Are ATMs sitting ducks for WannaCry-style cyberattack?
When WannaCry ransomware recently froze thousands of computers running on older versions of Windows, I wondered about ATMs.
A few years ago, when Microsoft retired Windows XP, banks were slow to upgrade their ATMs to Windows 7 because of the costs and time involved in installing the new software. Upgrading operating systems on an ATM fleet is more complicated than changing them for a company's PCs, partly because ATMs are unattended and therefore have to be thoroughly tested.
Today, most large banks and credit unions have migrated to Windows 7, according to David Tente, executive director of the ATM Industry Association.
But the picture is less clear for smaller financial institutions, he said.
“Many, if not most, of the 12,000 financial institutions with only one, two or three ATMs are still running Windows XP,” Tente said. ATM manufacturers are just now beginning to make Windows 10 available on their equipment two years after its release.
So with Windows XP and Windows 7 the primary targets, are ATMs sitting ducks for WannaCry and its cousin WannaCrypt? And if so, could hackers succeed in crippling them?
“Any device running a version of Windows that is vulnerable to the server message block exploit is vulnerable to ransomware like WannaCry — and worse, frankly,” said Avivah Litan, vice president of Gartner. “We have heard about other attacks that exploit this vulnerability that are far more lethal than ransomware.”
David Pollino, deputy chief security officer at Bank of the West, also sees a risk.
“If it could happen to the San Francisco Municipal Transport Agency on their payment machines, it conceivably could happen to an ATM network,” he said. The transport agency was hit in November with ransomware and a demand for 100 bitcoin. The ransom wasn’t paid and everybody got to ride public transportation for free that day.
To be clear, Pollino said he doesn’t believe ATMs are more vulnerable than other computers, however.
“I’m just saying anyone who discounts the possibility of something bad happening is not preparing for it,” Pollino said. “At the end of the day, an ATM is a computer that in many cases does run Windows on what should be considered a highly sensitive network.”
Nothing to see here
Bill Nelson, CEO of the Financial Services-Information Security Analysis Center, the industry’s cyberthreat information sharing group, said he has not received any reports of ATMs being hit with ransomware.
“When Microsoft stopped supporting the XP operating system, we had a mad scramble among our community banks and credit union members, trying to figure out what to do,” Nelson recalled. “We came up with a series of recommendations, many of which have been followed.”
One was that ATM networks should be segregated from other systems at a financial institution.
“This provides protection from malware that comes in over the internet, so it’s no longer part of the network of the financial institution,” Nelson said.
Other recommendations included establishing a layered defense, using antivirus software, requiring dual authentication to download software onto an ATM, and only allowing software that’s been whitelisted to run on an ATM.
The FS-ISAC also urged members to apply the patch Microsoft recently issued for Windows XP-powered ATMs which fixes the Windows vulnerability WannaCry hackers have been exploiting.
Nelson, like other security experts, also recommended that applications and operating systems be patched and updated automatically.
“You shouldn’t give the user a choice,” he said. “People who don’t understand that will get hit. You may have 100,000 computers in your enterprise. It only takes one to not be patched or upgraded to be in trouble and that’s happened time and time again.”
Unsurprisingly, Nelson sees information sharing as a critical part of threat detection prevention and response.
“It doesn’t always equal knowledge — you need to know about not just the shared threat indicators, the IP addresses, the patches, which are shared pretty quickly, but also how to address this and improve defenses for the future,” he said.
Where the threats are
Overall, ATMs don’t make sense for a ransomware attack, Nelson said.
“They’re looking for money,” he said. “To make this a fungible asset, most of them require you to send the money in bitcoin or some other digital currency that can’t be traced. Going to an ATM cash-out scheme for ransomware doesn’t make a lot of sense because if you are going to an ATM, your picture is being taken, or the money mule’s picture is being taken.”
And the computers that were most vulnerable to WannaCry and WannaCrypt, Nelson noted, were running pirated operating systems that did not receive patches because the operators didn’t legally own the software.
“But it’s not a policy of Western financial institutions to buy pirated software and install it,” he observed.
ATMs are still subject to other types of cyberattacks, however. Several ATM cash-out schemes have hit large banks in the U.K. and the Middle East in recent years, in which criminals extracted millions of dollars, for example.
“Hackers got in, and took over the credentials for the administrator,” Nelson said. “It’s almost classic account takeover, except this time they’re not taking money wiring ACH money, they’re using ATMs, changing the controls for how much money you can take out for each account, and having the money-mule network set up to bleed them dry. Brilliant!”
Paying closer attention
ATMs have risen higher on banks’ security priority lists, Pollino said.
“An ATM is basically a vault with a computer attached to it, so we treat it as a highly critical system, Pollino said. “We have multiple layers of security to ensure that nothing bad happens. We have plans in place, so that if something bad does happen, we can respond to it.”
Banks are also starting to care more about operating on out-of-date systems.
“They’re cognizant of fact that when an operating system or application is coming up on end-of-life, that’s a real date, that software needs to be commercially supported, and when it’s not, eventually bad things could happen,” Pollino said.
Pollino pointed out that it’s easier to secure something like an ATM where the equipment and use serve a specific purpose, versus a computer that might be used for different things.
“The fact that it’s a well known and understood environment leads it to be very straightforward in putting appropriate safeguards in place,” he said.
When any security incident hits the news, banks check their own controls to make sure they could withstand a similar attack, he said. Pollino’s team analyzes information coming from the FS-ISAC and inspects partnerships to make sure those third parties aren’t vulnerable to the threat.
“If there is an issue like WannaCry or the denial-of-service attacks that occurred earlier in the year, the first thing we always try to do is understand what’s going on in the cybersecurity environment,” Pollino said. “We look in the mirror and say, if this happened to us, would we have been vulnerable? What would our response have been? We try to take advantage of what happens to make ourselves stronger.”
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.