Protecting Payment Cardholders from ATM Malware Attacks

ATM machines have long been targeted by thieves before, and are unarguably a security weak point of financial institutions. A recently publicized breach has resulted in Indian banks becoming the latest victims of unknown malware running on ATM machines. The breach affected ATMs that were managed by Hitachi Payment Services for 19 Indian banks and is estimated to have compromised at least 3.2 million debit cards over a 4-6 week period prior to its discovery. 

The National Payments Corporation of India has instructed banks to deal with the consequences individually. Banks are currently re-issuing cards and warning consumers to change their PIN numbers – often using the same potentially compromised ATM machines. Further, the banks have informed the victims – their customers – that they will not be reimbursed. Clearly consumer protection legislation is required in this burgeoning market. One hopes that the NPCI takes concrete action in the near future and issues – at minimum – guidelines for the security of payments and payment machines, much as SWIFT has done for the former.

The simple truth is that the affected banks in India outsourced the responsibility for management of their ATMs to their supplier, Hitachi.  Hitachi clearly had no capability to detect malware that had breached defenses and was running on the endpoints. While this particular strain of malware has now been discovered, there is no guarantee that other malware is not running on the ATMs undiscovered. Or that another ATM supplier does not have the same problem.  

Generally speaking, ATM vendors and banks tend to be over-reliant on real time defensive technologies that simply do not work 100% of the time. Malware will and does breach antivirus (AV), HIPS, whitelisting, endpoint detection and response (EDR), and other defenses. They do not currently use solutions that allow them to look for threats that have bypassed these solutions.

The theft that brought this malware breach to light was recognized approximately 4 to 6 weeks post-compromise; which by EMEA standards is relatively rapid. The average breach detection gap period in EMEA is 465 days. While discovery within 30-45 days may seem positive in comparison, it should not be seen as acceptable. ATMs serve a critical function for society at large, and as such need to be subjected to the most rigorous protections available.  

Moving forward financial institutions need to change their security posture to combat today’s threats. Quite simply, endpoints must be treated as untrusted until it can be demonstrated they can be trusted – and that period of trust should be fleeting.  

How Infocyte HUNT Removes the Risk of Malware Persisting Undetected on ATMs

Infocyte HUNT is a malware hunting technology that is designed to quickly answer the question “Have I been breached?” As we have all learned by now – by the time malware is discovered, you already have a problem and now are simply aware of it. Organizations should be able to know, at any point in time, whether malware is running on their endpoints. And ideally before the realization that theft of money, information or other data has led to discovery.  

Using Infocyte HUNT, enterprises are capable of hunting down hidden malware before it causes a problem. Infocyte HUNT scans endpoints for malware – as frequently as needed.  It’s that simple.   

Here’s how it’s done:     

  1. HUNT is agentless: It uses dissolvable agents that only exist on the endpoint for the duration of the scans. Banks and financial institutions don’t have to undergo rigorous certification and testing prior to scanning an ATM.
  2. HUNT doesn’t rely on the host OS: It traverses all executable memory space, conducting volatile memory analysis and using memory un-mapping techniques to figure out what is happening at a given point of time.
  3. HUNT doesn’t require an expert: The final analysis is provided as an easy-to-understand, interactive report, designed for use by junior administrators and IT security professionals.

Reducing the Breach Detection Gap with Infocyte HUNT

A key challenge when it comes to malware and its impact on ATMs, is that banks generally have to wait for internal/external activity reports to identify instances of financial crimes or for security researchers to discover the malware and create tools/signatures to identify the malware.  In either case, the scenarios are long term and both allow for fraud to continue unaddressed for weeks or months.  

Infocyte takes a different approach by automating the hunt process. Infocyte HUNT can scan up to 25,000 endpoints per day on a single server deployment. To perform this work manually would be cumbersome and time consuming, requiring highly skilled digital forensics examiners - with volatile memory analysis skillsets - to actively go out and search and validate every endpoint in their ATM infrastructure. 

Banks are a highly desirable target to hackers, and due to the risk and data sensitivity of ATMs, our recommendation is that banks should re-establish trust in their ATMs several times per day and when occasioned by certain events: 

  1. ATMs should be scanned at minimum once per day; ideally at least two scans per day spaced at least 12 hours apart;
  2. ATMs should be scanned within minutes of an ATM being opened for service and again within minutes of the ATM being closed – this presents the largest opportunity for someone to install malicious software onto the ATM with physical access. 

This approach effectively reduces the breach detection gap, the amount of time between first execution of malware and its discovery, and shrinks it to a defined and managed period of time to mitigate damage. 

Infocyte HUNT is the only automated threat hunting technology on the market today that can address the above needs without straining IT resources:

  1. Scans can be scheduled to run multiple times per day (even hourly, if desired) 
    • Scans have almost no load on the endpoint – they typically last 1-3 minutes
    • Scans are agentless, so no ATM vendor support warranty is voided or at risk as the bank/institution is not installing new defensive software that can interfere with the operation of the ATM
  2. Scans can be triggered to run by an external system such as SEIM, where events related to ATMs being opened/closed or external media connected can be seen

The security problem inherent in ATMs will continue to worsen for banks and related financial institutions and entities until there is an acceptance that reliance on defenses alone are insufficient to protect consumers and the integrity of the financial transaction processes. However there is a solution. Infocyte HUNT offers a proactive stance, and equips financial institutions to confirm their malware status on-demand. 

Find out if you have malware running undetected. Learn more about Infocyte HUNT or request a demo