With the recent discovery of malicious software installed inside ATMs in Russia and Ukraine, Trustwave, a data-security company, urged U.S. banks to have their machines analyzed to determine whether crooks installed malware to steal customer-card information. Thieves use the stolen data to make counterfeit debit cards to loot customer accounts.
Trustwave issued the advice after its SpiderLabs security team examined 20 ATMs owned by banks in Russia and Ukraine, Nicholas Percoco, Trustwave senior vice president and head of SpiderLabs, tells ATM & Debit News.
SpiderLabs provides application security and responds to compromised ATMs by conducting tests to determine whether the network is secure, he says. Trustwave also conducts application tests. Application and network tests involve "ethical" hacking of a computer application or a network to determine whether it has any vulnerabilities.
Percoco declined to name the banks, but he says bank officials contacted SpiderLabs, which has offices in Chicago and London and forensics experts in South America, North America, Asia and Europe.
"Bank officials knew something was not right," he says. "Losses due to fraud were taking place, and the losses were affecting large numbers of bank customers." Percoco and his team learned that the affected bank customers had all used the same ATMs.
SpiderLabs subsequently discovered that thieves installed malware inside the ATMs to collect card data.
How thieves install the malware is a matter of conjecture. Some security experts and others speculate they buy keys that lock the ATMs from the manufacturers' employees. They then use the keys to open the rear of the machines, which enables them to install the malware.
Thieves tend to install malware in ATMs that run on the Windows XP operating system because that is what the ATM vendors support.
Windows XP has been the most-popular ATM operating system in Central and Eastern Europe since 2006, according to Retail Banking Research Ltd., a London-based strategic-marketing firm. Some 85% of deployers have migrated to Windows XP, Retail Banking Research said in a May 20 report "Russia Leapfrogs The West To Become Europe's Largest ATM Market."
Once crooks install the "sniffer" software, the malware begins to collect cardholder data, often for a very long time before being discovered, Percoco says. "It can be several months at the minimum to two years," he says. Thieves retrieve the data by inserting a "trigger" card in the machine that prompts the malware to print collected card information on a receipt, Percoco says. Malware is the latest way in which thieves are attacking ATMs.
Years ago, criminals would yank ATMs off their foundations, load the ATMs onto flatbed trucks and speed away to an isolated location where they would try—often unsuccessfully—to open the machine. A missing ATM ripped from its foundation is easy for police and bank employees to spot, but with malware the software "camps out," undetected, Percoco says.
"ATM thieves have evolved from cave men to high-tech criminals," he says. DeAnn Zackeroff, a spokesperson for Diebold Inc., a North Canton, Ohio-based ATM manufacturer, agrees.
"The thieves are much more sophisticated, much more aggressive, and they are well-funded criminal organizations," she says.
Criminals also can e-mail the malware to compatriots in other parts of the world, and the software is vendor agnostic, meaning it can be used in any type of ATM, Trustwave says.
In January, Diebold discovered thieves installed malware inside an undisclosed number of its machines throughout Russia. The software changed the machines' internal controls, such as password-management numbers, says Jim Pettitt, Diebold director of security strategy and planning (ADN, 4/30).
Russian police arrested the thieves, and the U.S. Secret Service is working with Diebold to investigate the theft ring. Diebold did not disclose the location of the ATMs except to say they are in Russia.
The manufacturer also would not say how much money the thieves stole. Trustwave believes malware is a serious danger, although ATMs made before 2004 are the most vulnerable because they use software to encrypt card data, which malware can intercept before encryption occurs. "With newer models of ATMs, the barrier to entry is much higher because the newer machines are PCI compliant," and the ATMs encrypt card data at the keypad, says Percoco, adding that newer model ATMs also should be checked for malware.