When cyber-criminals are intent on exploiting vulnerabilities in the security surfaces of financial institutions, ATM systems can serve as primary access points. While ‘smash and grab’ attacks on ATMs are nothing new, in the rapidly evolving world of cyber-crime, cash machines are now a focus for operatives aiming to siphon bounty ranging from customer data to old-fashioned cash.
The past few years have seen a spate of attacks on ATMs in the UK using trucks and stolen farm machinery. The aim is to steal the ATM intact and transport it to a site where the cash can be extracted by force. The alternative is ‘smash and grab,’ breaking into the ATM on site to extract funds. Since 2016, almost 100 attacks of this type on ATMs using gas explosions have been recorded by police in England and Wales. This included 23 attacks by a single gang over a three-month period, which saw more than £1.5 million stolen across the Midlands.
But there is a new threat to be mindful of – one that isn’t physical but in the world of cybercrime. This summer, the FBI issued a warning about an imminent global cyber-attack on commercial bank ATMs. Known as an ATM ‘cashout,’ the pre-empted attack centred on the hacking of a bank or payment processor to enable the fraudulent withdrawal of funds using cloned cards. This is typical of a sophisticated hack that can impact consumers directly while derailing the operations of banks and businesses.
Over the past decade, ATM malware has developed rapidly. A 2017 European ATM Crime Report by EAST showed a 287 per cent rise in ATM black box attacks on the previous year. And while cyber-security solutions can deal with an array of infrastructural vulnerabilities, ATM hardware and operating systems often remain a particular weakness.
ATM attacks fall into two categories: physical or logical. A physical attack sees the perpetrator present before, during or after the crime. It involves the use of physical force to compromise the machine and is still very prevalent in the UK. The FBI warning concerned a logical attack, which generally involves malware and specialist electronics to gain control of the ATM and access to customer data and funds.
Skimming the top
Theft at the ATM interface is becoming more sophisticated and profitable. According to Diebold Nixdorf, the ATM manufacturer, ATM ‘skimming’ now has a global cost exceeding $2 billion. Skimming is the act of syphoning customer data at the ATM using hardware that mimics the appearance of legitimate machine components. The technology needed is easy to legally purchase online.
While methods and components vary greatly, skimming hardware is now more discreet and effective, and is often virtually impossible to spot. Some equipment is now as thin as a credit card and can be installed inside the ATM’s card slot. Once operational, the ‘skimmer’ can syphon the card details of unwitting consumers – sometimes directly to the perpetrator’s mobile via Bluetooth.
Hitting the jackpot
The most sophisticated form of logical ATM attack is referred to as ‘cashout’ or ‘jackpotting.’ This approach involves infecting an ATM with malicious software. For instance, an early form of this type of attack involved the transfer of malware to the ATM on a USB through an interface portal. Modes of infiltration have since become more effective and require even less involvement by the hacker.
As recent research by EAST shows, ‘black box’ ATM attacks have been on the rise in Europe. To perform this type of jackpotting attack, the perpetrator connects a device known as the ‘black box’ to the ATM’s ‘top box,’ or the interior of the machine. The device then reverts the machine to supervisor mode and dispenses cash. The good news for banks is that while the number of planned black box attacks in Europe has been increasing, the rates of criminal success have been falling due to the work of agencies such as EC3, Europol’s European Cybercrime Centre.
Financial gain is the motive behind 90 per cent of all cyberattacks, and unsecure ATMs present a soft target for criminals. Hackers are constantly looking for vulnerabilities across the spectrum of bank IT infrastructures and endpoints. And while banks safeguard against sophisticated phishing attacks across other areas of the network, they cannot afford to ignore the dangers ATMs are prey to. Hackers often view ATMs as easy access to a bank’s infrastructure. And while unauthorised access might not always be preventable, restricting the extent of this infiltration is key.
For example, hacking using hijacked employee credentials has become prevalent in recent years. This issue can be mitigated by centrally securing privileged credentials, with multi-factor authentication, and controlling network access based on need. As a result, hackers are restricted in terms of their mobility through the environment and the extent to which they can compromise security controls and access capital.
Vigilance for prevention
Moreover, there is an onus on banks to constantly monitor for threat risks. This should involve a holistic approach to how vulnerabilities are identified and should include ATMs as a first line of defence. By constantly monitoring events and patterns, it becomes easier to spot irregularities and unusual activity – for instance, those originating from the unauthorised use of employee credentials. If vigilance is consistent, reaction times can become quicker to prevent the syphoning of data or access to cash funds by hackers.
Today, more than ever, there is a need for banks and businesses to recognise that ATMs require the same levels of rolling security provision and upgrading as every other aspect of their infrastructure. Like all other forms of cyber-crime, ATM attacks are changing and adapting all the time. It is therefore essential for banks to understand this threat and to keep the integrity of their ATM security one step ahead.
David Higgins, Director of Customer Development EMEA, CyberArk