Tim Yunusov is the senior expert of banking security and author of multiple researches in field of application security including "Apple Pay replay attacks" showed at the BlackHat USA 2017, "Bruteforce of PHPSESSID", rated in Top Ten Web Hacking Techniques by WhiteHat Security and "XML Out-Of-Band" showed at the BlackHat EU. Professional application security researcher.
Yar Babin is the specialist of Web application and Banking systems security depts. Social engineering field's enthusiast.
[Abstract]
==========
Everyone is perfectly familiar with logical and black-box attacks on ATMs. But hardly any countermeasures have been taken so far: banks are sure that their devices are perfectly protected until hackers prove them wrong. The most frequent reason why this happens is developers, engineers, and security staff' lack of expertise: they have a vague idea on attacks sources and vectors and what they should monitor and improve.
During the last year alone, we assessed 10 different application control products during ATM security assessments. Each product was found to have bypass methods. Whilst the most versatile bypass method was discovered a long time ago we have found 0-days in leading products (CVE-2016-8009, GVM Checker, Kaspersky KESS, M3Defender), as well as some universal 0-day techniques.
In this presentation, we will focus on Application Control bypass, in the reason why Application Control is one of the main protection mechanisms in ATM, and the current state of this type of security software is really poor and has a lot of weaknesses and bypasses. Nevertheless, it could be made in absolutely another manner, which will satisfy requirements for necessary security level.