Since the recent Black Hat DC conference has received more than its share of website and blog coverage, I thought it would provide a great source for content regurgitation. Furthermore, it was the topic of my previous entry, which means I still have it stored in my mental RAM (EDO RAM), and I know that no one reads the same blog every day.
Billy Rios and Nitesh Dhanjani gave a presentation titled “Bad Sushi” that exposed the amazingly unsophisticated and incredibly large subculture of phishing. The talk revealed the surprisingly amateurish construction of the sites that fuel the $3 billion phishing economy. However, their findings have already been thoroughly discussed throughout the security community, and while the statistics on financial loss from phishing are staggering, they don’t really scare me, personally.
They did, however, discuss one thing that scares the bejesus out of me…ATM skimming. Aaaaahhhh! Seriously though, this potentially affects a significant portion of the population. It’s not a Windows vulnerability, and you don’t even have to be one of those geeky Linux users…you just have to have an ATM card and an account with some cash.
For years, I have followed (just followed) the doings of ATM hackers. It has always made perfect sense to me: an ATM is basically a computer, it has networking capabilities for account authorization, and finally, it contains cold, hard cash. Others, also making this connection, have developed many creative methods in their attempts at ATM exploitation.
The most comical and primitive attempts started with individuals building their own fake ATM machines and placing them in various stores. How do you just wheel a fake ATM into some store? I have no idea.
But the technical trick behind these fake ATMs was their ability to read your card and record your PIN. With this information in hand, the operators were able to clone the cards and use them at legitimate ATM machines.
Another simple method required only a search engine or some social engineering. After identifying the make and model of the machine, requesting, or downloading, a copy of the manufacturer’s user and/or service manual is a trivial task. These little booklets provide all types of useful information, such as how to enter the diagnostic mode and what the default password settings are. Armed with this information, someone successfully reprogrammed an ATM in Virginia Beach to dispense money at a fourfold increase. Sites containing organized lists of default passwords for network products from most manufacturers simplify this task further. While the manuals always recommend changing the default passwords, we all know how often that actually occurs in the security world.
My personal favorite is one using network exploitation. Since ATMs must dial in to the bank for every transaction, one group tapped into the phone line the machine used. They recorded all of the data communication tones sent, using an MP3 player (and recorder), and then analyzed, decoded and reconstructed the information to reproduce the account details…and then went shopping.
The “Bad Sushi” talk at Black Hat discussed ATM skimming, of which there are basically two types. Both involve a separate magnetic card reader, or tape, that steals a user’s ATM card information. In the first type, the card is swiped through the rogue reader, which steals the card’s data and returns a message claiming the machine is not working. With time and poor implementation, however, this often arouses suspicion and is usually unsuccessful. The second type works in a similar manner, except that the rogue reader is placed over the legitimate one. The financial transaction occurs as usual, with the user receiving money, but the account information is secretly captured by the fraudulent reader.
One anti-skimming security mechanism developed to counter this threat uses “jitter” technology. Basically, this works by generating a series of random reading intervals, or stop-start movements (hence, “jittering”), that interfere with bogus card readers.
While it is encouraging that companies are addressing ATM security, there are still a lot of issues that require attention.
Considering that an estimated 70% of ATMs are simply kiosks built upon DOS, Windows XP, or a Windows-like OS (that’s just what one vendor told me), security is still a big concern. Furthermore, a recent analysis of ATM network traffic revealed that, with the exception of the PIN, the data was unencrypted.
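To show what a defender could actually check for in traffic like that, here is an added audit routine (not code from this post or from the analysis it cites) that scans captured records for Luhn-valid card numbers sent in cleartext and reports them masked. The record layout, the field names and the SAMPLE_RECORDS list are constructed for this example; the card numbers are published test numbers, not real accounts.

```python
import re

# Constructed sample "ATM-to-host" records for this example. The field
# layout (PAN=, EXP=, PINBLK=, ...) is an assumption made here; it is not
# taken from the traffic analysis the post cites. The PANs are well-known
# test numbers and the PIN blocks are made-up hex blobs.
SAMPLE_RECORDS = [
    b"TXN|PAN=4539578763621486|EXP=0911|AMT=00020000|PINBLK=9A3F6C21E0B7D4A8|TERM=ATM0042",
    b"TXN|PAN=5105105105105100|EXP=1210|AMT=00004000|PINBLK=C41D8E09F7A2B365|TERM=ATM0042",
    b"HB|SERIAL=1234567890123456|TS=20080301123045|TERM=ATM0042",
    b"TXN|ENC=a1f09c3e77b2d4e68c1f5a90b3d7c2e4|TERM=ATM0042",
]

# Any run of 13-19 digits not adjacent to another digit is a PAN candidate.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: issuers use it to validate a card number's check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(payload: bytes) -> list:
    """Return every Luhn-valid digit run found in a cleartext payload."""
    return [
        m.group(1).decode()
        for m in PAN_RE.finditer(payload)
        if luhn_valid(m.group(1).decode())
    ]


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so a finding can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit(records) -> dict:
    """Map record index -> masked PANs found in the clear; empty dict means none."""
    findings = {}
    for idx, rec in enumerate(records):
        pans = find_plaintext_pans(rec)
        if pans:
            findings[idx] = [mask_pan(p) for p in pans]
    return findings


if __name__ == "__main__":
    for idx, masked in audit(SAMPLE_RECORDS).items():
        print(f"record {idx}: cleartext PAN(s) {masked}")
```

Run against a real capture, any hit means card data is crossing the wire unprotected; the fourth sample record stands in for an encrypted channel and yields nothing, and the Luhn filter keeps serial numbers and timestamps (the third record) out of the report, so a hit is worth investigating rather than noise.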
What good is an automated teller machine (remember, that’s what ATM stands for) when we have no way of identifying and verifying the identity of the teller?
Lastly, to verify some of this information, I employed some good old-fashioned social engineering of my own yesterday. Calling an ATM vendor as an inquisitive potential buyer, I discovered that for $2000 one could buy a free-standing ATM machine. I was also told that it ran Windows XP, contained a regular SD card slot, and was given the manufacturer of the router that upgrades its dialup connection to Ethernet. Just about every technical question I asked was answered without anyone knowing who I was.
When I directly questioned the sales rep about the security of the machine, and how it communicates securely through the dangers of the internet, he answered, “It’s very secure…you have nothing to worry about…it’s what we use.”
My PIN is 1234. My ATM card can be cloned at greyhat@computer.org
Copyright © 2008 IDG Communications, Inc.
