Home News Blogs and Opinions Expert Panel Marketing Jobs Directory Training Contact Us Free_Ebook protect-you-mac-from-virus-2-slider While High School Freshmen Hack ATM, Indirect Attacks Grow More Stealthy ATM I read with interest the news that two 9th graders (14-yr olds) in Canada found an online manual for a Bank of Montreal (BMO) ATM machine, and hacked in to Operator mode. The “damage” these two inflicted was to change the ATM surcharge (the amount the ATM owner charges the consumer during the transaction) to one cent. No money was extracted, and given their intent and honesty, what they did could be viewed as a “Robin Hood” moment. BMO’s response was minimal, as they issued the usual comment that “steps will be taken” to ensure it does not happen again. What that presumably means is they will change the default password to stop idle access from anyone with the spare time to google “ATM OPERATING MODE MANUAL” and follow a few links. ATM Default Passwords Readily Available These days it’s very simple to find this information online. In about 30 seconds, I found a link to one ATM manufacturers’ manual, and in another 30 seconds, on page 16, all three default passwords (albeit with a caveat saying they should be changed). The critical issue is what Operator Mode can do. Operator Mode can, for example, allow you in to Test Mode. Test mode allows you to ensure, for example, that the Cash Dispenser actually works (by dispensing a bank note). There are some safeguard in place, so that the ATM will dispense a single note to the Reject Bin, inside the ATM behind a lock and key, to reduce the fraud possible in test mode. So all’s well then? Not entirely. The manuals also provide guidance on how to override the Test Cycle parameter, to run the test continuously, instead of once (ie a single note). But the notes will still go from the Dispensing Bin to the Reject Bin, so in this case, everything is still fine. But what if you could change a few lines of code, to change the parameter that routes money during the test to the dispenser, instead of the Reject Bin? Combined with the unlimited Test parameter? Bingo! You cash out. How likely is it that the code on ATMs can be changed? You only have to look to the Target breach to see an example of that sort of indirect attack. In that case it was POS terminals, infected with malware code that collected the credit/debit card information for over 70M people. Another example happened about 18 months ago, where fraudsters over-rode the daily limits of debit cards to make unlimited withdrawals from cash machines. The loss was $40M in 10 hours, and part of the attack was enacted by simply changing a parameter on a database that tells the ATMs what to do and how to behave. This was one of the drivers behind the recent Advisory from the FFIEC in April concerning ATM and Card Authorization Systems. http://www.fdic.gov/news/news/financial/2014/fil14010.html Indirect Attacks of Even More Concern Indirect attacks are the new battleground. So many organizations have bolstered their security around the direct form, while ignoring the indirect. In 2012 for example, Microsoft reported that PCs were being shipped with malware already installed. If they can infiltrate the PC manufacturing process, it’s not hard to believe they can do the same with ATMs or POS terminals. When it comes to banks, direct attack defenses are usually via 2nd factor authentication, device identification and behavioral analysis engines. To date, banks have had fewer options to defend against indirect attacks, especially if they want to integrate these with their direct attack defenses. The indirect attack broadly falls in to two categories – phishing and malware – with the former often being the pre-cursor to the latter. This was the case with the RSA breach 3 years ago where a phishing email “from HR” loaded malware via an excel sheet – giving attackers access to many RSA customers. Phishing today also increasingly uses social media (fake posts and false “tiny” URLs), and is more prevalent than ever. According to the Anti-Phishing Working Group, over 111,000 unique phishing sites launched just in the last three months of 2013. http://docs.apwg.org/reports/apwg_trends_report_q4_2013.pdf Sophisticated fraudsters do not care about if their victim have direct attack defenses in place. They’re leaving the direct hacks to the 14-yr olds, and increasingly leveraging cleverly deployed malware to conduct stealth attacks. In the modern era, organizations have to expect indirect attacks in many guises. The more they can prevent an attack at the outset from a solution that offers shared intelligence, flexible layers of resilience, the less reliance they have to put on traditional defenses – defenses that can be circumvented by 9th graders who are good at using Google. Jeremy Boorer, Director – Europe, Middle-East & Africa, Easy Solutions ABOUT EASY SOLUTIONS Easy SolutionsEasy Solutions delivers Total Fraud Protection® to over 150 clients, with over 40 million end users. The company’s products protect against phishing, pharming, malware, Man-in-the-Middle and Man-in-the-Browser attacks, and deliver multi-factor authentication and transaction anomaly detection. For more information, visit http://www.easysol.net, or follow us on Twitter @goeasysol. inShare2 Please Share: Share on Tumblr Digg Email June 23, 2014 Cyber Attack Forces Code Spaces Out Of Business Back Leave a Reply Your email address will not be published. Required fields are marked * Name * Email * Website Comment Notify me of followup comments via e-mail. You can also subscribe without commenting. Notify me of follow-up comments by email. Notify me of new posts by email. advertisement1 Sign Up To Our Newsletter! advertisement2 Popular Latest Today Week Month All Serious WordPress Issue Bypasses The Two-Factor Authentication Serious WordPress Issue Bypasses The Two-Factor Authentication Cyber Attack Forces Code Spaces Out Of Business Cyber Attack Forces Code Spaces Out Of Business How To Be Anonymous On The Internet How To Be Anonymous On The Internet 10 Steps For Safely Banking Online 10 Steps For Safely Banking Online Security Everywhere: One Unmanaged Desktop Is All It Takes Security Everywhere: One Unmanaged Desktop Is All It Takes advertisement3 In Other News… CoinDesk- 500 Million Dogecoins Mined by Unknown Hacker in Malware Attack Use The Board - How Hackable Is Your Life and Learn To Protect Yourself Secure Honey - Creating An Antidote For Android Simplelocker Ransomware advertisement4 Offical Stuff Terms & Conditions Privacy Policy Disclaimer Copyright Notice Contact Us Top 25 Female Infosec Leaders to Follow on Twitter Infosec Job Board