
Security

July 1, 2009 12:30 PM PDT

ATM vendor gets security talk pulled from conferences

by Elinor Mills

Last year it was smartcards and this year it's ATMs.

It's almost security conference season in Las Vegas and with one month to go, a presentation has been pulled from Black Hat and Defcon.

Juniper Networks says it pulled a talk about a flaw in ATM software that one of its researchers was scheduled to give at the security conferences, after the ATM vendor complained.

In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to discuss local and remote attack vectors on ATMs and provide a live demonstration of an attack on an unmodified ATM.

The description of the talk, which was posted on the Defcon Web site but appears to have been removed, said: "The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATMs."

In a statement, Juniper Networks said the company "believes that Jack's research is important to be presented in a public forum in order to advance the state of security. However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research."

Juniper Networks is reaching out to other ATM vendors to help them address any security risks uncovered in Jack's research, the statement said.

The company did not disclose which manufacturer makes the ATMs that were to be referenced in the talk. Jack could not be reached for comment.

Security issues related to ATMs are a hot topic. Last month, a computer forensics expert revealed that he had discovered malware on ATMs that allowed criminals to steal account data and PINs. Three people were arrested last year after allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes.

This is the second year in a row that a scheduled presentation at one of the two security conferences was pulled. Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. The lawsuit was later dismissed and the three MIT students who were muzzled eventually ended up agreeing to help the transit system improve its fare collection system.

And other researchers have encountered problems after giving their talks. In 2005, a security researcher was able to give his presentation at Defcon on how attackers could take over Cisco routers, but hours later Cisco Systems filed a lawsuit against him. The suit was ultimately settled.

Things were more dramatic in 2001, when the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave his Defcon talk about insecurities in e-book security software.

(The ATM talk cancellation was first reported by Risky.Biz.)

June 4, 2009 10:26 AM PDT

ATM malware lets criminals steal data and cash

by Elinor Mills

Malware has been found on ATMs in Eastern Europe and elsewhere that allows criminals to steal account data and PINs and even empty the machine of its cash, a computer forensics expert said.

About 20 ATMs have been compromised in that manner, mostly in Russia and Ukraine, but there are "early indications" of compromised ATMs in the U.S., said Nicholas Percoco, vice president and head of SpiderLabs at Trustwave, which provides data security and payment card compliance services.

Nicholas Percoco heads up Trustwave's SpiderLabs, the forensics team that discovered the malware on the ATMs.

(Credit: Trustwave)

Percoco said he could not elaborate further on where the compromised ATMs were located and how they were used.

Someone had to manually install the malware on the machines, so it's likely that an insider is responsible: either an employee at the bank, the ATM vendor, a company that services the machines or someone close to an insider, Percoco said in a telephone interview late on Wednesday.

The machines, all running Windows XP, had an executable on them that was masquerading as a legitimate Windows protected storage service, he said. The malware looks at all the data being processed by the ATM and records account information that is stored on the magnetic stripes on cards inserted into the machine and encrypted PIN blocks that are generated when someone types in their personal identification number, he said.

Although the PINs are encrypted, criminals could potentially intercept the encryption keys exchanged with the bank and use them to decrypt the PINs, he added.

Once the malware has been hidden on the ATM for a period of time, the criminal can return to the machine and use a special "trigger" card to control the ATM and print out the stolen data directly from the machine or instruct the ATM to dispense all the cash it has, according to Percoco. ATMs can hold as much as $600,000 at a time, he said.

"There is evidence that (trigger) cards were used," he said, adding that he could not comment on the number of accounts affected or amount of money stolen. The malware was first installed on at least one of the machines in July 2007, he said.

This is not the first time malware has been discovered on ATMs, Percoco said. "But this is probably the most sophisticated malware found on an ATM," he said. "In all the versions we've looked at (the criminals) are enhancing the application as they go. They must be getting feature requests from someone."

The latest version of the malware code found on some of the machines includes a function for writing the stolen data onto a card with a memory chip on it, of the kind commonly used in Europe, he said. However, that function does not appear to work, he added.

Although the malware was installed on the ATMs manually, it's possible that future attacks would involve the propagation of the malware through the ATM network, he said.

Consumers should avoid using any ATM that does not "look right," Percoco said, for instance, if the screen has a different interface or strange commands.

Criminals also place "skimmers" over the slot where the card is inserted to steal the card data, and can record PINs with a hidden video camera positioned nearby.

February 5, 2009 5:14 PM PST

FBI: Cloned debit cards used in worldwide scheme

by Elinor Mills

The FBI is looking for suspects caught on video cameras who allegedly used cloned payroll debit cards to withdraw money from ATMs in a multi-city crime spree late last year, according to the Chicago Tribune.

The FBI in Chicago released surveillance photos of two suspects at ATMs allegedly participating in a worldwide scam using cards created by hackers who breached the computer of RBS WorldPay, a firm in Atlanta that processes financial transactions. Money from 100 accounts was withdrawn during a 10-hour period on November 8, the report said.

Fox 5 News reported earlier this week that as much as $9 million was withdrawn using the cloned cards from more than 130 different ATMs in nearly 50 cities.

RBS WorldPay announced in December that its computer network had been breached, exposing data of as many as 1.5 million cardholders and 1.1 million Social Security numbers.

Another payment processor, Heartland Payment Systems, reported on Inauguration Day last month that its network had been breached. That breach has led to a lawsuit.
