Research released at Black Hat USA last week shows that one of our best defenses for the future of payment card and ATM security isn’t infallible. Here’s why.
The late Barnaby Jack showed us in 2010 how cyberattacks could persuade ATMs to part with their cash, in what he called “jackpotting” attacks. Years later, hackers and their well-organized teams of money mules are indeed having a grand time with jackpotting attacks, encouraged by ATM operators’ slow adoption of EMV technology, lax physical security, reluctance to upgrade outdated hardware, poorly maintained embedded systems, middleware that creates a new attack surface, and insufficient motivation to change.
Trend Micro reported in April that ATM malware is on the rise. Recent attacks have shown with a combination of hacking and large teams, ATM operators, banks, and account holders are collectively getting slammed with millions of dollars in losses over the course of just a few hours.
And just last week, research released at Black Hat by Rapid7’s Weston Hecker showed that one of our best defenses for the future of payment card and ATM security isn’t infallible, either.
ATMs Being Robbed Via Smartphone
In July, another coordinated group lifted a large sum of cash from ATMs in a short period of time, but the particularly noteworthy aspect was that instead of inserting payment cards in the machines, they appeared to use smartphones.
According to the South China Morning Post, a coordinated group of two-person teams stole NT$83.27 million (~$2.67 million USD) cash from 41 First Bank ATMs in Taiwan. Police have arrested three individuals in connection with the attack — citizens of Moldova, Latvia, and Romania — but believe they were part of a 16-person team, most of whom fled the country. Police have recovered most of the money, according to the Morning Post.
How the attackers carried out their theft, possibly via smartphone, remains unclear. Two years ago, Symantec researchers outlined ATM malware called Ploutus that would cause an ATM to spit out cash after being sent a command via SMS message. The malware first had to be installed by physically opening up the ATM machine and attaching the phone to the hardware via USB. No information has been released saying that Ploutus was used in this attack, but police were quoted as saying that they suspected that malware was installed on the ATMs at an earlier date.
Regardless, a report in ABC News Australia said investigators discovered not just one, but three malware programs on the compromised ATM machines.
Traditional Organized Crime Getting In On Cybercrime
In May, a coordinated group of as many as 100 people in Japan stole 1.4 billion yen (about $12.8 million USD) in less than three hours, by simply withdrawing it from 7-Elevens. They used counterfeit credit cards that were created using stolen data on roughly 1,600 account holders from Standard Bank in South Africa; 7-Eleven ATMs were apparently popular for the attack because they accept foreign-issued debit cards.
Japanese police have made multiple arrests in connection with the theft, including a member of a yakuza associated with Japan’s largest organized crime syndicate, according to a report in Japan Today.
New ATM Malware Strains
In May, Kaspersky Lab discovered evidence that new variants of the ATM malware Skimer were compromising devices across the globe.
The malware can be installed either directly onto the device, or remotely, by first exploiting the network that the ATM connects to. Once Skimer is installed, it sits idly by until the attacker visits the ATM and sets the program into motion with a series of interactions that, to the careless observer, wouldn’t look strange at all.
The attacker inserts a “magic card” into the machine, instead of a regular debit or credit card. Skimer both harvests prior ATM users’ magstripe data or dispenses cash, in response to commands issued by the attacker. If it downloads data, that can either be stored on the card or printed out on what appear to be normal receipts.
Skimer exploits XFS, a Windows-based technology created to standardize ATM software. So, it affects multiple ATM makes and models.
“La Cara” — Exploiting EMV for Cash in Near-Real Time
The EMV technology replacing magnetic stripes is improving payment card and ATM security — albeit, very slowly in the United States, where adoption has been sluggish. However, when the magstripe trade ceases to turn a profit, adaptable attackers will be able to exploit EMV, too.
At the Black Hat USA conference last week, Hecker, Rapid7’s senior security consultant, showed how EMV could be exploited and what this next-generation carding network would look like.
Nowadays, carders and fraudsters can happily buy and sell magstripe card data with a relatively high degree of confidence that it will be usable, because magstripe data is all static. EMV card transactions, however, include dynamic data. Banks generate one-time codes for each transaction, so any stolen transaction data may only be valid for one minute or less. If carders want to continue to have a business once EMV becomes the norm, they’ll need a way to not only transmit that dynamic data to their buyers in real-time, but enable their buyers to monetize it in real- or near-real time.
Hecker created a way:
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio