ATM Malware: Sign of New Trend?
Attacks in Mexico Exploit Common Vulnerabilities
A group of ATMs in Mexico was recently targeted by a new malware strain known as Ploutus as part of an attack that allowed hackers to remotely manipulate the cash denominations the ATMs dispensed.
But while this new type of targeted malware attack against ATMs poses a serious fraud risk, skimming is still a far greater threat, security experts say. And many of the same tried-and-true security precautions should be applied to mitigate risks associated with both ATM threats, they say.
Most ATM compromises result from insufficient physical and network security, says Ryan Linn, a managing consultant at information security and compliance firm Trustwave. If locks used on the ATM's enclosure are easy to break or if network connections fail to encrypt ATM transaction data, then cardholder data is invariably at risk, he says.
"We still see that the locks used on ATMs are insufficient to physically protect the devices, or that, in some situations, the alarms are not triggered when the devices are opened - so a machine could be tampered with and no one would know," Linn says. "We test a lot of different ATMs and other point-of-sale devices, and we still see a lot of traffic that is not encrypted, as well. It's still more prevalent than it should be."
But Jerry Silva, an ATM fraud expert and analyst at the advisory firm International Data Corp., says the new malware attacks could signal a shift in ATM fraud trends.
"I think malware is a much more insidious and potentially more dangerous crime," Silva says. "While we have technology that can minimize skimming, and can educate the customer around safe behavior at the ATM, malware is hidden and out of our control."
ATMs, POS Devices at Risk
In a just-published report about POS and ATM security, Trustwave includes testing research about the security of a number of different ATM makes, models and operating systems. Regardless of the brand, Trustwave found that a number of ATMs are susceptible to remote attacks, like the one that struck ATMs in Mexico, because of poor security of the ATM's computer system and/or a lack of encryption for ATM transaction protocols, such as NDC and 912.
"In our testing, we were able to change transactions without having physical access to ATMs," Linn says. "We just had to have knowledge of the network that the ATMs were transacting on."
Though the vulnerabilities noted by Trustwave in its recent research appear to be different from those exploited in the Mexican ATM attacks, Josh Grunzweig, a security researcher at Trustwave, says the recent compromise produced similar results.
The attacks in Mexico resulted from a physical compromise first - the ATMs were infected when CDs loaded with Ploutus were inserted into the terminals' CD-ROMs, says Grunzweig, who analyzed the Ploutus malware in his lab and blogged Oct. 10 about the Mexico attacks discovered by Russia-based security software firm SafenSoft.
"In most cases, we just see generic malware, like memory scrapers, used in attacks against POS devices," he says. "This one actually gave them the ability to dispense cash and allowed them to choose the types of bills they wanted to dispense. There also was a special keycode that was required to activate the GUI on the malware. This malware may have been designed for a certain brand of ATM, but other ATMs would be vulnerable."
But Ploutus-like attacks aren't likely to impact branch ATMs, says fraud expert Al Pascual, an analyst with consultancy Javelin Strategy & Research. The attacks against ATMs in Mexico required physical access that would be more difficult to achieve within a bank or credit union, he says.
"This would only really be practical with stand-alone ATM machines, as the criminal would need extended access, and that would certainly raise suspicion at bank-installed units," Pascual says.
Ploutus was created to compromise ATMs at the software level, and all of the known attacks so far have only affected off-premises ATMs - those located in retail locations, not in banking centers or branches, says SafenSoft's chief technology officer, Stanislav Shevchenko.
The anti-virus software on the ATMs infected with Ploutus malware files had been disabled, SafenSoft notes, which allowed fraudsters to launch their attacks.
"The only ways to prevent the installation of malware are either disabling external storage devices, which is not always possible, or using specialized protective software preventing modifications in the ATM operating system and using its own self-defense mechanism to avoid being disabled outside of normal procedures," SafenSoft states.
"Malware like this allows the cybercriminals to skip the whole process of cash withdrawal they have to take part in after using traditional ATM Trojans and skimmer-like devices to steal the plastic card information. Additionally, by spreading malware like that, criminals can easily bypass the traditional antivirus-based protection on the ATMs. If that Trojan gets massively distributed, any bank without specialized protection software on its ATMs will have hard times ahead," the company states.
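The conditions reported for the Mexico attacks (malware loaded from a CD, anti-virus disabled on the terminal) lend themselves to a simple monitoring correlation. The following is an added example, not code from the article, Trustwave or SafenSoft; the log format, event names, terminal IDs and maintenance windows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real ATM logs): "timestamp terminal event [detail]".
SAMPLE_LOG = """\
2013-10-01T02:12:40 ATM-017 MEDIA_INSERTED cdrom
2013-10-01T02:13:10 ATM-017 AV_STOPPED
2013-10-01T09:01:30 ATM-022 MEDIA_INSERTED cdrom
2013-10-01T09:02:00 ATM-022 AV_STOPPED
2013-10-01T09:20:00 ATM-022 AV_STARTED
2013-10-01T14:30:00 ATM-031 AV_STOPPED
"""
# Hypothetical approved service windows per terminal: (start, end).
MAINTENANCE = {"ATM-022": [(datetime(2013, 10, 1, 8), datetime(2013, 10, 1, 10))]}
CORRELATION_WINDOW = timedelta(minutes=15)


def parse(log):
    """Yield (timestamp, terminal, event) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def detect(log):
    """Return {terminal: [finding, ...]} for events outside approved maintenance."""
    findings = defaultdict(list)
    last_media = {}  # terminal -> time of most recent unapproved media insertion
    for ts, terminal, event in sorted(parse(log)):
        windows = MAINTENANCE.get(terminal, [])
        if any(start <= ts <= end for start, end in windows):
            continue  # approved service visit, not an alert
        if event == "MEDIA_INSERTED":
            last_media[terminal] = ts
            findings[terminal].append("MEDIA_OUTSIDE_MAINTENANCE")
        elif event == "AV_STOPPED":
            seen = last_media.get(terminal)
            if seen is not None and ts - seen <= CORRELATION_WINDOW:
                findings[terminal].append("AV_STOPPED_AFTER_MEDIA")
            else:
                findings[terminal].append("AV_STOPPED_UNAPPROVED")
    return dict(findings)
```

Calling `detect(SAMPLE_LOG)` flags the terminal where media insertion is followed by an anti-virus stop, ignores the terminal serviced inside its approved window, and separately reports an anti-virus stop with no preceding media event.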
Skimming Trumps Malware
Andreas Baumhof of online security firm Threatmetrix says that while emerging ATM and POS malware risks are concerning, skimming remains a greater concern because it's so easy and requires little skill.
"Both attacks [malware and skimming] have increased in sophistication ... over the last few months and years," Baumhof says. "Malware attacks are more effective, but harder to deploy."
John Buzzard, who oversees FICO Card Alert Service, says while the Ploutus attack may have been successful in Mexico, it would be hard to pull off in the U.S.
"It still appears to require special conditions to be met in order for the malware to be introduced," he says. "A remote location, unbridled access to the inner workings of the ATM, and ... a significant amount of time and skill to introduce the malware and test it. This infection has to circumnavigate the security procedures that are in place on the acquirer side as well. You can't just disable firewalls and virus scans today as easily as you could a few years ago."
Skimming, on the other hand, is relatively easy to pull off, Buzzard says.