
Kochetova+osipv atm how_to_make_the_fraud__final

PacSec2016


  1. ATM: How to make the fraud. Olga Kochetova, Alexey Osipov, Kaspersky Lab
  2. root@root:~# whoami
     • Penetration Testing Department, Kaspersky Lab
     • @_Endless_Quest_, @GiftsUngiven
     • ATM and POS security assessment
     • Penetration testing
     • Forensic investigation
     • Speakers at many IT events
     • Authors of multiple articles, research papers and advisories
  3. Overview: One should
  4. Lego for adults
     • Top box – service zone
       • PC
       • Card reader
       • PIN pad
       • Other
     • Bottom – safe
       • Cash out module (dispenser)
       • Cash in module (deposit unit)
       • Recycling module (out and in)
  5. Software
     • Host (computer)
       • MS Windows
       • GUI and device control
       • Antivirus / integrity control software
       • Video surveillance
       • Radmin / TeamViewer and other crap
     • Devices
       • Some microcontrollers with an RTOS
  6. Are you kidding me?
  7. How does it work?
  8. Things from the 1990s
  9. Attack techniques
     • Physical
     • Hardware
     • Software
     • Network
  10. Countermeasure to save treasure
  11. Cashcontrolcentipede (diagram; labels: Service Providers, Cash Cassettes, Cash device, Communications, Cash protect systems, XFS, Integrity control app, OS, Hardware VPN, Office computers, Processing center, Software VPN, GUI, Windows-based app, ATM admin, Network, Service zone)
  12. bla
     • bla
  13. Cash: They don’t break it. They steal.
  14. Treasure Chest
  15. Don’t break the lock. Break the chain.
  16. Cash devices: Is in the safe. So what?
  17. What is the hook
     • Microcontroller
     • Firmware
  18. Super advanced persistent threat
     • Firmware
       • Modify
       • Update
     • Cash device
       • Control
       • Total control
  19. Deposit your funny money
     • Fake cash in
     • Real cash out
  20. Recycle $1 to $100
  21. Card reader: Not cash, but … cash
  22. Card reader exploitation
     • Sensitive data in plain text
     • Hardware sniffer
  23. You are not you anymore. Source: https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272030_-_ich_sehe_also_bin_ich_du_-_starbug#video
     • What you … were?
  24. Communications
  25. Analyze This
     • RS… (e.g. 232, 485)
     • SDC
     • USB
  26. Typical flavours
     • ASCII-based
     • Binary
     • Encrypted / obfuscated
  27. Hacker stuff
  28. Video – Newly Evil USB (BlackBox)
  29. Service zone: There is no cash. Really?
  30. How to get in
     • “Master key”
     • Screwdriver
     • “Special” tool
  31. Video – How to get in
  32. Our service zone is secured ©
  33. Should we?
  34. Service providers
  35. Malware: next generation
     • Attacker bypasses interaction with the XFS manager
     • Hooks all functions used by a specific ATM vendor’s software
     • Gives the attacker more information than XFS-based malware:
       • Intercept network data in clear text
       • Intercept EMV transactions
       • Intercept USB/COM communication
  36. Malware: next generation
  37. Video – Malware NG
  38. Malware: XFS based
     • Every Windows executable can issue commands to the XFS manager
     • Malware can work on most ATMs
     • Everyone involved in ATM security is pretty much familiar with it
  39. devopssechumancaterpillar
     • Buffer overflow
     • Kiosk mode bypass
     • Sensitive data disclosure
  40. Third-party security software: One more door
     • Buffer overflow
     • Kiosk mode bypass
     • Sensitive data disclosure
     • Remote control
  41. Operating system: MS08-067 strikes again
  42. Just ahead
     • Old versions
     • Not updated
     • Vulnerabilities
     • Standard services
  43. Let’s have fun with Shodan: Hardware units
  44. Video – Obey the net
  45. Why VPN is not good sometimes
     • Software
       • With access to the OS it can be disabled
       • Does not always provide firewalling functionality
       • If the VPN connection is interrupted, it is common that all data from that moment on is transmitted in clear text
     • Hardware
       • Doesn’t protect against physical access
       • Works regardless of the host computer
       • It’s a piece of metal/plastic; you can grab it with your hand
  46. Processing center
  47. Two-edged sword
     • Rogue processing center (attacking the ATM)
       • Cash withdrawal
     • Rogue ATM (attacking the processing center)
       • Fake cash deposit
       • Bank card account compromise
       • Payment services/systems attacks
  48. • tcpdump
      • “tcpreplay”
  49. Video – Rogue processing
  50. ATM administrators
  51. People are so lazzzzy
  52. People are so soooocial
  53. People are so stupid pwnle
  54. What to breach
     • Management system
     • Update server
     • Logs server
  55. Conclusion
  56. Silver bullet
  57. Security is a process
  58. Kudos
     • Alexander Tlyapov @_Rigmar_
     • Artem Kondratenko @artkond
     • Alexander Zaytsev @arbitrarycode
     • All other folks
  59. Have fun. Stay safe. Olga Kochetova, Olga.Kochetova@kaspersky.com, @_Endless_Quest_; Alexey Osipov, Alexey.Osipov@kaspersky.com, @GiftsUngiven
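Slide 45 makes the point that a software VPN on the ATM host can fail open: when the tunnel drops, traffic to the processing center keeps flowing, now in clear text over the plain network interface, unless the host firewall only admits that traffic through the tunnel. The following is an added example, not code from the slides or from Kaspersky Lab; it models the host's egress decision for a "fail-open" policy beside a "fail-closed" one. The interface names (tun0, eth0), the processing center address and the rule set are constructed for the demonstration.

```python
"""Fail-open vs. fail-closed egress policy for an ATM host's link to the processing center.

Added example (not from the PacSec 2016 slides). The model: an ordered list of
firewall rules is evaluated first-match for each outbound packet. When the VPN
tunnel is up, packets to the processing center are routed via tun0; when it is
down, the routing table falls back to the physical interface eth0. A fail-open
rule set accepts that fallback and the data leaves in clear text; a fail-closed
rule set only accepts processing-center traffic on the tunnel interface.
"""
from dataclasses import dataclass
from typing import List, Optional

PROCESSING_CENTER = "10.20.0.5"   # constructed address of the processing center
TUNNEL_IFACE = "eth0"             # placeholder, overwritten below for clarity
TUNNEL_IFACE = "tun0"             # the VPN tunnel interface (constructed name)
PHYSICAL_IFACE = "eth0"           # the plain network interface (constructed name)


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    out_iface: Optional[str]    # None matches any outbound interface
    dst: Optional[str]          # None matches any destination address


# Weak setting: whatever the routing table picks is allowed out.
FAIL_OPEN: List[Rule] = [
    Rule("accept", None, None),
]

# Corrected setting: processing-center traffic only via the tunnel, loopback
# allowed, everything else dropped (default-deny).
FAIL_CLOSED: List[Rule] = [
    Rule("accept", TUNNEL_IFACE, PROCESSING_CENTER),
    Rule("accept", "lo", None),
    Rule("drop", None, None),
]


def route(tunnel_up: bool) -> str:
    """Simplified routing: prefer the tunnel, fall back to the physical NIC."""
    return TUNNEL_IFACE if tunnel_up else PHYSICAL_IFACE


def egress_decision(rules: List[Rule], out_iface: str, dst: str) -> str:
    """First-match evaluation; an empty or non-matching rule set drops."""
    for rule in rules:
        iface_ok = rule.out_iface is None or rule.out_iface == out_iface
        dst_ok = rule.dst is None or rule.dst == dst
        if iface_ok and dst_ok:
            return rule.action
    return "drop"


def simulate(rules: List[Rule], tunnel_up: bool) -> dict:
    """Send one packet to the processing center and report what happens."""
    iface = route(tunnel_up)
    action = egress_decision(rules, iface, PROCESSING_CENTER)
    # Clear-text leak: the packet was accepted on a non-tunnel interface.
    leak = action == "accept" and iface != TUNNEL_IFACE
    return {"iface": iface, "action": action, "cleartext_leak": leak}


if __name__ == "__main__":
    for name, rules in (("fail-open", FAIL_OPEN), ("fail-closed", FAIL_CLOSED)):
        for up in (True, False):
            print(name, "tunnel up" if up else "tunnel down", simulate(rules, up))
```

With the tunnel up both rule sets accept the packet on tun0. With the tunnel down the fail-open set accepts it on eth0 (the clear-text case the slide describes), while the fail-closed set drops it, so an interrupted tunnel stops the ATM talking rather than letting it talk in the clear.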
