There has been a significant rise in ATM fraud in the past couple of years, with cybercriminals around the world planning highly co-ordinated attacks that can be completed in a matter of minutes. Briony Richter explores the vulnerabilities that are leaving ATMs exposed.

A recent report by Positive Technologies stated that 69% of tested ATMs were vulnerable to ‘black box’ attacks. It highlighted that criminals could connect a ‘black box’ device to an ATM’s cash dispenser, with the device programmed to send the command to dispense banknotes.

Shockingly, the entire attack – connecting the device to the ATM, bypassing security and collecting the cash – can take just 10 minutes, and this applies to various ATM models.

Positive Technologies experts tested NCR, Diebold Nixdorf and GRGBanking ATMs. Working together, they identified the level of risk for banks and customers. Globally, ATM vulnerabilities have been a significant concern. In January 2018 the US Secret Service, alongside Diebold Nixdorf and NCR, issued urgent warnings about the threat of attacks on ATMs.

These warnings were notable because of the nature of the threat. The Secret Service stated that criminals are planning to plant malware into ATMs or connect special devices to control cash dispensing. These ‘logic attacks’ require intense technical skill, and put the hacker at an advantage as the methods are quieter and the risk of being caught is therefore substantially reduced.

The first reports of ATM malware attacks date back to 2009, with the discovery of Skimer, a Trojan able to steal funds and bank card data. According to NCR, ‘black box’ attacks were uncovered in Mexico in 2017, and spread to the US in 2018. Furthermore, the Positive Technologies ATM vulnerabilities report noted that 85% of ATMs tested were poorly protected against hacker attacks, such as spoofing the processing centre.

As a result, a criminal could interfere with the transaction-confirmation process and fake a response from the processing centre in order to approve every withdrawal request or increase the number of banknotes dispensed.

THE ATM VULNERABILITIES

For those looking to carry out an attack, the parts of an ATM on which they primarily focus are the computer, the network equipment and the main peripherals, in particular the card reader and cash dispenser.

Attacking through these components allows hackers to intercept the card details being processed and interfere with the actual transaction.

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says: “Our research shows that most ATMs have no restrictions to stop connection of unknown hardware devices. So an attacker can connect a keyboard or other devices to imitate user input.

“On most ATMs, there is no prohibition on some of the common key combinations used to access OS functions. What’s more, local security policies were frequently misconfigured or absent entirely. On 88% of ATMs, application control solutions could be bypassed due to poor whitelisting and vulnerabilities – some of them zero-day – contained in this very same application control software.”

According to the Positive Technologies ATM vulnerabilities report, a number of vulnerabilities were found in testing. Of the ATMs tested, 96% showed inadequate protection of communication with the main peripherals. Furthermore, a staggering 88% had insufficient local security policies.

Most of the ATMs allowed freely connecting USB and PS/2 devices. This essentially means a hacker could connect their own device and imitate user input.

The report also noted: “Vulnerabilities allowing access to the hard drive file system are caused by weaknesses in authentication for BIOS access and lack of disk encryption. Malware can communicate with the cash dispenser as the result of poor protection of peripherals, specifically a lack of authentication and encryption between the OS and devices.”

It found that 92% of ATMs had insufficient authentication when accessing BIOS.

Card fraud is rife across the world. According to Financial Fraud Action, £768.8m ($1bn) was lost to fraud in the UK in 2016, with 80% of this through payment cards. Banks and ATM operators have invested heavily to combat these types of crime.

Security devices, such as improved card slots, are being fitted to cash machines to prevent both skimming and card tapping. However, as hacking technology becomes increasingly sophisticated, the best way for the financial sector to manage it is to work out how to move even quicker than the hackers.