Six years removed from the famed late researcher Barnaby Jack's legendary Black Hat talk, in which he lugged two fully operational ATMs onto a Las Vegas stage and commanded them - one of them remotely - to dispense cash, the security of banking machines remains as dubious as ever.
Earlier this year, the FICO Credit Alert Service reported a startling 546 percent increase in the number of ATMs compromised by criminals - mostly through skimming attacks and at nonbank locations - between 2014 and 2015. Meanwhile, losses related to ATM attacks continue to rise year over year, with estimates placing the total around $2 billion, even as chip-based cards become more ubiquitous.
More than a half-decade after Jack awed a packed house at Black Hat, the topic remains as timely as ever, with a fresh batch of ATM attack research planned for the conference's 2016 installment, happening this week in Las Vegas. Financial institutions are responding to the onslaught of ATM thefts with smarter technology, but thieves continue to invent clever ways to evade the new measures.
To learn more about ATM hacks and what is needed to secure these precious computer terminals, I sat down with two Trustwave SpiderLabs experts to pick their brain on the hot topic.
What makes ATMs so vulnerable to cybercrime?
Thanassis Diogos, SpiderLabs managing consultant at Trustwave: ATMs typically exist as physical contact points of the banking infrastructure that are exposed to public sight. Due to this exposure, physical security has been enhanced, but criminals constantly look for an entry point that will allow them to quickly succeed with their malicious purposes. From this point of view, ATMs are becoming excellent targets for criminals, and even though we would expect fewer attacks due to new chip-and-PIN and EMV cards, this hasn't occurred.
John Hoopes, SpiderLabs managing consultant at Trustwave: They hold cash. Criminals want cash. They are often unattended. You can walk up with a ski mask and not freak anyone out. Can't do that anywhere else. They are standardized. Once you have a physical attack (or skimmer) that works on one, you can replicate it easily on tons of them. Of the six I've tested, only one bank encrypted the link from ATM to backend, and that was done using Cisco routers inside the ATM. None of them were encrypting at the OS layer. If you compromise that link, you get magnetic stripe data and the encrypted PIN block. Also of note, you can authorize massive transactions and clean out the ATM. (There's some debate on which is more useful, the card data without the PIN, the ability to eject cash from one machine, or the network connection. If you're admin on one ATM inside a VPN group, can you login to other ATMs and cause them to spit cash as well?)
Skimming is far and away the most dominant method used to compromise ATM machines, and often these hardware devices are unrecognizable. How do they work?
Thanassis: The goal behind skimming devices is to copy the personal information from the magnetic stripe of victim's card - so skimmers often come as a combination of several different components. They utilize a card reader, which, in most cases, is placed within or over the actual card reader in order to make a copy of the personal information stored within the card. The next problem that thieves have to solve is getting their hands on the PIN code, which will allow them to access the account after creating a clone card with the data already stolen. Multiple different methods have been used to do this, including fake keyboards or cameras that focus on the hand typing the PIN.
(And as this video shows, criminals will often create skimming devices that actually mimic anti-skimming devices).
Skimmers seem to be a problem not just on ATMs but also on other devices, like gas pumps and self-checkout kiosks. Are these systems facing similar risks?
Thanassis: A major part of skimming devices is the card reader, which will steal the personal information from the card inserted. Therefore, all legitimate devices accepting credit cards are potential targets for installing a skimmer device. This is especially true for devices found in gas stations or similar places, which are installed in public places, making them easy and attractive targets for criminals.
As the above video (taken by a Carbon Black security researcher) demonstrates, skimming obviously presents a huge problem for ATMs. But what about malware, which has been used in attacks.
Thanassis: On the backend, ATMs rely on a computer system that is often not based on the latest software or operating systems. A large number of ATMs still rely on Windows XP, which is unsupported and therefore provides several vulnerabilities that an intruder can take advantage of. Malicious software has been used with the intention of commanding ATMs to empty the cash they are carrying, but this kind of attack requires more advanced techniques than just installing a skimmer on front of the ATM. Based on our investigations, it seems that criminals prefer skimming devices or other physical attacks over software because of the ease to physically access the front end of ATMs.
