ATM penetration testing
An ATM (automated teller machine) is a machine that enables the customers to perform banking transaction without going to the bank. Using an ATM, a user can withdraw or deposit the cash, access the bank deposit or credit account, pay the bills, change the pin, update the personal information, etc. Since the ATM machine deals with cash, it has become a high priority target for hackers and robbers. From past many years, Hackers have found multiple ways to hack into the ATM machines. Hackers are not limiting themselves to physical attacks such as cash/card trapping, skimming, etc. they are exploring new ways to hack ATM software. In this article, we will see how does an ATM works, security solutions used to secure the ATMs, different types of penetration testing to analyze ATM security and some of the security best practices which can be used to avoid ATM hack.
How does an ATM work?
Most of the ATMs have 2 input and 4 output. The card reader and keypad are input whereas a screen, receipt printer, cash dispenser, and the speaker are output.
An ATM connects to a backend server which is called as a host server or host switch. The host switch communicates with the bank and responds to the ATM. So what happens when a user insert his card to withdraw the cash?
- User’s account information is stored on the magnetic strip of the card which is located back side of the card. The user inserts the card in card reader. The card reader reads the information from the magnetic strip of the card. The data from this card is sent to the host processor which forwards the information to user’s bank.
- After the card is recognized, the user is asked to provide the pin. The user enters the pin using the keypad. The pin is encrypted and sent to the host server. The account and pin are validated with the user’s bank. Once validated with the bank, the host server sends the response code to the ATM machine.
- The user enters the amount to withdraw. The request goes to the host processor. The host server sends the transaction request to the user’s bank which validates the amount, withdraw limit, etc. Then fund transfer happens between customer’s bank and host processor’s account. Once the transfer is done, the host processor sends the approval code to the ATM which allows the ATM machine to dispense the cash.
- The application running on the ATM instructs the cash dispenser to dispense the cash. The cash dispenser has a mechanism which counts each bill as it exits the dispenser. This data related to the transaction like account number, transaction id, time, amount, bill denomination, etc. is logged to the log file. This log file is usually known as EJ log.
- During the dispensing process, a sensor scans each bill for its thickness. This is to check if two bills are stuck together or if any bill is torn or folded. If two bills are stuck together, then they are diverted to the reject bin.
Security in ATM
As the number of ATM units increase, the machine is prone to hack attacks, robberies, fraud, etc. Most of ATMs are still using Windows XP which make these ATM an easy target for the hackers. Electronic fund transfer has three components which are communication link, computer, and terminal (ATM). All three of the components must be secured to avoid the attack. We will look into the type of assessment we can perform to analyze the overall security of an ATM.
1. Vulnerability Assessment and Network Penetration Testing
These two activities are very common when dealing with ATM security. In network penetration testing we check for network level vulnerability in an ATM. Since ATM communicates with the back-end server, it has to be part of some network. By obtaining the IP address of the ATM, we can perform a network level penetration test. As a security best practice, ATM network is segregated with another network of the bank. So the tester has to be part of the ATM network to reach the ATM IP and perform testing. Once in the ATM network, we can perform a Nessus scan to identify the open port, services running on them and vulnerabilities associated with the running services. We can run full port NMAP scan to identify the TCP and UDP ports and services running on the ATM. Additionally, Nessus authenticated scan can be used to identify vulnerability associated with the installed components in the ATM OS like Adobe, Internet Explorer, etc.
The configuration audit deals with the hardening of the operating system. Most of the ATM runs the Windows OS. This OS must be hardened as per security best practices to reduce the attack surface for the attacker. Some of the areas we can look into while doing configuration audit are:
- Patches and Update: Checks related to latest OS and security patches.
- File system security: Checks related to access to critical folders and files.
- System access and authentication: Checks related to password and account lockout policy, User right policy, etc.
- Auditing and logging: Checks related to the event, application and security logs, audit policy, permission on event logs.
- Account configuration: Checks related to users under administrator group, the presence of default users, guest account, password requirement, and expiration.
2. Application Security Audit:
We can divide this activity into two categories:
a. Thick client application penetration testing: Majority of the ATM application are a thick client. We can perform an application penetration testing of this thick client application. Some of the test cases we can perform is:
- Sensitive information in application configuration files, credentials in the registry, sensitive information, hardcoded in code.
- Intercept the traffic going to the server and try to manipulate/ tamper with the parameters or look for any sensitive information passing between application and server.
- Check if application and database are communication in cleartext protocol.
- Protection from Reverse Engineering.
b. Application Design Review: In this activity, we can check for security practices being followed in the application. Some of the test cases can be:
- Types of event logged to the log file.
- The privilege with which ATM application is running.
- Does the software have provision to restrict different menu options to different user-IDs based on user level?
- Access the application related folders.
- Does the application allow the transaction without a pin or with an old pin?
- Does the application allow the access to OS while running?
- Communication with back-end components.
- Check for effective network isolation.
- Logging out of a customer in case of even a single invalid pin?
- PIN entry for each and every transaction is Mandatory?
- Does the software display the pin as it is keyed in?
Assessment of ATM security solution installed in the ATM:
What is ATM security solution?
