ATM hackers always look for the easiest in, no matter where it is.
April 25, 2013 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications
This week, the world got a small reminder of how easy it can be to shove a stick in the spokes of the U.S. financial system. On Tuesday afternoon, hackers gained access to the Associated Press Twitter account and tweeted that bombs had exploded at the White House, injuring President Obama.
Within two minutes, the Dow Jones Industrial Average plummeted 145 points. Two minutes later, the AP declared the tweet a fake and by day's end, the markets climbed back out of the trenches.
Responsibility for the AP attack was claimed by the "Syrian Electronic Army," which purports to be composed of "enthusiastic" youths loyal to President Bashar al-Assad. (The group also claims hacks against NPR, 48 Hours and 60 Minutes).
But a bigger wheel among FI hackers is "The Cyber-Fighters of Izz ad-Din al-Qassam" (or just "al-Qassam"). Annoyed by an "insulting movie" on YouTube, this Muslim group has staged distributed denial of service attacks against dozens of FIs based in the United States, including Bank of America, Chase, Citigroup and Wells Fargo.
The concept behind a DDOS event is simple: using large numbers of servers (usually hijacked), bombard a website with communications requests until it slows to a crawl or crashes. Al-Qassam vows to continue these attacks until every frame of "The Innocence of Muslims" is erased from every YouTube account everywhere in the world.
Ideology-driven hackers like al-Qassam aren't after money — they're after media attention. And the damage they do is not to programs and databases but to customer confidence. When computer-dependent customers can't access money online, they become unnerved.
And, as Hurricane Sandy and the financial crisis in Cyprus demonstrated, when they can't access money from an ATM, they become irate. Which raises the interesting question of whether hackers could add ATMs, alongside online banking websites, as a target for DDOS attacks.
"ATM networks are typically separate and strongly protected," said Adam Williams, chief security officer at Diebold. "But to rule them out as not being vulnerable would be inappropriate. So absolutely, there is a risk there."
Harish Bhat, president and CEO of ESQ Business Services, also acknowledged the possibility of a DDOS attack against an ATM network. "It could definitely percolate to the ATM from the data center and impact quality of service," he said.
There's also the question of whether hackers could gain access to a network through multi-function ATMs, which introduce new points of connection and handoff — in a billpay transaction, for instance.
Chuck Somers, vice president of core self-service solutions and ATM security at Diebold, said that if the ATM was actually the central focal point, as opposed to a back-end system, vulnerabilities could increase because information is exposed across two different networks.
But often, he said, billpay is just an added transaction of the same type usually performed by an ATM. "[T]he same network that is authorizing a $50 cash withdrawal is also facilitating that back-end transfer … the risk is really to the back-end system and not so much at that point of interface with the customer," Somers said.
It's most likely that a hacker would skip the ATMs and go for the real target of opportunity. "[W]hether it's denial of service, or affecting availability, integrity or confidentiality, [the target] would be those back-end connected systems that process, store and transmit the data that supports the ATM network," Williams said. "That's the real threat."
That threat comes in two basic varieties: First there's the overt attack that aims to take down systems in a spectacular crash — for instance, the late March attack on major South Korean banks, which disabled not only online banking but also ATMs and internal systems — for more than 21 hours at some branches.
Then there's the covert attack that seeks to tap data unnoticed, going so far as to rewrite and replace system code. A covert attack last year at Heartland systems went on for weeks before it was discovered.
"There's a tremendous gap between most organizations' ability to detect and respond, compared to the time it takes for an attacker to do damage," Williams said.
Safeguards such as PCI can facilitate improved compliance awareness and standardized operational processes, but they're not a cure-all, said Bhat.
"[T]he banks are always playing catch-up to the growing sophistication of fraud. What their fraud analysts need is an ability to react proactively to fraud threats." Legacy fraud management solutions often lack the agility to effectively handle emerging threats, he said.
Williams said that compliance shouldn't be allowed to drive an organization's security posture because that might result in vulnerabilities elsewhere; the key is to use both preventative and detective controls — at the network layer, the system layer and the data layer.
The end game is to "reduce the criminal ROI," Somers said. "Because criminals, when you thwart whatever they're coming at you with, don't put down their criminal tools and become law abiding citizens and get a day job. They simply attack you in a different way."
Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally.