Alert: Indian ATMs Face New AttacksNCR Issues Advisory About USB 'Black Box' Attacks
ATM manufacturer NCR has released a security warning regarding a new series of so-called "jackpotting" attacks being conducted against ATMs in India. The company released the alert on March 19 and says that its investigation into the attacks remains ongoing.
The alert states that criminals are gaining access to the "top box" of ATMs to connect a device to a USB port. Thus far, the device remains unidentified, NCR says. By using this USB "black box," the attacker can connect a keyboard, issue commands to the ATM, and tell it to dispense cash at will.
Attacking ATMs is big business. Indeed, a report issued in February by anti-virus vendor Kaspersky Lab estimates that one notorious cybercrime gang - called the Anunak or Carbanak gang, in reference to the malware it uses - has caused up to $1 billion in fraud, based in part on using ATM jackpotting malware against machines in Russia, the United States, India and beyond.
In the series of attacks against Indian ATMs, NCR says that it is continuing to gather additional digital forensic data from hacked machines. But an NCR spokesman tells Information Security Media Group that based on its initial findings, the attackers could be using a variant of a type of ATM malware that's been seen in previous examples of these types of "cashout" or jackpotting attacks. "There has been a wide variety of malware used in attacks on all manufacturers' ATMs," he says, adding, however, that over the past six months, the financial services industry worldwide has seen a rapid increase in these types of "logical" attacks.
The NCR spokesman notes that this series of attacks has been focused on a wide variety of locations throughout India, and in particular on standalone ATMs in unattended locations, which underscores the importance of maintaining strong physical security in such locations.
The NCR alert details the vendor's guidance and recommendations for protecting against these types of black-box attacks. NCR says that as a priority, ATM operators must ensure the following:
- Block all attempts to boot the ATM hardware, using removable media - such as USB black boxes.
- Password-protect all access to the BIOS and have robust password management in place.
- Deploy an effective anti-virus mechanism.
What CISOs Recommend
But Agnelo D'Souza, the CISO of Kotak Mahindra Bank, questions how many of these NCR-recommended controls are feasible and cautions that they might not be sufficient to foil a dedicated attacker. As an additional defense, he says, "banks should consider implementing active whitelisting software on the ATMs that can be monitored centrally" to prevent any malicious code from being allowed to run.
Another CISO at a leading Indian multinational bank, speaking on condition of anonymity, says that many similar alerts about ATM schemes have been arriving through various channels, including government agencies, such as India's computer emergency response team, CERT-In - and not just for NCR-built machines.
But banks are not the only organizations in India responsible for keeping ATMs secure. In general, half of the ATMs on a bank's network are owned by the banks themselves, while half get managed by service providers, according to the CISO who requested anonymity. "NCR is just one of the ATM types that we use on our network, and various mitigations are already available on ATM network to deal with such exploits," he says.
In the case of his bank, the CISO says that the organization proactively monitors all of its ATMs, and that any unauthorized attempt to install rogue software on a device will trigger an alert in the bank's central control room, following which the ATM is deactivated from the bank's network, which he says renders it unable to dispense cash. "Taking a leaf out of other such attacks taking place across the globe - such as in Eastern Europe, Russia, the U.S., etc. - most Indian banks, to the best of my knowledge, have put proactive controls in place to deal with ATM fraud," he says.
But in the wake of NCR's new alert, it's not clear if existing controls are adequately defending against such attacks. NCR also declined to provide more details about the attack campaign - including specifics relating to any malware, the black boxes, or exactly how the attackers were hacking into that ATM hardware or operating system - pending the results of its investigation.
Based on the details provided to date by NCR, however, the latest attacks appear to be similar to a proof-of-concept attack demonstrated at Black Hat Europe in 2014, in which researchers showed how an ATM's computer could be bypassed by attaching a tiny credit-card-sized Raspberry Pi computer, which then tells the cash-dispensing hardware to begin dispensing money.
Regardless of the attack technique, security experts have also long warned that when locking down ATMs, operators must also pay close attention to the physical environment and related security. For example, locating ATMs in unattended public locations puts them at greater risk of being attacked. And for any ATMs in such locations, NCR recommends that operators always install an alarm that will alert a central control room in the event that the ATM's top box gets opened.