An Infected Hitachi Payment Systems Server Compromised ATMs across India and Millions of Cards
In mid-2016 one of the servers of Hitachi Payment Systems was compromised by malicious software, through which the criminals harvested card data from ATMs of the State Bank of India, HDFC Bank, ICICI Bank, Yes Bank and Axis Bank. So far, 19 banks and 641 customers have reported fraudulent activity on their cards. To reduce the risk, the banks blocked the compromised cards and advised their customers to change their PINs.
In a statement, Hitachi Payment Systems said that after the injection the malicious software operated undetected and erased all traces of its presence. Its activity was only uncovered by an audit conducted by SISA Information Security.
“The reason why such cyber-attacks are happening today is because of the ineffective implementation of the payment security standards,” SISA Chief Executive Officer Dharshan Shanthamurthy said. “With demonetisation, and with an increase in the number of digital payments, such attacks are going to get worse. In the name of innovation, corners are being cut. That's a matter of concern,” he added.
Obtaining a certificate of compliance with PCI DSS or another security standard is the starting point for a bank that wants to bring new card products to market. This inevitably involves introducing new functionality in the payment applications, deploying new software and changing the network configuration. At the same time, the widespread practice of treating audit preparation as an annual reception ("general clean-up, rearrange the furniture, receive the guests") has dangerous consequences. A protection system designed for occasional demonstration to auditors is usually too rigid to accommodate change. A PCI DSS audit primarily assesses the ability of the system, as it stands on the day of the audit, to withstand attacks and preserve its integrity.
But the business requires changes, and to implement them the rigid structure has to be loosened: parts of the protection system are disabled for a while. The next task is to bring the changed system back into a secure state, which requires adapting the security tools and is impossible without highly qualified specialists who understand how the protection system works. Wanting to cut the cost of technical staff and bring new products to market quickly, the financiers proclaim "business first, security later". The statistics show that banks are attacked within 2-3 months of the annual audit. The launch of a new banking product is a signal to the attackers, because they know that protection is weak during this period.
It is not enough to maintain a static state of security and integrity on the ATMs. What matters is a process that allows changes to be made securely and keeps the system safe in operation at every stage of the software lifecycle:
- Check distribution kits for infiltration by well-known commodity ("garbage") malware. Infected files are often introduced during software development or while the distribution kit is being assembled for delivery. Libraries downloaded from untrusted sources, codecs and players for advertising content, drivers and third-party service tools are frequent sources of infection.
- Check the software code for vulnerabilities. This is now much easier: you can do it yourself with specialised tools and techniques, or engage a laboratory that specialises in this kind of analysis.
- Once you are sure that the software you are going to use is clean, the task is to keep it that way. For this you need to strictly define the installation methods and maintain a list of approved installers and installation packages, and to verify what is actually on the device against that approved baseline.
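The following script, added here as an example (it is not code from the original article, nor from Hitachi Payment Systems, SISA or any ATM vendor), shows the last step in practice: a SHA-256 manifest is built from the approved distribution kit at release time, stored off the device (ideally signed), and a deployed tree is later verified against it, reporting files that were added, modified or removed. The same check applies to an installer package before it is allowed to run: its hash must appear in the approved manifest. The file names, contents and the tampering scenario in `demo()` are constructed for this example.

```python
"""Integrity manifest for a distribution kit or ATM golden image.

Added example, not code from the original article. The approved-kit layout,
file contents and the tampering simulated in demo() are constructed for
illustration only.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Run this on the approved kit at release time; keep the result off the
    device, in a place the device cannot modify.
    """
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a deployed tree with the approved manifest.

    Returns sorted lists of paths that are not in the manifest (unapproved
    additions such as a stray codec or helper DLL), paths whose content
    changed (patched or infected binaries) and approved paths that are
    missing (removed configuration, stripped protections).
    """
    actual = build_manifest(root)
    approved, present = set(manifest), set(actual)
    return {
        "added": sorted(present - approved),
        "removed": sorted(approved - present),
        "modified": sorted(p for p in approved & present if manifest[p] != actual[p]),
    }


def is_approved_installer(path: Path, manifest: dict[str, str]) -> bool:
    """Gate for the installation process: only run a package whose hash is approved."""
    return sha256_file(path) in set(manifest.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: approve a kit, then tamper with the deployed copy."""
    with tempfile.TemporaryDirectory() as tmp:
        kit = Path(tmp) / "kit"
        (kit / "bin").mkdir(parents=True)
        (kit / "bin" / "atm_app.exe").write_bytes(b"approved application build 1.4.2")
        (kit / "config.ini").write_text("[xfs]\npin_pad=encrypted\n")
        manifest = build_manifest(kit)  # taken at release time, stored off-box

        # Simulate what the device looks like after an unauthorised change:
        # the main binary is patched, an unapproved third-party codec is
        # dropped in, and the configuration file is deleted.
        (kit / "bin" / "atm_app.exe").write_bytes(
            b"approved application build 1.4.2" + b"\x90" * 16
        )
        (kit / "bin" / "codec_helper.dll").write_bytes(b"unapproved third-party codec")
        (kit / "config.ini").unlink()

        return verify_tree(kit, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Any non-empty list returned by `verify_tree` should block the terminal from going back into service until the deviation is explained; in the re-infection case described later in this article, a check like this run after the "golden image" reinstall would have flagged the reappearing files within the hour.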
To fully protect the bank's infrastructure, attention must be paid not only to the mission-critical "central part" but also to the secure operation of every network element. The attack vector, and the source of infection within a network, can be entirely unexpected.
In 2015 we analysed the consequences of an incident in which ATMs were attacked from a bank's processing server. After the attack the malware self-destructed, and the source of the infection could only be determined thanks to a telltale sign on one of the attacked ATMs: the malware had failed to take hold ("rebounded") on that device, which then showed signs of software malfunction. An engineer reinstalled the ATM software from a "golden image", yet within an hour of reconnecting the terminal the attack resumed. That made it clear that the attack was coming from one of the servers.
The source of infection can be anywhere: trusted software vendors, updates delivered over the network, or installation mistakes.
One way out of this situation is to integrate protection mechanisms at the development stage of the online service. This approach is popular in the Middle East and Asia: when secure operation is built into the foundation of a service, new products can be brought to market quickly without lowering the level of protection. In the rest of the world the approach is still not widespread, because it is difficult to abandon so-called "add-on" protection. But the growing number of cyber-attacks and the increasing scale of the damage are about to change that.
Keywords: PCI DSS, ATM integrity, attacks on ATMs, card compromise