Iron boxes full of cash standing on city streets cannot fail to attract people looking for quick money. Where ATMs were once emptied by purely physical means, increasingly sophisticated computer-based tricks are now used. The most relevant of these today is the "black box": a single-board microcomputer connected inside the ATM. This article explains how it works.
Head of the International Association of ATM Manufacturers (ATMIA)
A typical ATM is a set of ready-made electromechanical components in one housing. Manufacturers assemble their machines from a banknote dispenser, a card reader and other modules developed by third-party vendors: a kind of LEGO set for adults. The finished components are mounted in the ATM cabinet, which usually consists of two compartments: the upper compartment (the "cabinet" or "service area") and the lower compartment (the safe). All electromechanical components are connected via USB and COM (RS-232) ports to the system unit, which acts as the host. On older ATM models you can also find connections over the SDC bus.
The evolution of ATM carding
ATMs holding large sums have always attracted carders. At first, carders exploited only gross physical weaknesses in ATM security: skimmers to copy magnetic stripe data, shimmers interposed between the chip card and the reader, fake PIN pads and hidden cameras to capture PINs, and even entire fake ATMs.
Then, as ATMs started to ship with unified software built on common standards such as XFS (eXtensions for Financial Services), carders began to attack ATMs with malware.
Among them are Trojan.Skimmer, Backdoor.Win32.Skimer, Ploutus, ATMii and numerous other named and unnamed families that carders plant on the ATM host either from a bootable flash drive or over an exposed remote-control TCP port.
ATM infection process
Having taken control of the XFS subsystem, the malware can issue commands to the banknote dispenser without any authorization. It can also command the card reader: read or write a card's magnetic stripe and even pull the transaction history stored on the EMV chip. The EPP (Encrypting PIN Pad) deserves special attention. It is generally assumed that a PIN entered on it cannot be intercepted. However, XFS lets the EPP operate in two modes: 1) open mode, for entering ordinary numeric parameters such as the amount to withdraw; 2) secure mode, which the EPP switches to when a PIN or an encryption key is to be entered. This feature lets the carder mount a MiTM attack: intercept the secure-mode activation command sent from the host to the EPP and tell the EPP to continue in open mode instead. The EPP then returns the keystrokes in plaintext. The attack works because the host-to-peripheral command carries no authentication and the host does not verify which mode the EPP is actually in.
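The downgrade described above, as an added example that is not code from the original article or from any ATM vendor. The frame format is a hypothetical, heavily simplified host-to-EPP protocol (a one-byte command plus an optional payload), not the real XFS/EPP wire format. It contrasts a host that trusts the EPP's unauthenticated mode byte with one that requires the EPP to authenticate its acknowledgement with an HMAC over a host-supplied nonce and the mode actually in effect; the shared key and the PIN are constructed for the demo.

```python
"""Simulation of the EPP mode-downgrade MiTM and a host-side check.

Hypothetical, simplified host<->EPP protocol (NOT the real XFS/EPP format):
one command byte followed by an optional payload.
"""
import hashlib
import hmac
import os

CMD_OPEN_MODE = b"\x01"    # plain keystrokes (amounts, menu choices)
CMD_SECURE_MODE = b"\x02"  # PIN / key entry, keystrokes returned encrypted
CMD_GET_KEYS = b"\x03"     # read the keystroke buffer

# Assumed key shared by host and EPP (constructed for the demo).
EPP_KEY = b"constructed-epp-host-key-for-demo"


class EPP:
    """Minimal encrypting PIN pad model."""

    def __init__(self, key, pin_digits):
        self.key = key
        self.mode = "open"
        self.pin_digits = pin_digits  # what the customer is going to type
        self.last_nonce = b""

    def handle(self, frame):
        cmd, payload = frame[:1], frame[1:]
        if cmd == CMD_GET_KEYS:
            if self.mode == "secure":
                # A real EPP returns an encrypted PIN block; a digest stands in
                # for "ciphertext the eavesdropper cannot use".
                return b"ENC:" + hashlib.sha256(self.pin_digits).digest()[:8]
            return b"PLAIN:" + self.pin_digits
        if cmd == CMD_OPEN_MODE:
            self.mode = "open"
        elif cmd == CMD_SECURE_MODE:
            self.mode = "secure"
        else:
            raise ValueError("unknown command")
        # Mode changes are acknowledged with the mode actually in effect plus
        # an HMAC over the host's nonce and that mode byte.
        self.last_nonce = payload
        mode_byte = b"S" if self.mode == "secure" else b"O"
        tag = hmac.new(self.key, self.last_nonce + mode_byte, hashlib.sha256).digest()
        return mode_byte + tag


def mitm_cmd(frame):
    """Black box on the EPP cable: turn every secure-mode request into open mode."""
    if frame[:1] == CMD_SECURE_MODE:
        return CMD_OPEN_MODE + frame[1:]
    return frame


def mitm_reply(reply):
    """Forge the mode byte so a host that only looks at it believes secure mode is on."""
    if reply[:1] == b"O":
        return b"S" + reply[1:]
    return reply


def passthrough(x):
    return x


def vulnerable_pin_entry(epp, to_epp=passthrough, from_epp=passthrough):
    """Host trusts the unauthenticated mode byte in the acknowledgement."""
    reply = from_epp(epp.handle(to_epp(CMD_SECURE_MODE + os.urandom(8))))
    if reply[:1] != b"S":
        return "aborted"
    return from_epp(epp.handle(to_epp(CMD_GET_KEYS)))


def hardened_pin_entry(epp, key, to_epp=passthrough, from_epp=passthrough):
    """Host verifies the HMAC over (nonce, 'S') before asking for keystrokes."""
    nonce = os.urandom(8)
    reply = from_epp(epp.handle(to_epp(CMD_SECURE_MODE + nonce)))
    expected = hmac.new(key, nonce + b"S", hashlib.sha256).digest()
    if not hmac.compare_digest(reply[1:], expected):  # constant-time compare
        return "aborted"
    return from_epp(epp.handle(to_epp(CMD_GET_KEYS)))


if __name__ == "__main__":
    print(vulnerable_pin_entry(EPP(EPP_KEY, b"4321"), mitm_cmd, mitm_reply))
    print(hardened_pin_entry(EPP(EPP_KEY, b"4321"), EPP_KEY, mitm_cmd, mitm_reply))
```

With the interposer in place the vulnerable host happily reads the PIN back as `PLAIN:4321`, while the hardened host aborts because the forged acknowledgement cannot carry a valid tag for secure mode. The check only helps if the key stays inside the EPP and host (a box that can extract it can forge the tag), so in a real design it belongs alongside key storage in a secure element, not as a replacement for it.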
The principle of operation of the "black box"
In recent years,
ATM attack via remote access
Antivirus software, locked-down firmware updates, disabled USB ports and full-disk encryption protect the ATM host from carders' malware to some extent. But what if the carder does not attack the host at all and instead connects directly to the peripherals (via RS232 or USB): to the card reader, the PIN pad or the cash dispenser?
The first acquaintance with the "black box"
Today, tech-savvy carders
"Black box" based on Raspberry Pi
The largest manufacturers of ATMs and government intelligence agencies, faced with several implementations of the "black box",
At the same time, in order not to shine in front of the cameras, the most cautious carders take to the aid of some not very valuable partner, a mule. And so that he could not appropriate the "black box" to himself, they use
Modification of the "black box", with activation via remote access
What does this look like from the bank's side? On the footage from the surveillance cameras something like the following happens: a person opens the upper compartment (service area), connects the "magic box" to the ATM, closes the compartment and leaves. A little later several people who look like ordinary customers walk up to the ATM and withdraw large sums. The carder then returns and removes the little device from the ATM. The attack is usually discovered only days later, when the empty safe does not match the cash withdrawal log. As a result, bank employees are left with only
Analysis of ATM communications
As noted above, the system unit talks to the peripheral devices over USB, RS232 or SDC. The carder connects directly to the port of a peripheral device and sends commands to it, bypassing the host. This is quite simple, because the standard interfaces need no special drivers, and the proprietary protocols spoken between host and peripheral require no authentication (the device, after all, sits inside the trusted zone). These unprotected protocols are therefore easy to eavesdrop on and easy to replay.
Thus a carder can connect a software or hardware traffic analyzer directly to the port of a chosen peripheral (for example, the card reader) and capture the data exchanged. From the captured traffic the carder learns all the technical details of how the ATM works, including undocumented functions of its peripherals (for example, a function to reflash a peripheral's firmware). The result is full control over the ATM, and the presence of a traffic analyzer is rather hard to detect.
Direct control over the banknote dispenser means the ATM cassettes can be emptied without any of the records that the software on the host normally writes. To those unfamiliar with ATM hardware and software architecture, this really can look like magic.
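The replay attack and the missing journal entries described in the three paragraphs above, as an added example that is not code from the original article or from any vendor. The frame layout (`DISP` + cassette id + note count) is constructed for the demo and is not a real dispenser protocol. It replays a sniffed dispense frame against an unauthenticated dispenser, shows the reconciliation gap between the hardware note counter and the host journal that eventually exposes the theft, and then shows a dispenser that demands an HMAC over a fresh, single-use nonce, against which the captured frame is useless.

```python
"""Replay of a sniffed dispense frame, the journal gap it leaves, and a
challenge-response dispenser that refuses it.

Hypothetical frame layout (constructed, not a vendor protocol):
    b"DISP" + cassette id (uint16 BE) + note count (uint16 BE)
"""
import hashlib
import hmac
import os
import struct


class Dispenser:
    """Unauthenticated dispenser: executes any well-formed frame it receives."""

    def __init__(self):
        self.dispensed = 0  # hardware lifetime note counter

    def handle(self, frame):
        if frame[:4] != b"DISP" or len(frame) < 8:
            return b"ERR"
        _cassette, count = struct.unpack(">HH", frame[4:8])
        self.dispensed += count
        return b"OK"


class Host:
    """ATM host: journals every dispense it issues."""

    def __init__(self, dispenser):
        self.dispenser = dispenser
        self.journal = []  # (transaction id, notes)
        self.bus_log = []  # frames exactly as a sniffer on the cable sees them

    def withdraw(self, txn_id, cassette, count):
        frame = b"DISP" + struct.pack(">HH", cassette, count)
        self.bus_log.append(frame)
        if self.dispenser.handle(frame) == b"OK":
            self.journal.append((txn_id, count))


def reconcile(dispenser, host):
    """Notes the hardware paid out that no journal entry accounts for."""
    return dispenser.dispensed - sum(n for _, n in host.journal)


class AuthDispenser(Dispenser):
    """Dispenser that demands an HMAC over a fresh, single-use nonce it issued."""

    def __init__(self, key):
        super().__init__()
        self.key = key
        self.nonce = None

    def challenge(self):
        self.nonce = os.urandom(8)
        return self.nonce

    def handle(self, frame):
        body, tag = frame[:8], frame[8:]
        nonce, self.nonce = self.nonce, None  # consume the nonce whatever happens
        if nonce is None:
            return b"ERR"
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return b"ERR"
        return super().handle(body)


def authed_dispense(dispenser, key, cassette, count):
    """Host side of the challenge-response dispense; returns (frame, result)."""
    nonce = dispenser.challenge()
    body = b"DISP" + struct.pack(">HH", cassette, count)
    frame = body + hmac.new(key, nonce + body, hashlib.sha256).digest()
    return frame, dispenser.handle(frame)


def scenario():
    # 1. Unauthenticated dispenser: two legitimate withdrawals, then the
    #    black box replays the last sniffed frame five times.
    disp = Dispenser()
    host = Host(disp)
    host.withdraw("T1", 1, 10)
    host.withdraw("T2", 1, 20)
    sniffed = host.bus_log[-1]
    for _ in range(5):
        disp.handle(sniffed)
    gap = reconcile(disp, host)  # notes gone without any journal entry

    # 2. Challenge-response dispenser: the captured frame is useless, even
    #    after the attacker asks the dispenser for a fresh nonce.
    key = b"constructed-dispenser-key"
    adisp = AuthDispenser(key)
    frame, first = authed_dispense(adisp, key, 1, 20)
    replay_no_nonce = adisp.handle(frame)
    adisp.challenge()
    replay_fresh_nonce = adisp.handle(frame)
    return {
        "unaccounted_notes": gap,
        "auth_first": first,
        "replay_no_nonce": replay_no_nonce,
        "replay_fresh_nonce": replay_fresh_nonce,
        "auth_dispensed": adisp.dispensed,
    }


if __name__ == "__main__":
    print(scenario())
```

Two things worth noting. The reconciliation in `reconcile()` is exactly the comparison the bank performs days later; run continuously against the dispenser's hardware counters it would raise the alarm during the attack rather than after it. And the nonce in `AuthDispenser` is what defeats replay: a frame captured from the cable is bound to a nonce that no longer exists, and a fresh nonce requires the key the black box does not have.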
Where do black boxes come from?
ATM vendors and subcontractors develop debugging tools to diagnose the ATM hardware, including the electromechanics responsible for cash withdrawals. These utilities include:
ATMDesk control panel
RapidFire ATM XFS control panel
Comparative characteristics of several diagnostic utilities
Access to such utilities is normally gated by personalised tokens, and they work only while the ATM safe door is open. However, simply by patching a few bytes in the utility's binary, carders
The Last Mile and the Fake Processing Center
Direct interaction with the peripherals, bypassing the host, is only one effective carding method. Other tricks exploit the wide variety of network interfaces through which the ATM talks to the outside world, from X.25 to Ethernet and cellular. Many ATMs can be identified and located using the Shodan service (the most concise instructions for using it are presented
The "last mile" between the ATM and the processing center can run over a wide variety of technologies, any of which can serve as the carder's entry point. The link can be wired (telephone line or Ethernet) or wireless (Wi-Fi; cellular: CDMA, GSM, UMTS, LTE). Security mechanisms may include: 1) hardware or software VPN support (either built into the OS or third-party); 2) SSL/TLS (either specific to the ATM model or from third-party vendors); 3) encryption; 4) message authentication.
But
One of the core requirements of PCI DSS is that all sensitive data transmitted over public networks must be encrypted. And there are networks that were designed from the outset to encrypt the data they carry, so it is tempting to say: "our data is encrypted because we use Wi-Fi and GSM." However, many of these networks do not provide adequate protection. Cellular radio encryption of every generation has seen practical attacks (GSM's A5/1 cipher has been broken outright, and a rogue base station can force a device down to it), and vendors openly sell equipment for intercepting such traffic. Link-layer encryption is therefore no substitute for protecting the ATM-to-processor traffic end to end.
Therefore, either on an insecure link or inside a "private" network where the ATMs can reach one another, the carder can mount a "fake processing center" MiTM attack and take control of the data flowing between the ATM and the processing center.
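The fake processing center exchange, as an added example that is not code from the original article or from any bank or vendor. The message set is a constructed JSON toy, not ISO 8583 or any real host protocol, and the MAC key and card balance are made up for the demo. It plays both sides: an ATM whose uplink has been redirected to a box that approves everything, a relay in front of the genuine center that flips "declined" to "approved", and the application-level message authentication (item 4 in the list above) that lets the ATM reject both, because the MAC binds the decision to the STAN, nonce and amount of its own request.

```python
"""Fake processing center on the ATM's last mile, and the response MAC that
defeats it.  Constructed JSON message set; not ISO 8583 or a real protocol."""
import hashlib
import hmac
import json
import os


def response_mac(key, req, resp):
    """MAC binds the decision to this exact request (STAN, nonce, amount)."""
    msg = json.dumps(
        [req["stan"], req["nonce"], req["amount"], resp["decision"]],
        separators=(",", ":"),
    ).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class RealProcessor:
    """Genuine processing center holding the shared MAC key and balances."""

    def __init__(self, key, balances):
        self.key = key
        self.balances = dict(balances)

    def handle(self, req):
        ok = self.balances.get(req["card"], 0) >= req["amount"]
        if ok:
            self.balances[req["card"]] -= req["amount"]
        resp = {"stan": req["stan"], "decision": "approved" if ok else "declined"}
        resp["mac"] = response_mac(self.key, req, resp).hex()
        return resp


class FakeProcessor:
    """Carder's box answering on the ATM's uplink: approves everything, but
    has no key, so it can only put garbage where the MAC belongs."""

    def handle(self, req):
        return {"stan": req["stan"], "decision": "approved", "mac": "00" * 32}


class RewritingMitm:
    """Relay to the real center that flips 'declined' into 'approved'."""

    def __init__(self, upstream):
        self.upstream = upstream

    def handle(self, req):
        resp = self.upstream.handle(req)
        resp["decision"] = "approved"
        return resp


def atm_withdraw(link, key, card, amount, stan, verify_mac=True):
    """ATM side: send the request, decide whether to drive the dispenser."""
    req = {"type": "auth", "card": card, "amount": amount, "stan": stan,
           "nonce": os.urandom(8).hex()}
    resp = link.handle(json.loads(json.dumps(req)))  # what crosses the wire
    if resp.get("stan") != stan:
        return "rejected: response for another transaction"
    if verify_mac:
        expected = response_mac(key, req, resp)
        if not hmac.compare_digest(bytes.fromhex(resp.get("mac", "")), expected):
            return "rejected: bad MAC"
    return "dispense" if resp["decision"] == "approved" else "declined"


def scenario():
    key = b"constructed-atm-processor-mac-key"
    real = RealProcessor(key, {"4111": 100})  # constructed card and balance
    return {
        # Legitimate path: the balance decides.
        "real_ok": atm_withdraw(real, key, "4111", 50, 1),
        "real_declined": atm_withdraw(real, key, "4111", 500, 2),
        # ATM that only reads the decision field: the fake center cashes out.
        "fake_unverified": atm_withdraw(FakeProcessor(), key, "4111", 500, 3,
                                        verify_mac=False),
        # ATM that verifies the MAC: the forged approval is rejected.
        "fake_verified": atm_withdraw(FakeProcessor(), key, "4111", 500, 4),
        # Rewriting relay in front of the real center: also rejected.
        "mitm_verified": atm_withdraw(RewritingMitm(real), key, "4111", 500, 5),
    }


if __name__ == "__main__":
    print(scenario())
```

The nonce and STAN in the MAC also stop a captured "approved" response from being replayed against a later request. In practice this application-level authentication sits on top of an authenticated TLS or VPN tunnel rather than replacing it, and the MAC key has to live in the ATM's hardware security module: a key readable from the host disk is a key the black box can copy.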
The following figure
Dump commands of a fake processing center
Source: habr.com