With the spectacular presentation back in 2010, a well-known computer hacker, Barnaby Jack, shared his forecast about the growth in the number of logical attacks aimed at ATMs around the world. The trick, demonstrated by the established cyber burglar at the Black Hat conference in Las Vegas got the name “jackpotting” and became associated with any fraudulent actions, which resulted the reprogrammed ATM giving out full content of its cassettes to the attackers.

Eight years later, a wave of "jackpot" attacks swept the world: in Japan, Taiwan, Thailand and various parts of Latin America (in particular, in Mexico). Soon the list of countries was replenished with Armenia, Belarus, Great Britain, Bulgaria, Estonia, Georgia, Kyrgyzstan, Malaysia, Moldova, Netherlands, Poland, Romania, Russia and Spain.

A real jackpot for criminals

Technologies used by criminals to organize logical attacks of ATMs are constantly being improved: there is even a so-called Cutlet Maker, a set of tools for hacking, which can be purchased ready-made in the wide space of Darknet.

"This disastrous program is very complex," says Samir Agarwal, vice president of products and general manager, Security and Endpoint Accelerite. "This cunning software even requires an activation code in order to run the program. It is a sort of license key for bad guys as for ordinary legal software. "

The use of such tools practically does not require any special computer knowledge or skills. Cutlet Maker interacts with the software and ATM equipment, almost without encountering any obstacles.

In other cases, the burglars simply remove the ATM’s hard drive, replacing it with a drive that contains the operating system for the ATM along with the malware sometimes even with the copied logo of the ATM original software and particular model. For some machines, they use an endoscope to find the ATM’s diagnostic port, where they plug in a flash drive.

Foto: Result of fraudsters’ work in one European country

A few minutes after the completion of manipulation with the ATM, the second partner, the so-called "mule", approaches the self-service device. The first hacker remotely starts the cash withdrawal scenario, and the "mule" takes all the money from all the cassettes and leaves.

Shortly thereafter, the burglars switch the ATM to normal operation. Using this scenario, at the beginning of this year, more than a million dollars were stolen in the United States. Local law enforcement agencies announced that international criminal groups coordinated the attacks.

So how big is the threat?

Why are ATMs still so vulnerable to logical attacks eight years after the jackpot attracted the attention of ATM manufacturers?

According to Samir Agarwal, everything stops against the need for additional investment. Surprisingly, not all banks are aware of the importance of using solutions that were developed specifically to counter such threats. Some believe that it is enough to use standard antiviruses to protect the computers installed in ATM machines, while others hope for the prompt response of security services monitoring devices using video cameras. The analysis of the consequences of the hacking leads only to one logical conclusion: there is no excessive protection for self-service devices.

In its bulletin issued after a series of logical attacks, Diebold Nixdorf recommends a number of measures to counter the hacking, including restricting access to the ATM, updating the original firmware, monitoring its behavior and suspicious activities, and also, most obviously, updating the operating system, since most compromised ATMs still operate on the basis of the operating system Windows XP, whose support has ceased as early as 2014.

Vynamic™ Security Solution (Terminal Security Suite)

Diebold Nixdorf offers its multivendor software solution to protect against logical and other attacks - Vynamic ™ Security, formerly known as Terminal Security Suite. The solution consists of four modules: Access Protection, Intrusion Protection, Hard Disk Encryption and Fraud Protection.

The multi-level defense system neutralizes the majority of potential threats, including "zero-day attacks" (ie. unknown at the moment). The Terminal Security software package protects ATMs and other devices in real time, implementing the principle of total restriction on the launch of any fraudulent processes and actions. The declared principle of the protective software can be formulated as follows: only repeatedly verified processes allowed and could be started and no other. This principle ("whitelisting") allows you to protect your self-service device's processor from unauthorized use of external devices: flash cards, hard drives and other potential carriers of malicious software.

Vynamic ™ Security also establishes a set of rules using state-of-the-art sandboxing technologies, when software that has a specific purpose has a strictly defined set of resources and regulated computer access.

In addition, Vynamic ™ Security ensures the integrity of the self-service device’s working environment, controls the absence of unauthorized changes in the uniquely created ATM “ecosystem” with a specific set of technical equipment and applications. When trying to replace a hard disk, the extracted media storing confidential information will become unusable, for which Hard Disk Encryption module is the responsible, and one of the ATM alarm scenarios can start on its own. In addition, Fraud Detection module uses Big Data and machine learning technologies and allows tracking deviations in standard behavior scenarios for programs, processes and users. The information about such anomalies is transmitted in real time to security officers, after which the responsible personnel can launch one of the alarm scenarios to protect information, money and property of the bank.

All these characteristics allow asserting the advantage of Vynamic ™ Security over traditional anti-virus programs, which are so far widely used by many banks. Standard antiviruses are not only less effective against various types of attacks, but they can be, in contrast to Vynamic ™, simply disabled by the service engineer while updating the ATM software, leaving the most vulnerable part of the IT infrastructure of the bank without protection.

BS/2 is the official Vynamic ™ Security provider in the CIS and Baltic countries, as well as in other regions. Our consultants are always ready to explain in detail all the benefits of using this solution, developed by Diebold Nixdorf.