By Mike Baker, Founder and Principal Mosaic451
The recent ATM jackpotting attacks in Europe and Asia beg the question:
Do ATM networks have the level of protection necessary to defend against today’s malicious cyberattacks?
Organized crime groups are using technology to commit bank robberies and make off with millions of dollars – without ever setting foot inside a branch.
Earlier this year, hackers used stolen credentials to the SWIFT network, a secure messaging system used by financial institutions, to steal $81 million from the Central Bank of Bangladesh.
Now, Russian security firm Group-IB is reporting that a hacker group, code-named Cobalt, has stolen millions of dollars from banks throughout Europe by “jackpotting” ATMs, or manipulating them into dispensing very large amounts of cash.
This comes on the heels of two jackpotting incidents in July, where $350,000 was stolen from a state-run bank in Thailand and another $2.5 million from Taiwan’s First Bank.
ATMs are ubiquitous in our society.
There are approximately three million of them worldwide, and about 432,000 in the U.S., a number expected to rise to 438,000 by 2019.
Even though mobile banking is exploding in popularity, a whopping 75% of U.S. consumers still use ATMs as a part of their daily banking activities.
As important as ATMs are to banks, the consumers who use them, and our entire economy, it would be logical to assume that they have very tight cybersecurity protocols.
However, ATMs came into existence long before the Internet, and their design hasn’t progressed very far since.
They were built to protect the cash inside their safes from people trying to physically access it, not protect the computer systems that control the machines from hackers.
As a result, ATMs pose very serious cybersecurity issues that could end up undermining consumers’ trust in them.
How Does Jackpotting Work?
The term “jackpotting” was first used by late hacker and security expert Barnaby Jack, who demonstrated the procedure at a Black Hat Conference in 2010.
Jackpotting is accomplished by accessing an ATM machine, either physically or remotely, injecting it with malware, rebooting the machine to install the malware, and then commanding it to dispense large sums of money.
Both standalone “island” ATMs, as well as ATMs located inside banks, are at risk of attack.
(Barnaby Jack – Jackpotting Automated Teller Machines Redux, Nov 8, 2013. Courtesy of DEFCON Conference and YouTube)
For all the cash they contain, ATMs are incredibly vulnerable to card skimmers, jackpotting, and other cyberattacks, such as installing malware that reads customer debit card and PIN numbers.
Physically accessing an ATM’s system unit is not difficult; unlike the money, which is secured in a metal safe, the system unit is usually enclosed in a plastic cabinet with a simple lock.
Sometimes, USB ports are even located on the outside of the cabinet. Once inside, hackers encounter standard system units that are identical to those found inside home computers, along with simple software configurations – often running Windows XP, which Microsoft stopped supporting in 2014.
While jackpotting has been going on for several years, until now, attacks have been confined to relatively small numbers of machines; the logistics of traveling from ATM to ATM and emptying each one without getting caught have proven to be a barrier to wide-scale attacks.
Group-IB believes that Cobalt compromised the European ATMs by taking control of them remotely, by using the security-testing tool Cobalt Strike (hence the group’s code name), in conjunction with phishing emails, to hack into the banks’ networks and making their way to the servers that control the ATMs.
This allowed them to target far more machines far more quickly, in “smash and grab”-type operations where teams of “money mules” traveled to each ATM and collected the money that a remotely located hacker had commanded it to spit out.
(Learn More, courtesy of Kaspersky Lab and YouTube)
What can banks do to beef up ATM security?
There are several technical controls banks should implement immediately to defend their ATM machines:
- Upgrade all machines running Windows XP and all other old, unsupported operating systems and software to eliminate zero-day vulnerabilities
- Remove any software that the ATM does not need to operate; some banks install unnecessary software on their ATM machines, such as Acrobat Reader, Radmin, and TeamViewer, which opens up the machines to even more possible exploits
- Install endpoint security software on Linux and Windows-based ATM’s
- Harden ATM systems to a minimum of NIST 800-53 standards
- Install hardware firewalls on completely remote, “island” ATMs
- Disable all “extraneous” ports on the embedded systems (USB/serial/parallel)
- Centralize log correlation for all ATM system and network events
- Use tripwires and honeypots to help detect and quarantine malicious network activity
- Implement documented maintenance schedules as well as dispatch logging for ad-hoc maintenance and money drops
However, even if some or all of these elements may be in place, they will be of little help unless someone is collecting and watching all of this data, interpreting it, and taking appropriate action.
While a Security Information and Event Management system (SIEM) can collect and retain system and network logs, without an intelligent, well-trained human tuning and watching the SIEM, ATM systems will remain vulnerable to malicious attacks.
For this reason, banks should enlist the help of a managed security services provider (MSSP) to provide both on-site staff and remote monitoring.
By deploying staff to work side-by-side with the bank’s IT and ATM network staff, an MSSP can examine and understand patterns and help secure critical networks.
This embedded team, working in tandem with remote 24/7 monitoring, can help bridge cyber-world of device and endpoint logs with the physical world of surveillance and maintenance.
This full view of the lifecycle of an ATM can help to not only mitigate current remote electronic tampering and physical tampering vectors, but also keep systems protected from as-yet undiscovered and undocumented malware.
While the recent spate of jackpotting incidents has so far been confined to Europe and Asia, hackers know no borders.
Using remote hacking capabilities, criminals would never have to set foot in the U.S.; all they need do is hack into a U.S. bank’s network and recruit money mules locally to collect the cash. It’s only a matter of time before jackpotting crosses the pond and threatens American banks and consumers.
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.