June 4, 2009 10:26 AM PDT

ATM malware lets criminals steal data and cash

by Elinor Mills

Malware has been found on ATMs in Eastern Europe and elsewhere that allows criminals to steal account data and PINs and even empty the machine of its cash, a computer forensics expert said.

About 20 ATMs have been compromised in that manner, mostly in Russia and Ukraine, but there are "early indications" of compromised ATMs in the U.S., said Nicholas Percoco, vice president and head of SpiderLabs at Trustwave, which provides data security and payment card compliance services.

Nicholas Percoco heads up Trustwave's SpiderLabs, the forensics team that discovered the malware on the ATMs.

(Credit: Trustwave)

Percoco said he could not elaborate further on where the compromised ATMs were located and how they were used.

Someone had to manually install the malware on the machines, so it is likely that an insider is responsible: an employee at the bank, the ATM vendor or a company that services the machines, or someone close to such an insider, Percoco said in a telephone interview late on Wednesday.

The machines, all running Windows XP, had an executable on them that was masquerading as a legitimate Windows protected storage service, he said. The malware looks at all the data being processed by the ATM and records the account information stored on the magnetic stripes of cards inserted into the machine, as well as the encrypted PIN blocks generated when someone types in their personal identification number.

Although the PINs are encrypted, criminals could potentially intercept the encryption keys exchanged with the bank and use them to decrypt the PINs, he added.

Once the malware has been hidden on the ATM for a period of time, the criminal can return to the machine and use a special "trigger" card to control the ATM and print out the stolen data directly from the machine, or instruct the ATM to dispense all the cash it holds, according to Percoco. ATMs can hold as much as $600,000 at a time, he said.
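The malware described above harvests the account data encoded on a card's magnetic stripe. The example below is added here (it is not code from the article, from Trustwave, or from the malware) and shows the defender's side of that: a forensic scan that locates ISO/IEC 7813 Track 2 records in a captured buffer, discards digit strings that fail the Luhn check, and reports only a masked PAN so the investigator's own report does not become a second leak of card data. The sample buffer and the card numbers in it are constructed test values.

```python
import re
from typing import Dict, List

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: str) -> List[Dict[str, str]]:
    """Return one masked finding per Luhn-valid Track 2 record found in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue            # looks like a track, but the PAN is not valid; skip it
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp"),
            "service_code": m.group("svc"),
            "offset": str(m.start()),
        })
    return hits


# Constructed sample: a fragment of a memory dump or log with one valid track,
# one Luhn-invalid decoy, and unrelated text. 4111111111111111 is a standard
# test PAN, not a real account.
SAMPLE = (
    "svc: protected storage started\n"
    ";4111111111111111=25121011234567890?\n"
    "txn 0042 ok\n"
    ";1234567890123456=2512101000?\n"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE):
        print(hit)
```

Running it on the constructed sample reports a single finding (expiry 2512, service code 101) with the PAN shown as `411111******1111`; the decoy record is dropped by the Luhn check, which is the main lever for keeping false positives down when scanning large dumps.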

"There is evidence that (trigger) cards were used," he said, adding that he could not comment on the number of accounts affected or amount of money stolen. The malware was first installed on at least one of the machines in July 2007, he said.

This is not the first time malware has been discovered on ATMs, Percoco said. "But this is probably the most sophisticated malware found on an ATM," he said. "In all the versions we've looked at (the criminals) are enhancing the application as they go. They must be getting feature requests from someone."

The latest version of the malware code found on some of the machines includes a function for writing the stolen data onto a card with a memory chip on it, a card type commonly used in Europe, he said. However, that function does not appear to work, he added.

Although the malware was installed on the ATMs manually, it's possible that future attacks would involve the propagation of the malware through the ATM network, he said.

Consumers should avoid using any ATM that does not "look right," Percoco said, for instance, if the screen has a different interface or strange commands.

Criminals also use "skimmers" fitted over the card slot to steal the data that way, and can record PINs with a hidden video camera positioned nearby.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by Police_States_of_America June 4, 2009 10:54 AM PDT
paragraph 5 says it all
Reply to this comment
by catch23 June 4, 2009 11:28 AM PDT
How's that? If it is an inside job, any OS is equally vulnerable.

Please get a little educated about how computers work before making idiotic comments.
by SwissJay June 4, 2009 11:31 AM PDT
Yeah, drove up to ours in town before and it had a Windows crash screen on it ;) I don't understand why software is used to run these ATMs that is available to the public at large. If it were closed source code, it would be a whole lot harder to write and debug malware that will run on these machines. But since it's Windows, I can just fire up Visual Studio and go at it!
by Police_States_of_America June 4, 2009 11:42 AM PDT
> any OS is equally vulnerable.

I guess it doesn't help much that the most talented malware writers are so familiar with XP then, does it?
by ralfthedog June 4, 2009 12:29 PM PDT
Not true. Windows is a general-use operating system. ATMs need to run the most stripped-down operating system they can. A very minimalistic version of Linux, or even better BSD, that has built-in public/private-key code signing would be the best bet. You would also want to put a hash on every bit of code that runs and have the hash report back to the owners of the ATM software. The privately compiled OS and the code for the ATM itself would need to exist only in ROM. RAM and hard drive would only exist for state and transaction logging.

I don't think you can do this with Windows or even Mac OS. It is quite easy with Linux or BSD.
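The comment above proposes hashing every piece of code on the machine and checking it against a signed reference. The following example is added here to show what that check looks like in practice; it is not the commenter's code and not part of any ATM product. It builds a manifest of SHA-256 digests for a file tree, signs the manifest, and on verification reports three kinds of deviation: a modified file, a missing file, and an unexpected file (the case from the article, where an extra executable was dropped onto the machine). HMAC-SHA256 stands in for the public/private-key signature the comment has in mind; the directory and files in the demo are constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    # HMAC is a stand-in for an asymmetric signature: with a real public-key
    # scheme the machine holds only the verification key, so a local attacker
    # cannot re-sign a manifest that has been edited to cover their tracks.
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_tree(root: Path, manifest: Dict[str, str], signature: str, key: bytes) -> List[str]:
    """Return findings; an empty list means the tree matches the signed manifest."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature invalid"]
    current = build_manifest(root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            findings.append(f"unexpected: {rel}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a tiny software tree, then a dropped and an altered file."""
    key = b"constructed-demo-key"  # placeholder; a real deployment would not embed a key
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "atmapp.exe").write_bytes(b"legit application image")
        (root / "bin" / "pinpad.dll").write_bytes(b"legit driver")
        manifest = build_manifest(root)
        sig = sign_manifest(manifest, key)
        clean = verify_tree(root, manifest, sig, key)

        # An unknown executable appears and a legitimate module is patched.
        (root / "bin" / "dropped.exe").write_bytes(b"unknown binary")
        (root / "bin" / "pinpad.dll").write_bytes(b"legit driver+patch")
        tampered = sorted(verify_tree(root, manifest, sig, key))

        # The manifest is edited to bless the new file, but the signature no longer matches.
        forged = dict(manifest)
        forged["bin/dropped.exe"] = sha256_file(root / "bin" / "dropped.exe")
        forged_result = verify_tree(root, forged, sig, key)
    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_result}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

The second scenario is the one the comment's "report back to the owners" idea is meant to catch: the verification result, not just the file hashes, should leave the machine, since malware with local control can suppress a purely local alarm.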
by TamarC June 5, 2009 2:47 AM PDT
And you're probably not even aware, being a fanboy and all, that there's also Windows Embedded, which is most likely what they were using, which you can strip down and lock down as well as any Unix-based OS. This isn't an exploit; the operating system has nothing to do with it. If you have physical access to the hardware, there's no amount of security that would help.
by Random_Walk June 5, 2009 10:14 AM PDT
"which you can strip down and lock down as well as any Unix-based OS."

http://www.techsupportforum.com/security-center/general-computer-security/356721-windows-xp-professional-embedded.html

...and I quote: "I have a client that has been using their XP Embedded CCTV controller as a web browsing station and now has it contaminated beyond repair. I'm going to be receiving a restore disk from the vendor of the device to reinstall the system. I'm trying to determine if there are some anti-virus products that anyone has experience with that support the XP embedded product. I know that CA has one, but it's seems to only be available to vendors of embedded products. Any information would be appreciated."
by ti99_forever June 4, 2009 11:26 AM PDT
Give me an ATM whose software is not layered on top of a "general-purpose" OS, like perhaps Forth.
Reply to this comment
by pentest June 4, 2009 1:15 PM PDT
Exactly right.

Even a desktop Linux is overkill, although it is many orders of magnitude more secure.
by inachu June 4, 2009 12:13 PM PDT
It does not take an insider.
It could be some tech who has an infected USB thumb drive and infects the OS.

I bet 100% that the ATM has ZERO protection.
At this point a single enterprise software solution is not the answer, and you could end up using up to 8 different tools to clean the OS of any infection/modifications.
Reply to this comment
by gertruded June 4, 2009 12:28 PM PDT
Windows again, and again, and again. Why would anyone with a critical operation use Windows? To claim it could equally be any other OS that got hacked is just nonsense.

The problems with Windows are increasing each year.
Reply to this comment
by monkeyfun14 June 4, 2009 12:44 PM PDT
XP is an old OS.

We are on Vista now; the problem has most likely been solved.
by gertruded June 4, 2009 12:58 PM PDT
Monkey, there are 10, that is 10 new security patches including for Vista coming for next week. The Windows patching will continue for a long time.
by monkeyfun14 June 4, 2009 2:11 PM PDT
@gertruded

I was referring to this problem. There have been 7 service packs just for OS X Leopard; Apple users don't have any right to talk.

Ubuntu patches regularly as well: 10 full OS releases in 5 years, each with its own set of occasional patches...
by Vegaman_Dan June 4, 2009 2:52 PM PDT
XP replaced OS/2 Warp on ATM systems back around 2000 because nobody supported OS/2 anymore as an obsolete system.
by ikramerica--2008 June 4, 2009 12:37 PM PDT
ATMs running a full OS are created by lazy people who are not serious about security. You should not buy from this vendor.

ATM interfaces are far from complicated. Umpteen DOS games were more graphically and functionally complex. Same with "cartridge" games that don't run on an OS at all. The ATM company can program their machines directly without any OS overhead, including the ability to phone home and to be monitored remotely securely, with no IP addresses, and with no internet access as we know it. They are just too lazy, or the banks aren't willing to pay for the security.
Reply to this comment
by Vegaman_Dan June 4, 2009 8:11 PM PDT
I can see based upon your comments that you have never worked in the IT banking industry at all. ATMs *all* run a version of a full OS. Embedded systems aren't so limited as you might be mistaken to think. It is much more cost effective to write your drivers and a few scripts for a common OS than to pay to have an OS written solely for you or your hardware, not to mention the hideous support nightmare that would cause as well by having your own proprietary setup.

They aren't lazy, and the FDIC won't allow them to do what you suggest.
by ikramerica--2008 June 5, 2009 1:42 AM PDT
Uh huh. Whatever you want to say to convince yourself that it isn't all about cost for the sake of security.

ATMs did NOT, when they first arrived on the scene, run commercially available OSes. This is a later development, a decision that was improperly arrived at based on your logic, and ultimately, it hasn't decreased IT nightmares nor increased security, nor have ATMs gotten any additional functionality. But the interface does look a bit nicer.
by Vegaman_Dan June 4, 2009 12:55 PM PDT
I have had to work on ATM systems before and it's just a nightmare. As they are run by the bank, the bank's own IT group isn't allowed to make any changes to the systems before getting federal government (FDIC) approval using test labs for months prior to any change or update.

As a result, these systems run pretty much bare to the world. No OS updates or patches are deployed until approved by the FDIC process management and that can take typically 12-18 months *after* the patch comes out from the OEM.

Thankfully these machines are not on the internet directly, and communicate to a server in the bank branch itself that then uplinks from that point. The only real way to get to an ATM's actual OS is to have physical access to the machine and that means an inside job or infection from untrusted sources.

The machines are commonly locked down with no admin access, temporary one hour/one day only passwords, etc. The FDIC is pretty picky about how these are run, but they are a governmental agency so that 12-18 month delay is very frustrating for anyone in the banking IT industry.
Reply to this comment
by gggg sssss June 4, 2009 7:53 PM PDT
Then again, those things in gas stations in Texas and Moscow are not bank owned.
by balpetegim June 4, 2009 3:49 PM PDT
thanskksss
Reply to this comment
by June 4, 2009 7:14 PM PDT
The day I saw a Microsoft virus, I mean OS on a BoA machine I changed banks. New hardware, and it took 2-3 times as long to do any transaction. Typical MS product, and I assumed it wouldn't be long before this story was posted as well.
Reply to this comment
by gggg sssss June 4, 2009 7:55 PM PDT
And that other bank runs what? Looking for clues with both hands in the dark.
by Vegaman_Dan June 4, 2009 8:12 PM PDT
Or it could be that the network was slow in general, the bank's own systems were slow, lots of customer traffic was happening at that moment, or any number of things that you didn't stop to consider.

XP isn't the most dominant of ATM OSes, by the way... it's Linux. Guess what BoA uses, and it's not a Microsoft product.

Care to try your comments again?
by Dalkorian June 5, 2009 9:12 AM PDT
No Dan, it's not that the network was slow, or the bank's systems were slow, or lots of customer traffic, or any nonsense like that. I too am a BofA customer and I understand what blank here is saying, though I was wondering where he got the idea it was M$ virusware at fault (in fact I'm still wondering where he got that idea).

Our local branches replaced older and simpler machines with these Diebold monstrosities. I guess they're pretty cute in that they can scan checks and read the check amount themselves, but they literally take at least twice as many keystrokes as the older machines to do the same transactions. I used to be able to be no more than a minute at the ATM getting cash out; now the same action takes upwards of 3 minutes depending on how flaky the idiotic touchscreen feels like being. The new systems are prettier, but drastically slower to deal with, not because the systems are slow but because they have added so many more screens to navigate. There may be physical keys correlating with all the onscreen functions, but I haven't been able to figure out the key mapping. It's "easier" to hammer on the stupid screen for 5 seconds to get it to react than it is to start pressing random keys and hope you don't screw up your account.

I have no idea what OS these atrocities of nature run and as long as they're not on the internet themselves I'm not sure it matters. But when you try one of these things you'll agree they are an affront to mankind and deserve to be blown to tiny little pieces.

Why doesn't it matter? Because physical access is God - what was custom created for these machines could have been written for and planted in any OS (including Linux and Unix). It wasn't a particular winblows weakness that was exploited, it was the physical security of the machine itself.
by stevicus June 4, 2009 7:29 PM PDT
where's spock?
Reply to this comment
by Dalkorian June 5, 2009 9:12 AM PDT
He got beamed up.
;-)
by johnfranks1234 June 5, 2009 4:40 AM PDT
Most companies enjoy "security" insofar as they haven't been targeted yet, or suffered a human error resulting in a catastrophic exposure. We practice Disaster Awareness, Preparedness and Recovery (DAPR). Basically, best practice dictates that you first strive to prevent disaster (awareness, preparedness) and have things in place for any contingencies (recovery). DR sounds, and is, reactive. DAPR's principles state that "In the realm of risk, unmanaged possibilities become probabilities."
Under this statement, any IT leader can then show risk to business, and make the logical case to Business (that is, IT Governance) for some measure of budget. PricewaterhouseCoopers and Carnegie Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has a great chapter on security, and also reinforcing elements in many other chapters. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action. Once awareness is in place, prevention is leveraged to the degree that you achieve an accrual of returns: Much more effort and budget can go for contingencies. We were naked before we found this book.
In the realm of risk, unmanaged possibilities become probabilities: read the book BEFORE you suffer a bad outcome.
Reply to this comment
by jennywren1420 June 8, 2009 8:58 AM PDT
I absolutely detest those new machines, the ones that eat up your checks, that have no envelope and no deposit slip, that don't always return a receipt and more. I have had similar problems, too, with touch screens. The whole thing makes no sense to me. And all this is happening at a major bank! There was no need for the complications (not everyone can even understand what they need to do to work the things) or the expense involved in replacing a perfectly good kind of ATM with those monstrosities.

Not a Luddite; I just know that "when it's not broke, don't fix it" applies to big business like banks as well as to everyday realities.
Reply to this comment
by SkyFader September 30, 2009 5:06 PM PDT
We recommend 3 steps:

remote location of physical hard disk access (physical security)
remote access application (Terminal Server or Citrix) emulation
encrypt the hard disk information

Why? (ATMs are a physical vulnerability; in Latin America ATMs are removed from their physical location.)
And the focus of this new trend is the INFO ON A HARD DISK and the software.

Some info on ATM criminal trends is at http://skyfader.blogspot.com (sorry, it is in Spanish)


SkyFader@gmail.com
Reply to this comment