Guys, I couldn't stand it. We will now talk about the ATM virus discovered more than a year ago in Diebold ATMs, and the basic principle of its operation. This topic is ancient, the peak of hysteria has long passed, but the public has not found out what really happened, which is why even IT specialists build a lot of guesses and tell myths. Many articles have been written about this virus, from technical descriptions to political education of housewives, but the most important trick was never revealed to us. I will try to explain more simply, because it is important for us to understand the essence, and not to delve into the details of a specific implementation of something.
Image to attract attention:
Let's start from the beginning. A year ago, a panic broke out in the media: "there are viruses in ATMs!", as a result of which all self-respecting bank managers supported this panic and began to try to do something. There is a reason for the panic: there are many freebie lovers in the world, so-called carders, whose goal is to get your bank card details, including PIN-code, then make a duplicate of it and withdraw all the money or buy something. To do this, various methods of deception are invented, but before the virus appeared, all of them were physical in nature. But the virus is very interesting, because it brought the technology to a fundamentally new level-PIN codes were stolen at the software level. It should be noted that the virus still knows how to issue unlimited cash on a special card, but we, as customers, do not care about this, here the bank gets money, and not us.
Now let's make a cursory excursion into the ATM itself, and find out where viruses can be there. Let me tell you a secret: the vast majority of ATMs work under Windows XP. A quick-witted reader will understand that in this case, the threat is obvious, and you need to start being afraid. But not everything is as bad as it seems. First, bona fide suppliers of ATM software severely curtail this Windows, disabling everything that is possible in it, protecting ports, blocking access, and so on. And secondly, the ATM never looks directly at the Internet – it is either in a dedicated segment of the corporate network, or it is connected through some kind of encryption device, such as Cisco or Checkpoint, and the virus can get there, to put it mildly, without options. Accordingly, the way out here is only insider, because it is problematic to slip something into the ATM from the outside.
And what is a typical ATM software? And here's what. The architecture of this software is similar to the client-server architecture. In this case, the server is able to work with specific hardware (of which there is a lot at the ATM) and publishes software interfaces common to each type of hardware (dispenser, card reader, printer, keyboard, etc.). The client, i.e. the business application itself, in turn, uses these interfaces to show us ads, gives out the long-awaited salary, prints checks and happily blinks lights. All this is called the CEN/XFS standard. I think I'll attach a picture.
After learning this news, we immediately start writing our own ATM softwareс блэкджеком и шлюхами fortunately, there are no secrets here, and no one hides all the emulators and specifications from us. We will read the magnetic stripe from the card reader when the client inserts the card, and the PIN code from the PIN keyboard when the client types it. Here it is, as they say, profit. And it looks like everything is fine. But it's too early to be happy, we are waiting for a small bummer. The fact is that the PIN code cannot be read from the keyboard in its pure form. You can only use it in encrypted form.
Let's make a lyrical digression for the general development of those interested. The PIN code in its pure form does not go anywhere except for the keyboard itself and a special HSM device that is in processing. The PIN code entry process is as follows. The software sends the card number and PIN code input command to the keyboard. Further, during the input process, the keyboard returns only the fact that a key was pressed, but does not indicate which one. Then the keyboard forms a construction from the two-digit length of the PIN code, the PIN code itself, then finishes up to 16 characters with the digit F and makes an "exclusive or" with the right 12 digits of the card number, except for the last verification digit. For example, for PIN 1234 and card 4987.6543.2109.8765, we will take 04.1234. FFFFFFFFFF, XOR it with 0000.765432109876 and get 0412.42 AB. CDEF.6789. And then this last number is encrypted with a working key that is already in the keyboard, and the cipher is returned to the application that ordered the PIN entry operation.
Now let's deal with the encryption keys, since we're already talking about them. These keys are located in the keyboard itself, and you can't read them from there. As a rule, bank security officers manually enter the so-called master key (MK) into the keyboard before operating the ATM. Then, periodically, a special working key (WK) arrives from processing to the ATM, encrypted with the same master key, which, apart from the keyboard and the special HSM device mentioned above, no one knows (the officers each enter their own component and also do not know the full key). In total, we have MK and MK(WK) in the keyboard.
Let's start smoothly approaching the climax. In fact, you can write many different keys to the keyboard. You can also feed her a PIN block, force her to decrypt it with a working key, encrypt it with another key, and return the result. That is, we will never get the key in its pure form, but if it is encrypted with any key, please. So why don't we write down our known master key there and give the keyboard a command to encrypt the PIN block with it, and not some other one? And then we will decrypt it, because the key is now already known to us. This is exactly what our virus does.
That's the trick, guys. Nothing complicated, right?
Finally, I'll tell you what the catch is. It is no coincidence that the virus operated on Diebold ATMs. The fact is that some Diebold ATMs have installed old keyboards that do not meet modern security requirements. And modern security requirements state that keyboards in ATMs must provide a hierarchy of keys. This means that if we give the keyboard a command to decrypt the PIN block with the working key, then we can only encrypt it with the master key that the worker was encrypted with. This is logical, because if we managed to download the working key, then we know this master key (we encrypted the working one with it) and can be trusted. But if we ask to encrypt the PIN block with any key from a neighboring branch, we will not be given – there are signs of evil intentions.
