Managed Security Services and IT Security Training

Angry Birds on a hacked ATM! Must see!

I would guess the ATM got hacked using an exploit stored on the card itself. In this case, whoever allowed unrestricted / unsigned / any code to run on an ATM machine needs to get fired immediately. I just can’t believe they have not even bothered enabling application whitelisting using a simple group policy / domain policy setting.

The second video is worth watching as well:

Is your average ATM affected? You’re damn right it is. I haven’t seen a single sane, INFOSEC-aware bank that has implemented proper security measures on its cash machines. It’s sad, but true.

If you are working at a bank:

  1. Implement proper OS hardening. What were all these files doing on the drive? cmd.exe and the onscreen keyboard, among hundreds of others, should not even be present on the drive!
  2. Implement proper policies (be it local or domain). Do not allow unsigned / unknown applications to run.
  3. Uninstall the Flash / Java plugins from the browser and / or uninstall any browsers present. If you need them – bring them on a flash drive when doing maintenance or access them remotely from a network drive / share.
  4. Run the machine as Guest during normal operation, or at least as a limited user?
  5. Maybe, try *THINKING* next time you try setting up an ATM?
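
A read-only audit of items 1, 2 and 4 above, written for this page as an added example and not taken from the author or any ATM vendor. It assumes AppLocker is the whitelisting mechanism (the post only says "group policy"), and the `$Unwanted` list and search directories are hypothetical and should be replaced with the site's own baseline.

```powershell
# Added example: audits a Windows kiosk/ATM image against the checklist above.
# Run it as the account the ATM application normally runs under. It changes nothing.
$Unwanted = 'cmd.exe', 'osk.exe', 'powershell.exe', 'iexplore.exe'   # hypothetical baseline
$Dirs = "$env:WINDIR\System32", "$env:WINDIR\SysWOW64", "$env:ProgramFiles\Internet Explorer"
$findings = New-Object System.Collections.Generic.List[string]

# Item 1: shells, on-screen keyboard and browsers that should be stripped from the image.
foreach ($dir in $Dirs) {
    foreach ($name in $Unwanted) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { $findings.Add("Present on disk: $path") }
    }
}

# Item 2: executable whitelisting must be enforced, not missing or audit-only.
try {
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
    $exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if (-not $exe) {
        $findings.Add('AppLocker: no Exe rule collection in the effective policy')
    } elseif ($exe.EnforcementMode -ne 'Enabled') {
        $findings.Add("AppLocker: Exe rules are '$($exe.EnforcementMode)', not enforced")
    }
    # Rules are only applied while the Application Identity service is running.
    if ((Get-Service -Name AppIDSvc -ErrorAction Stop).Status -ne 'Running') {
        $findings.Add('AppLocker: Application Identity service (AppIDSvc) is not running')
    }
} catch {
    $findings.Add("AppLocker: effective policy could not be read ($($_.Exception.Message))")
}

# Item 4: the everyday account must not hold an administrator token.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings.Add("Running with administrator rights: $($id.Name)")
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FAIL  $_" }
    exit 1
}
Write-Output 'PASS  no findings'
```

The non-zero exit code lets an image build or a scheduled compliance check fail when any finding is reported.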

 

 

About the author: Alex Sverdlov (33 Posts)

Alex Sverdlov is the founder of NoPasara, author of numerous Information Security research papers and articles published in CIO and other InfoSec magazines. Certifications: CASP (Comptia Advanced Security Practitioner), CEH (Certified Ethical Hacker), CHFI (Certified Hacking Forensic Investigator), MCSE (Microsoft Certified Systems Engineer).


 