ATM Jackpotting and how to proactively protect them
Do you use an ATM? Does your business have a freestanding ATM?
Barnaby Jack, Director of Security Testing at IOActive Labs, presented at the Black Hat Conference in Las Vegas. In his presentation, Jack hacked into two freestanding ATMs. The first was done remotely and the other using a USB thumb drive. Both of the ATMs ran on Windows CE. In the article, it is pointed out that “Those attacks required an insider, such as an ATM technician or anyone else with a key to the machine, to place malware on the ATM.” (wired.com) After reading the article and watching the presentation, I thought I would share this on the blog.
“To conduct the remote hack, an attacker would need to know an ATM’s IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.” (wired.com)
The good news for a bank is that you can get a pretty good idea of whether you are vulnerable during the annual FDIC vulnerability assessment/penetration test (VA/PT) and direct the ATM vendor to look at this issue. If you want to be more diligent, you can augment the annual PT with a quarterly VA at relatively modest cost. A network architecture review is also helpful to ensure that you have segregated your ATMs from other critical systems, so that an ATM attack wouldn’t impact transaction processing or another mission-critical function.
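The segregation point above is easy to state and easy to get wrong in a firewall ruleset. The following is an added example, not code from the original post or from Pivot Point Security, that shows how an architecture reviewer can encode the expectation "ATMs talk only to the transaction host, and nothing else talks to the ATM segment" as an automated check. All addresses, the port number and both rulesets are constructed assumptions; the weak ruleset stands in for a flat network, the hardened one for a properly segmented design.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing (assumptions, not from the page):
ATM_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # dedicated ATM VLAN
TXN_HOST = ipaddress.ip_network("10.10.1.5/32")      # transaction-processing host
OFFICE_LAN = ipaddress.ip_network("10.20.0.0/16")    # general office network
ANY = ipaddress.ip_network("0.0.0.0/0")
TXN_PORT = 8583  # hypothetical port for the ATM-to-host protocol


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]             # None matches any destination port


def first_match(rules: List[Rule], src_ip, dst_ip, port: int) -> str:
    """Evaluate an ordered, first-match ruleset with an implicit default deny."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


def check_atm_segmentation(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the ruleset meets the segmentation expectations."""
    findings = []
    atm = ATM_SEGMENT[10]  # an arbitrary ATM in the segment

    # 1. The ATM must still be able to reach the transaction host on the expected port.
    if first_match(rules, atm, TXN_HOST[0], TXN_PORT) != "allow":
        findings.append("ATM segment cannot reach the transaction host")

    # 2. The ATM must have no lateral reach into the office LAN (sampled hosts and ports).
    for host in (OFFICE_LAN[1], OFFICE_LAN[1000]):
        for port in (445, 3389, 80):
            if first_match(rules, atm, host, port) == "allow":
                findings.append(f"ATM segment can reach office host {host}:{port}")

    # 3. Office hosts must not be able to reach the ATM segment either.
    for port in (445, 3389, 80):
        if first_match(rules, OFFICE_LAN[1], atm, port) == "allow":
            findings.append(f"office LAN can reach ATM {atm}:{port}")

    return findings


# Constructed "flat network" ruleset: ATMs may talk to anything.
WEAK_RULES = [
    Rule("allow", ATM_SEGMENT, ANY, None),
]

# Constructed segmented ruleset: one permitted flow, everything else explicitly denied.
HARDENED_RULES = [
    Rule("allow", ATM_SEGMENT, TXN_HOST, TXN_PORT),
    Rule("deny", ATM_SEGMENT, ANY, None),
    Rule("deny", ANY, ATM_SEGMENT, None),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = check_atm_segmentation(rules)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The check deliberately samples a few hosts and ports rather than enumerating the whole address space; in a real review you would feed it the exported ruleset and the segments from the network diagram, and treat any non-empty result as a design gap to raise with the ATM vendor and the network team.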
I know this is a lot of information, so if you have any questions please don’t hesitate to give us a call or email.
About the Author:
Marketing at Pivot Point Security