Security firm Sophos reported this week that it received three samples of a trojan that was customized to run on Diebold-manufactured cash machines in Russia, said Graham Cluley, Sophos' senior security consultant. The malware was able to read card numbers and PINs. Then, when the attacker returned to the ATM, he inserted a specially crafted card that told the machine to issue him a receipt containing the stolen information.
"Basically [the malware] would be spewing out the identity information," Cluley told SCMagazineUS.com on Wednesday. "It's a really cunning scheme. You need to know how to talk to the ATM. It was working with the Diebold DLL (dynamic-link library). It knew what API (application programming interface) calls to make, which is information, I suspect, not normally in the public domain."
Diebold this week disclosed that it issued a security update in January for its ATMs running a Windows-based operating system to address the problem. Diebold told its customers in a letter that a number of its machines in Russia were infected -- but the company did not reveal specifics on the attacks.
Researchers, though, cautioned that this attack is not something most hackers can pull off. The culprits were required to have intimate knowledge of how the Diebold ATMs function and likely needed physical access to them, Cluley said.
"It would suggest that hackers gained insider access to the ATM or managed to intercept the ATM in the production line to install the software," he said.
But Kishore Yerrapragada, a CTO at Solidcore, which makes anti-tampering solutions for ATM manufacturers, said the criminals, in this case, may have been able to succeed just by somehow gaining access to the network of the bank that owns the machine -- and then exploiting a Windows vulnerability.
He said the malware writers customized the code so that when the crook returned to the ATM, the malicious card he inserted triggered the malware to run the machine in "service mode," which turned off encryption and other security controls and enabled him to receive the stolen data in clear text.
Diebold, in its update, said that the risk of such an attack is "significantly increased" when the machine is not running a hardened version of the Windows platform, when the provided firewall software is disabled or not properly configured, or when the Windows administrative password is compromised.
But Yerrapragada told SCMagazineUS.com that machines need run-time control software to ensure nothing can tamper with authorized applications.
"You could have firewalls and hardening, but...if those things are not patched, you are out of luck," he said.
Diebold also has been taken to task over the voting machines it makes. In July 2007, the California Secretary of State's Office issued a report contending that the company's touch-screen voting machines were susceptible to malicious software, which could sabotage election results. Machines made by Sequoia and Hart also were found to have flaws.