John: Inside the ATM there are two important components: A computer, and USB-connected safe. When discussing the security of the ATMs, banks always want to talk about how good the safe is: what alarms there are on the safe, one-time passwords, long combinations, etc. What they don't mention is that it's connected as a USB device to a computer, which has all the information needed to spit out cash. I've heard of (but not seen) malware that targets these USB devices directly. No safe cracking, no explosives, just simple computer commands (such as "Spit out $20) - and the safe is soon empty.
The computers inside ATMs are rarely updated. In fact, from what I've heard, banks will break their support contracts if they update the computers. Many of them run old operating systems, including (Windows) XP. If a bad guy gets on the same network as one of these, it's trivial to gain access. I talked to one bank that wanted to migrate to the next (OS) solution, but it was going to cost around $2,000 per device.
We all remember Barnaby Jack's talk, in which he remotely commanded one of his ATMs, without ever touching it, to spit out cash. He also physically tampered with another machine to infect it with malware. Are these types of attacks happening in the real world?
Thanassis: It seems that due to new smart credit cards, which are difficult or impossible to clone, criminals had to come up with different methods of attacking the same infrastructure that remained physically exposed. ATMs internally comprise of a computer system (often based on Windows) connected to a cash dispenser, which accepts commands from the computer and handles cash management. The ultimate goal for attackers is to get their hands on cash, so it seems that directly accessing the cash dispenser and executing commands on it so that it will start spitting out cash is easier than any other more "sophisticated" method. This type of attack requires custom hardware to correctly interface the computer against the cash dispenser - often called the "black box" - and software in order to successfully emulate the communication between core computer and cash dispenser.
Have you seen anything new and interesting out there, especially since it's getting harder to reproduce credit cards given the rise of the EMV standard?
Thanassis: One recent case we have been investigating was related to three ATMs within the same region which were physically attacked during the same night. What actually happened was that attackers drilled holes on the external chassis in order to gain access to the ATM's internal cabling and the rest of the infrastructure. Doing so allowed them to plug an external black box device directly into the cash dispenser and execute the required commands so that it started spitting out cash. Three different ATMs had to be attacked because the criminals were after a compatible plug with their custom device, which was finally located only in one of the three ATMs.
You're regularly conducting forensic investigations in the wake of different attacks, including on ATMs. What common security shortfalls have you seen?
Thanassis: Recent cases have demonstrated that ATMs were configured in such a way that did not include the possibility of facing a security incident. Operating system event logging typically was configured using default values, which means it was missing several events from time and detail perspective. Additionally, there was no application whitelisting, making it very difficult to distinguish between legitimate and non-legitimate software residing within the ATM file system.
Let's get into what businesses, especially banks, need to do to prevent and detect/respond to these types of attacks. What would be your top recommendations for them?
Thanassis: Currently most ATMs suffer from software, patching and remote management issues. ATMs operate as the bank teller, but at the same time, these devices provide some level of access to internal banking infrastructure. And if banks miss security updates, they can become unmanaged resources due to missing several security updates and remote management using various "bizarre" software. We could think of ATMs like becoming the SCADA systems within the banking infrastructure. A process to keep them updated with the latest patches and security best practices should be implemented for this kind of infrastructure.
Considering many ATM attacks involve physical access - such as in the case of skimmers or black box attacks - is security testing the physical resilience of ATMs also important?
John: Absolutely. I have seen ATMs with simple locks that were supposed to be replaced in the field that weren't. I've seen Philips-head screws holding the back panel onto the ATM. I've seen panels that could be pulled off with no screws (basically a large suction cup). I've seen plain network connections plugged into the wall. I've see holes that if you poked them right, the ATM lock would pop open. I've seen bars that if you pull them with a hook, the face pops open.
For more information about how Trustwave can help technically review your ATMs for security weaknesses, visit here.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.