Insider Threat: Malware on your ATM

Insider Threat – your ATM may now be hacked from the inside. According to Wired’s Threat Level Blog…

• • A Bank of America worker installed malicious software on his employer’s ATMs that allowed him to make thousands of dollars in fraudulent withdrawals, all without leaving a transaction record, according to federal prosecutors.

According to the paperwork filed by the US Attorney, the ATM would dispense cash without any record of transaction (see image below) and speculation prompted by Bank of America’s statement is that it was engineered to target the ATM and not the account holders using the ATM.

Speaking of malware…

VISA recently warned of keylogger malware which would also take screenshots. This PDF released by VISA also has hash values of the malware as of March 17th 2010. Of course since variants will change the hash, it’s in a business’ best interest to keep their AV up to date and use the best protection.

If you’re a merchant having issues, the VISA site mentioned in the PDF is found here. The penalty of becoming compromised by malware if merchants are not compliant with PCI DSS is pretty grim:

• • • If a Visa member fails to immediately notify Visa Inc. Fraud Control of the suspected or confirmed loss or theft of any Visa transaction information, the member will be subject to a penalty of $100,000 per incident.
    • Members are subject to fines, up to $500,000 per incident, for any merchant or service provider that is compromised and not compliant at the time of the incident.

Clearly, it’s incentivizing merchants to keep their AV protection up to date and use the best zero-day protection. I’ve heard speculation that VISA as an industry may be counting on their bottom line revenue increasing due to such penalties. I’ll be following up on that speculation in a later article.

Securing Our eCity Contributing Writer