
SIMPLE: ‘How to protect ATMs’, Cyber security expert, Adeniji Ilerioluwase

reportgist.com 2 days ago

The spate of attacks on Automated Teller Machines (ATMs) has raised concern, with security experts offering solutions on how to combat the situation.

Cyber security expert Adeniji Ilerioluwase said that the malware most commonly used by cyber criminals against ATMs is known as Tyupkin. This malware makes ATMs dispense cash on demand without the use of cards. It is one of several builds used by attackers to compromise ATMs.

Padpin and Plotus are very strong strains of malware that came to light in 2013 and have been used to steal millions of dollars in cash from ATMs.

Hackers are getting very creative and employ different techniques and methodologies to steal users' confidential information. It is no surprise that the banking sector is a major target for cyber hacktivists, as hackers need money to fund their attacks.

Different tools and malware are being used to steal personal information and card data, or even to bypass authentication for user bank accounts. US intelligence estimated in 2008 that thefts from ATMs exceeded a billion dollars. In the past these cybercriminals have used phony number pads and skimmers, malicious devices attached to an ATM so that when a user inserts their card, the skimmer creates a copy of the card and also captures the PIN. Cameras are also attached to the targeted ATM to capture the PIN as it is entered, and the footage is transmitted back to the cybercriminals through emails or phone lines. These criminals risk being detected and caught, as they have to attach a device to the ATM and later return to remove it, while trying to avoid the surveillance devices installed on ATMs. Depending on the skill level of the malicious hacker, different tools can be used to avoid detection.

In developing countries like Nigeria, where no serious background check is done on employees before hiring, these hackers can even get jobs with ATM servicing companies, which gives them direct access to the ATM to perpetrate their attacks. This access lets them install malicious code or attach malicious devices to the ATM without attracting attention, and also helps them remove these devices after the attack to avoid detection. These criminals also exploit the bank's wireless Internet connection, which is often used to monitor ATM cash levels.

Remote hacking of ATMs occurs frequently and is a great threat to the financial sector of any economy. The devices used in perpetrating ATM hacks are readily available in underground markets and can be sophisticated enough to be well hidden when installed on ATMs. Some of the malicious codes used to hack ATMs are even sometimes free on the Internet. It is often said that anyone with a bit of technical knowledge, malicious code, access to an ATM or help from an insider can easily hack an ATM.

In 2013, it was discovered that attackers cut out parts of the body of ATMs to expose the machines' USB ports, so that they could plug in devices carrying malicious code. That year, the attackers took only the highest-value notes from the machines to minimize the duration of the attack and reduce the risk of exposure. The holes made in these ATMs were also patched back to cover up any evidence of the theft.

Investigations into these thefts revealed that the infected ATMs were compromised by sophisticated, well-written malicious code from highly skilled developers. They also had vast knowledge of ATMs, which means that they would have had at least one machine to test on and to reverse engineer the cash client before the attacks, or possibly even had help from someone on the inside.

After the malware has infected the ATM, it is triggered by an access code typed in by the attacker, and the malicious software launches its interface. This interface can display the cash available in the ATM, the denominations available and other functions, and can instruct the machine to pay out money in whatever denomination the attacker chooses.

Due to the level of distrust among these hackers, they sometimes employ double-factor authentication before money can be successfully stolen from an ATM. This means that after the on-site team inputs the first code, the back-end team also has to put in a code before the ATM will dispense cash, as a measure of control and to be sure of how much is stolen. If the attempt is not successful, the machine returns to its normal mode of operation, usually after three minutes. This malware can also be used to steal confidential user data such as PINs, but it is more often used to dispense immediate cash for the hackers. The key file in this malware is named hack.bat, and it is feared that the malware will be widely used across different continents.

In the past, cybercriminals compromised ATMs with card skimmers that intercept card information; recently they have shown a strong preference for attacking ATMs with malicious code. This approach makes it possible to compromise ATMs so that they dispense cash without the use of cloned cards. The malware variant named Tyupkin, a code name given by Kaspersky Lab, has infected thousands of ATMs and was mainly used to exploit machines running 32-bit versions of Windows. Tyupkin was first found on ATMs in Europe and spread to other countries, including the US, China, India and African countries.

In March 2014, a variant of malware named Plotus was discovered that could exploit vulnerabilities in Windows XP-based ATMs. This allowed attackers to steal cash from ATMs by simply sending text messages (SMS) to the targeted machine. The most recent variant of Plotus is dubbed Backdoor Plotus B; it allowed attackers to send a text message to a compromised machine and then walk up to the ATM to pick up the cash dispensed.

This attack requires cyber criminals to have physical access to the targeted machine in order to connect a mobile phone to a USB port, allowing the phone and the ATM to share a network connection through USB tethering. Once the connection is established, the attacker sends SMS commands to the phone attached or hardwired to the machine. Because the phone is connected to the ATM's USB port, it also draws power from the machine to charge its battery, which ensures that the phone is always powered up. There are variants of Plotus that can steal customer card data and PINs, and some that can successfully execute a man-in-the-middle attack.

Measures taken to improve security and combat cyber attacks on ATMs include:

Replace all locks and master keys on the upper hood of ATMs and put away all default keys provided by the manufacturer.

Change the default BIOS password.

Implement full disk encryption to prevent disk tampering.

Review the physical security in place for ATMs; banks should invest in quality security solutions.

Lock down the BIOS to prevent booting from rogue removable media such as CD-ROMs and USB sticks.

Ensure that ATMs have up-to-date antivirus solutions.

Provide adequate physical security for the machines.

Upgrade ATM operating systems and make sure that the operating system version in use is still supported.

Install effective CCTV and alarms and ensure they are in good working condition; the attackers behind Tyupkin only targeted machines that had no alarm installed. Ensure cameras are visible, so that they also serve as a deterrent.

Periodically review the state of the physical and logical security deployed for ATMs. Check ATMs from time to time for signs of tampering, such as the deployment of skimmers.

Install a system lockdown solution.

The machine should be securely fastened to the floor with an anti-lasso device.

Turn off file sharing if it is not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access to folders that must be shared only to user accounts with strong passwords.

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.

Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.

Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall.
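As an added example that is not part of the article, the following PowerShell audit script checks a Windows-based ATM host against several of the points above (firewall default-deny inbound, file sharing and anonymous access, non-essential services, and USB mass storage). It assumes Windows 8 / Server 2012 or later, an elevated session, and a hypothetical list of service names that should be replaced with the vendor's own baseline.

```powershell
# Added audit example (not from the article). Assumes Windows 8/Server 2012+ (NetSecurity and
# SmbShare modules) and an elevated PowerShell session. Reports findings; it changes nothing.
$findings = @()

# 1. Firewall: every profile should be enabled and block inbound connections by default.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)': Enabled=$($p.Enabled), DefaultInbound=$($p.DefaultInboundAction)"
    }
}

# 2. File sharing: a cash machine should expose no shares beyond the built-in administrative ones.
foreach ($s in (Get-SmbShare | Where-Object { -not $_.Special })) {
    $findings += "Non-default share '$($s.Name)' at '$($s.Path)': remove it or restrict its ACL"
}

# 3. Anonymous (null-session) access: RestrictAnonymous should be non-zero and
#    'Everyone' must not include anonymous logons.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if (-not $lsa.RestrictAnonymous) {
    $findings += 'RestrictAnonymous is 0: anonymous enumeration of shares and accounts is allowed'
}
if ($lsa.EveryoneIncludesAnonymous) {
    $findings += 'EveryoneIncludesAnonymous is set: anonymous users get Everyone-group permissions'
}

# 4. Non-essential services. This list is hypothetical; use the ATM vendor's hardening baseline.
$unneeded = 'RemoteRegistry', 'TermService', 'Browser', 'SSDPSRV', 'upnphost'
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -ne 'Disabled') {
        $findings += "Service '$name' is $($svc.Status) with StartType $($svc.StartType): disable it"
    }
}

# 5. USB mass storage: the attacks described above relied on USB access. Start=4 disables the driver.
$usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
if ($usb.Start -ne 4) {
    $findings += "USB mass-storage driver is enabled (Start=$($usb.Start)): disable it or whitelist devices"
}

if ($findings.Count -eq 0) {
    'No findings: host matches the checked hardening points.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated PowerShell prompt on the ATM host (or via remoting); each reported line maps to one of the measures listed above.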
