ATM Hackers Have Picked Up Some Clever New Tricks:
At last week's Black Hat and Defcon security conferences, researchers dug through recent evolutions in ATM hacking. Criminals have increasingly tuned their malware to manipulate even niche proprietary bank software to cash out ATMs, while still incorporating the best of the classics—including uncovering new remote attacks to target specific ATMs.
During Black Hat, Kevin Perlow, the technical threat intelligence team lead at a large, private financial institution, analyzed two cash-out tactics that represent different current approaches to jackpotting. One looked at the ATM malware known as INJX_Pure, first seen in spring 2019. INJX_Pure manipulates both the eXtensions for Financial Services (XFS) interface—which supports basic features on an ATM, like running and coordinating the PIN pad, card reader, and cash dispenser—and a bank's proprietary software together to cause jackpotting.
[...] Perlow also looked at FASTCash malware, used in jackpotting campaigns that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency attributed to North Korean hackers in October 2018. North Korea has used the malware to cash out tens of millions of dollars around the world, which coordinated groups of money mules then collect and launder. FASTCash targets not the ATMs themselves but a financial card transaction standard known as ISO-8583. The malware infects software running on what are known as "payment switches," finance infrastructure devices that run systems responsible for tracking and reconciling information from ATMs and responses from banks. By infecting one of these switches rather than attacking an individual ATM, FASTCash attacks can coordinate cash-outs from dozens of ATMs at once.
"If you can do this, then you no longer have to put malware on 500 ATMs," Perlow says. "That's the advantage, why it’s so clever."
[...] "What has fundamentally changed between when Barnaby Jack presented and now?" Red Balloon's Cui says. "The same types of attacks that would have worked against laptops and laptop operating systems 15 years ago largely wouldn't work now. We've leveled up. So why is it that the machine that holds the money has not evolved? That’s incredible to me."
(Score: 2) by driverless on Wednesday August 19 2020, @04:49AM (1 child)
From the technical side of things, the switches have to support a bunch of 30 to 40-year-old payment standards that each bank implements slightly differently at a rate of thousands of transactions a second with, ideally, zero downtime ever. It's not like you can roll out a bunch of patches every few weeks, with half-hour-long outages while they're applied, and risk bricking half your payment gateways every time (thinking Microsoft here), this stuff is operating under severe technical constraints. In particular outages are a far bigger loss factor for banks than fraud.
(Score: 1) by fustakrakich on Wednesday August 19 2020, @05:52AM
For the banks, fraud is profit factor, depending who is conducting it
La politica e i criminali sono la stessa cosa..