East European ATM sniffing down to poor code auditing
Reports that malicious hackers have developed a range of data-sniffing and stealing trojans that have skimmed cardholder data from Eastern European ATMs since the end of 2007 highlight what can happen if security code auditing is not carried out at all stages in program development, says Richard Kirk, Fortify’s European director.
“Our colleagues at Sophos and SpiderLabs have discovered that the trojans home in on the data stream from the magnetic stripe of ATM users’ cards and store/relay that data for subsequent fraudulent usage,” said Kirk.
“What’s interesting about this case is that, if the ATM program code – which probably runs on Windows operating system as most ATMs are driven by the Microsoft operating system – had been fully code audited from day one, the security loophole that allows this trojan to operate probably wouldn’t be there,” he added.
What is also of concern, says Kirk, is the fact that hackers were able to use their trojan applications for around 18 months – and refine their own program code many times – before being detected.
This, he says, indicates that the hackers probably have a development process equal to, if not better, than the developers of the ATM software.
This, he explained, is ironic, and illustrates the dedication – driven by the illegal revenues available – that criminal gangs now have when pursuing their illegal careers.
“Now that the hackers’ trojans have been rumbled, they will probably move on to new revenue-generating pastures. It is to be hoped that these pastures do not include the bank’s ATM-controlling computers, otherwise we’re all in deep trouble,” he said.