That's all. It turned out a bit long, I didn't need to write about PIN blocks, but oh well. I hope I have clarified the situation a little, and there will be fewer different myths and interpretations in well-known circles. This is especially true for large bank managers who dream of putting antivirus software on ATMs, not realizing that they will get hemorrhoids many times more than they need. Normal guys have been using Solidcore solutions for a long time and live in peace.
Image to attract attention:
Let's start from the beginning. A year ago, a panic broke out in the media: "there are viruses in ATMs!", as a result of which all self-respecting bank managers supported this panic and began to try to do something. There is a reason for the panic: there are many freebie lovers in the world, so-called carders, whose goal is to get your bank card details, including PIN-code, then make a duplicate of it and withdraw all the money or buy something. To do this, various methods of deception are invented, but before the virus appeared, all of them were physical in nature. But the virus is very interesting, because it brought the technology to a fundamentally new level-PIN codes were stolen at the software level. It should be noted that the virus still knows how to issue unlimited cash on a special card, but we, as customers, do not care about this, here the bank gets money, and not us.
Now let's make a cursory excursion into the ATM itself, and find out where viruses can be there. Let me tell you a secret: the vast majority of ATMs work under Windows XP. A quick-witted reader will understand that in this case, the threat is obvious, and you need to start being afraid. But not everything is as bad as it seems. First, bona fide suppliers of ATM software severely curtail this Windows, disabling everything that is possible in it, protecting ports, blocking access, and so on. And secondly, the ATM never looks directly at the Internet – it is either in a dedicated segment of the corporate network, or it is connected through some kind of encryption device, such as Cisco or Checkpoint, and the virus can get there, to put it mildly, without options. Accordingly, the way out here is only insider, because it is problematic to slip something into the ATM from the outside.
And what is a typical ATM software? And here's what. The architecture of this software is similar to the client-server architecture. In this case, the server is able to work with specific hardware (of which there is a lot at the ATM) and publishes software interfaces common to each type of hardware (dispenser, card reader, printer, keyboard, etc.). The client, i.e. the business application itself, in turn, uses these interfaces to show us ads, gives out the long-awaited salary, prints checks and happily blinks lights. All this is called the CEN/XFS standard. I think I'll attach a picture.
After learning this news, we immediately start writing our own ATM software
Let's make a lyrical digression for the general development of those interested. The PIN code in its pure form does not go anywhere except for the keyboard itself and a special HSM device that is in processing. The PIN code entry process is as follows. The software sends the card number and PIN code input command to the keyboard. Further, during the input process, the keyboard returns only the fact that a key was pressed, but does not indicate which one. Then the keyboard forms a construction from the two-digit length of the PIN code, the PIN code itself, then finishes up to 16 characters with the digit F and makes an "exclusive or" with the right 12 digits of the card number, except for the last verification digit. For example, for PIN 1234 and card 4987.6543.2109.8765, we will take 04.1234. FFFFFFFFFF, XOR it with 0000.765432109876 and get 0412.42 AB. CDEF.6789. And then this last number is encrypted with a working key that is already in the keyboard, and the cipher is returned to the application that ordered the PIN entry operation.
Now let's deal with the encryption keys, since we're already talking about them. These keys are located in the keyboard itself, and you can't read them from there. As a rule, bank security officers manually enter the so-called master key (MK) into the keyboard before operating the ATM. Then, periodically, a special working key (WK) arrives from processing to the ATM, encrypted with the same master key, which, apart from the keyboard and the special HSM device mentioned above, no one knows (the officers each enter their own component and also do not know the full key). In total, we have MK and MK(WK) in the keyboard.
Let's start smoothly approaching the climax. In fact, you can write many different keys to the keyboard. You can also feed her a PIN block, force her to decrypt it with a working key, encrypt it with another key, and return the result. That is, we will never get the key in its pure form, but if it is encrypted with any key, please. So why don't we write down our known master key there and give the keyboard a command to encrypt the PIN block with it, and not some other one? And then we will decrypt it, because the key is now already known to us. This is exactly what our virus does.
That's the trick, guys. Nothing complicated, right?
Finally, I'll tell you what the catch is. It is no coincidence that the virus operated on Diebold ATMs. The fact is that some Diebold ATMs have installed old keyboards that do not meet modern security requirements. And modern security requirements state that keyboards in ATMs must provide a hierarchy of keys. This means that if we give the keyboard a command to decrypt the PIN block with the working key, then we can only encrypt it with the master key that the worker was encrypted with. This is logical, because if we managed to download the working key, then we know this master key (we encrypted the working one with it) and can be trusted. But if we ask to encrypt the PIN block with any key from a neighboring branch, we will not be given – there are signs of evil intentions.
That's all. It turned out a bit long, I didn't need to write about PIN blocks, but oh well. I hope I have clarified the situation a little, and there will be fewer different myths and interpretations in well-known circles. This is especially true for large bank managers who dream of putting antivirus software on ATMs, not realizing that they will get hemorrhoids many times more than they need. Normal guys have been using Solidcore solutions for a long time and live in peace.