Most of the ATMs run on Windows XP and 7. Patching individual ATM is a quite complex process. Since Windows XP is no longer supported by Microsoft, many ATM vendor uses security solution to mitigate the threats related to ATM attacks such as Malware based attacks, OS-level vulnerabilities. These security solutions allow the ATM application to run in very restrictive environment with limited services and processes in the back end. Two of such security solutions are Mcafee Solidcore and Phoenix Vista ATM.
McAfee Application Control blocks unauthorized executables on ATM OS. This solution works on the whitelisting strategy. This allows only those application, process, and services to execute which are whitelisted. It Tracks modifications (changes) to program code and configurations via Integrity Monitor. It protects application code and configuration from unapproved changes with Change Control mechanism. The ATM application and related files are whitelisted first and then executed.
Phoenix Vista ATM:
Phoenix Vista ATM is a product of Phoenix Interactive Design Inc acquired by Diebold. This solution integrates with the ATM application itself. This application works on file integrity check where any modification/tampering with the application related critical file will result in a system shutdown. This disallows any unauthorized program to modify the application specific file.
The architecture is consist of 3 layers. OS <–> XFS <–> Vista ATM.
XFS (eXtensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform, especially peripheral devices such as ATMs which are unique to the financial industry. It is an international standard promoted by the European Committee for Standardization (known by the acronym CEN, hence CEN/XFS). XFS provides a common API for accessing and manipulating various financial services devices regardless of the manufacturer.
Vista ATM communicates with the XFS layer which gives commands to the hardware like cash dispenser of the ATM to dispense the cash. Any unauthorized modification in XFS files will trigger the Vista ATM application to restart the machine forcefully. The machine restarts 4-5 times, and after that, it goes into maintenance mode which does not allow the user to perform any transaction.
Pentesting security solutions:
The approach for testing security solution in ATM remains the same. The end objective is to gain access to OS or to fiddle with the application related file to see how does the application behave. An attacker after gaining access to OS can create a malware which can issue the command to system hardware using XFS components.
Some of the test cases that can be considered are:
- Test cases related to access the OS and related file:
- Check if USB is enabled, make your USB bootable using “Konboot.”
- Plug-in the USB and boot the system through USB.
- Since most of the security solution take over the OS as soon as it boots, keep on pressing the “Shift” button at boot time. This will break any sequence configured to run at boot in OS. This will result in Windows login screen.
- If you are aware of valid username, then enter that and press the “Enter” button. This will result in direct access to the OS without a password.
- If you are not aware of valid username, try login with “Administrator” as many ATM does not disable the default administrator account.
- Another way is to make your USB bootable using Hiren boot. Boot from USB, this will give access to file system directly without any Windows login.
- Check if USB is enabled, make your USB bootable using “Konboot.”
Test related to runtime code authorization: Check if USB is enabled, try to run unauthorized code (exe or batch file) directly from the USB or using autorun feature of the USB.
Test related to code protection: Check if application related files can be moved to another location, modified or deleted.
Checks related to process modification: Rename unauthorized file to a valid security solution process. This will result in the execution of unauthorized file when the application starts.
Security best practices to be followed for ATM
The banks can implement security best practices to reduce the attack surface for the attacker. This section can be categories into three categories:
Protection against physical attacks:
- Detection and protection against Card skimming.
- Detection and protection against card/ cash trapping.
- Detection against keypad tampering.
- Mirror and pin shield to identify and prevent shoulder surfing attack.
- Implementing a DVSS camera inbuilt in the ATM to capture facial features of the user along with transaction details and timestamp.
- Vault protection against fire, explosion, etc.
- Lock protection again unauthorized access to banknotes or bills.
- Electric power point and network point protection.
- Disabling unused network and electric port.
- The ATM must be grouted on the floor to secure against threats related to the robbery. ATM can be implemented with shock sensor to identify the impact and movement of ATM machine.
- Implementation of CCTV camera. The presence of security guard.
Protection against logical attacks:
- Protection against unauthorized booting by setting non-guessable boot and BIOS password. Most of ATM have default boot password configured.
- Protection against USB and unauthorized hard disk access.
- OS hardening and latest patch.
- Whitelisting the application, services, and process on ATM.
- Running ATM with least privilege user. Need to know and need to have approach.
- File integrity checks.
- Securing the transaction logs.
- Use of secure channel for the communication and transaction.
- Configure security best practices in ATM application.
- Antivirus protection.
- ATM network segregation with other networks.
- Protection against Malware like tyupkin, ploutus, etc.
Protection against fraud attacks:
- Implementation of geo-blocking. In this implementation, the card can only be used in originating country or region. The user has to take permission to use the card outside the originating country.
- Implementation of chip and pin based card to mitigate copied and skimming card based attack.
- Implementing a behavior mentoring which detects the unusual transaction in term of the amount, place of transaction, frequency of transaction, etc.
With advancement in the technology, hackers are coming up with more and more ways to hack into ATM. In the battle of keeping ATM safe and maintaining the customer’s trust, banks need to stay one step ahead of criminals by deploying the latest security solutions and reducing the attack surface to as narrow as possible. The recommendation in this article will help to make the ATM channel more secure by enhancing Physical and logical security.