The ATMIA says it is focusing attention on ATM software security because it is starting to see evidence that criminals are targeting ATM software as a new frontier of fraud.
Reverse engineering, said the association, is the process of discovering the technological principles of a system through analysis of its structure, function and operation.
In terms of software, the association added that it can also be seen as "going backwards through the development cycle" – and since 84% of ATMs are now Windows-driven, the process is not a complex one, Infosecurity notes.
The purpose, said the ATMIA, is to deduce design decisions from end products with little or no additional knowledge about the structure and algorithms of the investigated application.
And here's where it gets interesting, as the association claimed that reverse engineering is an essential instrument in hackers’ hands to circumvent software systems for various purposes.
The association added that most of the modern well-known software security breaches were made using reverse engineering.
The problem, said the ATMIA, is that unprotected applications can be easily reversed-engineered by even an intermediate level hacker. Once the reverse engineering process is complete the hacker understands how an application works and is able to bring new functionality to the application.
This is, said the association, the most dangerous threat as the ATM owner/operator may not discover the system penetration for some time. While everything is working normally the fact that the system has been cracked is hidden but the fraudster can launch the malware mechanism at any time.
Commenting on the new recommendations, StarForce Technologies, a Russian security software development firm that specializes in defending applications against reverse engineering, said that protecting applications installed on ATMs requires attention through the whole software life cycle, starting with the development phase and continuing during patching of already installed programs.
The coding process, said the firm, can involve code obfuscation and virtualization, as well as self-checks on code integrity and the installation of protection against debugging software.