Russians hack Diebold ATM software

Instead of installing a 'false front' card reader and monitoring users inputting their PINs via a video camera, Russian hackers have apparently started installing their own custom 'sniffing' software onto the ATM's computer to get access to card plus PIN data.

According to newswire reports, a group of criminals managed to gain access to Diebold's Opteva ATMs - which are typically installed at chain stores to encourage frequent store visits - and hacked the programs driving the machines.

The Opteva ATMs are much more sophisticated than the ATM kiosks seen in pubs, clubs and 7-11-style stores, Infosecurity notes. They offer chain stores a highly customisable, branded facility for customers to make deposits, print out statements and conduct many of the transactions that normally require a bank branch visit.

They are also Microsoft Windows-driven.

Unconfirmed reports suggest that the criminals have rewritten the programme code for the ATMs to allow remote card and transaction 'sniffing' access.

The criminals are then thought to have threatened or coerced site owners and/or staff to allow them out-of-hours access to the ATMs, and installed their own customised Windows software.

Diebold has countered the sophisticated fraud by releasing a new set of software for the Opteva ATMs, which it is loading onto machines on a site-by-site basis.

Diebold reportedly learned of the incident back in January and sent out a global security update to its ATM customers using the Windows operating system.

Unsurprisingly, the firm is not releasing full details of what happened, including which businesses were affected, but has confirmed the criminal modus operandi as centering around the fraudsters gaining physical access to the machines to install their malicious program.

"Criminals gained physical access to the inside of the affected ATMs," Diebold says in its security update. "This criminal activity resulted in the operation of unauthorised software and devices on the ATMs, which was used to intercept sensitive information."

"The incident was a low-tech break-in to the ATM, but they had a high-tech knowledge of how to install the virus," says the company in a press statement.

Diebold has not said how the criminals were able to install the software on the systems, but its security update advises customers that there are several factors that can increase the risk of such a hack.

These factors include using administrative passwords that may have been compromised; not using the locked-down version of Windows that Diebold provides; and misconfiguring the Symantec firewall software that comes with the ATMs.

Sophos claims, after examining a copy of the hacked ATM code, that the program has been in 'circulation' since last November.

Whoever wrote the malware, called Troj/Skimer-A by Sophos, probably had an insider's knowledge of the Diebold ATMs, says the IT security

The software, says Sophos, uses quite a lot of undocumented functions, replaces files in the Diebold folder, looks for printer and screen data, and scans for transactions in Ukrainian, Russian and US currencies.
