How do Hackers Breach ATMs and Cash Registers?
Liam O’Murchu & Eric Chien, Security Response
SYMANTEC VISION 2014
Agenda
1. Attacks against embedded devices
2. Anatomy of an ATM malware attack
3. ATM breach demonstration
4. Anatomy of a POS attack
5. POS breach demonstration
Attacks against embedded devices
• Increase in non-traditional targets
– Routers, cars, TVs, phones, etc.
– Starting to see attackers investigating these devices
• Biggest change in the threat landscape since the commercialization of malware creation and distribution
• To highlight the issue: 2 demonstrations
– ATM malware and POS malware
• Actively being targeted – large breaches this year & last
Anatomy of an ATM malware attack
1. INFECTION: Attacker breaks into the ATM and adds malware via USB or CD-ROM, often by booting off insecure media.
2. CASH EXTRACTION: Attacker can control the malware in many ways: keyboard, PIN pad, bank card and touch screen.
3. ATTACKER TAKES ALL THE RISK: Attacker goes to the ATM in person, cashes out and walks away happy; has complete control but risks getting caught in person.
Variant that removes the in-person risk:
1. ASSEMBLY LINE INFECTIONS: Attacker pays for infections; maintenance staff are often involved.
2. USE MONEY MULES: Removes the risk from the attacker. Mules know nothing; they just ring the attacker when at an ATM.
[Figure: mule phones the attacker from the ATM: "Hello, Boss!" / "Yes?!" / "I'm at ATM no. 5!" / "Ok! Wait for money!"]
Not a theoretical attack: attack currently in use
• Team of attackers arrested in Mexico
– Mix of Mexicans and Venezuelans
– 50 ATMs hacked and emptied
• Malware written in Spanish, but now versions exist in English
• More related malware for other vendors, using other attacks
– Man-in-the-middle, PIN code theft, custom bank cards
• Older ATMs only, but there are a lot of them
Inside an ATM: what the attacker sees [photo slides]
ATM Attack Demonstration
Blog and video: search for "texting atms cash symantec"
Anatomy of Attacks on Retail Systems
1. INFILTRATION: Attackers break into the corporate network (e.g., via spearphishing, vulnerable servers, etc.).
2. NETWORK TRAVERSAL: Attacker searches for an entry point to the PoS network, using compromised admin credentials.
3. DATA STEALING TOOLS: Attacker installs malware on PoS systems to steal credit card data.
4. PERSISTENCE & STEALTH: Malware steals CC info after each card transaction (unencrypted data in memory) and accumulates a large amount of stolen data over time.
5. STAGING: Attackers hijack an internal system as their "staging server", which accumulates data from 1000s of PoS systems.
6. EXFILTRATION: Collected data is exfiltrated to an external server (e.g., a compromised 3rd-party FTP server).
[Figure: Internet / Corporate Network / PoS Network / Payment Processor diagram showing stolen card numbers flowing from PoS systems to the hijacked staging server and then to the compromised FTP server]
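Steps 4 and 5 above describe card data accumulating in PoS memory and on a hijacked staging server. The following Python is an added example, not part of the Symantec presentation, that shows the detection side: scan a constructed sample of staged data for Luhn-valid card-number patterns and flag a host once it holds more distinct PANs than a lane should ever see. The sample lines, lane names and the threshold of 3 are assumptions; the card numbers are public test numbers.

```python
import re
from collections import Counter

# Constructed sample of what piles up on a hijacked staging server (step 5):
# digit groups mixed with timestamps and order ids. Luhn-valid numbers are
# public test card numbers, not real cards; the last line reuses the placeholder
# groups drawn in the slide figure. Lane names are made up.
STAGED_SAMPLE = """\
2014-05-06T09:41:02 lane=A pan=4111 1111 1111 1111
2014-05-06T09:41:02 lane=A order=1234567890123456
2014-05-06T09:42:17 lane=B pan=5555555555554444
2014-05-06T09:42:18 lane=B pan=4012-8888-8888-1881
2014-05-06T09:43:00 lane=A pan=4111111111111111
2014-05-06T09:43:31 lane=C pan=1018 4562 1916 8932 1797 5690 9876 2344
"""

# 13-19 digits, optionally separated by single spaces/dashes, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: real PANs pass, most order ids and timestamps fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidates as plain digit strings, in order seen."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep the first six and last four digits so alerts never carry full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def staging_alert(text: str, threshold: int = 3) -> tuple[bool, dict[str, int]]:
    """Flag a host once it holds `threshold` distinct PANs (a made-up tuning
    value; one lane processes one card at a time and should not accumulate)."""
    counts = Counter(mask(p) for p in find_pans(text))
    return len(counts) >= threshold, dict(counts)
```

The same scan run over outbound transfer payloads (step 6) catches the exfiltration leg; the masked counts are what the alert should carry, never the full numbers.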
PoS Attack Demonstration
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Liam O’Murchu & Eric Chien