Kerry Davis, CEO of award-winning Abatis-HDF, was asked for his expert advice following the recent warning by Kaspersky Lab that a criminal gang is using "Skimer" malware to turn whole ATMs into skimming devices.
How does the malware get into the ATM?
The malware gets into the ATMs in two possible ways:
Either through an illicit introduction of the software at the ATM, probably through a physical attack against the ATM (opening the back of the device and introducing the malware via USB or other media). This requires collusion from the owner of the premises where the ATM is located, or a skilled physical attack carried out without being discovered.
The second way to introduce the malware would be at the central secure operations centre / network operations centre (SOC/NOC) of the bank. An employee of the bank could introduce the malware and 'push' it from the central point to one or many of the ATMs. This clearly requires the bank operator to have turned rogue. Criminal gangs have been known to plant people in organisations that they wish to gain illicit access to and have them work as normal employees for months or longer to get the trusted access required to subvert the bank's procedures. Good practice in the bank should require separation of duties and two-person-rule control, such that it requires collusion on the part of two people to subvert the security of the bank. Some banks perhaps do not follow such good practice, and recent evidence of the successful attacks against the SWIFT funds transfer network shows that it is often the weaker banks that act as routes into the secure network; in the same way they could be the weak links that allow malware into the ATM network.
How can banks protect against this sort of attack?
a) Physically secure the ATM to prevent access to the devices that allow malware to be inserted at the ATM: make sure that the USB ports, CD drive, floppy(?), etc. are all secured to prevent illicit use. Host Integrity Technology such as Abatis HDF takes total control of all I/O channels in order to prevent illicit use.
b) Install lightweight protection software that can prevent illicit use of these I/O devices and which has been proven by several evaluations to "prevent all attempts to write malware to the permanent storage of the device regardless of system privilege", such as Abatis HDF.
c) Rigorously enforce procedural controls at the SOC/NOC to prevent illicit introduction of the malware. Introduce and enforce two-person-rule control over software updates of the ATMs, and enforce separation of duties in order to make it as hard as possible for a single rogue individual to subvert the security of the system. Again, security software such as Abatis HDF can be used to prevent introduction of malware by unauthorised individuals.
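The first recommendation above (securing the USB ports and optical drive) can be backed up in the operating system itself. The following script is an added example and is not code from the interview, from Abatis, or from any ATM vendor. It uses only the built-in reg.exe, which exists on Windows XP Embedded as well as on later Windows versions, to disable the USB mass-storage and CD-ROM class drivers and to switch off AutoRun for all drive types, and then reads every value back to confirm the change took. It assumes the ATM application does not itself depend on USB mass storage or the optical drive (card readers and cash dispensers normally use vendor-specific drivers, not USBSTOR) and that it is run from an elevated prompt.

```batch
@echo off
rem Added example (not from the interview or Abatis): lock down removable-media
rem entry points on a Windows ATM image with the built-in reg.exe.
rem Assumption: the ATM application does not use USB mass storage or the CD drive.
rem Must be run with administrative rights.
setlocal

rem 1. Disable the USB mass-storage class driver.
rem    Start=4 is SERVICE_DISABLED; a USB stick plugged in afterwards gets no driver.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f

rem 2. Disable the CD/DVD class driver the same way.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\cdrom" /v Start /t REG_DWORD /d 4 /f

rem 3. Disable AutoRun/AutoPlay for every drive type (0xFF), so that even if a
rem    driver is later re-enabled, inserted media cannot launch a dropper on its own.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem 4. Verify each value; abort with a non-zero exit code if anything did not stick.
call :check "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" Start 0x4 || exit /b 1
call :check "HKLM\SYSTEM\CurrentControlSet\Services\cdrom" Start 0x4 || exit /b 1
call :check "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoDriveTypeAutoRun 0xff || exit /b 1
echo Removable-media lockdown verified.
exit /b 0

:check
rem %1 = registry key, %2 = value name, %3 = expected data as printed by reg query
set "actual="
for /f "tokens=3" %%A in ('reg query %1 /v %2 ^| findstr /i "%2"') do set "actual=%%A"
if /i not "%actual%"=="%3" (
  echo FAIL: %~1\%2 is "%actual%", expected %3
  exit /b 1
)
echo OK: %~1\%2 = %actual%
exit /b 0
```

Two caveats for anyone deploying this. The driver-disable settings take effect for devices attached after the change; media already mounted should be removed first, and a reboot is the safe way to confirm the new state. More importantly, these are operating-system controls: an attacker who can open the cabinet and boot the PC core from their own media, or swap the disk, bypasses them entirely, so they complement rather than replace the physical and procedural measures listed above.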
Does this affect old versions of Windows more than newer versions?
Older versions of Windows will have more vulnerabilities that are known by attackers than newer ones, and if they are very old there may be NO AV software that can run on these old versions. Many ATMs run on Windows XP Embedded, which is no longer supported by Microsoft, which means that a new vulnerability found in a later OS such as Windows 7 becomes effectively a zero-day attack against that OS. New operating systems such as Windows 10 can present their own security risks as well, of course; that is why it is sometimes better to use a slightly less 'bleeding-edge' OS like Windows 7 and to protect it with suitable security tools like HDF.
How does it evade detection?
Malware very often hides inside other innocuous-looking files or is obfuscated using tools known as packers. This approach can often successfully hide the malware from traditional AV products because the 'signature' of the malware does not match any signature contained in the AV database. Tools such as HDF do not use signatures but rather look at the intrinsic nature of malware and use the ring-based architecture of the operating system to detect and prevent introduction of the malware, or even of the 'dropper' that usually precedes the full payload.
For further information about Abatis-HDF, contact us.