Teacher
Professional
Under the heading "Club of Experts" we continue to publish the book by A. Lukatsky "Myths and Misconceptions of Information Security"
There is an opinion that an ATM is practically impossible to hack. This myth is based on a number of opinions, premises and misconceptions:
1. The ATM is not connected to the Internet.
2. The ATM uses a specialized operating system.
3. The ATM is equipped with all kinds of sensors and detectors that counteract physical penetration into the mini-vault.
4. Description of actions, interfaces and API for ATM developers is kept secret and not available to outsiders.
All this led to attacks on ATMs being carried out, as a rule, in a "physical" way: skimming in its various forms and even physically ripping the ATM out with a cable attached to a car. But the situation is changing, and cases of ATM hacking with the help of high technology have already been recorded. Let's see how this is done. But first, I will comment on the four opinions above regarding ATMs.
The Internet is today the cheapest, and in some cases the only, way to connect an ATM. Laying your own channels to the ATM is simply unprofitable in most cases, especially if the ATM is located outside the bank branch and the installation of a radio modem is impossible for technical reasons. There are frequent cases of using ordinary telephone lines, the security of which is not much different from the Internet. Of course, the ATM is not just plugged into the Internet - various protective mechanisms are used. At a minimum, we are talking about encryption of the communication channel (VPN) and regular updates of the operating system. ATM manufacturers also recommend the use of additional protection tools - antiviruses, personal firewalls (for example, the Symantec Sygate Enterprise Protection solution on Diebold ATMs), multifunctional security systems (for example, the Cisco Security Agent solution on Wincor Nixdorf ATMs), etc. True, wanting to save money, not everyone uses them, which often leads to ATMs being temporarily taken out of service and even to money being stolen from the cards of unsuspecting customers.
A specialized operating system for ATMs is also a fallacy. Indeed, in the last century most ATMs were running OS/2 from IBM. But after IBM announced the end of standard support for OS/2 in 2006, Microsoft stepped up its activities, and today, according to various estimates, about 70% of all ATMs are built on Windows operating systems of various modifications (CE, XP, Embedded). For example, the major ATM makers Diebold and NCR have switched to Windows XP Embedded. What can this lead to? If you do not follow the recommendations of ATM manufacturers and security experts, the consequences will be dire - virus attacks, the installation of Trojans that steal card numbers and PIN codes, etc. So as not to be unfounded, one can give the example of Diebold ATMs infected with the Nachi worm back in 2003. In the same year, the Slammer worm affected 13,000 Bank of America ATMs and all ATMs of the Canadian Imperial Bank of Commerce. In the post-Soviet space, not so many cases of infection are known. For example, in the same 2003, many Latvian banks (for example, Latvijas Unibanka and Hansabank) suffered from the Sobig virus.
Now with regard to the inability of outsiders to write malicious code for the ATM. Who said it had to be an outsider? Where does such confidence in the infallibility of the service personnel come from, especially in a crisis, when employees are laid off or wages are cut and they are forced to earn "as they can"? The latest notorious case is the hacking of ATMs of a number of Russian banks. CNews names three - Rosbank, Petrokommerts and Bin-Bank - but in fact there are more of them; not all cases become known to the general public. The Trojan installed on the ATMs stole card numbers and PIN codes and reported them to the criminals. Of the three named banks, one (Bin-Bank) denies that its ATMs were infected, the second (Petrokommerts) made an official statement on its website about the infection of only one ATM, and the third (Rosbank) did not publish news about this on its website, although some news agencies, citing it, reported that 4 ATMs were infected. True, that report says that customer accounts were not affected; I know of at least one case when a Rosbank client lost his money and the bank refused to return it (why, read below).
In Russia, the hype was raised by Dr.Web, the developer of the well-known antivirus. Although, in fairness, it must be admitted that the Trojan for ATMs was publicly announced earlier by Sophos in its blog (Russian-language news), and Diebold itself (the manufacturer of the vulnerable ATMs) notified its customers about this threat back in January. The SecurityLab portal reports that the hack took place in the fall of last year, but for a long time the banks did not want to admit the fact of a massive hack. The compromised ATMs were in crowded places, such as the metro. How many people suffered is unknown, but the fact that the cases are not isolated is certain. Suffice it to say that, according to Diebold's own estimates, it holds about 30% of the total ATM market in Russia.
How did it come about? Diebold ATMs operate under the Windows XP Embedded operating system. Apologists for Linux or OpenBSD/FreeBSD will probably once again refer to the low level of Windows security, and they will be wrong. The problem is not in the OS at all - it goes much deeper. According to experts, it is almost impossible to plant the Trojan without the help of the bank's employees: this requires physical access to the internals of the ATM, which are usually equipped with various sensors and a video camera, making life difficult for criminals. On the other hand, writing such a Trojan is also not an easy task. According to the experts of the Russian company Positive Technologies, this can be done only if you have an idea of how Diebold ATMs and their software work and have access to the API description and other technical details. There are very few such people in our country, and they did not do this out of a good life. Considering that the incidents occurred only in Russia, I would rule out the possibility of a foreign "trace" in this case. Most likely, the author of the Trojan was either fired or otherwise suffered during the crisis and found a new use for his knowledge. A detailed analysis of the Trojan's operation once again confirms this.
In fact, the Trojan could have been introduced not only by the personnel serving the ATMs. This is another classic misconception. Many participants are involved in the chain from the production of ATMs to the start of their operation:
· ATM manufacturer
· ATM distributor
· ATM buyer (bank)
· Organization writing software for ATMs
· Organization that installs ATMs
· Organization that services ATMs
And not only can each of these participants potentially have impure thoughts, but the links between them can be attacked. For example, in the fall of last year in the UK and mainland Europe, there were cases of POS terminals being installed in stores that already contained implants aimed at intercepting card numbers and PIN codes and transmitting them to attackers via built-in GSM modules. Experts suspect that the criminals did their work either at the factory in China or immediately after the devices left the factory grounds.
Is it hard to imagine that a crime syndicate would carry out such a scheme? But a fact is a fact! Now consider an even simpler case. In 2006, in the United States, an unidentified attacker reprogrammed a Tranax Mini-Bank ATM using a manual found on the Internet. As a result, the ATM began to issue twenty-dollar bills instead of five-dollar bills. The manual described the procedure for switching the ATM into diagnostic mode, after which it could be reprogrammed at will. Of course, you had to know the administrative password to do this. But as it turned out, the ATM used the default password, which was also given in the manual. Can we then assume that the information on access to ATM functions is secret? True, in our case, taking into account all factors, I am inclined to believe
What should banks do in such a situation? Diebold itself makes the following recommendations to protect its ATMs:
· Do not use default administrative passwords and change them regularly
· Disable Windows Desktop
· Use the Symantec personal firewall that comes with Diebold software
· Use a specially configured, secure Windows operating system, which, again, Diebold offers to its customers.
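The Tranax case above and the four vendor recommendations can be turned into a fleet-wide configuration check. The following is an added example, not code from the book or from Diebold: it audits a constructed inventory of Windows-based ATMs for a default administrative password still in use, an unrotated password, the full Windows desktop being reachable (Explorer as the Winlogon shell), a disabled personal firewall, and a non-hardened OS image. The record fields, the 90-day rotation window and the `PLACEHOLDER_DEFAULT_*` password values are assumptions; a real audit would take the vendor defaults from the vendor's own documentation and the inventory from the bank's asset database.

```python
"""Hardening audit of an ATM fleet inventory (added example, constructed data)."""
import hashlib
from datetime import date
from typing import Dict, List

# Constructed placeholders standing in for vendor default passwords (not real values).
KNOWN_DEFAULT_PASSWORDS = ["PLACEHOLDER_DEFAULT_1", "PLACEHOLDER_DEFAULT_2"]
MAX_PASSWORD_AGE_DAYS = 90          # assumed rotation policy
DESKTOP_SHELL = "explorer.exe"      # Explorer as shell = full Windows desktop reachable


def pw_hash(password: str, salt: str) -> str:
    """Salted SHA-256 so the inventory never stores admin passwords in clear text."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def audit_atm(rec: dict, today: date) -> List[str]:
    """Return a list of findings for one ATM record; an empty list means compliant."""
    findings = []

    # Recommendation 1: no default administrative password, rotated regularly.
    # The record holds only a salted hash, so each known default is hashed with
    # the record's salt and compared; the clear-text password is never needed.
    if any(pw_hash(d, rec["salt"]) == rec["admin_pw_hash"] for d in KNOWN_DEFAULT_PASSWORDS):
        findings.append("default administrative password in use")
    age_days = (today - rec["admin_pw_changed"]).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"administrative password not rotated for {age_days} days")

    # Recommendation 2: Windows desktop disabled (kiosk shell instead of Explorer).
    if rec["winlogon_shell"].lower() == DESKTOP_SHELL:
        findings.append("Windows desktop enabled (explorer.exe is the Winlogon shell)")

    # Recommendation 3: personal firewall running.
    if not rec["personal_firewall_enabled"]:
        findings.append("personal firewall disabled")

    # Recommendation 4: vendor-hardened OS image deployed.
    if not rec["hardened_os_image"]:
        findings.append("not running the vendor-hardened OS image")

    return findings


def audit_fleet(inventory: List[dict], today: date) -> Dict[str, List[str]]:
    """Audit every record and map ATM id -> findings."""
    return {rec["atm_id"]: audit_atm(rec, today) for rec in inventory}


# Constructed sample inventory: one machine left at factory settings, one hardened.
SAMPLE_INVENTORY = [
    {
        "atm_id": "ATM-0001",
        "salt": "s1",
        "admin_pw_hash": pw_hash("PLACEHOLDER_DEFAULT_1", "s1"),
        "admin_pw_changed": date(2008, 1, 15),
        "winlogon_shell": "Explorer.exe",
        "personal_firewall_enabled": False,
        "hardened_os_image": False,
    },
    {
        "atm_id": "ATM-0002",
        "salt": "s2",
        "admin_pw_hash": pw_hash("PLACEHOLDER_ROTATED_PW", "s2"),
        "admin_pw_changed": date(2009, 4, 1),
        "winlogon_shell": "atm_app.exe",   # kiosk application replaces the desktop
        "personal_firewall_enabled": True,
        "hardened_os_image": True,
    },
]


if __name__ == "__main__":
    for atm_id, findings in audit_fleet(SAMPLE_INVENTORY, date(2009, 6, 1)).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{atm_id}: {status}")
```

The default-password check compares hashes rather than clear text so the audit script itself never has to hold live credentials; the remaining checks are plain inventory comparisons and are only as good as the inventory feed that populates them.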
It is difficult to recommend something to customers. Do not give up using bank cards. Some recommend using the card only in the branches of your own bank and carrying out all transactions through tellers, bypassing ATMs altogether. Not the most convenient option, especially if you are on vacation or on a business trip abroad. Another recommendation is to keep only the minimum required amount on the card. Also not always applicable, for example in the case of a vacation. Moreover, the attackers may withdraw the money not immediately, but several months after the theft. The third recommendation is quite simple - enable notification of all transactions via SMS. Paradoxically, not many people take this opportunity. Apparently, paying about 60 rubles a month for this service costs them more than losing all the money on a bank card. Of course, such a precaution will not protect you from the theft of your PIN and card number through a hacked ATM, but it will help you call the bank in a timely manner and report the fraud. This will enable the bank to block the transaction and the card so that it can no longer be used. True, you will then have to confirm your call in writing (at least, this is the requirement in my bank).
The most unpleasant thing in this situation is that the affected customers (even if they notify the bank in time) may not get their money back. The fact is that almost any banking services agreement that we sign without reading contains clauses stating that: the bank is not responsible for any actions of third parties; the bank is not responsible for unauthorized actions with the PIN code and card you received (this also applies to the password, session keys and digital signature in the case of Internet banking); and, since it is very difficult to prove that such access was unauthorized, you are deemed to acknowledge any transactions made with your card.
The difficulty is that if you decide to go to court, then even hiding behind the consumer protection law, you most likely will not find understanding from the judge. As the initiator of civil proceedings, you, not the bank, will have to prove your case. You have no evidence of an ATM break-in. References to the fact that you were in Russia when someone tried to withdraw money from your card in, for example, London or Zagreb will not convince the judge, because you could easily have handed your card to a friend who withdrew the money (there are many such cases). On the other hand, the contract clearly states that all responsibility lies with you. Such disappointing conclusions are confirmed by one of the SecurityLab visitors, as well as by the vice president of Transcreditbank, Andrey Kruptsov.