Trojan Horse Invades ATM Machine
For some time now we’ve been reporting that identity theft is going high-tech, with techno-savvy thieves creating more and more ways to target and rob their victims.
As computer-operated machines, ATMs have not been immune. Familiar ways to steal information from ATM cards include withholding and skimming, both of which involve the placement of mechanisms on the machine to read a card’s data, and the installation of tiny cameras to watch customers input their PINs.
But now ID thieves have kicked their crooked technology up a notch—by installing a Trojan virus to hack victims’ information from the inside.
The Discovery
The hacking was reported by security products company Sophos and blogged by Graham Cluley. The story was immediately picked up by news reports that gave details of the hacking, how it was done, and what this ominous step forward in criminal technology could mean.
What was revealed was that malware (malicious software created and installed with criminal intent, in this case theft) had been installed on Diebold Opteva ATMs, which run on Windows operating systems.
And what’s really worrisome is that Diebold had advance notice that this type of hacking was indeed possible and had in fact updated certain security features to prevent it—unsuccessfully, as it turns out.
Advance Warning
In fact, in January, Diebold announced that ATMs in Russia had been physically broken into and had a Trojan installed on them.
At that time, “We immediately notified our customers globally of the malware risk and sent a precautionary software update,” a Diebold spokesperson told reporters.
The spokesperson explained, “The criminal gained physical access to the ATMs at site locations, and the malware was installed by someone with high-tech knowledge and expertise.”
This changes the face of the typical identity thief from someone watching furtively at the gas pump as victims enter their PINs, or a schmoozing salesperson sending out bogus e-mails, to a much more sophisticated criminal mind.
Brainy Theft Needs Brainy Solutions
As Graham Cluley noted in his blog, “(The hackers knew) the API calls and understood how the cash machine works. We haven’t seen that before… This is not something the average hacker on the street would have access to.”
Cluley also postulated that either former experience with such machines, or a tie-in with someone on the “inside,” is necessary in order to accomplish this tricky, high-tech operation.
“(Such criminals) need physical access to the ATM—they need to have someone on the inside or involved with the manufacture of these devices to gain access and install the software.”
And needless to say, they need knowledge of malware in general.
As daunting as these reports are, some experts insist they reveal pitfalls in ATM security and could ultimately lead to better security and prevention in the future. This could include more secure procedures from the very beginning of the transaction.
“I’d like to see ATMs sending their information back to the payment processor encrypted over an SSL VPN (virtual private network) or some sort of encrypted VPN link,” commented Network Box security analyst Simon Heron.
But perhaps Cluley said it best when he pointed out that security needs to start at the manufacturing process, where the most damage can be done. “(ATM machines) need to be handled securely like you would handle diamonds from Africa. You need to make sure from when it’s being mined and is brought into the jewelry store that the diamonds haven’t been switched or tampered with.”