The battle for ATMs. How criminals break into self-service devices today

Tomas Augucevičius

Deputy General Director at BS/2

Views 425

The battle for ATMs. How criminals break into self-service devices today

11.10.2018 10:00 am

Hacking ATMs with malicious software or traditional physical attacks is becoming one of the most worrisome trends in the banking sector in 2018. The wave of "jackpotting" attacks, which swept across the countries in Asia, North and South America at the beginning of the year, continues as series of similar crimes occur in European countries, including the post-Soviet space. 

The main problem for financial institutions is that they have to protect their self-service infrastructure from completely different types of attacks, and there is no cure-all solution to all possible problems. 

It is important to understand that financial institutions are protecting not only their physical assets (the terminals themselves) and stored money, but also their intellectual property and business-crucial data about their activities and customers, as well as their reputation as reliable providers of banking services. 

However all the threats we will be examining can be divided into three main types. Each group of vulnerabilities has its own specifics and requires the consolidation of multiple departments of the bank (technical department, security department, customer service departments) and an experienced technology partner.

1. Physical attacks on ATMs

According to recent statistics, the most popular attacks on self-service devices are performed with rather primitive means: trying to saw or break open the ATM, which in most cases takes a lot of time and attracts the attention of the police. In 8 out of 10 cases of such physical attacks, it is quite easy to track criminals, and they do not even have time to access the stored money. 

Cybercriminals using special means, in particular, explosives possess a higher threat to banks. For example, an ATM can be filled with gas and blown up, which will attract the attention of the security service only at the very last moment. In recent years, up to 30 such cases have been recorded in the world, and annual damage ranges from 170 to 200 million euros. 

Preventing such attacks is the prerogative of the security service. Reliable installation of self-service devices, effective use of video surveillance systems and quick notifications from the sensors installed on the terminals - help minimize the risk of the criminals disappearing without a trace along with the cash and the self-service device itself.

2. Intrusion attacks through ATMs

An even greater threat comes from attackers being able to access and reprogram the hardware of the self-service device using malicious software installed directly on the terminal itself. To do this hackers drill a small hole to access the ATM computer on which they install special software via the USB port, for example, the Green Dispenser Trojan or the software part of the Cutlet Maker kit, which is freely available to hackers of such devices around the world. 

The malicious software on the compromised devices is not easy to detect for the security staff of the bank, so criminals manage to carry out the preparatory stage without much risk. They seal the video cameras and drill a small hole in the terminals shell (which only takes a few minutes). After that, because ATM computers are usually protected by standard antivirus software or not protected at all, all that is left is to insert a USB stick or gain control of the ATM computer through the USB port. 

The malicious program instructs the dispenser to issue all the banknotes stored in the cassettes of the ATM before the security service has time to respond adequately. The speed and the ease of compromise is why logical attacks are the most effective way of stealing money.

The best way to protect devices from hackers is to use specialized solutions that restrict access to the device from outside processes and other various manipulations. Creating a "sandbox" environment for the hardware and software of the ATM allows you to automatically detect any suspicious activity on the terminal and instantly inform the responsible personnel while simultaneously running one of the protective scenarios.

3. Global malware attacks on the IT infrastructure of the bank

However, often the point of penetration for criminals who want to empty ATMs or payment kiosks is not the terminal itself, but other parts of the bank's IT infrastructure. Unoptimized work processes, high staff rotation with access to important internal information and low technological level of financial organizations makes the attack surface even greater, and the job of the security service becomes greatly complicated. 

For this reason, practically no ATMs are connected to the internal bank network, access to which from the outside is practically impossible. The use of VPNs, TLS protocols, special "firewalls" together with decisions on strict (ultimatum) delineation of access rights allows concentrating protective resources around the most vulnerable part of the banking infrastructure. 

Thus, even in the case of hacking banking databases (for example, Internet banking), ATMs and payment kiosks are relatively safe. Their defense system should be detached and generally independent of what is happening outside of it. Nevertheless, only companies with a large practical experience in this field can check the correctness of the configuration of all self-service device protection systems. 

Latest blogs

Marten Nelson Token

PSD2: The real RTS deadline is closer than banks think

Let’s work backwards. Most banks know that the final deadline to comply with PSD2’s Regulatory Technical Standard (RTS) is 14th September 2019. Eleven months away.  Following the amendments to the RTS, however (based on industry consultation and Read more »

Alexander Peschkoff Trusted

Brex - not Brexit - is the shape of things to come

There are a lot of discussions on LinkedIn about the Brex duo - two 22-year olds who built a unicorn in less than two years. “Young and inexperienced, did not invent anything new, there are thousands of similar products, etc”. Well, it’s not that Read more »

Shiran Weitzman Shield FC

eComms Compliance Challenges under MiFID II and MAR

In today financial markets, compliance officers face a haystack of digital information to sift through, for the needles that indicate market abuse or misbehaviour. The question is, how to find those needles amongst all the hay of normal market Read more »

Eli Fathi MindBridgeAI

The Charter to Success

The UK audit market is awash with tension. A variety of factors are redefining the landscape, but most prominent are the widespread scrutiny of auditing practices and high-profile allegations of malpractice. As a result of these tensions, trust in Read more »

Ed Lloyd encompass corporation

KYC remediation: Don’t let outdated customer information expose you to risk

Regulatory and reputational drivers for KYC and customer remediation Read more »

Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App