;).

If you've got some interesting experiences to share or questions to ask, please don't hesitate to get in touch with us!

To finish, some pics of our little beauty: