A Russian security company, Kaspersky Labs has discovered a
flaw in cash machines that allows criminals to quickly steal cash from
ATM machines.
Reuters reports that the Interpol has alerted countries in Europe,
Latin America and Asia known to have been targeted – and is carrying out
a widespread investigation.
It was gathered that Kaspersky Labs discovered the hack, which is enabled by entering a series of digits on the keypad of ATMs.
Infected cash machines can be instructed to dispense 40 notes at once, without a credit or debit card.
Kaspersky Labs produced a video showing how the hack was carried out. More details were provided in a blog post.
Prior to trying to obtain the cash, targeted machines are infected with malicious software via a boot CD.
However, before this could be done, hackers need physical access to the workings of the machine.
Once the malware – known as Tyupkin – has been installed, the “mule”
sent to collect the cash must enter a code on the machine’s key pad.
But Tyupkin then requires a second unique code – randomly generated
by an algorithm at a remote location – to unlock the machine and
dispense the cash.
It is this part of the process that ensures the hacker who has this
algorithm retains control over when and how often these illegal
withdrawals occur.
“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky.
“Now we are seeing the natural evolution of this threat with
cybercriminals moving up the chain and targeting financial institutions
directly.”
Kaspersky carried out its initial investigation at the “request of an unnamed financial institution”.
However, the attack does not affect individual customers, instead simply
instructing the machine to dispense notes, with no link to bank
accounts.
“The fact that many ATMs run on operating systems with
known security weaknesses and the absence of security solutions is
another problem that needs to be addressed urgently,” Kaspersky wrote.
Earlier this year another malware strain, known as Ploutus, allowed
hackers to command machines to dispense cash by sending a text message
to them.
In 2010, hacker Barnaby Jack discovered a technique he dubbed
“Jackpotting” – in which a cash machine could be made to spew out money.
His demonstration on stage at security conference Black Hat provoked a standing ovation.
Mr Jack died of a suspected accidental drugs overdose in 2013, just days
before he was due to give a presentation on the weaknesses in medical
devices.
Kaspersky Labs is a developer of secure content and threat management
systems and the world’s largest privately held vendor of software
security products. The computer security company is co-founded by Eugene
Kaspersky and Natalia Kaspersky in 1997.
Kaspersky Lab is headquartered in Moscow, Russia with 30 regional offices. The company currently works in almost 200 countries.
The company’s products and technologies provide protection for over
300 million users worldwide and more than 250,000 corporate clients
globally.
It competes in the antivirus industry
against Avira, BitDefender, BullGuard, ESET, F-Secure, Frisk, McAfee, Panda
Security, Sophos, Symantec, Trend Micro among others.
No comments:
Post a Comment