I read with interest the news that two 9th graders (14-year olds) in Canada found an online manual for a Bank of Montreal (BMO) ATM machine, and hacked in to Operator mode. The “damage” these two inflicted was to change the ATM surcharge (the amount the ATM owner charges the consumer during the transaction) to one cent. No money was extracted, and given their intent and honesty, what they did could be viewed as a “Robin Hood” moment.
BMO’s response was minimal, as they issued the usual comment that “steps will be taken” to ensure it does not happen again. What that presumably means is they will change the default password to stop idle access from anyone with the spare time to Google “ATM OPERATING MODE MANUAL” and follow a few links.
ATM Default Passwords Readily Available
These days it’s very simple to find this information online. In about 30 seconds, I found a link to one ATM manufacturer's manual, and in another 30 seconds, on page 16, all three default passwords (albeit with a caveat saying they should be changed).
The critical issue is what Operator Mode can do. Operator Mode can, for example, allow you in to Test Mode. Test Mode allows you to ensure, for example, that the cash dispenser actually works (by dispensing a bank note). There are some safeguards in place so that the ATM will dispense a single note to the reject bin, inside the ATM behind a lock and key, to reduce the fraud possible in Test Mode.
So all’s well then?
Not entirely. The manuals also provide guidance on how to override the Test Cycle parameter, to run the test continuously, instead of once (i.e., a single note). But the notes will still go from the dispensing bin to the reject bin, so in this case, everything is still fine.
But what if you could change a few lines of code to change the parameter that routes money during the test to the dispenser, instead of the reject bin? Combined with the unlimited Test parameter? Bingo! You cash out.
How Likely Is It That the Code on ATMs Can Be Changed?
You only have to look to the Target breach to see an example of that sort of indirect attack. In that case, it was POS terminals infected with malware code that collected the credit/debit card information for more than 70M people.
Another example happened about 18 months ago, where fraudsters over-rode the daily limits of debit cards to make unlimited withdrawals from cash machines. The loss was $40M in 10 hours, and part of the attack was enacted by simply changing a parameter on a database that tells the ATMs what to do and how to behave. This was one of the drivers behind the recent Advisory from the FFIEC in April concerning ATM and Card Authorization Systems.
Indirect Attacks of Even More Concern
Indirect attacks are the new battleground. So many organizations have bolstered their security around the direct form, while ignoring the indirect. In 2012, for example, Microsoft reported that PCs were being shipped with malware already installed. If they can infiltrate the PC manufacturing process, it’s not hard to believe they can do the same with ATMs or POS terminals.
When it comes to banks, direct attack defenses are usually via 2nd-factor authentication, device identification and behavioral analysis engines.
To date, banks have had fewer options to defend against indirect attacks, especially if they want to integrate these with their direct attack defenses.
The indirect attack broadly falls into two categories - phishing and malware - with the former often being the pre-cursor to the latter. This was the case with the RSA breach three years ago where a phishing email “from HR” loaded malware via an Excel sheet – giving attackers access to many RSA customers.
Phishing today also increasingly uses social media (fake posts and false “tiny” URLs), and is more prevalent than ever. According to the Anti-Phishing Working Group, more than 111,000 unique phishing sites launched just in the last three months of 2013.
Sophisticated fraudsters do not care if their victims have direct attack defenses in place. They’re leaving the direct hacks to the 14-year olds, and increasingly leveraging cleverly deployed malware to conduct stealth attacks.
In the modern era, organizations have to expect indirect attacks in many guises. The more they can prevent an attack at the outset with a solution that offers shared intelligence and flexible layers of resilience, the less reliance they have to put on traditional defenses – defenses that can be circumvented by 9th graders who are good at using Google.