New Sophisticated ATM Attack Could Be Coming To A POS Near You
Written by Evan SchumanIn the history of data breaches, attacks are often first tried on bank ATM machines (because that’s where the money is and the units are often outside 24×7) before migrating down to retail POS. But if the ATM assaults work well, don’t think they won’t migrate. Mention this because of a fiendishly clever series of ATM attacks in Russia and the Ukraine where cyberthieves “insert customized cards into the machine in order to retrieve encrypted PIN and magnetic stripe data,” according to payment newsletter The Nilson Report.
“Once the malware had been installed into the ATM’s transaction-processing application, it was able to respond to cards designed to trigger the appearance of a screen menu listing illicit actions,” the newsletter reported. “These included the ability to write the stolen data onto the trigger card’s magnetic stripe or to print it as hard copy, in an encrypted format, from the receipt printer. A multifunction card also had the ability to eject cash cassettes loaded from the front of the machine.” Imagine what such a breach could do with a retail chain’s full payment and POS databases?
-Marc
June 20th, 2009 at 5:02 pm
The way this story is worded makes it sound much worse than it really is. The “customized card” did not attack the ATM. It did not install the malware. And the card certainly did not have some magical ability to eject cash cassettes or print track data – those were all functions of the malware, and were only triggered by the presence of the card. The malware was installed earlier.
The purpose of the custom cards was to give them to “mules”, low-level criminals whose job is to do the risky work of actually appearing in front of the cameras and dumping the mag stripe data. The mules likely know nothing except that they’ll be paid for following instructions and giving the printed receipts to some other guy, probably waiting in a nearby car. This is the same M.O. that we see used by professional boosters.
The criminal even encrypted the track data printed on the receipts so that the mules wouldn’t be able to steal them!
The real question is why the criminal would go to all this trouble if he had network access to the equipment in the first place? If he could hack the machine on-line and install his malware remotely, he wouldn’t have to send a mule to recover the track data – he’d just connect to the machine at a later time and dump it. To me, this implies he never had network access to the ATMs, so he developed the software to be physically installed by an accomplice, either working for the bank or working for an ATM maintenance company.
On its face, this seems an unlikely threat to a PCI compliant retailer’s POS systems. I have to believe most past instances of retail card theft took place on-line; the vast bulk of stolen data was certainly retrieved via networks. However, with retailers following PCI advice to segment and isolate their POS systems, the equipment becomes less vulnerable to network attacks. Physical Trojan horse attacks (such as this type of malware loaded onto a USB key and surreptitiously plugged into the back of an unattended POS register, or installed by an insider, and later triggered by a special credit card) might become a novel attack vector. But for some reason I doubt that we will see it as a generic widespread attack.