How to protect ATM from jackpotting: Vynamic Terminal Security
With the spectacular presentation back in 2010, a well-known computer hacker, Barnaby Jack, shared his forecast about the growth in the number of logical attacks aimed at ATMs worldwide. The trick, demonstrated by the established cyber burglar at the Black Hat conference in Las Vegas, got the name “jackpotting” and became associated with any fraudulent actions, which resulted in the reprogrammed ATM giving out the full content of its cassettes to the attackers.
Eight years later, a wave of “jackpot” attacks swept the world: in Japan, Taiwan, Thailand, and various Latin American parts (particularly in Mexico). Soon the list of countries was replenished with Armenia, Belarus, Great Britain, Bulgaria, Estonia, Georgia, Kyrgyzstan, Malaysia, Moldova, Netherlands, Poland, Romania, Russia, and Spain.
A real jackpot for criminals
Technologies used by criminals to organize logical attacks of ATMs are constantly being improved: there is even a so-called Cutlet Maker, a set of hacking tools, which can be purchased ready-made in the wide space of Darknet.
“This disastrous program is very complex,” says Samir Agarwal, vice president of products and general manager, Security and Endpoint Accelerite. “This cunning software even requires an activation code to run the program. It is a sort of license key for bad guys as for ordinary legal software. ”
In other cases, the burglars remove the ATM’s hard drive, replacing it with a drive containing the operating system for the ATM and the malware, sometimes even with the copied logo of the ATM original software particular model. Some machines use an endoscope to find the ATM’s diagnostic port, where they plug in a flash drive.
A few minutes after manipulating the ATM, the second partner, the so-called “mule,” approaches the self-service device. The first hacker remotely starts the cash withdrawal scenario, and the “mule” takes all the money from all the cassettes and leaves.
Shortly thereafter, the burglars switch the ATM to normal operation. Using this scenario, more than a million dollars were stolen in the United States at the beginning of this year. Local law enforcement agencies announced that international criminal groups coordinated the attacks.
So how big is the threat?
Why are ATMs still so vulnerable to logical attacks eight years after the jackpot attracted ATM manufacturers’ attention?
According to Samir Agarwal, everything stops against the need for additional investment. Surprisingly, not all banks are aware of the importance of using solutions developed specifically to counter such threats. Some believe that it is enough to use standard antiviruses to protect the computers installed in ATMs. In contrast, others hope for the prompt response of security services monitoring devices using video cameras. The analysis of the hacking consequences leads only to one logical conclusion: there is no excessive protection for self-service devices.
In its bulletin issued after a series of logical attacks, Diebold Nixdorf recommends several measures to counter the hacking, including restricting access to the ATM, updating the original firmware, monitoring its behavior and suspicious activities, and also, most obviously, updating the operating system, since most compromised ATMs still operate based on the operating system Windows XP, whose support has ceased as early as 2014.
Vynamic™ Security Solution (Terminal Security Suite)
Diebold Nixdorf offers its multivendor software solution to protect against logical and other attacks – Vynamic ™ Security, formerly known as Terminal Security Suite. The solution consists of four modules: Access Protection, Intrusion Protection, Hard Disk Encryption, and Fraud Protection.
The multi-level defense system neutralizes the majority of potential threats, including “zero-day attacks” (i.e., unknown at the moment). The Terminal Security software package protects ATMs and other devices in real-time, implementing the total restriction on the launch of any fraudulent processes and actions. The protective software’s declared principle can be formulated as follows: only repeatedly verified processes allowed and could be started and no other. This principle (“whitelisting”) allows you to protect your self-service device’s processor from unauthorized use of external devices: flashcards, hard drives, and other potential carriers of malicious software.
Vynamic ™ Security also establishes a set of rules using state-of-the-art sandboxing technologies, when software that has a specific purpose has a strictly defined set of resources and regulated computer access.
Also, Vynamic ™ Security ensures the integrity of the self-service device’s working environment, controls the absence of unauthorized changes in the uniquely created ATM “ecosystem” with a specific set of technical equipment and applications. When trying to replace a hard disk, the extracted media storing confidential information will become unusable. The Hard Disk Encryption module is responsible, and one of the ATM alarm scenarios can start on its own. The Fraud Detection module uses Big Data and machine learning technologies and allows tracking deviations in standard behavior scenarios for programs, processes, and users. The information about such anomalies is transmitted in real-time to security officers. The responsible personnel can launch one of the alarm scenarios to protect the bank’s information, money, and property.
All these characteristics allow asserting the advantage of Vynamic ™ Security over traditional anti-virus programs, which are so far widely used by many banks. Standard antiviruses are less effective against various types of attacks. Still, in contrast to Vynamic ™, disabled by the service engineer while updating the ATM software, leaving the most vulnerable part of the bank’s IT infrastructure without protection.
BS / 2 is the official Vynamic ™ Security provider in the CIS and Baltic countries and other regions. Our consultants are always ready to explain all the benefits of using this solution, developed by Diebold Nixdorf.