Best Practices for Preventing ATM Malware, Black Box and Cyber-Attacks


Best Practices for Preventing ATM Malware, Black Box and Cyber-Attacks

International Minimum Security Guidelines and Best Practices

Produced by the ATM Industry Association

Contributors Include:

Copyright Information

Copyright 2015 ATMIA, All Rights Reserved. For ATMIA members only. E-mail Mike Lee, ATMIA's CEO, at mike@atmia.com

Disclaimer

The ATM Industry Association (ATMIA) publishes this best practice manual in furtherance of its non-profit and tax-exempt purposes to enhance the security of ATM systems from malware, black box and cyber-attacks. ATMIA has taken reasonable measures to provide objective information and recommendations to the industry but cannot guarantee the accuracy, completeness, efficacy, timeliness or other aspects of this publication. ATMIA cannot ensure compliance with the laws or regulations of any country and does not represent that the information in this publication is consistent with any particular principles, standards, or guidance of any country or entity. There is no effort or intention to create standards for any business activities. These best practices are intended to be read as recommendations only, and the responsibility rests with those wishing to implement them to ensure they do so after their own independent relevant risk assessments and in accordance with their own regulatory frameworks. Further, neither ATMIA nor its officers, directors, members, employees or agents shall be liable for any loss, damage or claim with respect to any activity or practice arising from any reading of this manual; all such liabilities, including direct, special, indirect or consequential damages, are expressly disclaimed. Information provided in this publication is "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or freedom from infringement.
The name and marks ATM Industry Association, ATMIA and related trademarks are the property of ATMIA.

Please note this manual contains security best practices and should not be left lying around or freely copied without due care for its distribution and safekeeping.

ATM INDUSTRY ASSOCIATION GLOBAL SPONSORS – 2015

Copyright 2015 ATMIA All Rights Reserved www.atmia.com 2015-04 FOR ATMIA MEMBERS ONLY Page 2 of 24

Table of Contents

Foreword
Executive Summary
Acknowledgements
Chapter 1. Introduction
Chapter 2. ATM Malware
  2.1. OVERVIEW
  2.2. MALWARE FUNCTIONALITY
  2.3. MALWARE INSTALLATION
  2.4. ACCESSING THE ATM
  2.5. EXECUTION OF MALWARE
  2.6. DETECTION OF MALWARE
  2.7. ATM MALWARE CASE STUDY EXAMPLES
    2.7.1. Skimer-A
    2.7.2. Unknown
    2.7.3. Scrooge
    2.7.4. Siberian Malware
    2.7.5. Dump Memory Grabber
    2.7.6. Backdoor Ploutus
    2.7.7. Backdoor Ploutus, Version B/Ploutos
    2.7.8. Trojan.Skimer.18
    2.7.9. Atmh4ck
    2.7.10. Backdoor Ploutus, Version B/Ploutus (SMS)
    2.7.11. Unknown
    2.7.12. Backdoor.Padpin
    2.7.13. Macau Malware
    2.7.14. Unknown
    2.7.15. Backdoor.MSIL.Tyupkin
    2.7.16. Trojan.Skimmer (New Variant)
Chapter 3. Black Box Attacks
  3.1. OVERVIEW
  3.2. BLACK BOX FUNCTIONALITY
  3.3. ATTACHING BLACK BOX DEVICES
  3.4. ACCESSING THE ATM
  3.5. EXECUTING BLACK BOX ATTACKS
  3.6. DETECTING BLACK BOX ATTACKS
Chapter 4. Hijacking ATM Control and Authorization Systems
  4.1. OVERVIEW
  4.2. CARBANAK CASE STUDY
  4.3. MAN-IN-THE-MIDDLE CASE STUDY
Chapter 5. Best Practices
  5.1. MITIGATION BEST PRACTICES
Chapter 6. Further Reading and Links
  6.1. USEFUL READING
  6.2. STANDARDS DOCUMENTATION

Foreword

In October 2014, the ATM Software Security Committee released Version 3 of the ATM Software Security Best Practices Guide. Containing 127 pages, it provides an extremely in-depth analysis of software architectures, standards compliance, risks and mitigation factors relevant to ATM software and systems.

Cyber-attacks targeting ATMs and the systems that control them have become an ever more important financial and reputational threat in many countries and regions. This document specifically focuses on actual criminal techniques known to have been perpetrated globally and identifies best practices that can be deployed to reduce the risk of such attacks being successful.

To combat fraud, it is imperative that all ATM deployers in all regions and countries take best practices very seriously, and implement all guidelines and best practices contained herein to the greatest extent possible.

Mike Lee, CEO ATMIA
April 2015

Executive Summary

Please note that this Executive Summary cannot replace reading the whole manual. The summary is merely a guide to the content and main principles of these best practices.

The aim of this guide is to help ATMIA members identify and mitigate sophisticated attacks against ATMs from malware, black box electronics and other cyber-attack methods.

1. Over the last few years there has been an increase in reported incidents of ATM fraud involving malicious software (malware) running on ATMs, sophisticated electronic (black box) devices attached to ATMs, the hijacking of ATM control systems and the interception and modification of ATM transaction authorization messages (man-in-the-middle attacks).
2. A common purpose of ATM malware is to force the dispenser to deliver all or some of the cash held within the ATM. Other purposes include interception and storage of cardholder data and other sensitive information.
3. Black box electronics attached directly to an ATM can allow the perpetrator to exert control over the functioning of the ATM.
4. Black boxes designed to control the dispenser allow the perpetrator to dispense cash without the need to perform a transaction using a card and PIN.
5. If a perpetrator gains access to an organization's ATM control and authorization systems, the perpetrator has the potential to take full control of the system, including account balances and withdrawal limits; in addition, the perpetrator may be able to directly manipulate specific ATMs in the network.
6. ATMIA members concerned about ATM malware, black box and other cyber-attacks can adopt a range of best practices to help mitigate risk.

Acknowledgements

ATMIA is indebted to the individual contribution of the following experts:

Technical Editor: Douglas Russell, DFR Risk Management Ltd.
Contributor: Juan Jesus Leon Cobos, GMV
Contributor: Irmantas Brazaitis, Smart Card Security Ltd.

Finally, we wish to thank the original contributors to Version 3 of the Software Security Best Practices guide from which this document has evolved:

Henry Schwarz, Triton
Juan Jesus Leon Cobos, GMV
Irmantas Brazaitis, Smart Card Security Ltd.
Jim Tomaney, Q-ATM Ltd.
Douglas Russell, DFR Risk Management Ltd.

Chapter 1. Introduction

Over the last few years there has been an increase in reported incidents of ATM fraud involving the following:

• ATM Malware – malicious software running on ATMs
• Black Box Electronics – sophisticated electronic devices attached to ATMs
• Hijacking of Control Systems
• Man-In-The-Middle Attacks – the interception and modification of ATM transaction authorization messages

The primary objectives of such attacks include:

• Compromising data (including cardholder information);
• Forcing the ATM dispenser to deliver cash without the need to use a genuine card and PIN to perform a transaction (jackpotting and cash-out attacks); and
• Obtaining more cash than is debited from an account.

Attacks have been successful against various ATM models from different suppliers running different versions of ATM software and equipped with different levels of fraud protection solutions.

As a result of the increase in reported incidents, financial institutions have increased their awareness of cyber-attacks. In addition, the April 2014 end-of-life status for MS Windows XP, and the resulting discontinuation of security patches for the XP operating system (OS), has raised awareness of security issues. On a positive note, the increased awareness has encouraged knowledge and understanding of cyber-threats, thereby paving the way for better protection.

However, it should be noted that no published attacks to date have made use of OS vulnerabilities; therefore, no significant impact on the incidence of cyber-attacks due to XP end-of-life is expected in the short term. This conclusion is supported by the following:

• Experience from NT end-of-life: no attacks that specifically exploited NT vulnerabilities took place; yet a considerable number of NT installations remained in the field after end-of-life, some of which are still in existence.
• Regular patching of an ATM OS is usually subject to extensive testing, which requires planning and time. Because timeframes for Microsoft patch releases and ATM software deployment vary, the ATM OS is typically behind the most current security patch level.
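The two conditions the introduction describes, an ATM still running an out-of-support OS such as XP, and an ATM whose patch level lags the current Microsoft release, are both easy to measure across a fleet once each machine reports its OS caption and installed hotfix list. The following is an added example, not code from the ATMIA guide or from any ATM vendor. It assumes a management agent returns the OS caption and the raw text of `wmic qfe get HotFixID,InstalledOn` for each ATM; the inventory, the KB numbers, the audit date, the "latest release" date and the 90-day lag threshold are all constructed for illustration.

```python
"""Fleet patch-lag audit for ATMs.

Added example, not from the ATMIA guide. Assumes each ATM reports its OS
caption plus the text of `wmic qfe get HotFixID,InstalledOn` (two columns,
M/D/YYYY dates, InstalledOn sometimes blank). All data below is constructed;
the KB numbers are placeholders, not real Microsoft updates.
"""
from datetime import date, datetime

# Public end-of-support date for the OS the guide discusses (XP: 8 April 2014).
EOL_OS = {
    "Microsoft Windows XP Professional": date(2014, 4, 8),
}

# Assumed audit parameters: when the audit runs, the most recent Microsoft
# security release to compare against, and how far behind is acceptable.
AS_OF = date(2015, 4, 1)
LATEST_RELEASE = date(2015, 3, 10)
MAX_LAG_DAYS = 90

# Constructed inventory: atm_id -> (OS caption, wmic qfe output).
INVENTORY = {
    "ATM-0001": ("Microsoft Windows 7 Professional",
                 "HotFixID   InstalledOn\n"
                 "KB0000001  1/13/2015\n"
                 "KB0000002  \n"              # wmic sometimes omits the date
                 "KB0000003  3/10/2015\n"),
    "ATM-0002": ("Microsoft Windows 7 Professional",
                 "HotFixID   InstalledOn\n"
                 "KB0000001  9/9/2014\n"),
    "ATM-0003": ("Microsoft Windows XP Professional",
                 "HotFixID   InstalledOn\n"
                 "KB0000004  3/11/2014\n"),
    "ATM-0004": ("Microsoft Windows 7 Professional",
                 "HotFixID   InstalledOn\n"),  # no hotfix reported at all
}


def parse_qfe(text):
    """Return [(hotfix_id, installed_date)] from wmic qfe output.

    The header row is skipped. Rows with a missing or unparseable date are
    dropped rather than guessed, so a blank InstalledOn can never make an
    ATM look more recently patched than it is.
    """
    hotfixes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            installed = datetime.strptime(parts[1], "%m/%d/%Y").date()
        except ValueError:
            continue
        hotfixes.append((parts[0], installed))
    return hotfixes


def last_patch_date(text):
    """Most recent dated hotfix on the machine, or None if there is none."""
    dates = [d for _, d in parse_qfe(text)]
    return max(dates) if dates else None


def audit(inventory, as_of, latest_release, max_lag_days):
    """Map atm_id -> list of findings; an empty list means nothing to flag."""
    findings = {}
    for atm_id, (os_caption, qfe_text) in inventory.items():
        issues = []
        eol = EOL_OS.get(os_caption)
        if eol is not None and as_of >= eol:
            issues.append("OS out of support since %s" % eol.isoformat())
        last = last_patch_date(qfe_text)
        if last is None:
            issues.append("no dated hotfix reported")
        else:
            lag = (latest_release - last).days
            if lag > max_lag_days:
                issues.append("%d days behind latest security release" % lag)
        findings[atm_id] = issues
    return findings


def run_audit():
    """Run the audit against the constructed inventory."""
    return audit(INVENTORY, AS_OF, LATEST_RELEASE, MAX_LAG_DAYS)


if __name__ == "__main__":
    for atm_id, issues in sorted(run_audit().items()):
        print(atm_id, "OK" if not issues else "; ".join(issues))
```

The lag is measured against the last Microsoft release rather than against today's date, so an ATM that is fully current is not penalised for the normal gap between Patch Tuesday and the next deployment window; the threshold is what turns the guide's observation that ATMs "typically" lag into a number an operator can act on.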

ATM Malware, Black Box and Cyber-Attacks

However, we also expect that risks due to OS vulnerabilities will gain importance in the future for two main reasons:

• While they were relatively uncommon and poorly organized at the time of NT end-of-life, cyber-attacks are now on the rise. We know that cyber-mafias are behind many attacks today. These organizations will likely consider all possible attack
