Aging ATMs Draw Intense Criminal Interest

ATM machines have been back in the news of late, highlighting the various fraud campaigns that target them. NCR, a global ATM giant, says that the aging infrastructure that underpins most ATM machine networks almost guarantees a continued spike in things like skimming and jackpotting.

A Malaysian network of 18 ATMs was recently taken for $1 million by a Latin American cyber-gang using specialized malware. Meanwhile, earlier this month, a two-stage financial attack was discovered that targets multiple ATMs around the world, including in Latin America, Europe and Asia, allowing attackers to remove money via direct manipulation and steal millions.

Owen Wild, NCR’s global marketing director for security compliance solutions, said that aging machines are one of the biggest issues. In the Malaysian incident, for instance, the ATMs were all older-model NCR ATMs, known as Personas, the youngest line of which is seven years old. And that issue is endemic: Consider, for instance, average corner store or bodega ATMs, most of which look like they’ve been through fires and floods and everything in between. They’re not likely to be running the latest version of anything.

Interestingly though, the operating system is not the biggest concern, despite the fact that Windows XP, the OS that Microsoft no longer supports or patches, is still used in many cases.

“Most of these attacks come down to two different ways of jackpotting the ATM,” Wild said, speaking to security researcher Brian Krebs, in a Q&A. “The first is what we call ‘black box’ attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure in the processing of the ATM and sending an unauthorized cash dispense code to the ATM. That was the first wave of attacks we saw that started very slowly in 2012, went quiet for a while and then became active again in 2013.”

He continued, “The second type that we’re now seeing more of is attacks that start with the introduction of malware into the machine, and that kind of attack is a little less technical to get on the older machines if protective mechanisms aren’t in place.”

The main protective measure, he added, is locking down the BIOS so that it can’t boot from a USB or CD drive—the main vector for criminals.

While the European ATM Security Team (EAST) said in a recent report that there was a 42% decrease in ATM-related fraud attacks when compared to the same period in 2013, losses and targets have widened.

So even though card skimming incidents fell by 21% (in a continuation of a downward trend that started in 2010), cash trapping attacks fell by 52% and incidences of transaction reversal fraud declined by 96%, overall ATM-related fraud losses totaled €132 million for the first half of the year, up 7% from the €124 million reported a year ago.

Most worrying to EAST, criminals are expanding their targets for ATM fraud. The organization said that it tracked at least 20 incidents involving ATM jackpotting with malware in Europe in the first half of this year—a first for the region.

“These were ‘cash out’ or ‘jackpotting’ attacks and all occurred on the same ATM type from a single ATM deployer in one country,” EAST Director Lachlan Gunn said. “While many ATM malware attacks have been seen over the past few years in Russia, Ukraine and parts of Latin America, this is the first time that such attacks have been reported in Western Europe. This is a worrying new development for the industry in Europe.”

Until ATM owners update their machines and take appropriate security steps—including physical security—it’s likely that ATM attacks will continue to widen their focus and increase their takes.

“The trend toward these new forms of software-based attacks is occurring industry-wide,” Wild said. “It’s occurring on ATMs from every manufacturer, multiple model lines, and is not something that is endemic to NCR systems.”
