Do you use an ATM? Does your business have a freestanding ATM?
Barnaby Jack, Director of Security Testing at IOActive Labs, presented at the Black Hat Conference in Las Vegas. In his presentation, Jack hacked into two freestanding ATMs. The first was done remotely and the other using a USB thumbdrive. Both of the ATMs ran on Windows CE. In the article, it is point out that “Those attacks required an insider, such as an ATM technician or anyone else with a key to the machine, to place malware on the ATM.” (wired.com) After reading the article and watching the presentation, I thought I would share this on the blog.
“To conduct the remote hack, an attacker would need to know an ATM’s IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine’s proprietary protocol.” (wired.com)
The good news for a bank is that you can get a pretty good idea if you are vulnerable during an annual FDIC vulnerability assessments/penetration tests (VA/PT) and direct the ATM vendor to look at this issue. If you want to be more diligent you can augment the annual PT with a quarterly VA at relatively modest cost. A network architecture review is also helpful to ensure that you have segregated your ATMs from other critical systems, so that an ATM attack wouldn’t impact transaction processing or another mission critical function.
I know this is a lot of information, so if you have any questions please don’t hesitate to give us or a call or email.
Article: Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat Conference http://www.wired.com/threatlevel/2010/07/atms-jackpotted by Kim Zetter – wired.com