Kaspersky Lab specialists discover vulnerabilities in ATMs

According to research by Kaspersky Lab specialists, any criminal in the world could gain illegal access to an ATM and profit from it, with or without the help of malware. This is due to the widespread use of outdated and insecure software, network configuration errors, and a lack of physical security for critical ATM components.

For many years, the biggest threat to ATM customers and owners was so-called skimmers, i.e. special devices attached to an ATM to intercept data from card magnetic stripes. However, as malicious techniques have evolved, ATMs have been exposed to greater risks. In 2014, Kaspersky Lab researchers discovered Tyupkin, one of the first widely known examples of ATM malware. In 2015, the company's experts uncovered the Carbanak gang, which, among other things, could cash out ATMs after compromising the banking infrastructure. Both attacks were possible because criminals managed to find and exploit various common weaknesses in ATM technology and in the infrastructure that supports it. And that is just the tip of the iceberg.

In an effort to map out all ATM security issues, Kaspersky Lab's penetration testing experts conducted investigations of real attacks and combined them with the results of ATM security assessments performed for several international banks.

Kaspersky Lab's expert study concludes that malware attacks against ATMs can be carried out because of a number of security issues. First, all ATMs are computers, and they run on very old versions of operating systems such as Windows XP. This makes them vulnerable to malware attacks and exploits. In the vast majority of cases, the special software that allows the ATM computer to interact with the banking infrastructure and with the hardware that handles cash and card transactions is based on the XFS standard.

XFS is a fairly old and insecure technical specification, originally created to standardise ATM software so that it could run on any equipment regardless of manufacturer. Once malware successfully "infects" an ATM, it gains almost unlimited control of the machine. For example, it can turn the ATM's PIN pad and card reader into a "physical" skimmer, or simply hand over all the cash stored in the ATM on command.

In many cases investigated by Kaspersky Lab researchers, criminals did not need to use malware at all to "infect" the ATM or the bank network it is connected to. This is because of the lack of physical security for the ATMs themselves, a very common problem for these devices. Very often, ATMs are built and installed in a way that lets third parties easily reach the computer inside the ATM or the network that connects the machine to the Internet. By gaining even partial physical access to the ATM, criminals can potentially:

  • Install a specially designed microcomputer (a so-called black box) inside the ATM, which gives the attackers remote access to the machine.
  • Reconnect the ATM to a fake "processing center".

A fake "processing center" is software that processes payment data and behaves identically to the bank's own software, even though it is not operated by the bank. Once the ATM connects to a fake processing center, the attackers can issue any command they want, and the ATM will simply execute it.

The connection between an ATM and a processing center can be protected in several ways. For example, it can use a hardware or software VPN, encryption, a firewall, or MAC authentication applied to the xDC protocols. However, these measures are often not applied at all. When they are applied, they are often implemented incorrectly, and are sometimes vulnerable themselves, something that can only be discovered during a security assessment of the ATM.

As a result, criminals do not need to tamper with hardware; they can simply exploit vulnerabilities in the network communication between the ATM and the banking infrastructure.

How to stop ATM breaches

"The results of the survey show that even if ATM machine operators are now trying to develop machines with strong security features, many banks are still using older, insecure models. So they are unprepared for criminals who are actively putting the safety of these devices at risk. This is the current reality, which can cause enormous financial losses to banks and their customers. We believe that this situation is the result of a long-standing misconception that digital criminals are only interested in attacks against online banking services. They are interested in these attacks, but they are also increasingly aware of the value to them of exploiting ATM vulnerabilities, because direct attacks against these devices significantly reduce the 'distance' they have to travel until they gain access to real money", said Olga Kochetova, Security Specialist, Penetration Testing, at Kaspersky Lab.

Although the security issues mentioned above most likely affect many ATMs around the world, this does not mean that the situation cannot be corrected. ATM manufacturers can reduce the risk of attacks on their machines by applying the following measures:

  • Firstly, the XFS standard needs to be revised with security in mind, and two-factor authentication introduced between devices and legitimate software. This will help reduce the likelihood of unauthorised cash withdrawals by Trojan programs and of attackers gaining direct control of ATM units.
  • Secondly, "authenticated access" needs to be applied to rule out attacks through fake processing centers.
  • Thirdly, encryption and integrity control need to be implemented for the data transmitted between all hardware and computer units inside the ATM.
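The MAC authentication on the ATM-to-host link mentioned earlier, and the integrity control recommended in the last point, amount to the same control: the ATM only acts on a host command if it carries a valid tag under a key the fake processing center does not have. The following is an added illustration, not Kaspersky Lab's code or any real xDC protocol; the message layout, the shared key and the command fields are all constructed for the demo.

```python
import hmac
import hashlib
import json

# Shared secret between the bank's processing center and one ATM.
# Constructed demo value; a real key would live in the ATM's secure hardware.
SHARED_KEY = b"demo-key-for-illustration-only"


def sign_command(key: bytes, seq: int, command: dict) -> bytes:
    """Host side: serialise a command with a sequence number and append an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "cmd": command}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class AtmReceiver:
    """ATM side: accept a command only if its tag verifies under the shared key
    and its sequence number is strictly increasing (rejects replayed messages)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, message: bytes):
        body, sep, tag = message.rpartition(b"|")
        if not sep:
            return None  # malformed: no tag at all
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so the tag cannot be guessed byte by byte via timing.
        if not hmac.compare_digest(expected, tag):
            return None  # wrong key (e.g. a fake processing center) or tampered body
        parsed = json.loads(body)
        if parsed["seq"] <= self.last_seq:
            return None  # replay of an earlier, genuinely signed command
        self.last_seq = parsed["seq"]
        return parsed["cmd"]


if __name__ == "__main__":
    atm = AtmReceiver(SHARED_KEY)
    genuine = sign_command(SHARED_KEY, 1, {"op": "dispense", "notes": 2})
    print("genuine:", atm.accept(genuine))          # executed
    print("replay:", atm.accept(genuine))           # None
    forged = sign_command(b"not-the-bank-key", 2, {"op": "dispense", "notes": 40})
    print("fake center:", atm.accept(forged))       # None
```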

More information on modern ATM security issues is available on the site Securelist.com.

Written by Dimitris
