Attacking an ATM using Raspberry Pi

Tomcat



There is little that has not been done to ATMs: they are torn out of the wall, tied with a cable to a car, drilled, blown up and cut (sometimes in the State Duma building). According to EAST statistics, criminals have become less likely to use skimming, preferring trapping and physical sabotage. Another new trend is causing a lot of trouble for security specialists: virus attacks on ATMs. There is Trojan.Skimer, Backdoor.Ploutus, the very recent Tyupkin malware, and other “applications”, some well known and some less so. The malware is loaded onto the ATM computer, usually from external media, and is used for unauthorized withdrawal of money or interception of card data. Another method of attack was described by Positive Technologies experts Olga Kochetova and Alexey Osipov at the computer security conference Black Hat Europe 2014, held in October in Amsterdam.

To test the security of the test ATM, which survived three Positive Hack Days forums, the popular miniature Raspberry Pi controller was chosen. The device is easily hidden inside the case and does not attract the attention of technical personnel who, for example, change paper in built-in printers and therefore have keys to the service area.

Finding documentation describing ATM interfaces is not so difficult, and Alexey Lukatsky wrote about this five years ago in his “Myths of Information Security.” ATM and payment terminal equipment, regardless of manufacturer, has a common API for accessing and managing various modules and runs on the Windows platform in accordance with the unified Extensions for Financial Services (XFS) standard.

Knowing the API, you can gain control over the ATM host computer and directly manage various peripheral devices installed inside the ATM cabinet - card reader, PIN keypad, touch display, banknote dispenser, etc. Don't forget about the vulnerabilities of the ATM's operating system either: Windows has them in stock for many years to come.


Weakness


Before installing the Raspberry Pi and connecting the device to the Ethernet, USB, or RS-232 ports, the ATM must be opened. At the top of the ATM is the service area. This is where the computer that controls the ATM devices and network equipment (including poorly protected GSM/GPRS modems) is located. The service area is practically uncontrolled, as it is used by maintenance personnel for various jobs. It is much easier to access than the safe with money located below. It can be opened with keys that are easy to make or with very simple improvised means.


But just opening it is not enough - you need to do it quickly and unnoticed.

At the Black Hat conference, Positive Technologies researchers demonstrated how long it would take for attackers to install a microcomputer in an ATM service area to use it as a sniffer—an interceptor of PIN codes and credit card numbers—or a hardware skimmer that leaves no trace on the appearance of the ATM. It took two minutes to unlock the ATM case, integrate the microcomputer, disguise it and connect it to the Internet.

In preparation for the show, the Raspberry Pi was programmed to control ATM peripherals. A Wi-Fi adapter was connected to the microcomputer, so that it could be reached from any device, for example, from a smartphone. Commands to dispense money were sent to the dispenser through a specially implemented web interface. As an example, the issuance of several banknotes was shown, and after some modification of the sent code, the ATM immediately parted with all the deposited banknotes. By the way, each cassette of a typical ATM holds from two to three thousand bills, and there are usually four such cassettes - for several denominations.



Needless to say, during the experiment, the ATM dispensed bills without leaving any records in its computer, and the built-in video camera of the ATM, although working, was, like other devices inside the captured ATM, controlled using a Raspberry Pi.

Is it possible to protect yourself?


Securing ATMs is not easy. Much depends on the attack scenario. For example, the Research Center “Security” of the Ministry of Internal Affairs recommends that manufacturers use a smoke generator, an ultrasonic barrier and a xenon strobe, and specialists from the British LINK recommend banning standard locks for access to the service area and making more active use of web cameras.

However, the main problem, according to our researchers, is the ability to install any device or program into an ATM (even Angry Birds), which is caused by the abundance of critical vulnerabilities in operating systems. The situation could be changed by the joint work of banking equipment manufacturers on a new open specification that would ensure secure interaction and effective authentication of ATM components, so that someone who has obtained a key to the service area could not so easily connect anything to the system.
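To make the idea of authenticated ATM components concrete, here is a minimal sketch of a peripheral that accepts a command only when the host proves possession of a shared key over a fresh challenge. This is an added example, not part of the original post or of any XFS specification; the `Peripheral` class, the `command_tag` function and the command strings are hypothetical.

```python
import hashlib
import hmac
import os


def command_tag(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """MAC over the device's nonce and the exact command bytes."""
    # Length-prefix the command so field boundaries are unambiguous.
    msg = nonce + len(command).to_bytes(4, "big") + command
    return hmac.new(key, msg, hashlib.sha256).digest()


class Peripheral:
    """Device side (hypothetical): runs a command only if the sender holds the key."""

    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)  # fresh value for every command
        return self._nonce

    def accept(self, command: bytes, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # each nonce is valid once
        if nonce is None:
            return False
        expected = command_tag(self._key, nonce, command)
        return hmac.compare_digest(expected, tag)  # constant-time compare


def run_demo() -> dict:
    key = os.urandom(32)  # assumed to be provisioned into host and device
    dev = Peripheral(key)
    cmd = b"DISPENSE count=1"  # constructed sample command

    tag = command_tag(key, dev.challenge(), cmd)
    legit = dev.accept(cmd, tag)  # genuine host

    dev.challenge()
    replay = dev.accept(cmd, tag)  # old message against a new challenge

    tag2 = command_tag(key, dev.challenge(), cmd)
    tampered = dev.accept(b"DISPENSE count=40", tag2)  # altered in transit

    forged = command_tag(os.urandom(32), dev.challenge(), cmd)
    no_key = dev.accept(cmd, forged)  # device plugged in without the key

    return {"legit": legit, "replay": replay,
            "tampered": tampered, "no_key": no_key}
```

The scheme only helps if the key is kept where a device plugged into the service area cannot read it, which is a provisioning question the sketch does not address.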
 