ATM malware has always been a 'silent killer' in the ATM world, but it is getting more and more publicity nowadays. Some ATMs in Mexico were recently targeted by a new malware strain known as Ploutus, which remotely manipulates the denominations of the cash dispensed. The lack of publicity to date also means that data about losses incurred from these kinds of attacks is scarce or unreliable.

ATM Malware Cases Getting More Publicity

Everyone keeps talking about skimming as the greatest threat, and that is obviously true if we count the number of incidents, but a single malware-based case can cause more losses than a whole series of skimming attacks. The first malware case in the ATM world was in fact a worm: Welchia, recorded back in 2003, took a number of ATMs offline, effectively a denial-of-service attack. Another famous but still publicly underestimated case, and the first trojan written for ATMs, is Troj.Skimer. It has been in the wild since 2008, even though it was only announced in March 2009. Prevalent in Russia, Ukraine and some other CIS countries, it has evolved over time; nowadays it focuses on dispensing all or some of an ATM's cash using a designated supervisor card, although it is also capable of stealing card data.

So why is it still possible to infect ATMs?

They do not (God help us if they do) have any direct access to the Internet, which leaves remote administrative access and USB ports as the only viable infection routes. Would a standard blacklist-based anti-malware solution solve the problem? The main problem with blacklists is that the vendors will never know about a new piece of malware until someone detects and reports it. Seen from the major anti-malware vendors' perspective, the roughly 2.5 million ATMs in the world are a drop in the bucket compared to the number of PCs and servers worldwide, so a sample that only ever runs on ATMs is unlikely to reach their signature databases quickly.

Proper ATM malware is always written for specific ATMs running some vulnerable software or missing OS patches, which makes it easy to install. For example, Windows XP SP1 has AutoRun enabled by default, which makes an unhardened ATM a perfect target for infection via its USB port (hint: Troj.Skimer's favourite route).
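To make the AutoRun point concrete, here is an added example (my own code, not from the original post or from Advantio) that audits the machine-wide AutoRun policy an ATM build should carry. NoDriveTypeAutoRun is a bitmask in which a set bit disables AutoRun for one drive type, so 0xFF disables it everywhere; on XP and Server 2003 the mask is only honoured once the KB967715 fix is installed and HonorAutorunSetting is set to 1. The registry values for the weak and hardened hosts below are constructed for the demonstration; the `read_live_policy` helper reads the real keys when run on Windows.

```python
"""Audit the Windows AutoRun policy on an ATM host.

Added example, not code from the original post. The sample policies
WEAK_POLICY and HARDENED_ATM_POLICY are constructed; the key path and
bit meanings are the documented Windows ones.
"""

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# NoDriveTypeAutoRun bit -> drive type. A set bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed (local and USB hard disks)",
    0x10: "network",
    0x20: "CD-ROM / DVD",
    0x40: "RAM disk",
    0x80: "reserved/unknown",
}
ALL_DRIVES_DISABLED = 0xFF

# Constructed sample policies for a weak host and a hardened ATM.
WEAK_POLICY = {"NoDriveTypeAutoRun": 0x91, "HonorAutorunSetting": None}
HARDENED_ATM_POLICY = {"NoDriveTypeAutoRun": ALL_DRIVES_DISABLED, "HonorAutorunSetting": 1}


def autorun_enabled_types(mask):
    """Return the drive types on which AutoRun is still active under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not (mask & bit)]


def audit_autorun(policy):
    """Return a list of findings for a Policies\\Explorer value dict; empty means hardened."""
    findings = []
    mask = policy.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun not set: Windows defaults apply")
        mask = 0
    for drive_type in autorun_enabled_types(mask):
        findings.append(f"AutoRun still active on {drive_type} drives")
    # XP/2003 ignore the mask unless KB967715 is installed and this value is 1.
    if policy.get("HonorAutorunSetting") != 1:
        findings.append("HonorAutorunSetting != 1: mask may be ignored on XP/2003 (KB967715)")
    return findings


def read_live_policy():
    """Read the machine-wide values on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    policy = {"NoDriveTypeAutoRun": None, "HonorAutorunSetting": None}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in policy:
                try:
                    policy[name], _ = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass
    except OSError:
        pass  # policy key absent: all values stay None
    return policy


if __name__ == "__main__":
    live = read_live_policy()
    for label, policy in (("weak sample", WEAK_POLICY),
                          ("hardened sample", HARDENED_ATM_POLICY),
                          ("this host", live)):
        if policy is None:
            continue
        findings = audit_autorun(policy)
        print(f"{label}: {'hardened' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it on an ATM image during a hardening review; an empty findings list for the live host is the state to aim for. Disabling AutoRun closes one infection route only, so it belongs alongside the whitelisting and integrity controls discussed below rather than replacing them.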

It appears that the ATM malware threat requires an approach specific to the ATM industry

This means that standard blacklist-based anti-malware solutions will most definitely not do the job, whereas application whitelisting, file integrity monitoring and a host-based IDS, if implemented properly, will make malware-based attacks cumbersome and unviable for fraudsters. System hardening and patching will also keep prevention of ATM malware at a sufficient level. This is also reflected in the ATM Security Guidelines published by the PCI Security Standards Council in September 2012.

The document does not mention traditional blacklist anti-malware measures at all; there are no requirements for regular signature updates and so on. Instead, the focus is on system hardening and intrusion detection at different levels, using measures such as integrity checks. This is surely the right approach, but the PCI Data Security Standard (DSS) still requires anti-malware solutions with automatic signature updates and periodic scans (Requirement 5), and ATMs are systems that process cardholder data, so a deployer has to reconcile the two.
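The file integrity monitoring and integrity checks mentioned in the two paragraphs above come down to one mechanism: a cryptographic baseline of the ATM's software, compared against the live system. The following is an added example (my own code, not from the original post, from Advantio or from the PCI guidelines) that builds a SHA-256 baseline of an application directory and reports files that were added, removed or modified since. The directory layout, file contents and the dropped "trojan" are constructed for the demonstration; on a real ATM the baseline would be taken from a known-good image and kept off the machine, and an unknown executable in the report is exactly what a whitelist would refuse to run.

```python
"""File-integrity baseline for an ATM application directory.

Added example, not code from the original post. The demo() scenario,
its paths and file contents are constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(baseline, current):
    """Return (added, removed, modified) sets of relative paths."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in set(baseline) & set(current) if baseline[p] != current[p]}
    return added, removed, modified


def demo():
    """Constructed scenario: baseline a dispenser directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "bin", "dispenser.exe"), "wb") as f:
            f.write(b"MZ original dispenser binary (constructed)")
        with open(os.path.join(root, "bin", "xfs.dll"), "wb") as f:
            f.write(b"MZ original xfs library (constructed)")
        with open(os.path.join(root, "config", "limits.ini"), "wb") as f:
            f.write(b"[dispense]\nmax_notes=40\n")
        baseline = build_baseline(root)

        # Simulated attack via USB: a dropped trojan, a patched library and a
        # deleted limits file. All three names are constructed.
        with open(os.path.join(root, "bin", "svchost32.exe"), "wb") as f:
            f.write(b"MZ dropped trojan (constructed)")
        with open(os.path.join(root, "bin", "xfs.dll"), "wb") as f:
            f.write(b"MZ patched xfs library (constructed)")
        os.remove(os.path.join(root, "config", "limits.ini"))

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "modified"), demo()):
        print(f"{label}: {sorted(paths) or '-'}")
```

In production the comparison runs on a schedule or at boot, the baseline lives somewhere the ATM cannot write to, and any non-empty report is an alert for the fraud or SOC team, not just a log line; that is the "intrusion detection using integrity checks" the guidelines ask for.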

It may sound confusing, so if you have any questions on ATM security or on how to meet PCI DSS requirements for ATMs, don't hesitate to contact Advantio; we also offer ATM Security Training that we can deliver on site at your location.

Sources

Some ATMs in Mexico were recently targeted
Troj.Skimer
Trojan Targets (March 2009)
ATM Security guidelines 

Written by Irmantas Brazaitis

PCI QSA and information security professional with vast experience within the payment card industry, I have sound experience in ATM security, having worked for a global payment service provider alongside the Fraud team and been involved in the end-to-end fraud prevention process (from monitoring suspicious transactions to the seizure of criminals).

Certified as Qualified Security Assessor (QSA) by PCI Security Standards Council.