Why ATMs and points of sale need protection and what we have done to provide it

ATMs and point-of-sale systems are extremely vulnerable to malware, and the operating systems they run no longer receive vendor patches. Here is how to make them safer.

Just recently, we discussed the problem of integrated (or embedded) software losing vendor support. The problem primarily affects companies whose business involves the use of ATMs and point-of-sale terminals.

The overwhelming majority of these devices still run Windows XP, an operating system that will never be updated again. Any of its vulnerabilities that were not patched, or that have not even been discovered yet, are here to stay. That creates security problems for the companies that operate these devices and rely solely on the security mechanisms built into Windows XP Embedded.

Closer to the money

A few years ago, Kaspersky Lab's security experts predicted that cybercriminals would start attacking ATMs and point-of-sale (POS) terminals directly. That prediction has been borne out. First, our experts identified the Tyupkin attack, and the malware used in it is still active. More recently, we discovered another criminal group, ATM-Infector, which uses a new version of this Trojan. In addition, over the past two years there have been numerous reports of POS infections at major retail chains, resulting in large data breaches, the biggest of them at Target, Wendy's, and the Hilton hotel chain.

These attacks succeed because ATMs and points of sale are easy targets. They often have both weak cyberdefenses and insufficient physical security.

ATMs are essentially conventional x86-compatible computers supplemented with specialized equipment and software. The same is true of point-of-sale terminals. These devices run special, stripped-down versions of operating systems in which the components the device does not need are disabled. But apart from those restrictions, there is fundamentally no difference between an ordinary Windows installation and a limited one: the same kernel, the same binaries, and therefore the same vulnerabilities.

These devices are typically located far from the departments that service them, but they run inside companies' internal networks and often have a direct connection to the Internet. Almost all of them process personal data or carry out financial transactions.

The urgent problem

The PCI DSS standard regulates a large number of technical requirements and parameters for systems that process card payments. However, those rules focus primarily on the risks of traditional malware infections. They neglect the features specific to devices such as ATMs and POS systems and ignore the peculiarities of attacks against them. Because of the obsolete hardware and out-of-date operating systems, not to mention the lack of reliable network links of even moderate bandwidth for signature updates, conventional antivirus software is ineffective on these devices, and often impossible to run at all.

Today, attackers have a wide range of tools for compromising ATMs: some require direct physical access to a particular device, others work remotely.

Remote attackers have several options. Most often, our investigators find unauthorized access over a trusted network (for example, an ATM is infected via physical access and the malware then spreads across the intranet), but sometimes they uncover the aftermath of a successful targeted attack against a bank, or the exploitation of VPN vulnerabilities.

The goal is always the same: to steal money or harvest credit and debit card data while remaining undetected. Sometimes the criminals manage to stay hidden for a very long time.

Payment terminals are another common source of personal data leaks. According to this 2015 Verizon report, up to one-third of such incidents result from compromised point-of-sale devices. Why? The terminals' applications are often written with little regard for information security requirements and therefore contain flaws through which they can easily be infected. And the terminals are usually connected to the Internet (to reach various databases), which only makes the attackers' job easier.

The payment terminals at Target were infected because they sat on the same network as the company's project management systems, which the attackers had reached through one of the contractors servicing Target's air conditioning systems.

The Target incident is by no means an exception. Many corporate infections occur through the fault of service departments or contractors with legitimate access to the devices, whether remotely or locally (for example, through a USB port). And negligence is not always to blame: in some cases, employees have used their positions to deliberately infect terminals. That kind of abuse is almost impossible to notice, because the device keeps serving customers normally.

Countermeasures

What does Kaspersky Lab offer to solve these problems? The situation clearly calls for an additional layer of protection, so we developed a solution, Kaspersky Embedded Systems Security (KESS), specifically to secure embedded hardware. ATMs and points of sale typically run obsolete hardware, and their software is seldom updated, so KESS combines comprehensive security technologies with the ability to run effectively on machines with very limited functionality and extremely low performance.

In Kaspersky Embedded Systems Security, we implemented technologies that block the most common methods of attack against these types of devices. Default Deny mode lets the system load only those executables, drivers, and libraries that the administrator has explicitly authorized; anything else, including a previously unknown malware sample, is refused without any need for a signature. Adding applications, scripts, and drivers to the list of permitted objects does not require radical intervention, so the protection does not become an extra burden for service personnel. KESS secures ATMs and payment terminals from complex targeted threats at the endpoint level.

The solution also includes Device Control, which blocks unauthorized attempts to physically connect USB drives, closing one of the primary avenues that cybercriminals regularly exploit.

Kaspersky Embedded Systems Security is fully compatible with all current versions of Windows, as well as with Windows XP Embedded, Windows Embedded 8.0 Standard, and Windows 10 IoT. System requirements are minimal: 256 MB of RAM and 50 MB of disk space.

To learn more about Kaspersky Embedded Systems Security follow this link: http://www.kaspersky.com/enterprise-security/embedded-systems.
