When cyber-criminals are intent on exploiting vulnerabilities in the security surfaces of financial institutions, ATM systems can serve as primary access points. While ‘smash and grab’ attacks on ATMs are nothing new, in the rapidly evolving world of cyber-crime cash machines are now a focus for operatives aiming to siphon bounty ranging from customer data to old-fashioned cash.
Asia Pacific is still a region dominated by the use of cash. According to Retail Banking Research (RBR), while the number of ATMs installed worldwide grew by 3 percent to 3.3 million in 2016, APAC demonstrated strong expansion of 6 percent, and now accounts for just over half of all terminals installed worldwide. This share is anticipated to rise further in the coming years, to reach 54 percent by the end of 2022.
Although cases of robbery or people getting mugged at ATMs are relatively rare, ATM frauds in APAC have been increasing along with the growth in the number of ATM terminals. In 2014, members of an international credit card fraud gang in Hong Kong withdrew USD 110,000 from bank accounts using a number of fake bank cards at ATMs to obtain account information and withdraw money from the machines. Then in 2016, suspicious devices—which were identified to be false card slots fixed with a card reader—were found at an ATM at a Bank of China branch.
This threat to ATMs is not physical but exists in the world of cybercrime. Last year, the FBI issued a warning about an imminent global cyber-attack on commercial bank ATMs. Known as an ATM ‘cashout,’ the pre-empted attack centered on the hacking of a bank or payment processor to enable the fraudulent withdrawal of funds using cloned cards. This is typical of a sophisticated hack that can impact consumers directly while derailing the operations of banks and businesses.
Over the past decade, ATM malware has developed rapidly. The European Union Agency for Law Enforcement Cooperation, known as Europol, highlighted the emerging threat of ATM malware as it warned that incidents of ATM targeting are likely to rise in the future.
In addition, according to a report by Marsh & McLennan, APAC is an ideal environment for cybercriminals to thrive in due to high digital connectivity contrasted with low cybersecurity awareness, growing cross-border data transfers and weak regulations. It also revealed that business revenues lost in APAC due to cyber attacks in 2015 came to USD 81.3 billion. And while cyber-security solutions can deal with an array of infrastructural vulnerabilities, ATM hardware and operating systems often remain a particular weakness.
ATM attacks fall into two categories: physical or logical. A physical attack sees the perpetrator present before, during or after the crime. It involves the use of physical force to compromise the machine; this still occurs in several areas of APAC. The FBI warning concerned a logical attack, which generally involves malware and specialist electronics to gain control of the ATM and access to customer data and funds.
Skimming the Top
Theft at the ATM interface is becoming more sophisticated and profitable. According to ATM manufacturers Diebold Nixdorf, ATM ‘skimming‘ now has a global cost exceeding USD 2 billion. Skimming is the act of siphoning customer data at the ATM using hardware that mimics the appearance of legitimate machine components. The technology needed is easy to legally purchase online.
While methods and components vary greatly, skimming hardware is now more discreet and effective, and is often virtually impossible to spot. Some equipment is now as thin as a credit card and can be installed inside the ATM’s card slot. Once operational, the ‘skimmer’ can siphon the card details of unwitting consumers – sometimes directly to the perpetrator’s mobile via Bluetooth.
Hitting the Jackpot
The most sophisticated form of logical ATM attack is referred to as ‘cashout’ or ‘jackpotting.’ This approach involves infecting an ATM with malicious software. For instance, an early form of this type of attack involved the transfer of malware to the ATM on a USB through an interface portal. Modes of infiltration have since become more effective and require even less involvement by the hacker.
As research by EAST shows, ‘black box’ ATM attacks have been on the rise in Europe. To perform this type of jackpotting attack, the perpetrator connects a device known as the ‘black box’ to the ATM’s ‘top box,’ or the interior of the machine. The device then reverts the machine to supervisor mode and dispenses cash.
This is another increasingly popular tactic in the APAC region. In 2016, a group of hackers in Japan stole USD 13 million from ATMs in a three-hour, 14,000 withdrawal spree, while in Taiwan, hackers breached a major domestic bank in July the same year and used malware to withdraw more than USD 2 million from dozens of ATMs. A similar crime also occurred in August last year, in which an India-based bank system was hacked via a malware attack on its ATM server and nearly USD 13.5 million was successfully siphoned off.
Financial gain is the motive behind 90 percent of all cyber attacks, and insecure ATMs present a soft target for criminals. Hackers are constantly looking for vulnerabilities across the spectrum of bank IT infrastructures and endpoints. And while banks safeguard against sophisticated phishing attacks across other areas of the network, they cannot afford to ignore the dangers to which ATMs are prey. Hackers often view ATMs as easy access to a bank’s infrastructure. And while unauthorized access might not always be preventable, restricting the extent of this infiltration is key.
For example, hacking using hijacked employee credentials has become prevalent in recent years. This issue can be mitigated by centrally securing privileged credentials, with multi-factor authentication, and controlling network access based on need. Thus, hackers are restricted in terms of their mobility through the environment and the extent to which they can compromise security controls and access capital.
Vigilance for Prevention
Moreover, there is an onus on banks to constantly monitor for threat risks. This should involve a holistic approach to how vulnerabilities are identified and should include ATMs as a first line of defense. By constantly monitoring events and patterns, it becomes easier to spot irregularities and unusual activity – for instance, those originating from the unauthorized use of employee credentials. If vigilance is consistent reaction times can become quicker to prevent the siphoning of data or access to cash funds by hackers.
Today, more than ever, there is a need for banks and businesses to recognize that ATMs require the same levels of rolling security provision and upgrading as every other aspect of their infrastructure. Like all other forms of cyber-crime, ATM attacks are changing and adapting all the time. It is therefore essential for banks to understand this threat and to keep the integrity of their ATM security one step ahead.