Hampering ATM software with logical attacks
Logical attacks are attacks on ATMs which allow cyber criminals to alter their software and thereby hamper the machine.
Cyber-criminals use external malware or electronic devices to conduct logical ATM attacks to gain physical access to the cash dispenser, and once they do, they can steal money from the ATM. The process is also known as jackpotting or cashing out.
Cyber-criminals hamper the ATM software and collect the card details of ATM users to prepare fake credit and debit cards. The duplicate cards are later used to carry out fraudulent activities at point-of-sale terminals. Those who hamper ATM software are always looking for new ways to gain access to card data or cash. Therefore, it is essential to upgrade the ATM software regularly to stop logical attacks on ATMs.
Various logical attacks on ATM software
Man-in-the-Middle Attacks
A man-in-the-middle attack targets the communication between the host and the ATM PC. It uses malware that is remotely installed in the network layer or at the highest software layer of the ATM PC. These attacks can also fake the host's response to a transaction without any money being debited from the account.
Data Sniffing Attacks
In data sniffing attacks, the malware can only operate on specific operating systems. The malware installed on the ATM records the magnetic stripe information of the card. Cyber-criminals then use this information to conduct illegal activities.
Skimming with Spoofing
This attack combines two ATM cyber-attacks, skimming and spoofing. Criminals obtain user information through skimming and later make spoofed phone calls to the users to collect other essential data.
- Unexpected system reboots in the middle of transactions can indicate a malware attack.
- A significant gap in the audit logs, where part of the transaction history is missing, is a hint of a logical attack.
- If the cash dispenser of an ATM runs out of cash unexpectedly within a short time, that is another indication.
- Loss of communication with the ATM security system and irregularities in the CCTV footage are signs of illegal activity.
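The four indicators above can be checked mechanically from the ATM's event log. The following Python script is an added example, not code from the original article; the log format, event names (TXN_START, TXN_END, REBOOT, DISPENSE, COMM_LOST), the sample log and the cash/window thresholds are all assumptions.

```python
"""Flag the logical-attack indicators listed above in a constructed ATM event log."""
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "<audit seq> <ISO timestamp> <event> [detail]".
# Sequence numbers 107-109 are deliberately missing, one reboot lands mid-transaction,
# and three large dispenses occur within a minute.
SAMPLE_LOG = """\
101 2024-03-01T02:00:00 TXN_START card=****1234
102 2024-03-01T02:00:08 DISPENSE amount=200
103 2024-03-01T02:00:10 TXN_END
104 2024-03-01T02:05:00 TXN_START card=****5678
105 2024-03-01T02:05:03 REBOOT
106 2024-03-01T02:07:00 TXN_START card=****9999
110 2024-03-01T02:07:05 DISPENSE amount=2000
111 2024-03-01T02:07:20 DISPENSE amount=2000
112 2024-03-01T02:07:40 DISPENSE amount=2000
113 2024-03-01T02:08:00 TXN_END
114 2024-03-01T02:09:00 COMM_LOST host=switch
"""

def parse_log(text):
    """Turn each log line into a dict with seq, timestamp, event name and detail."""
    events = []
    for line in text.splitlines():
        seq, ts, event, *rest = line.split()
        events.append({"seq": int(seq), "ts": datetime.fromisoformat(ts),
                       "event": event, "detail": " ".join(rest)})
    return events

def find_indicators(events, window=timedelta(minutes=5), cash_limit=5000):
    """Return one alert string per indicator hit; window/cash_limit are assumed thresholds."""
    alerts = []
    prev_seq = None
    in_txn = False
    recent = []  # (timestamp, amount) of dispenses inside the sliding window
    for e in events:
        # Indicator: gap in the audit log (missing sequence numbers).
        if prev_seq is not None and e["seq"] != prev_seq + 1:
            alerts.append(f"audit gap: seq {prev_seq} -> {e['seq']}")
        prev_seq = e["seq"]
        if e["event"] == "TXN_START":
            in_txn = True
        elif e["event"] == "TXN_END":
            in_txn = False
        elif e["event"] == "REBOOT":
            # Indicator: reboot while a transaction is still open.
            if in_txn:
                alerts.append(f"reboot mid-transaction at {e['ts'].isoformat()}")
            in_txn = False
        elif e["event"] == "DISPENSE":
            # Indicator: cash leaving the dispenser far faster than normal load.
            amount = int(e["detail"].split("=", 1)[1])
            recent.append((e["ts"], amount))
            recent = [(t, a) for t, a in recent if e["ts"] - t <= window]
            total = sum(a for _, a in recent)
            if total > cash_limit:
                alerts.append(f"{total} dispensed within {window} ending {e['ts'].isoformat()}")
        elif e["event"] == "COMM_LOST":
            # Indicator: loss of communication with the monitoring/security system.
            alerts.append(f"communication lost: {e['detail']}")
    return alerts
```

Running `find_indicators(parse_log(SAMPLE_LOG))` on the constructed log yields four alerts, one per indicator; in a real deployment the thresholds should be derived from the ATM's normal dispensing rate.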
Physical attacks on ATMs
Physical attacks on ATMs are considered risky because they not only lead to financial losses but also put property and lives at risk. Physical attacks involve solid and gas explosives as well as the removal of the whole ATM from the site, after which other techniques are used to gain access to the cash dispenser.
Gas attacks on ATMs
Gas attacks conducted on ATMs aim to break open the safe door. One of the gas attacks involves attaching solid explosives to the outer side of the safe doors. Gas attacks can create serious social problems and collateral damage to the building and ATM equipment.
This type of attack conducted using the combustion of gas or a solid explosive can cause damage and allow the explosive charge to inject and explode inside the ATM safe, resulting in the breakdown of the walls of the ATM safe and allowing criminals to access the cash. Some of the solid explosives used in physical ATM attacks are dynamite, C4, power gel, and gelignite.
Criminals use various methods to introduce explosives inside the ATM through the depository or dispenser interface:
- Breaking or bending the shutters of ATM safes with tools such as a crowbar, which allows criminals to install explosives inside the ATM.
- Cutting or drilling a hole in or beside the ATM shutters to plant explosives.
- Performing an ATM transaction to open the shutter of the cash dispenser, which then allows the criminals to plant the explosives.
Ram raid attacks on ATMs
A ram raid ATM attack is an attempt to remove the ATM and its components from their original location. Ram raids usually involve motor vehicles smashing into and ripping the ATM from its place. Criminals generally prefer the early morning for ram-raid attacks.
Replenishment attacks on ATMs
A replenishment attack is a physical ATM attack in which the ATM is targeted when staff open the ATM safe to remove cassettes, or when ATM funds are transported in vehicles through insecure areas.
Measures to reduce physical attacks:
- An audio alarm or screamer that detects gas attacks will notify the bank about irregular activity observed at the ATM.
- A door swipe or keypad system installed on the doors of an ATM can ensure secure transactions.
- ATMs located in remote areas can be supported by proper physical security.
- A smoke/heat sensor can be installed inside the ATM to detect oxy-acetylene or burning bar attacks.
- CCTV and monitored alarms make it more difficult for criminals to tamper with ATMs.
- Durable cable plugs in the ATM will stop the insertion of gas pipes and solid explosives.
- Cladding or explosion-absorbing elements can be introduced inside the ATM safe to reduce the effect of gas attacks.
To protect your ATM network from fraud, the banking security experts at NST Cyber have developed a series of hands-on vulnerability assessments that look at the entire ATM environment. We can identify software, hardware, and communication protocol vulnerabilities that can be exploited and provide remediation measures to effectively resolve them.
Please visit our website to find out more about our ATM Security Assessment Services.
Verifying the effectiveness of various ATM attack prevention solutions with ATM Penetration Testing
Banks have long relied on Automated Teller Machines (ATMs) as the primary agent for basic banking services such as balance checks, cash withdrawals, account statements, and more. Today, with over 3.5 million ATMs installed worldwide, banks and customers greatly benefit from the convenient, instantaneous 24/7 service that ATMs provide. But, as with most things convenient (and instantaneous), ATMs come with drawbacks in the form of severe security risks and potential exploitability by hackers and criminal agents. Banks are thus left to adapt with new measures and prevention mechanisms to eliminate these risks.
One of the main challenges when it comes to ATM software attack prevention is understanding a particular attack vector and picking the suitable vendor solution that is specific to its corresponding threats. In this article, we discuss the various attack prevention methods and tools that are available from different vendors. These include vendor solutions for ATM logical attack prevention, ATM application whitelisting, ATM Blackbox attack prevention, ATM Ram raid prevention, ATM host OS Security and communication security, and the necessity of inspecting the status of their effectiveness with comprehensive ATM Penetration Testing.
1. ATM Logical Attack Prevention
A logical attack on an ATM network is a coordinated set of malicious actions performed by criminals or groups to gain access to ATM computer systems in order to obtain cash or sensitive data from ATMs. ATM malware attacks are a sub-category of logical attacks. These attacks involve the deployment of software in the ATM, which runs in the background while the ATM operates. Various prevention solutions for ATM logical attacks are as follows:
1.1 NCR SPS with Skimmer Detect and Alert Monitoring
NCR Skimming Protection Solution (SPS) uses multiple jammers that generate random signals, preventing any criminal device from isolating and recording data from the card's magnetic stripe. In NCR SPS SelfServ ATMs with DIP card readers, detection is available as the primary feature.
1.2 NCR Anti-Eavesdropping kit:
Eavesdropping attacks can be prevented by modifying the existing ATMs with a physical barrier around the internal card reader. NCR has an anti-eavesdropping kit that offers a simple and inexpensive protective measure. The SelfServ 80 series family has no card orientation window which removes the chances of drilling into the ATM.
1.3 NCR Card reader device detection firmware, third-party anti-insert kits:
Criminals have developed techniques to install a Deep Insert Skimmer inside a motorized card reader such that the ATM platform software cannot detect it. NCR suggests using the Tamper Resistant Card Reader as the prevention mechanism for Deep Insert Skimming and Eavesdropping Skimming techniques. The NCR SPS (Skimming Prevention Solution) is built with a field-programmable framework. This framework enables the functionality of the ATMs and prevents deep insert skimmer attacks.
1.4 Cash degradation solutions such as ink staining or glue solutions:
An Intelligent Banknote Neutralization System (IBNS) is a system that protects money against unauthorized access by making it unusable when an attempted attack on the system is detected.
- Ink-stain technology: When an attack is identified, the ink-staining technology installed in the ATM releases indelible, permanent security ink that stains the banknotes, making them unfit for use.
- IBNS using glue: In case of an attack, the glue fusion module glues all the banknotes in the cash cassette together immediately, leaving nothing but the worthless, solid brick of paper. If an attacker tries to peel off a single banknote, it will tear into small shreds immediately.
1.5 Gas Detection/Neutralization solutions:
The gas detection and neutralization system is a second-generation product that includes advanced monitoring and an alarm system, totally hidden from view. A microprocessor built into the device measures and interprets changes in the environment and discharges the contents that neutralize the gas. As soon as gas is detected, an alarm is triggered that immediately alerts the local police about the attack. An audible siren can also be provided, and it is also possible to connect to a third-party alerting system.
1.6 Sabotage and Shimming attack prevention
The SPS anti-tamper sensor will detect and alert on a wide range of tamper conditions, including simple disabling attacks similar to sabotage attacks.
The recommended solution for this type of attack is to integrate an SPS solution with a skimmer detect and alert system.
- Ensure that the host network checks for a card verification code in both chip-based and magnetic strip card transactions.
- Ensure that the Integrated Card Validation Code (ICVC) of the EMV chip is different from the magnetic stripe card's CVV value.
1.7 CCTV and ATM built-in camera Tampering prevention:
Tamper detection is an option within your IP camera that will alert you if the camera has been tampered with. If the attacker tries to knock off the camera or block its view, the alert system notifies the security team that operates the video management system so that it can monitor the situation.
1.8 ATM BIOS Hardening:
The Basic Input/Output System (BIOS) is a set of programs consisting of code and configuration settings. The BIOS enables an ATM's Central Processing Unit (CPU) to communicate with peripheral devices. Safeguarding the BIOS is fundamental to the security of the ATM.
2. ATM APPLICATION WHITELISTING SOLUTIONS
Whitelisting is a concept in which no action occurs in the ATM unless it has been previously identified as legitimate. It includes all possible activities in the ATM workstation that can be controlled from the operating system. Below is the list of common ATM application whitelisting solutions and a brief look into their processes.
2.1 KX Security solution for ATM Application whitelisting:
KX security is a framework that allows you to design, develop, and deploy high-performance, enterprise-grade data capture systems. The KX platform is built on top of the world’s leading column-oriented database, Kdb+, to capture, store, and analyse real-time and historical data. Kx security contains a secure parser that ensures all queries are strictly based on permissions at a functional level when enabled.
2.2 Windows AppLocker for ATM Application whitelisting:
AppLocker is a software whitelisting tool introduced by Microsoft to restrict normal users to executing only specific applications. In Windows 10 version 1709, Microsoft introduced a feature known as Controlled Folder Access, which aims to prevent ransomware from encrypting files within folders. An ATM workstation with Windows AppLocker can protect sensitive files from unauthorized access.
2.3 GMV Checker ATM security suite for application whitelisting:
GMV Checker provides a set of tools to create, install, and maintain the security policies on the server-side and the required tools to implement their application on the ATMs. These security policies can be designed in a flexible way, permitting a standard policy for an entire ATM Network.
2.4 NCR’s Solidcore Suite for APTRA:
The Solidcore Suite for APTRA is focused on two critical, but historically opposed issues facing IT and banking institutions:
- To eliminate the business risk posed by internal security threats or network perimeter breaches.
- To reduce growing information security operating costs while facing increasingly strained IT resources.
Solidcore Suite for APTRA addresses both these issues simultaneously by only allowing authorized code to run on a protected ATM.
2.5 McAfee Solidcore for ATMs:
NCR offers Solidcore Suite for APTRA using the McAfee ePolicy Orchestrator (McAfee ePO) platform, which guards and simplifies security through end-to-end network visibility and automated delivery of security responses.
3. ATM BLACKBOX ATTACK PREVENTION
An ATM black-box attack is a banking-system crime in which the attacker bores holes into the top of the ATM to gain access to its internal infrastructure. The cash dispenser is disconnected and attached to an external black box, which bypasses the need for card or transaction authorization to release money. Preventive measures for these attacks are listed below:
3.1 OS to Dispenser data protection solutions:
To prevent Black Box attacks, ATM vendors recommend using the latest XFS versions for strong encryption and physical authentication between the OS and dispenser. When physical authentication is present, encryption keys are sent only when legitimate access to the safe has been confirmed.
3.2 NCR USB Encryption Suite:
Encrypting the communications line between the ATM core and the dispenser will prevent black-box attacks. Only commands from the ATM software will be authenticated and processed by the dispenser. NCR uses the USB CDM software component from APTRA XFS 06.03.00 or later to encrypt the communication line.
3.3 Cerber Lock:
ANSER PRO has developed a safety device called Cerber NCR Lock, which will protect the ATM dispenser from the Black Box attacks. Cerber NCR Lock is compatible with ATM series NCR Persona, NCR SelfServ, and any ATM in which the dispenser is connected via USB.
The connector of the Cerber Lock is installed between the ATM PC and the ATM dispenser. The control unit of the Cerber Lock sits in the ATM safe along with the dispenser to prevent its detection and hacking. In case of an unauthorized connection to the ATM dispenser, the Cerber Lock blocks the dispenser from releasing currency.
3.4 Wincor USB Encryption
Wincor has released a cryptographic device designed to prevent viruses from triggering unauthorized cash withdrawals at ATMs. The SCOP (Secure Cash Out Procedure) module prevents viruses from triggering any non-permissible withdrawals within an ATM’s control module dispensing the currencies. The system ensures complete security checks in combination with a central point of authorization.
4. ATM ram raid prevention
Ram-raiding is a type of robbery in which a heavy vehicle is driven into the windows or doors of a building, usually ATMs, jewelry shops, and department stores, allowing attackers to steal funds. There are various solutions to prevent ATM ram raids which are as follows:
4.1 GPS devices and ATM trackers:
The primary reason most businesses or organizations adopt GPS tracking systems and devices is real-time tracking. If the machine is disturbed or moved without authorization, the tracking device triggers a silent alarm. The ATM is configured to sense motion, and when the machine is moved, the device acts accordingly.
It also signals the control room whenever attackers interfere with the ATM. The device's dynamic features help the authorities inform law enforcement about the crime.
4.2 ATM Software Distribution attack prevention:
Software distribution attacks on ATMs are network-based attacks. Attackers use network access points to connect to the bank's internal network and gain local access to ATMs. Once inside the system, they can attack the software distribution server as the means to deliver malware to ATMs.
A software distribution capability built on best practices, including security controls, authorization, and built-in authentication, is an essential layer that maintains the confidentiality, integrity, and availability of the ATMs. It is also crucial to have remote software distribution capabilities for the ATM estate.
If malware is launched on, or suspected to be on, an ATM, software distribution accelerates the clean-up and updates the malware signature files across the ATMs. APTRA Vision Software Distribution and NCR View 360 are some of the software features NCR recommends to protect against software distribution attacks.
5. ATM HOST OS SECURITY:
5.1 ATM OS Hardening solutions:
The ATM host’s OS should be strengthened by removing unnecessary services and applications, securing weak default settings, and having updated security patches. The host OS must also have anti-virus software, firewall/intrusion detection tools, logging and auditing controls, and proper backup policies or tools.
5.2 Hard disk encryption:
Installing full hard disk encryption protects the integrity of the ATM hard disk and guards against offline attacks. NCR secure hard disk encryption is widely recommended.
By encrypting the hard disk, the ATM is protected against:
- Malware attacks when the ATM hard disk is offline.
- Attackers reverse engineering software on the ATM hard disk.
- Attackers collecting data from the hard disk of the ATM.
- The hard disk being readable when the ATM is booted from removable media.
- The hard disk being removed from the ATM and mounted as a secondary drive.
- The core being removed from the ATM.
The NCR secure hard disk encryption:
- Protects ATM against attackers deploying malware onto the hard disk of the ATM.
- Makes hard disk contents unreadable to protect against offline attacks, reverse engineering of code, or data harvesting.
- Prevents attackers from deriving or harvesting the decryption keys locally to circumvent encryption technology.
- Uses remote authentication so that the encryption key cannot be derived or harvested from the local hard disk.
6. Communication security (ATM terminal to ATM switch):
The transmission of sensitive cardholder data across every network must be encrypted. Cybercriminals may be able to intercept transmissions of cardholder data over networks, so it is vital to prevent them from reading this data. Encryption is the technology used to render transmitted data unreadable to any unauthorized person.
6.1 Network Sniffing prevention with NCR TLS 1.2:
The PCI DSS requirement calls for strong cryptography and security protocols to protect sensitive cardholder information during transmission over open, public networks. SSL and earlier TLS versions have been demonstrated to have exploitable weaknesses and must not be used to meet PCI requirements.
NCR Secure TLS Encrypted Communications supports TLS version 1.2 and is more robust when combined with the environment's hardening guidelines. NCR Secure TLS Encrypted Communications never sends unprotected cardholder data over end-user messaging technologies such as e-mail, instant messaging, SMS, and chat.
Need for effective checking of ATM software attack prevention solutions with ATM Penetration Testing
In a changing technological landscape, it is enormously important for banks and financial institutions to keep track of the various threats targeting ATMs. There has been a constant rise in physical attacks on ATMs over the last 5 years. In fact, reported ATM software attacks have grown 16% year-on-year since 2015.
This makes it essential to have a thorough and periodic security assessment of ATMs, investigating the possibilities of physical and logical attacks along with ATM malware, logical, and terminal-related testing.
NST Cyber provides a proven and comprehensive assessment framework for ATM, CDM, Service Kiosk, ITM, Bitcoin Teller Machines and other types of terminal testing, our security assessment services being second to none.
With a comprehensive testing portfolio for ATMs, derived from a combination of advanced hardware and software tools, coupled with vast experience in cyber threat management, NST Cyber delivers assurance and peace of mind to banks around the world.
About NST Cyber
NST Cyber is an emerging leader in the Cyber Threat Management space as we provide a portfolio of Security assessment, Control validation, Defensive, and Detective Security advisory to Enterprises. NST Cyber collaborates with several business verticals like Banking and Finance, Oil and Gas, Retail, Manufacturing, and Healthcare to assess their current security posture and continuously improve resilience against targeted cyber-attacks. With profound technical expertise and commitments, NST Cyber works with several esteemed Banks and FinServ companies to improve Enterprise-wide security posture and meet compliance requirements from regulators.
For more information, contact us at firstname.lastname@example.org
All product names, brands and trademarks referred to in this article are property of their respective owners.