Sunday, August 1, 2010

Sightline Payments: ATM Hacking- Fact or Fiction?

The Sightline Payments LLC Team and IT group are working with industry resources to determine “fact or fiction” in this identified hacking scheme. Sightline uses enterprise level NCR ATM3X devices which do not use the Windows CE systems (which is the operating system the vulnerability has been shown to occur). Sightline uses the latest proprietary PCI tools, firewalls, and secure telecommunications to detect and stop these types of hacking events.

In the gaming industry, Windows CE based systems are used on certain ticket redemption and ATM devices(confirm with your provider).

An article in ZD Net discussed this in more detail.

Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand. Barnaby Jack, Director of Research at IOActive Labs, used a laptop with a custom-built software tool called “Dillinger” (named after the famous bank robber) to overwrite the machine’s internal operating system, take complete control of the ATM and send commands for it to spew cash on demand.

At the Black Hat security conference in Las Vegas, Jack demonstrated two different attacks against Windows CE-based ATMs — a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades.

He did not provide any technical details that would allow anyone to reproduce the attack techniques but suggested that a skilled hacker could exploit these weaknesses if ATM manufacturers continue to create software with gaping security holes.

“There are attack vectors in all these standalone or hole-in-the-wall ATMs,” Jack warned, noting that many ATMs are protected by a master key that can be bought for $10.78 on hundreds of web sites. ”With this master key, I can walk up to a secluded ATM and have access to USB [and] SD/CF slots. In some cases, opening and inserting my USB key was faster than installing a skimmer,” he said.

The most impressive attack, which used the “Dillinger remote ATM attack/admin tool, was done via a laptop connected to the ATM. It launched an exploit against an authentication bypass vulnerability in the ATM’s remote monitoring feature (this is enabled by default on all ATMs) and allowed the hacker to retrieve ATM settings, master passwords, receipt data and the location and name of the business hosting the ATM.

The Dillinger tool came with a graphical UI that included features to “Retrieve Track Data,” or simply “Jackpot!”. A click of the Jackpot button and the commandeered ATM started spewing cash on demand.

The “Black Hat” computer security conference originated in 1997 as an annual conference. Its attendee list includes government representatives, FBI agents, computer hackers and other computer experts. The 2010 Black Hat Conference was just held in Las Vegas. One speaker, Barnaby Jack, did a presentation pertinent to the ATM industry. His topic: “Jackpotting Automated Teller Machines.” In his demonstration, he took a detour from the commonly known ATM hacks (skimming devices or smash and grabs). Barnaby was able to have the terminal spew out currency by attacking the terminal’s software.

Updating the gaming industry on issues like this to protect their business is one more example of how Sight Line Payments is on your side.

Regards, The Sightline Payments LLC Team- Kirk Sanford, Tom Sears, and Diran Kludjian