
ATM attacks: past, present and future

In a post about the Internet of Things I very nearly counted ATMs among IoT devices, on the criteria of autonomous operation and a permanent Internet connection. In general that is fair enough, but as soon as we move from words to deeds, that is, to the real specifics of protecting ATMs from hacking, a lot of uncomfortable details come up at once. A modern ATM is a full-fledged computer, tuned to perform one specific task but capable of running any code, including malicious code. The ATM is enclosed and wired to a variety of sensors and specialized devices, through which the ATM itself can be attacked. Or it can be left alone entirely, and control of the cash dispenser or of the PIN entry keypad intercepted instead.

There are many scenarios in which something goes wrong with an ATM, and most of them are based not on a theoretical analysis of potential vulnerabilities but on the practice of dissecting real attacks. The banking sector as a whole is much better protected than other industries, but cybercriminals also pay it much more attention: real money is at stake. Nevertheless, it would be useful to somehow systematize the weak points of the banking infrastructure, which is what Kaspersky Lab experts Olga Kochetova and Alexey Osipov recently set out to do.

As with the story of the investigation into the Lurk campaign, this text is a loose retelling of the original sources. For the details I refer you to them: a review article on Securelist in Russian, the study “Future attack scenarios on communication systems interacting with ATMs” in English, a brief summary of it containing only the descriptions of attacks and countermeasures, and the earlier publications: the description of the Skimer malware and the Tyupkin targeted attack on ATMs.

Do you remember how it all started


ATM attacks are not exactly a new topic. The first version of the Skimer malware appeared in 2008-2009. The attack is aimed directly at ATMs: in one of the current versions (Skimer exists and continues to develop today), once an ATM is infected it can be controlled by inserting a prepared card with a “key” on the magnetic stripe.

His blessing!

As its name suggests, Skimer can activate the collection of data from cards inserted into the ATM, but it can also be used to steal cash directly: the corresponding command is provided in its control menu. Skimer embeds itself into the legitimate SpiService.exe process, as a result of which it gains full access to XFS, the standard client-server architecture for financial applications on Windows-based systems.



Unlike Skimer, the Tyupkin attack, which the Lab investigated in 2014, does not use prepared cards. Instead, the malicious code can be activated only at a certain time of day, and even then control of the ATM can be taken only after a dynamic authorization code is entered. The consequences of a successful attack, however, are roughly the same:



Carbanak and Company


Actually, the most interesting thing in these two examples is the process of infection, which sometimes has to be reconstructed from surveillance camera footage. In the case of Tyupkin, the malware was installed from a CD (!), that is, there was physical access to the inside of the ATM. This is an obvious attack vector with equally obvious flaws. But it is not the only one.

In the Carbanak campaign, whose details Kaspersky Lab experts revealed in February of last year, ATMs are used last of all, silently handing out cash on command from the center without any manipulation on the spot. It was the victims' infrastructure that was compromised, so the main damage was done, as they say, by bank transfer. When losses are measured in hundreds of millions of dollars, cash ceases to play a significant role.



The trend continued this year: in February we reported on three new attacks, two of which focused on cashless theft of funds. Only one campaign (Metel) provided for withdrawing funds through ATMs, but nobody hacked the devices themselves. Technically, the transaction (withdrawing money from the account) was legitimate, but after it the card balance was rolled back to its previous value. This modern version of the fairy-tale coin that always returns to its owner's pocket operated, as in the other attacks, at night, preferably on weekends.
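The Metel pattern described above, a legitimate withdrawal followed by a rollback of the card balance and repeated at night or on weekends, is something a bank's own monitoring can look for in processing logs. The following is an added example of such a detection heuristic and is not code from Kaspersky Lab or from the original post; the log format, the field names, the five-minute pairing window and the off-hours definition are all assumptions made for illustration, and the log lines are constructed.

```python
"""Detect repeated withdraw-then-reversal pairs on a single card.

Added illustration of the Metel-style pattern; the log format, thresholds
and sample lines below are constructed assumptions, not real bank data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, card id, event type, amount.
# 2016-02-13 is a Saturday; 2016-02-15 is a Monday.
SAMPLE_LOG = """\
2016-02-13T02:10:05 CARD-0001 WITHDRAW 500
2016-02-13T02:10:09 CARD-0001 REVERSAL 500
2016-02-13T02:14:40 CARD-0001 WITHDRAW 500
2016-02-13T02:14:44 CARD-0001 REVERSAL 500
2016-02-13T02:19:12 CARD-0001 WITHDRAW 500
2016-02-13T02:19:16 CARD-0001 REVERSAL 500
2016-02-15T12:30:00 CARD-0002 WITHDRAW 100
2016-02-15T12:45:00 CARD-0002 REVERSAL 100
2016-02-15T13:00:00 CARD-0003 WITHDRAW 200
"""

REVERSAL_WINDOW = timedelta(minutes=5)  # assumed: rollback follows the withdrawal quickly
MIN_PAIRS = 3                           # assumed: a single pair is a normal reversal


def parse_log(text):
    """Parse the constructed log into (timestamp, card, event, amount) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, kind, amount = line.split()
        events.append((datetime.fromisoformat(ts), card, kind, int(amount)))
    return sorted(events)


def find_rollback_pairs(events):
    """Pair each WITHDRAW with the next REVERSAL of the same amount on the same card
    inside REVERSAL_WINDOW. Returns {card: [(withdraw_ts, reversal_ts, amount), ...]}."""
    pending = defaultdict(list)   # card -> open withdrawals (ts, amount)
    pairs = defaultdict(list)
    for ts, card, kind, amount in events:
        if kind == "WITHDRAW":
            pending[card].append((ts, amount))
        elif kind == "REVERSAL":
            for i, (wts, wamt) in enumerate(pending[card]):
                if wamt == amount and ts - wts <= REVERSAL_WINDOW:
                    pairs[card].append((wts, ts, amount))
                    del pending[card][i]
                    break
    return pairs


def is_off_hours(ts):
    """Weekend, or outside 06:00-22:00 on a weekday (assumed business window)."""
    return ts.weekday() >= 5 or ts.hour < 6 or ts.hour >= 22


def flag_cards(events):
    """Return cards with at least MIN_PAIRS withdraw/rollback pairs, with a summary."""
    flagged = {}
    for card, pairs in find_rollback_pairs(events).items():
        if len(pairs) >= MIN_PAIRS:
            flagged[card] = {
                "pairs": len(pairs),
                "off_hours": sum(1 for wts, _, _ in pairs if is_off_hours(wts)),
                "total_withdrawn": sum(amt for _, _, amt in pairs),
            }
    return flagged


if __name__ == "__main__":
    for card, summary in flag_cards(parse_log(SAMPLE_LOG)).items():
        print(card, summary)
```

On the constructed sample only CARD-0001 is flagged: three withdrawals each rolled back within seconds, all at 2 a.m. on a Saturday. CARD-0002 has a single reversal fifteen minutes later, which is ordinary and not paired, and CARD-0003 has no reversal at all. The thresholds are the part a real deployment would tune against its own traffic.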



Cybercriminals will attack the core infrastructure of financial organizations for as long as they have the opportunity, that is, for as long as it remains vulnerable. As the story of the robbery through the SWIFT interbank transfer system shows, even critical elements of the financial infrastructure are not always properly protected (does it not turn out that ATMs are sometimes better protected?). I would like to believe this will not last long. And given that cybercriminals have no intention of forgetting about ATMs either, ATMs can claim the dubious privilege of being the financial industry's long-term headache.

Where will the threat come from?


In their analysis of future attack vectors against ATMs, our experts do not limit themselves to the immediate theft of cash. To that understandable goal we add the theft of customer data, for the subsequent withdrawal of funds in larger volumes with less chance of being caught on a surveillance camera. But that is not all. If you look closely, it is impossible to find a single place in the entire IT plumbing of an ATM network that cannot be attacked.

An interesting example is the biometric identification of customers, a relatively new technology that either replaces or supplements the standard means of authorization: PIN code, NFC and so on. Theft of biometric data is theoretically possible through suitably modified skimmers (if biometrics steps on the same rake that card readers stepped on before), through a man-in-the-middle attack (when the ATM starts sending data to someone else's processing server), or through an attack on the infrastructure of the financial institution.



How biometrics would then be used for the theft of funds is still an open question, and the study does not describe it in detail. But there is an important nuance: if cybercriminals learn to do this, we will get an analogue of the situation with cloned credit cards, but without the possibility of “reissuing” fingerprints, a voice and so on. And it is not certain that fingerprint simulators would even need to be invented: a separate chapter of the study covers attack scenarios on PIN pads in which data can be intercepted or substituted, with encryption forcibly disabled. Could the same be done to a biometric sensor? Why not.



What to do?


The report does not address the issue of obsolete hardware in ATMs; although this is a real problem from a security point of view, solutions exist even for ancient devices. In general, a comprehensive approach to threat scenarios implies an equally diverse list of measures to prevent them, in at least three areas: network, software and hardware (plus it is desirable not to forget about training for staff). For all three there is an obvious need for secure data transfer at every stage and for verification of authenticity; otherwise situations are possible in which a “foreign” control module is simply connected to the cash dispenser. Separately, for the software, strict control over the launch of unauthorized code is proposed: for ATMs, unlike ordinary computers, this is relatively easy to implement. Finally, at the network level, isolation of network segments from each other is mandatory, so that the all-too-common situation in which an ATM is directly reachable from the Internet because of a configuration error no longer arises.
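Strict control over which code runs is easier on an ATM than on a general-purpose computer precisely because the set of legitimate software is small and fixed. The following is an added example of the underlying idea, a hash-based allowlist of the software tree, and is not code from the study or from any ATM vendor: a baseline manifest is recorded once on a known-good image, and a later verification reports files that were modified, that are missing, or that appeared without being listed. The directory layout, file names and contents are constructed for the demonstration; a real deployment would enforce the allowlist at the operating-system level rather than with a script.

```python
"""Hash-based allowlist check for a fixed software tree.

Added illustration of execution control on a single-purpose machine; the
directory layout and file contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record {relative_path: sha256} for every file under root (the known-good baseline)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root, manifest):
    """Compare the current tree against the baseline.

    Returns sorted lists of files whose hash changed ("modified"), files present
    on disk but absent from the baseline ("unlisted"), and baseline files that
    are no longer on disk ("missing")."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unlisted": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed known-good tree, then simulate drift and verify it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline image: names and bytes are placeholders.
        _write(root, "bin/atmapp.exe", b"atm application build 1")
        _write(root, "bin/xfs_host.exe", b"xfs host build 1")
        _write(root, "lib/helper.dll", b"helper library")
        baseline = build_manifest(root)

        # Simulated drift after deployment: one binary changed, one library
        # disappeared, one unexpected executable appeared.
        _write(root, "bin/atmapp.exe", b"atm application build 1 + unexpected change")
        os.remove(os.path.join(root, "lib", "helper.dll"))
        _write(root, "bin/unknown.exe", b"not in the baseline")

        return verify_tree(root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

The check is only as good as the baseline it is compared against, so the manifest itself has to be produced from a trusted image and stored where the ATM's own software cannot rewrite it; otherwise an attacker who can modify binaries can modify the list too.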


Guess the OS from the Adobe Reader version

Although some of the attack scenarios shown in the report are (for now) theoretical, together with the “practical” ones they add up to an interesting picture. Financial institutions have to deal both with specific threats (the attack on SWIFT, Carbanak: hacking with knowledge of internal processes) and with commonplace ones (phishing, exploitation of vulnerabilities, configuration errors and so on). Add to this traditional skimmers, physical break-ins of ATMs, and the difficulty of updating software and hardware (my own evidence is in the photo above). On the one hand, all this amounts to one giant vulnerability. On the other hand, there are plenty of resources for protection, both financial and expert. So in the future the financial sector may bring us both new examples of high-profile cyber heists and truly innovative protection models.

Disclaimer: This column is based on real events, but still reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on your luck.

Source: https://habr.com/ru/post/311622/
