How do Hackers Breach ATMs and Cash Registers?

Liam O’Murchu & Eric Chien, Security Response

Transcript of the slide deck (vox.veritas.com/legacyfs/online/veritasdata/9am...)


SYMANTEC VISION 2014

Agenda


1 Attacks against embedded devices

2 Anatomy of an ATM malware attack

3 ATM breach demonstration

4 Anatomy of a POS attack

5 POS breach demonstration


Attacks against embedded devices

• Increase in non-traditional targets

– Routers, cars, TVs, phones, etc.

– Starting to see attackers investigating these devices

• Biggest change in the threat landscape since the commercialization of malware creation and distribution

• To highlight the issue: 2 demonstrations, ATM malware and POS malware

• Actively being targeted – large breaches this year & last

Anatomy of an ATM malware attack

1 INFECTION: The attacker breaks into the ATM and adds malware via USB or CD-ROM, often by booting off insecure media.

2 CASH EXTRACTION: The attacker can control the malware in many ways: keyboard, PIN pad, bank card and touch screen.

3 ATTACKER TAKES ALL RISK: The attacker goes to the ATM in person, cashes out and walks away happy. They have complete control, but risk getting caught in person.

1 ASSEMBLY LINE INFECTIONS: The attacker pays for infections; often maintenance staff are involved.

2 USE MONEY MULES: Removes the risk from the attacker. Mules know nothing; they just ring the attacker when they are at an ATM.

(Slide illustration: the mule phones the attacker: "Hi boss!" / "Yes?!" / "I’m at ATM no. 5!" / "OK! Wait for the money!")


Not a theoretical attack

• Team of attackers arrested in Mexico

– Mix of Mexicans and Venezuelans

– 50 ATMs hacked and emptied

• Malware written in Spanish, but now versions in English

• More related malware for other vendors and using other attacks

– Man-in-the-middle, PIN code theft, custom bank cards

• Older ATMs only, but there are a lot of them


Attack currently in use


Inside an ATM

(Two slides of photos: what the attacker sees.)

ATM Attack Demonstration

Blog and video: search for "texting atms cash symantec"

Anatomy of Attacks on Retail Systems

1 INFILTRATION: Attackers break into the corporate network (e.g., via spearphishing, vulnerable servers, etc.).

(Diagram: Internet → Corporate Network)

2 NETWORK TRAVERSAL: The attacker searches for an entry point to the PoS network, using compromised admin credentials.

(Diagram: Internet → Corporate Network → PoS Network)

3 DATA STEALING TOOLS: The attacker installs malware on PoS systems to steal credit card data.

(Diagram: Internet → Corporate Network → PoS Network, with malware on the PoS systems)

4 PERSISTENCE & STEALTH: The malware steals credit card information after each card transaction and accumulates a large amount of stolen data over time.

(Diagram: PoS network and corporate network, with the payment processor reached over the Internet; card numbers sit as unencrypted data in PoS memory.)

5 STAGING: Attackers hijack an internal system as their "staging server", which accumulates data from 1000s of PoS systems.

(Diagram: a hijacked staging server in the corporate network collects the card data from the PoS network.)

6 EXFILTRATION: The collected data is exfiltrated to an external server (e.g., a compromised 3rd-party server).

(Diagram: the accumulated card data leaves the corporate network for a compromised FTP server on the Internet.)
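A defender-side check for steps 2, 5 and 6 above, added here as an example and not part of the Symantec deck: it runs a simple segmentation policy over flow records and flags corporate-to-PoS access, PoS terminals pushing data to an internal host, and an internal host uploading to an outside FTP server. The network ranges, the payment processor address and the flow lines are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Assumed (hypothetical) segmentation policy: PoS terminals talk only to the payment
# processor, and no internal host uploads to an outside FTP server. All constructed.
POS_NET = ip_network("10.20.0.0/16")
CORP_NET = ip_network("10.10.0.0/16")
PAYMENT_PROCESSOR = ip_address("203.0.113.10")  # documentation address stands in for the processor
FTP_PORTS = {21, 990}
# Constructed flow records: (src, dst, dst_port, bytes_sent).
SAMPLE_FLOWS = [
    ("10.20.5.11", "203.0.113.10", 443, 2_048),      # normal: terminal -> payment processor
    ("10.10.7.3", "10.20.5.11", 3389, 120_000),       # step 2: admin host reaches into the PoS network
    ("10.20.5.11", "10.10.9.20", 445, 4_500_000),     # step 5: terminal pushes data to an internal host
    ("10.10.9.20", "198.51.100.77", 21, 95_000_000),  # step 6: that host uploads to an outside FTP server
    ("10.10.7.3", "10.10.9.20", 445, 3_000),          # ordinary corporate traffic
]

def is_internal(addr):
    return addr in POS_NET or addr in CORP_NET

def classify(src, dst, dport):
    """Label one flow against the policy, or return None if it is allowed."""
    s, d = ip_address(src), ip_address(dst)
    if s in POS_NET and d != PAYMENT_PROCESSOR:
        if d in CORP_NET:
            return "pos-to-corp (possible staging)"
        if not is_internal(d):
            return "pos-to-internet"
    if s in CORP_NET and d in POS_NET:
        return "corp-to-pos (network traversal)"
    if is_internal(s) and not is_internal(d) and dport in FTP_PORTS:
        return "ftp-to-internet (possible exfiltration)"
    return None

def audit(flows):
    """Group policy violations by label, keeping the offending flows."""
    findings = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        label = classify(src, dst, dport)
        if label:
            findings[label].append((src, dst, dport, nbytes))
    return dict(findings)

def bytes_to_external(flows):
    """Outbound bytes per internal host, excluding the processor link; a large total marks the step 5 staging server."""
    totals = defaultdict(int)
    for src, dst, _dport, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if is_internal(s) and not is_internal(d) and d != PAYMENT_PROCESSOR:
            totals[src] += nbytes
    return dict(totals)
```

Run against real flow or NetFlow exports, the same two functions turn the "staging server" of step 5 into the host with the largest outbound total and the exfiltration of step 6 into a named finding.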

PoS Attack Demonstration

Thank you!

Please take a few minutes to fill out the short session survey available on the mobile app—the survey will be available in the mobile app shortly after the session ends. And then watch for and complete the more extensive post-event survey that will arrive via email a few days after the conference.

To download the app, go to https://vision2014.quickmobile.com or search for Vision 2014 in the iTunes or Android stores.


Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
