WIXLIB

HACKING NEXT-GEN ATMS:FROM CAPTURE TO CASH-OUTWeston Hecker, Senior Security Consultant with Rapid7@westonheckerAbstractTo build better protection methods and safeguard ATM networks, I spent the past year analyzing and testing new methodsthat ATM manufacturers implemented to produce “next-generation” secure ATM systems. This presentation explains thata motivated attacker could bypass anti-skimming/anti-shimming methods introduced to the latest generation ATMs, andperform EMV/NFC long-range attacks that allow real-time card communication from over 400 miles away.I will demonstrate how a 2,000 investment can perform unattended “cash-outs,” also touching on past failures with EMVimplementations and how credit card data of the future will most likely be sold with the new EMV data, with a short life span.I will introduce “La-Cara,” an automated cash-out machine that works on current EMV and NFC ATMs. La-Cara is an entirefascia placed on the machine to hide the auto PIN keyboard and flash-able EMV card system that silently withdraws moneyfrom harvested card data. This demonstration of the system can cash-out around 20,000- 50,000 in 15 minutes. Our hope isthat revealing these methods will drive mitigation of these types of attacks.IntroductionCriminals of the credit card theft underworld will face a challenge as the world switches entirely to Europay, MasterCard andVisa (EMV), or chip and pin transactions. Magnetic card data will be limited to 40 USD in the coming year, which is pushing alarge amount of fraud onto online Card Not Present (CNP) theft, such as online transactions.This research idea came to me while I was exploring carder sites used by criminals. I was writing web-based software totrack and monitor online databases of Bank/Issuer Identification Numbers, or BINs/IINs. BINS/IINs consist of only the first 6digits of the card and indicate the issuer of the card. For example, 000000 is the Weston Bank of Manhattan.While searching for this information, I noticed that BIN/IIN box lists were being discussed on several of the harder-to-visitforums. BIN/IIN box lists are Assumed POS (Point of Sale) limits of cards and ATM limits based on the issuer. This information was being harvested from cash-out crews and reported back to the people on top. This led me to think about what thebad guys’ next step(s) will be. So I started researching EMV protocols and standards, looking at how they have changed overthe years and been modified to compensate for fraud.EMV is a very in-depth and progressive method of conducting credit card transactions. Originally conceived in the mid ‘80sand integrated in Europe several years ago, it is also used in several other countries, except the United States, which isexpected to adopt the change in several phases, the first of which occurred in 2015. Several other liability shifts will happenover the next few years, and a reference to a list of relevant dates is provided at the end of this paper. These “milestones” areexplained in more detail, but the gist is that stores and other entities will become increasingly liable for damages that occurfrom theft and fraud from a variety of sources.With this paper and lecture, I hope to improve the overall knowledge of financial institutions and ATM manufacturersregarding the lengths that carders will go to in order to use stolen credit card data. My goal is to encourage proper maintenance and communication with fraud backend systems, in order to reduce the negative impact of attacks against thesesystems. Rapid7.comHacking Next-Gen ATMs1

