According to research conducted by Kaspersky Lab experts, the widespread use of outdated and insecure software, mistakes in network configuration and a lack of physical security for critical parts of the ATM make them vulnerable.
For many years the biggest threat to the customers and owners of ATMs were skimmers – special devices attached to an ATM in order to steal data from bank card mag-stripes. But as malware has evolved, ATMs are exposed to more danger.
In 2014, Kaspersky Lab researchers discovered Tyupkin – one of the first widely known examples of malware for ATMs, and in 2015 company experts uncovered the Carbanak gang, which, among other things, was capable of jackpotting ATMs through compromised banking infrastructure.
In an effort to map all ATM security issues, Kaspersky Lab penetration testing specialists conducted research based on the investigation of real attacks, and on the results of ATM security assessments for several international banks.
The results show that malware attacks against ATMs are possible due to several security issues. (1) All ATMs are PCs run on very old versions of operation systems such as Windows XP. This makes them vulnerable to infection with PC malware and attack via exploits. In the majority of cases, the special software that allows an ATM’s PC to interact with banking infrastructure and hardware units to process cash and credit cards is based on XFS standard.
This an old and insecure technology specification, originally created to standardize ATM software so it could work on any equipment regardless of manufacturer. Once an ATM is infected and control over that ATM is compromised, the PIN pad and card reader can be converted into a “native” skimmer or all of the money stored in the ATM can simply be dispensed all upon a command from the hacker.
In many cases, criminals don’t have to use malware to infect the ATM or the network of the bank to which it is attached as the lack of physical security for the ATMs themselves – a very common issue for these devices makes them vulnerable. Very often ATMs are constructed and installed in a way that means a third-party can easily gain access to the PC inside the ATM, or to the network cable connecting the machine to the Internet.
By gaining even partial physical access to the ATM, criminals can:
- Install specially programmed microcomputer (a so called black box) inside the ATM, which will give attackers remote access to the ATM
- Reconnect the ATM to a rogue processing center
A fake processing center is software that processes payment data that is identical to the bank’s software, despite the fact that it doesn’t belong to the bank. Once the ATM is reconnected to a fake processing center, attackers can issue any command they want.
At issue are financial institutions reluctant to put in often costly protection methods, or misconfiguring hardware or software VPN, SSL/TLS encryption, firewalls or MAC-authentications in xDC protocols. As a result, criminals don’t have to manipulate hardware, they just exploit insecurities in the network communication between the ATM and banking infrastructure.
How to stop ATM jackpotting:
“The results of our research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models which makes them unprepared for criminals actively challenging the security of these devices. This leads to huge financial losses for banks and their customers. From our perspective, this is the result of a long-held misconception that cybercriminals are only interested in cyberattacks against Internet banking. They are interested in these attacks, but increasingly see the value in exploiting ATM vulnerabilities, because direct attacks against such devices significantly shorten their route to real money,” says Olga Kochetova, security expert at Kaspersky Lab’s Penetration Testing department.
What can be done? ATM manufacturers can reduce the risk of attack on cash machines by applying the following measures:
- Revise the XFS standard with an emphasis on safety, and introduce two-factor authentication between devices and legitimate software. This will help reduce the likelihood of unauthorized money withdrawals using trojans and attackers gaining direct control over ATM units.
- Implement “authenticated dispensing” to exclude the possibility of attacks via fake processing centers.
- Implement cryptographic protection and integrity control over the data transmitted between all hardware units and the PCs inside ATMs.
How customers can protect themselves:
Customers can often receive timely alerts about account transactions at no extra cost. Alerts give the status of account activities at a glance and help customers monitor their accounts. Alerts are sent right to email or a wireless device. (The mobile carrier’s text messaging and web access charges may apply for text message alerts.) A withdrawal, deposit or check post to your account will instantly alert customers to any unauthorized account access.