ATM malware appears, Diebold issues security update

If you thought you were safe from cybercriminals just by staying off your computer, think again: ATM malware may be one of the next attack frontiers.

Security firm Sophos reported this week that it had received three samples of a trojan customized to run on Diebold-manufactured cash machines in Russia, said Graham Cluley, Sophos' senior security consultant. The malware was able to read card numbers and PINs; when the attacker later returned to the ATM, he inserted a specially crafted card that instructed the machine to print a receipt containing the stolen information.

"Basically [the malware] would be spewing out the identity information," Cluley said on Wednesday. "It's a really cunning scheme. You need to know how to talk to the ATM. It was working with the Diebold DLL (dynamic-linked library). It knew what API (application programming interface) calls to make, which is information, I suspect, not normally in the public domain."

Diebold this week disclosed that it issued a security update in January for its ATMs running a Windows-based operating system to address the problem. Diebold told its customers in a letter that a number of its machines in Russia were infected -- but the company did not reveal specifics on the attacks.

Researchers, though, cautioned that this attack is not something most hackers can pull off. The culprits were required to have intimate knowledge of how the Diebold ATMs function and likely needed physical access to them, Cluley said.

"It would suggest that hackers gained insider access to the ATM or managed to intercept the ATM in the production line to install the software," he said.

But Kishore Yerrapragada, CTO at Solidcore, which makes anti-tampering solutions for ATM manufacturers, said the criminals in this case may have succeeded simply by gaining access to the network of the bank that owns the machine and then exploiting a Windows vulnerability.

He said the malware writers customized the code so that when the crook returned to the ATM, the malicious card he inserted triggered the malware to put the machine into "service mode," which turned off encryption and other security controls and allowed him to receive the stolen data in cleartext.

Diebold, in its update, said that the risk of such an attack is "significantly increased" when the machine is not running a hardened version of the Windows platform, when the provided firewall software is disabled or not properly configured, or when the Windows administrative password is compromised.

But Yerrapragada said that machines need run-time control software to ensure nothing can tamper with authorized applications.

"You could have firewalls and hardening, but...if those things are not patched, you are out of luck," he said.

Diebold also has been taken to task over the voting machines it makes. In July 2007, the California Secretary of State's Office issued a report contending that the company's touch-screen voting machines were susceptible to malicious software that could sabotage election results. Machines made by Sequoia and Hart also were found to have flaws.