Remember how pleasant it is to hear the sound of bills being read off by an ATM? It is even more pleasant to pick them up from the ATM. These feelings are plagued by many attackers who carry out targeted attacks on ATMs. In recent years, researchers have increasingly documented major attacks on ATMs, and criminals continue to improve their methods in pursuit of cash, which is why it is necessary to be aware of the main patterns of attacks on ATMs.
1. Introduction
2. Jackpotting
3. Skimming
4. Shimming
5. Network attacks on ATM
6. Conclusions
Introduction
The problem of hacking ATMs has grown to such an extent that the US Secret Service has sent out warnings to financial institutions this year. At one time, Burnaby Jack amazed the participants at the Black Hat conference by demonstrating an attack that made an ATM literally spit out money. This method was named jackpotting; until recently, experts considered jackpotting to be only a hypothetical way to hack ATM.
Now that malware like Ploutus.D has emerged, jackpotting can be safely added to the growing list of types of ATM attacks. In addition to jackpotting, skimming, shimming and ATM network attacks are also known. Let's try to consider the popular schemes of attacks on ATMs, as well as methods of protection against them.
Jackpotting
This type of attack involves the use of external electronic devices by attackers, or malware, with the help of which they manage to gain control over the hardware component of the ATM. These attacks are also referred to as cash-out attacks.
In some cases, criminals replaced the entire hard drive of an ATM and launched malware that forced the ATM to "spit out" money. In other incidents, attackers plugged in a USB cable connecting an ATM computer to a criminals' device, which similarly forced ATM to cash out all available funds.
Using the USB port, fraudsters could also connect the ATM to a USB drive containing malware. Thus, ATM was infected and then gave money to carders.
One of these attacks was recorded back in 2015 in Germany. The attackers connected the ATM computer to their own device, which made it possible to unauthorized cash out.
Also, a cybercriminal from Novosibirsk distinguished himself, who managed to steal 360 thousand rubles from an ATM. He used a "flash drive" and a malicious program written on it.
This malicious technology is called BlackBox. Already in April of this year, experts noted a sharp increase in the demand of carders for BlackBox. BlackBox is based on connecting a third party device to a dispenser. Such a device is connected either through a drilled hole in the ATM, or using the keys of the engineers to open the service part of the ATM where the computer is located.
The best way to minimize the risk of jackpotting attacks is end-to-end encryption. Basically, encryption should be used for communication between the ATM computer and the dispenser. Robust network security controls should be used - this will also reduce the attack surface.
The most popular cybercriminal group using jackpotting, Cobalt, has attacked banks around the world, allowing it to steal more than 1 billion euros. The leader of Cobalt, which has been operating since 2013, was caught by law enforcement in Spain.
Skimming
Skimming (from the English "skim" - to slide, barely touch) is one of the types of fraud associated with payment bank cards. Criminal actions consist in the fact that hidden devices are installed in ATMs, most often located on the street, that allow reading information from payment cards during the transaction.
Having in their hands closed data on a payment document, attackers create a duplicate with a pin code recorded on a magnetic tape, which allows using this payment document for personal gain, for calculating in cash in stores, retail outlets and online stores.
An unpleasant situation is that it is very difficult for the holder of a payment document that has become a victim of skimming to prove to the bank the fact of fraud. The best and most reliable way to protect yourself from this type of fraud is to use payment cards with a chip and strictly follow all precautions for using the card.
This type of attack requires a skimmer. The skimmer is a card reader that can be easily inserted into the card slot found in all ATM machines. Thus, when a user inserts his card into an ATM, it unwittingly goes through a skimmer, which scans and stores the information, and then transfers it to the carders.
In this case, the attackers will also need the victim's PIN code, they can get it using surveillance cameras, or by applying an additional layer over the keyboard. Of course, skimming remains the most widespread method of attacks against ATM, this is due to the fact that the vulnerability lies in the magnetic stripe located on the cards themselves.
Thus, as long as the magnetic stripe is present on the cards, and they are forced to pass through its readers, attackers will always have a surface for attack. Skimming can be dealt with by installing comprehensive anti-skimming solutions as well as monitoring solutions.
For example, ATM manufacturers use technologies that interfere with the skimmer, preventing it from collecting information about users' cards. What's more, these solutions also allow you to instantly alert ATM operators, who will immediately disable the ATM in the event of an attack on it.
From the resonant incidents in which carders used skimming, one can recall three residents of the Republic of Dagestan who committed a series of thefts from ATMs. In the United States, a similar scheme was used by an unemployed person who was convicted of compromising 13 thousand bank cards. As a result, a federal court in San Diego sentenced a man who organized a massive skimming scheme to seven years and three months in prison.
Shimming
The so-called shimmer is installed in a card reader, and an attacker can do this operation in a matter of minutes, pretending, for example, that he is making a legitimate withdrawal of funds. Shimmers are made from a thin flexible printed circuit board and a microprocessor.
Once installed, the microprocessor on the shimmer will operate on the chip-in-the-middle principle, as it is programmed to transmit commands from the ATM to the victim's card and back, recording all the information the attacker needs in the process. This information is later retrieved by an attacker and used to create a fake copy of the card.
Shimmers are more difficult to detect than skimmers as they are fully integrated into the reader making them virtually invisible.
Figure 1. Shimmers inserted into an ATM reader
Despite the fact that shimming is quite popular, it will only work if the attacked bank incorrectly organizes transactions. An attacker will not be able to use a clone of a card if a transaction requires a CVV, but if this code is not required (for example, for any online transactions), then the criminal will be able to steal money.
Network Attacks on ATM
In this case, cybercriminals infect ATMs via the network. Once the cybercriminals gain access to the bank's network, they can remotely install malware into the ATM. It should be noted that many private ATMs operated by retailers use unencrypted messages, which puts users' card details at risk.
On one of the online markets, a set of malicious programs for ATMs was even found, for which the authors asked for $ 5,000. The set was actively promoted by cybercriminals, who called it Cutlet Maker. Cutlet Maker was developed to attack various models of Wincor Nixdorf ATMs, the malicious code used the manufacturer's API, which allowed it to carry out illegal actions without interacting with ATM users and their data.
Such attacks on bank networks are no different from cyberattacks on other types of infrastructures, therefore, they should be protected in the same way. Namely:
- Protect credentials - secure storage of credentials, restricting access to them to minimize the risk of unauthorized use.
- Protect sessions - Clearly separate the admin endpoint from the ATM infrastructure to prevent malware from infiltrating assets from the network.
- Provide low-level privileges and endpoint protection - reduce attack surface, apply whitelisting and blacklisting principles.
- Continuous monitoring - thoroughly scan the network based on event patterns. In the event that an attacker gains access to data, the responsible persons must immediately detect and eliminate the malicious behavior.
Conclusions
ATM attacks are as old as the world, but some of the techniques that attackers are adopting are relatively new. Some malicious schemes leave banks wondering how to securely protect their ATMs. With a basic understanding of the most popular attack methods, it will be easier for banks to navigate the protection methods, which will better protect client funds.
