Imagine winning the lottery and having an ATM spit huge amounts of cash at you. That’s exactly what some cybercriminals are after. They’re targeting ATMs and launching “jackpotting” attacks, forcing them to dispense bills like a winning slot machine. Already this year, the U.S. Secret Service has warned financial institutions of such attacks.
Security researcher Barnaby Jack demonstrated such an attack and amazed attendees at Black Hat when he made two unpatched ATMs spit out cash on stage. For the most part, however, jackpotting was little more than a hypothetical until recently.
Now, with confirmed strains of malware like Ploutus.D being used in ATM jackpotting attacks on U.S. soil, jackpotting can be added to the growing list of popular ATM attack types, including skimming, shimming and network-based attacks. Here we examine various ATM attack techniques and offer security recommendations to protect against them.
Attackers use external electronic devices or malicious software to launch jackpotting or “cash-out” attacks, which give them control over the ATM hardware. In some instances, attackers replace the entire hard disk of the ATM PC and boot their own software to drive the dispenser. Other attacks involve locating the USB cable connecting the cash dispenser to the ATM’s PC, cutting it and connecting the dispenser side to an attacker-controlled device, which then commands the dispenser to empty its cassettes. Attackers can also expose a USB port on the ATM PC and plug in a USB drive containing malware, which then takes control of the cash dispenser. All three variants work for the same reason: the dispenser executes any well-formed command it receives, without checking that the command came from the legitimate, untampered ATM core.
One such attack was performed in Germany in August 2015 when attackers accessed the ATM top box, disconnected the communications cable to the cash dispenser from the ATM PC core, and then connected the cable to their own device (the ‘Black Box’). Commands were then sent by the external electronic device directly to the dispenser, resulting in an unauthorized dispense of cash from the ATM.
The most effective way to minimize the risk of jackpotting is end-to-end encryption: authenticated, encrypted communication between the ATM PC core and the cash dispenser, so the dispenser rejects commands from any device that cannot prove it is the legitimate core; full-disk encryption of the hard drive, so a swapped or offline-modified disk will not boot the ATM software; and encrypted communication between the ATM and the financial network. Combined with sound network security controls and a least-privilege configuration on the ATM endpoint, this drastically reduces the attack surface.
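To make the first of those controls concrete, here is an added example (not code from the original article or from any ATM vendor) of a dispenser that only executes commands authenticated against a challenge it issued. It assumes a single pre-shared key provisioned into both the PC core and the dispenser firmware, a hypothetical simplification of the per-device key management a real deployment would use; the command format and the `Dispenser`, `AtmCore` and `BlackBox` classes are likewise constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: a secret shared by the ATM PC core and the dispenser
# firmware. This is a hypothetical pre-shared key; real deployments derive
# per-device keys under the vendor's key-management scheme.
DISPENSER_KEY = hashlib.sha256(b"example-dispenser-key").digest()


def command_tag(key, nonce, amount):
    """MAC binding a dispense amount to the dispenser's one-time challenge."""
    return hmac.new(key, nonce + struct.pack(">I", amount), hashlib.sha256).digest()


class Dispenser:
    """A cash dispenser that executes only authenticated, fresh commands."""

    def __init__(self, key, notes):
        self._key = key
        self.notes = notes        # notes left in the cassette
        self._pending = None      # outstanding challenge, single-use
        self.log = []

    def challenge(self):
        self._pending = os.urandom(16)
        return self._pending

    def dispense(self, nonce, amount, tag):
        # Freshness: the nonce must be the one we issued and not yet consumed,
        # so a command captured on the cable cannot simply be replayed.
        if self._pending is None or not hmac.compare_digest(nonce, self._pending):
            self.log.append(("rejected", "stale or unknown challenge", amount))
            return False
        self._pending = None
        # Authenticity: only a device holding the key can produce the tag.
        if not hmac.compare_digest(command_tag(self._key, nonce, amount), tag):
            self.log.append(("rejected", "bad authentication tag", amount))
            return False
        if amount > self.notes:
            self.log.append(("rejected", "insufficient notes", amount))
            return False
        self.notes -= amount
        self.log.append(("dispensed", "", amount))
        return True


class AtmCore:
    """The legitimate ATM PC core: it holds the key, so it can sign commands."""

    def __init__(self, key):
        self._key = key
        self.last_command = None

    def request(self, dispenser, amount):
        nonce = dispenser.challenge()
        self.last_command = (nonce, amount, command_tag(self._key, nonce, amount))
        return dispenser.dispense(*self.last_command)


class BlackBox:
    """Attacker device spliced onto the dispenser cable; it has no key."""

    def attack(self, dispenser, amount):
        nonce = dispenser.challenge()
        forged_tag = bytes(32)  # the attacker cannot compute a valid tag
        return dispenser.dispense(nonce, amount, forged_tag)


def demo():
    dispenser = Dispenser(DISPENSER_KEY, notes=1000)
    core = AtmCore(DISPENSER_KEY)
    legit = core.request(dispenser, 100)             # True
    replay = dispenser.dispense(*core.last_command)  # False: challenge consumed
    black_box = BlackBox().attack(dispenser, 900)    # False: no key, bad tag
    return {"legit": legit, "replay": replay, "black_box": black_box,
            "notes_left": dispenser.notes}


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately separate: the tag defeats a black box that has no key, and the single-use challenge defeats an attacker who taps the cable, records a genuine command and replays it. Encrypting the link on top of this hides amounts and cassette state from a tap, but without authentication, encryption alone would not stop a device that can speak the protocol.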
Some attackers take the old-fashioned route and crack the ATM open using explosives, but there’s a much slicker, high-tech form of theft targeting the magnetic-stripe data on the card itself: skimming.
ATM skimming is a two-component identity theft. First, attackers use hidden electronics to steal personal information stored on a user’s card. Next, they use further means to record a user’s PIN.
The first part involves the skimmer itself. The skimmer is a card reader that seamlessly integrates over the ATM’s card slot. When a user inserts their card into the machine, they are unwittingly inserting it through the attacker’s card reader, which scans and stores the information on the magnetic stripe and sends it back to the attacker.
Attackers then need the user’s PIN to make use of the stolen card. They use spy cameras and keyboard overlays to record the victim’s PIN, giving them everything they need to replicate and use a victim’s card.
Card skimming remains, by far, the most frequent form of ATM attack, and its frequency remains high even in markets where EMV (Europay, Mastercard and Visa) has been fully deployed and chip cards are used. That’s because the vulnerability lies with the magnetic stripe on the card. As long as the stripe remains on the card and the card passes through a device that reads the stripe data, the risk of card skimming exists.
Card skimming can be effectively prevented by deploying comprehensive anti-skimming and monitoring solutions. For example, ATM manufacturers now fit card readers with jamming capabilities, a field emitted around the card slot that prevents a skimmer’s read head from recovering the stripe data, coupled with a monitoring system that alerts the ATM operator when a foreign device is detected on the slot, so the operator can immediately take the ATM out of service when they suspect it is being attacked.
Unlike skimmers, a shimmer – named for its slim profile – fits inside an ATM card reader and can be installed quickly and unobtrusively by an attacker who slides it into the machine while pretending to make a withdrawal.
Shimmers are made of a thin, flexible printed circuit board and a microprocessor chip. Once installed, the microprocessor on the shimmer is programmed to function as a chip-in-the-middle: it relays the ATM’s commands to the victim’s chip card and the card’s responses back, while recording the data the chip returns. This information is later extracted by the attacker and used to write cloned magnetic-stripe cards. It cannot be used to fabricate a working chip card, because the chip’s secret keys never leave the chip. Shimmers are harder to detect than skimmers because they sit completely inside the ATM reader, making them virtually invisible.
Although shimming attacks are here to stay, they succeed only if issuing banks fail to authorize card transactions properly. The chip’s Track 2 Equivalent data carries a different card verification value (the iCVV) from the CVV1 encoded on the magnetic stripe. If the issuer verifies the CVV1 on every magnetic-stripe authorization, a stripe written from shimmed chip data carries the iCVV instead and is declined, which effectively shuts down this category of fraud. Shim-cloned cards can still be used in Internet (card-not-present) transactions that do not require the CVV2 printed on the card, a value that is neither on the stripe nor on the chip.
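The issuer-side check described above, as an added example that is not part of the original article: it personalises a card with distinct stripe and chip verification values, then authorizes a genuine swipe, a stripe written from shimmed chip data, and the same clone at an issuer that skips the check. Assumptions: the HMAC-based `verification_value` is a stand-in for the real DES-based CVV algorithm run under CVK keys in an HSM; the iCVV is derived by substituting service code `999`, as the common iCVV scheme does; the Track 2 layout is simplified to `PAN=YYMM<service code><verification value>`; the PAN is a standard test number; the function names are constructed.

```python
import hashlib
import hmac

# Constructed example: the issuer's card verification key (CVK). Real issuers
# derive CVV1 and iCVV with a DES-based algorithm under CVK pairs held in an
# HSM; this HMAC is a stand-in with the one property that matters here: the
# value depends on PAN, expiry and service code and cannot be produced
# without the key.
CVK = hashlib.sha256(b"example-issuer-cvk").digest()


def verification_value(pan, expiry, service_code, key=CVK):
    """Derive a 3-digit verification value bound to PAN, expiry and service code."""
    msg = f"{pan}|{expiry}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def personalise(pan, expiry, service_code):
    """Return the track data the issuer writes onto one card.

    The stripe carries CVV1; the chip's Track 2 Equivalent carries iCVV,
    derived with service code '999' substituted so the two values differ.
    Simplified layout (assumed): PAN=YYMM<service code><verification value>.
    """
    cvv1 = verification_value(pan, expiry, service_code)
    icvv = verification_value(pan, expiry, "999")
    return {
        "stripe_track2": f"{pan}={expiry}{service_code}{cvv1}",
        "chip_track2_equivalent": f"{pan}={expiry}{service_code}{icvv}",
    }


def parse_track2(track2):
    pan, rest = track2.split("=", 1)
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "cvv": rest[7:10]}


def authorise_swipe(track2, verify_cvv=True):
    """Issuer-side authorization of a magnetic-stripe (swiped) transaction."""
    t = parse_track2(track2)
    if not verify_cvv:
        return "approved"  # the lax issuer the text warns about: clones work
    # Recompute the CVV1 that belongs on a stripe with this service code and
    # compare it with what the stripe actually carries.
    expected_cvv1 = verification_value(t["pan"], t["expiry"], t["service_code"])
    if hmac.compare_digest(t["cvv"], expected_cvv1):
        return "approved"
    return "declined: CVV1 mismatch (track written from chip data?)"


def demo():
    card = personalise("4111111111111111", "2712", "201")  # constructed test PAN
    # A shimmer records the chip's Track 2 Equivalent; the attacker writes it
    # onto a blank stripe, so the clone carries iCVV where CVV1 should be.
    clone = card["chip_track2_equivalent"]
    return {
        "genuine_swipe": authorise_swipe(card["stripe_track2"]),
        "shim_clone_strict_issuer": authorise_swipe(clone),
        "shim_clone_lax_issuer": authorise_swipe(clone, verify_cvv=False),
    }


if __name__ == "__main__":
    print(demo())
```

The decisive line is the recomputation in `authorise_swipe`: the issuer never trusts the verification value it receives, it derives the one that should be there and compares. An issuer that wrote the same value onto both stripe and chip, or that skipped the comparison, would approve the clone exactly as the lax path does.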
ATM network-based attacks
Attackers are also now infecting ATMs with malware through networks. Once an attacker gains a foothold on a bank’s network, they can push ATM malware to machines from a remote location, without ever touching the ATM.
Another ATM network attack targets off-premise ATMs. These have to be connected to the banking networks, yet many off-premise ATMs still use unencrypted communications, exposing card details to anyone who can tap the link (although not PINs, which are encrypted by the PIN pad before they leave it).
Network-based attacks on ATMs are no different than attacks on other types of infrastructure, and should be protected by using the same means, which include:
Protecting credentials – Store access credentials securely, restrict access and automatically rotate them to reduce unauthorized use of privileged accounts.
Securing sessions – Use session isolation to create separation between administrators’ endpoints and the ATM infrastructure, so that malware on an administrator’s workstation cannot spread from the network to the target assets.
Enforce least privilege and endpoint protection – Reduce the attack surface by restricting which processes and operations may run on ATM infrastructure (application allow-listing, with explicit deny-lists for known-bad tooling).
Continuous monitoring – Closely monitor networks for events, or patterns of events, that fall outside the baseline established for each network. In the event that an attacker manages to hijack credentials and gain access to target assets such as ATMs, organizations must be able to quickly detect and address the malicious behavior.
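What “patterns of events that fall outside baselines” looks like for an ATM fleet, as an added example that is not from the original article: a detector run over a constructed ATM journal. It flags the three signatures a jackpotting or remote-malware dispense leaves in the journal: a dispense with no host authorization shortly before it, a dispense larger than the amount the host approved, and a burst of dispenses from one machine. The log format (`<ISO timestamp> <atm id> <event> [key=value ...]`), the event names, the sample lines and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample journal (not from any real ATM). Assumed format:
# "<ISO timestamp> <atm id> <event> [key=value ...]"
SAMPLE_LOG = """\
2018-01-26T02:13:05 ATM0042 CARD_READ pan_hash=7f3a
2018-01-26T02:13:09 ATM0042 PIN_VERIFIED
2018-01-26T02:13:12 ATM0042 HOST_AUTH result=approved amount=200
2018-01-26T02:13:14 ATM0042 DISPENSE amount=200
2018-01-26T03:40:01 ATM0042 DISPENSE amount=2000
2018-01-26T03:40:20 ATM0042 DISPENSE amount=2000
2018-01-26T03:40:41 ATM0042 DISPENSE amount=2000
2018-01-26T03:41:02 ATM0042 DISPENSE amount=2000
2018-01-26T03:55:10 ATM0017 CARD_READ pan_hash=19c0
2018-01-26T03:55:15 ATM0017 PIN_VERIFIED
2018-01-26T03:55:17 ATM0017 HOST_AUTH result=approved amount=100
2018-01-26T03:55:19 ATM0017 DISPENSE amount=300
"""


def parse(line):
    ts, atm, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "atm": atm, "event": event, **fields}


def detect(log_text, auth_window=60, burst_n=3, burst_window=120):
    """Return (atm, timestamp, reason, amount) alerts for suspicious dispenses.

    Baseline: every DISPENSE is preceded, within auth_window seconds on the
    same ATM, by exactly one approved HOST_AUTH for at least that amount, and
    no ATM dispenses burst_n times within burst_window seconds.
    """
    alerts = []
    last_auth = {}                 # atm -> (timestamp, approved amount)
    recent = defaultdict(deque)    # atm -> timestamps of recent dispenses
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        atm, ts = e["atm"], e["ts"]
        if e["event"] == "HOST_AUTH" and e.get("result") == "approved":
            last_auth[atm] = (ts, int(e["amount"]))
        elif e["event"] == "DISPENSE":
            amount = int(e["amount"])
            auth = last_auth.pop(atm, None)  # one authorization covers one dispense
            if auth is None or ts - auth[0] > timedelta(seconds=auth_window):
                alerts.append((atm, ts.isoformat(), "dispense without host authorisation", amount))
            elif amount > auth[1]:
                alerts.append((atm, ts.isoformat(), f"dispensed more than authorised ({auth[1]})", amount))
            window = recent[atm]
            window.append(ts)
            while window and ts - window[0] > timedelta(seconds=burst_window):
                window.popleft()
            if len(window) == burst_n:  # fire once when the threshold is crossed
                alerts.append((atm, ts.isoformat(), f"{burst_n} dispenses within {burst_window}s", amount))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The first rule is the one that catches malware such as Ploutus.D, which drives the dispenser directly and never produces a host authorization; the burst rule catches the same activity when the malware fakes or suppresses authorization events, because a legitimate ATM rarely dispenses several times in a minute. Over-dispense is the signature of a compromised ATM PC that passes a small amount to the host and a large one to the dispenser.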
The bottom line
Criminal attacks on ATMs aren’t anything new. What’s new, however, is the ways in which they’re being carried out.
Attackers are constantly evolving their attack methods. This makes it particularly challenging for financial institutions to secure ATMs.
With a basic understanding of the most popular attack methods, banks will be more successful in protecting ATMs – and ultimately, their customers – even when new malware is introduced.