- Details
- Category: Security News
Cloud Computing, Legislation, Technology
Backers Portray Cloud as a More Secure Alternative to Legacy Systems
Rep. Will Hurd, R-Texas, a co-sponsor of the Move IT Act.
A bipartisan group of lawmakers has introduced identical bills in the House and Senate to encourage agencies to use secure cloud computing services as an alternative to continued reliance on legacy systems, which some government officials and IT security practitioners say puts data at risk.
The Modernizing Outdated and Vulnerable Equipment and Information Technology Act - known as the Move IT Act - aims to enhance cybersecurity while reducing wasteful spending by hastening the federal government's transition to cloud computing.
"Using these old systems makes data housed by federal agencies more vulnerable to digital attacks, and it's a gigantic waste of taxpayers' money," says one of the bill's sponsors, Rep. Will Hurd, R-Texas. "There is a better way to do this. This legislation is an outside-the-box, innovative solution and is another step forward in modernizing our digital infrastructure."
About three-quarters of the federal government's annual $80 billion IT budget is devoted to operating and maintaining existing systems, and the amount earmarked for investments in new systems has plunged by $7.3 billion since 2010, according to a Government Accountability Office audit published earlier this year (see ISMG Security Report: To Whom Should CISO Report?).
Significant Security Vulnerabilities
David Powner, GAO director of information management issues, questions whether the government gets value from investing so much money in legacy systems. "Not only are they old and they're difficult and complex to maintain, but you also have security issues because you've got hardware and software that are no longer supported, and there are significant security vulnerabilities associated with these systems," he says.
In April, the Obama administration unveiled a program to spend $3.1 billion next year to seed a fund to improve cybersecurity by modernizing federal information systems (see White House Proposes $3 Billion Fund to Modernize Federal IT).
The Move IT Act instead would require each agency to establish an IT modernization and working capital fund, which could be financed through redirecting funds intended for the operation and maintenance of legacy systems.
Some IT security experts see cloud services as offering a more secure computing environment. "If you use modern, advanced technologies instead of trying to drag forward your old concepts into the new world, you can save money and lower your risks at the same time," says Tom Patterson, chief trust officer at systems integrator Unisys.
Robert Bigman, an independent IT security consultant who served for 15 years as CISO at the Central Intelligence Agency, contends that "for a few more dollars" federal agencies and other enterprises using cloud services would receive "better configuration security, better auditing, better identification and authentication and better encryption" than what legacy systems furnish.
Factors to Consider in Making the Shift
Cloud services are not fundamentally more or less secure than in-house systems. If organizations "maintain their software and their hardware in an up-to-date manner, and they have good security around their data center, then the cloud is no more secure than they are," says Mac McMillan, CEO of the security consultancy CynergisTek. "But if they're having trouble doing that, or if they're not able to do that, then the cloud may present a better option, and a more secure option."
David McClure, who once led the federal government cloud-vetting program known as FedRAMP - the Federal Risk and Authorization Management Program - stresses that it's critical for enterprises to have an understanding of services, applications, interfaces and networks of any IT architecture, especially those hosted by third parties, such as cloud service providers, to grasp their security weaknesses and vulnerabilities.
And employing cloud services could present a challenge for enterprises in keeping track of their critical assets.
It's a problem the Defense Department faces. "Without accurate and complete inventories of cloud computing systems, [DoD] agencies did not know the extent to which their data resided outside their information system boundaries and were, therefore, subject to the inherent risks of cloud systems," Carol Gorman, DoD assistant inspector general, readiness and cyber operations, said in an audit issued in December (see Tracking Cloud Services: An Essential Security Step).
Bolstering FedRAMP
The Move IT Act aims to bolster FedRAMP, which facilitates the certification of cloud service providers that qualify to be used by federal agencies. The legislation would require the Office of Management and Budget and the General Services Administration, which administers FedRAMP, to streamline and accelerate the FedRAMP accreditation process for cloud service providers. The bill would establish a public-private liaison group to facilitate information sharing and identify best practices, including security, for cloud service providers and the FedRAMP office.
The legislation also would require OMB and the National Institute of Standards and Technology to establish performance metrics for the FedRAMP process of authorizing cloud service providers to sell cloud services to federal agencies.
The bill also would require agencies' CIOs to assess cloud computing opportunities and issue policies and guidelines for adopting a standardized approach to assess the security of cloud products and services.
One of the bill's sponsors, Democratic Rep. Gerry Connolly of Virginia, sees great potential for cloud services as a replacement for unsecure older systems. "We have not yet fully realized the potential for cloud computing to transform the way the federal government uses IT and to spur the transition away from hard-to-maintain, unsecure legacy systems," he says.
- Category: Security News

The theft of $2.2 million from dozens of ATMs in Taiwan, executed using malicious software, defies a years-long effort by banks and software vendors to strengthen the security controls of ATM fleets.
Investigators suspect two Russian nationals may have remotely commanded a specific kind of ATM made by Wincor-Nixdorf to dispense thick wads of cash, Reuters reports. As a precaution, some of the country's biggest banks suspended withdrawals from 1,000 ATMs of the same kind.
Since 2009, researchers have warned that hackers were developing malicious software for ATMs. The malware is designed to cause ATMs to disgorge bills, known as jackpotting, or collect details of payment cards used at a machine.
Just the Latest ATM Attack
The most famous jackpotting demonstration came in July 2010 at the Black Hat security conference. The late security expert Barnaby Jack exploited security flaws in two ATMs, causing the machines to spew a flurry of bills onstage.
The ATM thefts come as the banking industry has faced increasingly bold and well-planned attacks. Bangladesh Bank lost $81 million in February after hackers compromised its credentials for the SWIFT interbank payment system (see Bangladesh Bank Attackers Hacked SWIFT Software).
Then in May, fraudsters in Japan stole $19 million from South Africa's Standard Bank in a quick, coordinated attack using counterfeit cards at ATMs (see Lessons From ATM Cash-Out Scheme in Japan).
3 Types of Malware
Three types of malware were used in the Taiwan thefts, which affected First Bank, Reuters reported, citing the Ministry of Justice's Investigation Bureau. The dispensing of the cash could have been triggered by a mobile phone, a laptop or a hacked PC at First Bank, the bureau told the news agency.
The malware wasn't named, but the description could fit ATM malware called Ploutus. Once the malware is installed on an ATM, an attacker can command the machine to dispense cash by sending a text message, according to a May 2014 blog post by Symantec.
Aging Software
ATMs are widely viewed as vulnerable because nearly all run aging software. They're complex, networked devices that have many potential weaknesses if not carefully configured, updated and physically secured.
About 90 percent of the world's ATMs still run Windows XP, according to Kaspersky Lab. Microsoft stopped providing security updates for XP in April 2014, although extended support was available for some special embedded versions through this year.
Steve Wilson, a principal analyst with Constellation Research, says critical infrastructure - from ATMs to medical devices to internet-connected vehicles - should simply not be built using commercial operating systems that "are barely adequate to run word processors.
"It's just asking for trouble," he says. "It's amazing that this [ATM malware thefts] doesn't happen more often."
When Microsoft ended support for Windows XP, it posed a major problem for ATM vendors. The manufacturers had to ensure their ATMs were compliant with the Payment Card Industry Data Security Standard and were not vulnerable to malware.
Most ATM manufacturers continued to use Windows XP, bolting on other security software while trying to lock down the OS to protect cardholder data. Others migrated to Windows 7.
As the deadline for the end of XP support approached, Wincor-Nixdorf released software called PC/E Terminal Security, which could be layered on top of XP. The security software ensured ATMs were PCI-DSS compliant and hardened the OS against unauthorized access.
Wincor-Nixdorf's product catalog gives insight into the operating systems its ATMs currently support. The ProCash 280, for example, lists its compatible software as Windows XP Professional SP3, Windows POSReady 2009 and Windows 7.
The model of the ATM breached by the hackers in Taiwan has not been identified, and Wincor-Nixdorf officials couldn't immediately be reached for comment.
Hacking an ATM
There are a variety of ways to attack an ATM. Installing malware would require either physical or remote access to the ATM's computer. ATMs generally have two cabinets: one that contains the cash, which is heavily secured, and the other that contains the electronics.
Access to the cabinet containing the ATM's computer is often protected by a single lock. It's not uncommon for the same key to open an entire fleet of ATMs to make it easier to access the devices for servicing. If that key is obtained, an attacker could open up the ATM and install malware by slipping a USB key into an open port or by using a CD-drive.
Some manufacturers guard against this type of attack. Triton Systems, which makes stand-alone ATMs, only allows trusted executables to run, a process known as whitelisting, says Henry Schwarz, the company's software projects director. The digital signatures of any updates for the ATM's software are verified as well. Even if an attacker got through the ATM's door, unauthorized code should still not run.
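The two controls Schwarz describes, an executable allowlist and signature verification of updates, can be seen working together in the following added example. It is illustrative code written for this page, not Triton's or any vendor's software, and it makes one simplifying assumption: an HMAC with a constructed key stands in for the vendor's digital signature so that the example runs with Python's standard library alone (a real terminal would hold only the vendor's public key and verify an asymmetric signature). Paths, file contents and the key are all constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed vendor signing key (assumption of this example). A real ATM
# vendor would sign manifests with a private key and ship only the public
# half to the terminal; HMAC stands in so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an executable's bytes."""
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Sign a canonical (sorted-key JSON) encoding of the update manifest."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    """Constant-time check that the manifest carries a valid vendor signature."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


class ExecutionPolicy:
    """Allowlist of executables: each permitted path is bound to a SHA-256 hash."""

    def __init__(self, allowlist: dict):
        self.allowlist = dict(allowlist)

    def may_run(self, path: str, contents: bytes) -> bool:
        """Permit execution only if the path is listed and the bytes match its hash."""
        expected = self.allowlist.get(path)
        return expected is not None and hmac.compare_digest(expected, sha256_hex(contents))

    def apply_update(self, manifest: dict, signature: str, files: dict) -> bool:
        """Admit new executables only from a vendor-signed manifest whose hashes
        match the delivered files. Any mismatch rejects the whole update, so a
        partially altered package changes nothing on the terminal."""
        if not verify_manifest(manifest, signature, VENDOR_KEY):
            return False
        for path, expected_hash in manifest["files"].items():
            delivered = files.get(path)
            if delivered is None or sha256_hex(delivered) != expected_hash:
                return False
        self.allowlist.update(manifest["files"])
        return True


def demo() -> dict:
    """Walk through the cases a terminal must handle; returns the outcomes."""
    dispenser_v1 = b"constructed dispenser service binary v1"
    policy = ExecutionPolicy({"C:/atm/dispenser.exe": sha256_hex(dispenser_v1)})

    # 1. Vendor-signed update whose file hashes match: admitted.
    dispenser_v2 = b"constructed dispenser service binary v2"
    manifest = {"version": "2.0",
                "files": {"C:/atm/dispenser.exe": sha256_hex(dispenser_v2)}}
    sig = sign_manifest(manifest, VENDOR_KEY)
    signed_ok = policy.apply_update(manifest, sig, {"C:/atm/dispenser.exe": dispenser_v2})

    # 2. Valid manifest and signature, but the delivered file was altered: rejected.
    tampered_ok = policy.apply_update(manifest, sig,
                                      {"C:/atm/dispenser.exe": dispenser_v2 + b"X"})

    # 3. A file placed on disk outside the signed update path (e.g. from removable
    #    media) was never admitted to the allowlist, so it is refused.
    rogue_runs = policy.may_run("C:/atm/unknown.exe", b"constructed unknown binary")

    # 4. A listed path whose bytes no longer match the recorded hash is refused too.
    modified_runs = policy.may_run("C:/atm/dispenser.exe", dispenser_v2 + b"X")

    return {"signed_update": signed_ok, "tampered_update": tampered_ok,
            "rogue_runs": rogue_runs, "modified_runs": modified_runs,
            "current_runs": policy.may_run("C:/atm/dispenser.exe", dispenser_v2)}


if __name__ == "__main__":
    print(demo())
```

The point of binding each allowlisted path to a hash, rather than allowing by path alone, is case 4: overwriting a permitted binary in place gains nothing, and the only route onto the allowlist runs through the signed manifest.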
ATMs need a network connection in order to communicate with banks, so remote attacks are also a possibility. A network configuration mistake could be all that a hacker needs to get in. Some ATMs have wireless modems or Wi-Fi enabled and communicate over the public internet. Others have dedicated connections.
"There's all sorts of options, and some are more secure than others," Schwarz says. "In the trade-off between convenience and security, a small sacrifice in security can be all that an attacker needs to get their foot in the ATM's door."
- Category: Security News
Breach Preparedness, Cybersecurity, Data Breach
Arbor's Sam Curry on Re-Thinking How We Approach Cybersecurity
As CSO and CTO of Arbor Networks, Sam Curry is in a rare position: He can set security strategy and then go out and find the tools to execute it.
"It's an unusual situation," Curry says. "There's no hypocrisy here. I can say I need something, and then I have to deliver it, and I only have myself to hold accountable."
Part of Curry's ongoing challenge is to find the right tools to fight cybercrime. But a big part of it is also to ensure that the right people are focused appropriately on the task.
"The first problem we have is: How do we free up more discretionary budget to invest in new technologies that can actually stop the bad guys?" Curry says. The second issue then becomes: How do we get people to use these technologies? "How do we help them catch faster and with higher reliability the bad guys before information is affected or lost?"
In an interview at the Boston Fraud and Breach Prevention Summit, Curry discusses:
- His unique CSO/CTO role;
- How to account for the human factor in cyber conflict;
- New ways to envision a cybersecurity strategy.

Curry has spent his career focused on the intersection of deep technology and solving customer problems. As Arbor's chief technology and security officer, he leads the development and implementation of the company's product strategy and innovation roadmap. Previously, he held the roles of senior vice president of research and development and CISO at MicroStrategy. Prior to that, Curry held a number of roles at RSA, including general manager, CTO and senior vice president of product management. He has also held a number of leadership roles at McAfee and Computer Associates, among others, and has founded two companies. A frequent speaker and widely quoted subject matter expert in technical and industry forums during the course of his career, Curry has more than 20 patents and is on the board of several companies and organizations.
- Category: Security News
In just two years' time, RSA analysts have seen a 170 percent rise in incidents of fraud via the mobile channel. What's behind the spike, and what can security leaders do to help their organizations and customers curb fraud losses?
Angel Grant, a principal manager at RSA, discusses the surge and how to respond to it in this video interview.
To put the 170 percent increase in some context, Grant offers color commentary: "170 percent is pretty dramatic, and when you break it down today, the amount of fraud transactions we see ... 60 percent of all the fraud transactions we see come from the mobile channel."
And within that 60 percent, she adds, the latest trend is to see more fraudulent transactions via mobile apps rather than mobile browser.
Beyond the rise in mobile fraud, Grant also is concerned about recent ransomware incidents, as well as the growing trend of fraudsters targeting specific individuals. "A lot of times, individuals are being targeted in their personal lives, so they can be [pursued] in their professional lives, too, so we're seeing those types of blended attacks," she says.
In an interview at the Boston Fraud and Breach Prevention Summit, Grant discusses:
- The latest fraud trends;
- Four best practices to fight fraud;
- How to empower users and customers to fight back against fraudsters.

Grant is a principal manager in RSA, The Security Division of EMC's Identity Protection and Verification group. She has more than 15 years of experience in the security and financial services industries and is responsible for a variety of initiatives which protect organizations against fraud and identity theft. Prior to joining RSA, she was an online banking senior product manager at P&H Solutions, where she helped launch one of the industry's first online corporate cash management applications. Previously, she managed a mortgage division inside sales and service team for a large financial institution.
- Category: Security News
An analysis of the record of the U.K.'s new prime minister, Theresa May, on cybersecurity and online privacy and a report on efforts to create an antidote to ransomware highlight this edition of the ISMG Security Report.
In this episode, you'll hear:
- Scotland-based DataBreachToday Executive Editor Mathew J. Schwartz explain how May's tenure as home secretary - where she pushed legislation to increase online surveillance - could shape her decision-making as the U.K. head of government;
- ISMG Managing Editor for Security and Technology Jeremy Kirk describe researchers' efforts to develop software that could mitigate the damages caused by ransomware;
- Highlights from congressional testimony on the challenges of implementing - and enforcing - international norms of responsible state behavior in cyberspace; and
- A description of why the Israel Defense Forces has banned Pokémon Go from its bases.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our July 8 and July 12 reports, which respectively analyze the fierce battle between endpoint protection product makers and President Obama's concerns about the state of federal government IT security. The next ISMG Security Report will be posted Tuesday, July 19.
Theme music for the ISMG Security Report by Ithaca Audio under Creative Commons license.