There are few targets that attract criminals as much as automatic teller machines (ATMs) do, unlike banks or armored vehicles, they have the least surveillance and no protective devices. Therefore, ATMs become the target of various attacks.
In Europe, attacks on ATMs have been rising for the fourth consecutive year, with a 27% increase from 2017 to 2018. The losses caused by various attacks in 2018 exceeded 36 million euros (40.5 million US dollars), an increase of 16% over 2017. It is estimated that by 2020, there will be more than 3.5 million ATMs in use worldwide, meaning criminals will have more opportunities.
Criminals use a series of techniques to steal cash from ATMs, from breaking into safes to attacking networks or software. In one case, after an entire ATM was missing for several months, ATMs of the same model series suffered significant cash losses. Therefore, the bank hired IBM Security's experienced hacker team X-Force Red to test its ATM environment. During the test, X-Force Red discovered a zero-day vulnerability that thieves used to install custom malware.
Banks are very aware of the attraction of ATMs to criminals and are increasingly committed to strengthening the security of their ATMs. From 2017 to 2018, global banks increased ATM security testing by 300%, and vulnerabilities in machines and their connected infrastructure were often found in these tests.
Five major ATM security vulnerabilities
The following are the five major ATM vulnerabilities discovered during many years of ATM penetration testing. Almost all tested ATMs have at least one of these weaknesses.
1. Backhoes
ATMs are highly susceptible to physical threats, such as using excavators (Backhoes) to steal the entire ATM machine.
There are some technologies that can make physical attacks more difficult, such as using wall-in models, guard columns, etc. But excavators are large enough to steal ATMs out of concrete. However, when using excavators, criminals are easily captured by cameras, and the risks are also great.
2. Weak physical locks
Most ATMs are divided into two cabinets. The lower part is a safe containing the ATM and the deposit receiver, while the upper part contains computers, card readers, password keyboards, receipt printers, and other equipment. The safe itself is very secure.
However, the upper cabinet is usually protected by a very weak password lock, which can be bypassed in a few seconds. Although bypassing the protection does not allow direct access to cash, it does allow physical access to the computer components of the ATM. ATMs usually have USB interfaces, so direct access to the computer can lead to a series of other attacks, ultimately executing commands to withdraw cash.
3. Unsecure network communication
Many financial institutions still believe in what they call a 'trusted network', however, this is an outdated concept and extremely unsafe in today's threat environment. Thirty years ago, most systems ensured their security through physical isolation, with only a few administrators able to access the system, and the technology used at that time was not public. However, this kind of security protection is no longer secure. Once hackers gain access to the ATM network, they can use man-in-the-middle attacks to disrupt ATM settings.
1. Attackers can initiate passive monitoring, which may lead to the theft of customer information.
2. Attackers can install malicious hardware/software on ATMs, modifying network traffic to force them to empty the cash dispensers as instructed.
3. Remote attacks cause the bank's server to reject approval requests, and any amount of cash is transferred to the attacker's bank card.
4. ATM Operating System
The content displayed on the ATM screen by customers is like any other program on the computer. If attackers can insert a keyboard and mouse, they can close the program and try to interact with the underlying operating system (OS).
Over the past 20 years or so, operating system vendors have strengthened servers multiple times: disabling unnecessary services, using host firewalls, requiring authentication, etc. However, it is still very difficult to strengthen the operating system to resist attacks, as there are still many ways that allow attackers to directly interact with the underlying operating system.
5. Disk Encryption
Without strong disk encryption, criminals can steal the ATM's hard disk and check for vulnerabilities.
Considering that ATMs need to push updates for all devices remotely, it can be understood why financial institutions may delay implementing full disk encryption plans on all ATMs.
A bank manages thousands of ATMs in the region, and in order to reduce costs, remote automation is needed to update the software, usually with limited bandwidth. Deploying disk encryption may require managers to physically access the machines offline to fix problems. For example, the ATM may be interrupted during the critical step of initial disk encryption. After deploying disk encryption, it will increase the complexity of the boot process and make troubleshooting more difficult.
By limiting encryption, the maintenance budget that managers can save by physically accessing the machines to solve problems can be saved. In this case, if the attacker really targets the disk, the bank will face greater challenges that will affect many ATMs in the bank's infrastructure. Even with disk encryption, vulnerabilities such as improper key protection, supplier algorithm flaws, and configuration errors will put ATMs at the same risk.
II. Enhancing ATM Security Protection
Some financial institutions may think that it is unreasonable to deploy expensive security equipment in their ATMs if they have not been attacked and suffered significant losses. However, ATM security should be an integral part of the bank's overall security plan, and ignoring potential vulnerabilities is not a reasonable security protection strategy. Security tests should be regularly conducted on ATMs to identify and fix vulnerabilities. It should also be ensured that ATMs have been updated with the latest patches to minimize attacks.
*Author: Kriston, please indicate the source as FreeBuf.COM when转载.
评论已关闭