News
According to a survey carried out by ATMIA across 37 countries, cyber attacks were rated the third top threat to bank ATMs in 2011.
Traditional skimming still tops the list and second comes illegal break-ins to bank premises where ATM’s are installed and physical removal of the machines. However, cyber attacks are rising while traditional threats are waning.
"Card data that can be stolen from ATMs through software-based attacks is becoming more valuable than the cash held in the ATM itself," Peter Kulik, technical editor of ATMIA's latest manual on ATM best practices wrote in its foreword. "Further, software-based attacks are a 'silent crime' - difficult to detect and far less dramatic than other forms of ATM crime - and so we expect the extent of this crime is likely underestimated by our industry today."
The losses:
A case of a hacked retailer of prepaid debit cards that occurred in Canada in 2011 illustrates the trend. The fraud was surprisingly simple and effective. A group of criminals acquired several dozens of debit cards all over the world, depositing $15 on each account. Then, the bank system was cracked and the tool regulating minimum card balance was amended. The fraudsters increased balances on their cards to dozens of thousand dollars. Over the following couple of days they withdrew about one million dollars from ATMs all over the world.
Several months later a similar attack was carried out on another bank using just 22 debit cards to steal up to $13 million.
No arrests have been made in either case.
At a recent conference in Moscow Oleg Kazakevitch, Security Adviser to the President of the Russian Banks Association, said that damages to Russian banks from bank card frauds are estimated at 2.5 billion Rubles (US $35 million) per year. 55 million Rubles (US $1.8 million) was stolen in a single attack on a major Moscow bank in September 2011.
Speaking of the number of attacks, Mr Kazakevitch said that Russian telebanking systems are attacked between five and seven times each week. The attackers' goals range from simple cash withdrawal to racketeering and blackmailing.
Traditional safe-breakers and hold-up men must be awed by the amounts withdrawn by cyber robbers. Occasionally, reporters covering the topic get in contact with this or that person from "gangland" who appears willing to tell what made a certain cyber robbery possible. They all agree that banking software has numerous flaws that permit criminals to access a system and gain control of it.
The more complicated bank software grows, the more potential access points it offers to robbers.
Therefore, ATMIA’s Peter Kulik strongly recommends that everyone involved in ATM installation and maintenance should study the ATMIA Guide. To fight criminals effectively, he says, all entities worldwide have to take the guide extremely seriously and to adopt all the experience that ATMIA has meticulously collected for them.
The software threat:
ATMIA's specialists point out that an ATM is basically a computer controlled by an operating system and a set of pre-installed programs. A system can be hacked at the software level to make the machine act at a criminal's will and a hacker may remain unnoticed for a long period of time.
ATMs get cracked as hackers manage to analyse the structure of software installed there and to find out how it operates. The rest is a matter of technique.
Dmitry Suchkov, Technical Director with SafenSoft Company (a developer of security software for computers and networks), maintains that the vast majority of software contains errors or development faults, some of which may be serious.
He said: "In practice, when software is used, vulnerable points a criminal may profit from are detected sooner or later, deliberately or incidentally. Patches are issued throughout a program life cycle to fix errors but it is not uncommon that patches remedying certain existing faults bring in new ones. It is a cyclical process; even programs having numerous patches released remain vulnerable".
The ATMIA Guide points out that if a criminal can alter the operating system on your ATM, it's not your ATM anymore; if you allow a criminal to upload programs to your ATM, it's not your ATM anymore; and if a criminal can persuade you to run his program on your ATM, it's not your ATM anymore.
Eliminating vulnerability:
Industrial experience indicates that complete elimination of errors and gaps in software is impossible. If hackers use such vulnerable points to access systems, it is necessary to hide these points from hackers.
Today's criminals use reverse engineering to detect errors. According to ATMIA, reverse engineering is now one of the most popular and expanding ways to analyse and crack software.
The latest virtualisation technologies provide new opportunities for software reverse engineering and creation of malware for ATM attacks, says item 19 of the ATMIA Guide summary.
Reverse-engineering is the process of discovering the technological principles of a system through analysis of its structure, function and operation. In terms of software it can also be seen as ‘going backwards through the development cycle’. The purpose is to deduce design decisions from end products with little or no additional knowledge about the structure and algorithms of the investigated application. Once software algorithms become clear, they can be altered to add criminal functionality.
To prevent tampering with ATM software, ATMIA specialists advise applying best professional practices and specialized protection solutions.
The document also gives a list of means that can prevent tampering with ATM software. ATMIA's experience shows that the following methods can help ATM software developers prevent reverse engineering:
- Obfuscation: transformation of a source or executable code in order to impede its analysis, algorithm understanding and its modification in the course of decompilation with no impact on functionality (from Wikipedia.org).
- Virtual machine (VM) technology: a software system emulating software or hardware (from Wikipedia.org). VM is an isolated, secure implementation executing a fragment of software code.
- Application of behavioural analysis: malware tends to obtain access to system elements operating at the kernel of an operating system. This behaviour can be considered suspicious in a program outside of the white list of authorized programs. This method allows detecting malware that may have already penetrated the system.
- Isolation of specific system processes: similar to the previous item but isolation is applied to a single process that appears to be suspicious, not to the whole program.
- Encryption of client-server traffic: used to impede intrusion into a connection channel and capturing of data transferred between an ATM and bank server.
Even a relatively inexperienced criminal can crack an unprotected program in hours or minutes. However, studying a complicated, mixed code written in a proprietary language, compiled via a custom compiler and operating from a virtual machine is quite a complicated task. Hackers are known to have taken years to crack well-protected software.
Software solutions can be massive and complicated with thousands of functions. Alexander Zatsepin, Technical Director with StarForce Technologies (a developer and integrator of solutions preventing software code from hacking and reverse-engineering), believes that "a hacker is not interested in program modules that, say, draw GUI dialogs on an ATM screen. Migration of processing functions or card data collection and transfer functions to a virtual machine is enough to render access to these critical areas extremely complicated".
He also points out that once protection is implemented, program analysis and detection of vulnerable points become very effort-, time- and money-consuming.
White lists:
The ATMIA document points out that creation of white lists, as suggested above, is one of the most effective ways to prevent launch of malware within a system. However, if a program from the white list was previously tampered with by a fraudster, it will still be launched and executed fully: once a program is launched on a machine, it executes its pre-defined instructions, even if it is malware, says the guide.
This highlights the fact that a comprehensive approach needs be applied with various protection tools used. No single technology is a panacea; a comprehensive, holistic approach is needed to ensure ATM security.
Using their statistics, ATMIA representatives forecast increased interest in code protection systems from financial and credit institutions that have their software systems exposed to hacker attacks.
The cost of trust:
Apart from financial losses incurred through frauds, reputation risks are also significant. Reputation is the core factor when it comes to handing your money to a third-party. Banks work hard to win customer trust – it is the first step to customer acquisition.
Leaks of personal data, money theft from accounts and unstable services can cause a loss of customer trust.
Obviously, solid protection of ATMs that have become the main means of bank-to-customer communication is an investment in building a bank’s reputation and in maintaining the trust of existing and potential customers.
Dmitry Gusev, Deputy Marketing Director with StarForce Technologies
