ATM surprise

Tomcat

Recently, Doctor Web announced the discovery of a new Trojan program, Trojan.Skimer.18, created specifically to infect ATMs and steal plastic card data. The Banki.ru portal looked into how well ATMs are actually protected against malware.

Virus collection

For the cardholder, the ATM is the face of the bank. If you urgently need to withdraw or deposit cash, and the nearest ATM is not working, this upsets the client. Such incidents are especially unpleasant for domestic holders: not everyone likes to carry cash with them, and cards are not accepted for payment everywhere. In fact, this is not the worst thing. Alas, even a completely “healthy”-looking device may turn out to be not a friend, but a real enemy.

It is no secret that inside the ATM there is a very ordinary personal computer running a program that controls all the functions of the machine: reading and authorizing plastic cards, sending data to the processing center, issuing and accepting cash. The card reader and banknote dispenser are connected to this computer and controlled through special driver programs. Architecturally, the system is no different from the computer on your desk. And it is just as vulnerable to Trojans.

This is not the first time Doctor Web has reported on a threat of this kind: in 2009, the discovery of Trojan.Skimer, which stole card data from Diebold ATMs, was widely discussed. Five years of relative calm have passed since then, but this does not mean that the attackers have left ATMs alone. On the contrary, carders willingly cooperate with virus writers, purchasing ever more sophisticated malware from them.

Sergey Golovanov, leading anti-virus expert at Kaspersky Lab, believes that this problem is extremely relevant: “We do not yet supply anti-virus products for ATMs; however, the company’s specialists also receive detected samples of ATM Trojans and participate in their analysis. Currently, our collection includes 68 unique specimens from four different families. Backdoor.Win32.Skimer attacks Diebold ATMs and works with both the dispenser and the card reader; 28 modifications are known from March 2009 to October 2013. Backdoor.Win32.SkimmerNC targets NCR ATMs, works only with the card reader, and was discovered in December 2013 (two modifications). Trojan-Banker.MSIL.Atmer works with NCR ATMs and withdraws money through the dispenser; found in October 2013, three modifications are known. A real all-rounder, Trojan-Spy.Win32.SPSniffer, is used with any ATMs running Windows XP and reads card data. Discovered in March 2012, 35 modifications have been captured so far.”

Mark Orlov, head of consulting and integration at NCR, clarified the situation with infections of ATMs manufactured by NCR: “ATMs manufactured before 2009, in which the old keyboard was not upgraded to PCI-compatible keyboards operating in dual mode, and which also lack the protection recommended by NCR, Solidcore for APTRA, may be infected with a Trojan program. Solidcore for APTRA reduces the risk of unauthorized execution of any executable code, regardless of how an attacker manages to inject it into the ATM.”

Cards, money, Trojans

Once inside an ATM, a specially written Trojan can perform many different actions. But its main functions are reading data from the magnetic stripe of a plastic card (a kind of skimming without a skimmer) and directly “milking” the ATM by sending a fake command to the dispenser to dispense banknotes. Some Trojans can do both, some only one. For a carder, the difference between these two ways of earning money is that theft from the cash cassettes will be detected at the very first cash collection after infection, whereas the Trojan can read other people’s cards for a very long time, perhaps even for the entire service life of the ATM.

Please note that it is impossible to find out the entered PIN code of the card from inside the ATM. In PIN entry mode, the keyboard encrypts the entered number and provides the ATM system only with a hash value computed over the PIN and an added modifier (the so-called “salt”). This hash is unique for each PIN, but knowing it, it is almost impossible to recover the PIN itself. Strictly speaking, having read the hash from an ATM and learned the algorithm for calculating it, you could determine the PIN by exhaustive search, computing the hash for every number from 0000 to 9999; what prevents this is the “salt”, which is known only to the keyboard and to processing. Accordingly, card authorization comes down to comparing the hash of PIN + “salt” issued by the ATM keyboard with the hash of PIN + “salt” calculated by processing.
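The verification and the exhaustive-search argument above, as an added example (not code from the article), using the article's simplified model in which the keypad releases only a digest of PIN + salt; the salt, PIN and hash function are constructed sample values:

```python
import hashlib
import hmac

# Simplified model of the article's description: in protected mode the keypad
# never releases the PIN, only H(salt || PIN), where the salt is a secret known
# to the keypad and the processing centre alone. Constructed sample value.
KEYPAD_SALT = b"constructed-shared-secret-salt"


def protected_keypad_output(pin: str, salt: bytes = KEYPAD_SALT) -> str:
    """What the ATM software (and any Trojan running on it) sees in protected mode."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def processing_verify(pin_on_file: str, digest_from_atm: str,
                      salt: bytes = KEYPAD_SALT) -> bool:
    """Processing recomputes the digest for the PIN on file and compares it
    in constant time with what the keypad sent via the ATM."""
    expected = protected_keypad_output(pin_on_file, salt)
    return hmac.compare_digest(expected, digest_from_atm)


def exhaustive_pin_search(digest: str, assumed_salt: bytes):
    """Try all 10,000 four-digit PINs against a captured digest.

    This only succeeds if the caller knows the real salt: with the digest and
    the algorithm but a guessed salt, every candidate misses and None is returned,
    which is the article's point about why the salt matters."""
    for n in range(10_000):
        candidate = f"{n:04d}"
        attempt = protected_keypad_output(candidate, assumed_salt)
        if hmac.compare_digest(attempt, digest):
            return candidate
    return None


if __name__ == "__main__":
    digest = protected_keypad_output("4931")  # "4931" is a constructed sample PIN
    print("processing accepts correct PIN:", processing_verify("4931", digest))
    print("search with the real salt   :", exhaustive_pin_search(digest, KEYPAD_SALT))
    print("search with a guessed salt  :", exhaustive_pin_search(digest, b"guess"))
```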

Everything would be fine, but the ATM keyboard, although called a “PIN-pad”, is used for far more than entering a PIN. Banks compete with each other on the set of functions offered to clients, and many of them require entering other numerical data: card and account numbers, phone numbers when paying a mobile bill, and so on. This data cannot be protected in the same way: processing does not know it in advance, so there is no hash to compare against. That is why the keyboard has a second mode of operation, in which it simply passes the digits the user enters to the computer in the clear.

A Trojan that has settled in an ATM does a very simple thing: it replaces the program responsible for communicating with the user. It displays exactly the same screens and asks the cardholder for the PIN in exactly the same way, but it talks to the keyboard in the unprotected mode. This way it obtains everything it needs about the card: the contents of its magnetic track and the PIN code.

Management and control

Once inside the ATM system, the Trojan has a very limited set of ways to communicate with the outside world. Although data exchange with processing takes place over public channels (a wired network or a 3G connection), no Internet access is possible from the ATM. Dedicated equipment maintains an encrypted communication channel with processing and nothing else.

Because of this, “communication” between the Trojan and its owner takes place only in person. The owner (more precisely, a drop, a criminal at the lowest level of the carder hierarchy) inserts a special smart card into the infected ATM, which can be disguised as a regular bank card with an EMV chip. The card contains a code; once the Trojan reads it, it switches to command mode and displays its control menu.

Using this menu, the drop can steal money from the ATM dispenser, update the Trojan’s files to a new version (the Trojan loads the update from the smart card’s memory), and collect the data of the cards read so far. In the latter case, the Trojan either writes files with dumps and PIN codes to the same smart card or prints the data directly on ATM receipts.

Vectors of infection

The ATM is a disciplined machine: it doesn’t open phishing links, it doesn’t visit suspicious sites, and you can’t even insert an infected flash drive into it. To some extent, this protects it from picking up malware, but it does not stop carders. In this case, however, their methods lack grace: the ATM is infected by a bank employee, bribed or intimidated by criminals.

The most straightforward method of infection begins with damage to the ATM (for example, the reader slot is clogged with paper). The support engineer who arrives on call is bribed right on the spot (there is no risk: if he doesn’t agree, the criminals move on to another ATM). The engineer has a key that allows him to open the upper part of the ATM and gain access to its contents. He doesn’t have the cash collector’s key that opens the safe with the cash cassettes, but he doesn’t need one: if necessary, an infected ATM will voluntarily hand over all the money through the banknote dispenser.

The second method is even simpler: an employee of the processing center who can remotely install software updates on ATMs is recruited. True, the system logs all actions of this kind, and it is not easy to escape responsibility in such cases.

The most technical method is to open the ATM without a key. Most ATMs are equipped with tamper sensors that alert security. But carders have learned to carefully drill holes in thin areas of the case and work through them. So far, only internal connections of skimmers through such holes have been recorded, but in this way one can also reach the USB ports. Many ATMs run Windows XP, which has autorun from external drives enabled by default. If the ATM manufacturer has not taken special protective measures, an infected flash drive can infect the system.

Shield and sword

It is certainly possible to protect an ATM. There are basic recommendations for ensuring ATM security, which, however, are not mandatory for banks. Manufacturers offer banks a variety of delivery options: you can order an ATM in a minimum configuration, which will be cheaper, or you can choose the full set of protective equipment.

Dmitry Pogodin, business development manager at Diebold, described how his company offers protection against banking Trojans: “Our method is to create multi-level, comprehensive ATM protection. We believe that the fight against malware should not be reduced solely to software protection tools. We recommend that our clients start with physical security, as well as the use of such protection means as reinforced locks, a system for controlling and delineating access rights to the head of the ATM, video surveillance and monitoring systems. In terms of software, we strongly recommend starting protection by installing certified legal applications and OS on the ATM.

Our company, for example, has been installing on Diebold ATMs for several years not only a specialized secure version of Windows, but also a specially designed motherboard model with Trusted Boot technology and encoding of all communications. In addition, we install Symantec Firewall & Endpoint Protection on ATMs free of charge, which allows you to control software integrity, network access, and also includes antivirus and anti-spyware protection.”

In addition to hardware protection, antivirus products are produced for ATMs that can detect an infection if it does occur. Their effectiveness is limited because automatic updating of their virus databases is impossible: updates are applied only by bank employees, who may neglect to do so.

Systems like Solidcore for APTRA, supplied by NCR, work differently (not replacing, but complementing antivirus software). Their essence is to control the actions of running programs. No application not on the approved list will launch on such an ATM, and if one does launch, it will not gain access to the card reader, the dispenser, or the keyboard.

Unfortunately, the cardholder has no way to protect himself or determine the presence of malware on the ATM. At the same time, many banks strive for maximum savings on their ATM network and neglect protection against Trojan programs. However, there is hope for some progress in this direction: in light of upcoming changes in the law on the national payment system, which provide for the reimbursement of money to clients who have become victims of fraudulent transactions, such carelessness can be quite expensive for banks.

(c) Mikhail DYAKOV