Active Research PhaseWhile there is no lack of publishedEMV protocol exploits and relay attacksonline (and there are links to severalat the end of this report), I had neverseen a situation where carders hadsuccessfully used EMV attacks on ATMmachines. Looking at other research,it is clear why: the volatility and timeconstraints associated with thesetransactions. There is a very smallwindow of time available for the attackto actually occur.The first step of this research requiredconstructing a real-time deliverysystem, as most of the cards issuedin the United States at the time ofthis paper do not use static cards. Fordetailed explanations of the differentEMV chips—including SDA (Static DataAuthentication), DDA (Dynamic DataAuthentication), or CDA (CombinedData Authentication)—several onlineresources are listed at the end of thisreport. These methods have evolvedbecause of their effectiveness atfighting fraud due to counterfeiting.The second step of my researchincluded reading the standards relatedto the EMV protocol. After gainingan understanding of how everythingworked, I explored previous researchby the University of Cambridge SecurityGroup1, among others, that demonstrated relay attacks on point of sale(POS) systems in the past. I looked atwhat was still working from the attacksand, with that information and anunderstanding of some of the changesto the standards that had occurredduring my own research, I could understand the current attack surface andwhat would be needed to apply some ofthe same methods to ATM machines.converted and upgraded it with an“EMV-ready kit,” which includedhardware and software updates to thesystem. The ATM that is used in thedemo is unmodified, aside from thehardware being switched from a (DIP)Magnetic Card Reader to a (DIP) EMVcard reader.For some of the other testing, I alsofitted the device with a third-partyForeign Object Detection (FOD)system, which is a device for detectingskimmers installed on the ATM; itputs the device into service mode ifsomething is detected on the machine.This ATM, as stated, is unmodifiedaside from the upgrade I performed.The only thing necessary to put thisATM into a full production environmentwould be DES keys to associate with theGateway Provider, which is the first stepin communication with banks and theaccounts associated with the banks.The fourth step in the researchincluded looking at open sourcesoftware used to read some of thesmartcards and EMV cards that are onthe market. After I felt like I had a graspof the EMV transaction limitations, Ibought some hardware to start relayingthe transactions over short distances.The first device I purchased was oneused for relaying a card and the information associated with the smart cardto other rooms in the house.This concept may seem simple, butsome of what this device evolved intoonce it was switched to longer rangeand modulated for transfer overEthernet becomes a bit more difficultto understand. I will be doing presentations on the hardware associated withthis in additional research papers andtalks in the future.Along with some of the previousmethods used to pass off EMVtransactions, I focused on the“skimmer” portion. When performedon EMV cards, it is a process called“shimming2,” as the device is setin-between the contacts of device A andrelayed to contacts on device B on thecash-out side.I built a simple “Pong” approach totest how the device handled datapassed from one pin in one machineto another. The pong tool I build cantest the effect of data when latency andother factors are introduced also viewsome of the limitations that come withdevices, including distance errors andpercentage rates associated with thenature of electromagnetic data. Thisshould have provided enough information to move on to the next phaseof the attack: the distribution of stolencard data.2 himmer-found-inmexico/The third step was acquiring an ATMthat would work for the purposes ofmy testing. I chose an ATM that wasaffordable but still in wide production.After the ATM was purchased, I1 /relay/ Rapid7.comFigure 1: Image showing contacts where information is relayedHacking Next-Gen ATMs2

System That Allows Transactions to Be Delivered inReal-TimeFor these transactions to be monetizedby malicious parties, the way creditcard fraud is performed needed acomplete redesign. The current methodinvolves skimmed batches of creditcard data, which is used to createcloned credit cards. The magneticstrips originally found usage on modernday credit cards in the ‘60s and ‘70s.The high amount of fraud and ease ofduplication is what led to the standardfor EMV.Figure 1 shows what is required tomonetize transactions that have aone-minute life span. It includes whatinformation is sent, along with theactual card and transaction data. Thisincludes instructions for PIN entry intoan Arduino-based motor system likeon La-Cara, the automated methoddemonstrated on stage at Black Hat.Today, the system for Live Transactionsales – made up of carder purchasepages and the delivery platform – donot work as they did for carder sitesof the past. Previously, you simplypurchased static data; however, thenature of EMV transactions means thisno longer works as they have data thatis not static – it evolves through eachtransaction and requires communication with the cashout ATM.So as carders would buy specific bankand ATM limits they now buy transaction timeframes or blocks of timewhen their transactions, along withthe previous field cart information, willbe passed to their required cashoutdevice.Before this card data can be passedoff in real time, secure communications need to be established to ensurethat there are no lags or windows oftime that are missed. It takes aboutseven seconds to construct the tunnelneeded for the transaction to be passedthrough the secure fraud network.Before the cashout ATM even readsthe initial conversation with the remoteshimmed card, the transaction ispassed off to a protected network.The device is on a protected DMVPN(Dynamic Multipoint Virtual PrivateNetwork) network for several secondsbefore the transaction takes place.There is encoded information providedin the payment blockchain; details ofother transactions are sent through toinitialize the tunnel. This is the pointwhen the initial challenge conversationfrom the cash out ATM is passed to theshimmer for the hijacking of the transaction. It is the initial secure connectionthat allows secure real time communication to take place.sign the keys to the device to register itas the device of that transaction. So inaddition to the VPN tunnel informationgenerated off the passwords, there arealso device keys generated to add thedevice to the fraud network. This is sodevices on the fraud network can formtrust to their assigned skimmer andnot other devices on the network.Figure 2 shows an example of thefunctionality that will most likely beadded to the carder sites once theability to sell shimmed EMV transactions is more wildly explored. Thereare already indicators of the cardersheading down this path, as they seemto be researching the settings and flagsfor each of the financial institutions asthey probe the devices. When thinkingof the concept behind the page, Ithought of what the current systemsoffer and what will be needed to deliverlive data of this nature, as well as someof the shortcomings they would comeacross and how the third generation ofthe sale and the transmission of stolendata would progress in the neverending cat-and-mouse game betweenthe good guys and the bad guys.This leads to the second requirementwhen the carder is checking out, whichis two passwords: one to establish aVPN tunnel to the device and another toFigure 2: Example of carder site once EMV transactions become a method of cash-out. Rapid7.comHacking Next-Gen ATMs3