Kaspersky Lab specialists discover vulnerabilities in ATMs

According to a Kaspersky Lab expert survey, any criminal in the world could gain unauthorized access to an ATM and profit from it, with or without the help of malware. This is due to the widespread use of obsolete and insecure software, errors in network configuration, and a lack of physical security for the critical parts of the ATM.

For many years, the biggest threat to customers and ATM owners was so-called skimmers, i.e. special devices connected to an ATM to intercept data from the cards' magnetic strips. But as malicious techniques have evolved, ATMs have been exposed to greater risks. In 2014, Kaspersky Lab researchers discovered Tyupkin, one of the first widely known examples of malware for ATMs. In 2015, the company's experts uncovered the Carbanak gang, which, among other things, could profit from ATMs by compromising banking infrastructure. Both attacks were possible because the criminals managed to exploit various common weaknesses in ATM technology and the infrastructure that supports it. And that's just the tip of the iceberg.

In an effort to map all ATM security issues, Kaspersky Lab penetration testing specialists have conducted research based on the investigation of real attacks, as well as on the results of ATM security assessments for several international banks.

The research by Kaspersky Lab experts concludes that malware attacks against ATMs are possible because of several security issues. First, all ATMs are computers running very old versions of operating systems, such as Windows XP. This makes them vulnerable to "infection" by malicious programs and to attacks via exploits. In the vast majority of cases, the special software that allows the ATM's computer to interact with the banking infrastructure and the hardware units, in order to process cash and credit card transactions, is based on the XFS standard.

This is a fairly old and insecure technology specification, originally created to standardize ATM software so that it could work on any equipment, regardless of manufacturer. Once malware successfully "infects" an ATM, it gains almost unlimited control over the machine. For example, it can turn the ATM's PIN keypad and card reader into a "physical" skimmer, or simply dispense all the money stored in the ATM at the attacker's command.

In many cases investigated by Kaspersky Lab researchers, criminals do not need to use malicious software to "infect" the ATM or the network of the bank it is connected to. This is because of the lack of physical security for the ATMs themselves, a very common problem for these devices. Very often, ATMs are manufactured and installed in a way that lets third parties easily access the computer located inside the ATM or the network cable that connects the machine to the Internet. By acquiring even partial physical access to ATMs, criminals can potentially:

  • Install a specially designed microcomputer (the so-called black box) inside the ATM, which will give attackers remote access to the ATM.
  • Reconnect the ATM to a fake "processing center".

The fake "processing center" is software that processes payment data and is identical to the bank's software, even though it is not owned by the bank. Once the ATM connects with a fake processing center, the attackers can issue any command they want. And the ATM will simply execute it.

The connection between an ATM and a processing center can be protected in several ways. For example, it may use VPN hardware or software, , firewall or MAC authentication, implemented in xDC protocols. However, these measures are not often implemented. When implemented, they are often flawed – even vulnerable. This could only be discovered during a security assessment of an ATM.

As a result, criminals do not need to manipulate hardware but simply exploit vulnerabilities in network communication between ATM and banking infrastructure.

How to stop the ATM violation

"The results of the survey show that even if the machine operators ATM are now trying to develop machines with strong security features, many banks are still using older, precarious models. So, they are unprepared for criminals who are actively putting at risk the safety of these devices. This is the current reality, which can cause enormous financial losses to banks and their customers. We believe that this situation is the result of a long-standing misconception that digital criminals are only interested in attacks against online banking services. They are interested in these attacks, but they are also increasingly aware of the value to them of exploiting ATM vulnerabilities, because direct attacks against these devices significantly reduce the "distance" they have to travel until they acquire access to real money", said Olga Kochetova, Security Specialist at Kaspersky Lab Penetration Testing.

Although the security issues mentioned above most likely affect many ATMs around the world, this does not mean that the situation cannot be corrected. ATM manufacturers can reduce the risk of attacks on the machines by applying the following measures:

  • Firstly, it is necessary to revise the XFS standard with an emphasis on safety, as well as to introduce two-factor authentication between devices and legitimate software. This will help reduce the possibility of unauthorized withdrawals of money using Trojan programs and of attackers gaining direct control of ATM units.
  • Secondly, it is necessary to apply "identifiable access" to exclude the possibility of attacks through fake processing centers.
  • Thirdly, it is necessary to implement cryptographic protection and integrity control of the data transmitted between all hardware and computer units within the ATMs.
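
The integrity control recommended above, and the reason a fake processing center fails when message authentication is actually enforced, shown as an added example (not code from Kaspersky Lab or any ATM vendor). The message layout, keys and function names are assumptions for illustration and are not the real xDC wire format.

```python
import hashlib
import hmac
import struct

# Assumption: constructed layout, NOT the real xDC (NDC/DDC) wire format:
#   8-byte sequence number | 1-byte opcode | 4-byte amount | 32-byte HMAC-SHA256 tag
HEADER = struct.Struct(">QBI")
TAG_LEN = hashlib.sha256().digest_size
OP_DISPENSE = 0x01


def build_command(key: bytes, seq: int, opcode: int, amount: int) -> bytes:
    """Host side: serialize a command and append its authentication tag."""
    body = HEADER.pack(seq, opcode, amount)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AtmCommandVerifier:
    """ATM side: act only on authenticated, fresh host commands."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0  # highest sequence number accepted so far

    def accept(self, message: bytes):
        """Return (opcode, amount) for a valid command, otherwise None."""
        if len(message) != HEADER.size + TAG_LEN:
            return None
        body, tag = message[:HEADER.size], message[HEADER.size:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison: do not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None  # sender lacks the key (fake processing center) or data was altered
        seq, opcode, amount = HEADER.unpack(body)
        if seq <= self._last_seq:
            return None  # replayed or reordered command
        self._last_seq = seq
        return opcode, amount


# Constructed sample keys, for the demonstration only.
BANK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
ROGUE_KEY = b"\x00" * 32
```

A MAC only proves that the sender holds the shared key and that the message was not modified; it does not hide the message contents, which is the job of the VPN layer mentioned earlier.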

More information on modern ATM security issues is available on the site Securelist.com.


Written by Dimitris
