ATMs Still a Weak Link for Bank Security

Between physical tampering and rogue software running on the machine itself, securing the hole in the wall has become a priority for banking security. Robin Arnfield looks at the threats and the developments.

Despite security advances such as EMV, ATMs remain vulnerable to physical and software-based fraud attacks. As consumers generally aren’t liable for ATM fraud, card issuers and ATM operators face potentially heavy fraud losses. Counter-measures include deploying anti-skimming technology, installing OS security updates, and “locking down” ATMs so they can’t be controlled by hackers.

“ATMs have long been a source of profitable fraud, principally via skimming devices that grab card information to be used to create fraudulent cards for withdrawing cash or for point-of-sale purchases,” says Bob Meara, senior analyst, Banking Group, at U.S.-based Celent. “Generally, non-bank ATMs are thought to be more likely targets because of the comparatively lighter security surrounding them, although bank-owned ATMs have routinely suffered losses due to skimming.”

As part of the U.S. payment card industry’s migration to EMV chip cards, MasterCard and Visa have respectively set October 2016 and October 2017 as EMV migration deadlines for U.S. ATM operators. 

After these deadlines, if an EMV card is used fraudulently at a U.S. ATM that doesn’t support EMV, the acquirer will be liable for the issuer’s fraud losses. Non-EMV-compliant ATM deployers face being charged by their acquirer for fraud losses, or being disconnected from their acquirer’s network if they don’t migrate to EMV.

“EMV migration will theoretically lessen ATM fraud, but it will take some time for U.S. ATM deployers to accomplish the migration,” says Meara. “In the interim, liability shift rules offer deployers a compelling incentive to make the change. Contactless ATM user authentication – involving the use of contactless cards or smartphone-based m-wallets – may be a better long-term solution, but will be slow in coming.”

As of January 2016, 51% of the 120 U.S. ATM deployers participating in the 2016 ATM Channel EMV Readiness Survey from the ATM Industry Association (ATMIA), had already upgraded over half their fleets to be EMV-capable. However, the survey found that 44% of EMV-capable ATMs weren’t accepting EMV transactions, primarily because that functionality had been turned off by the operator.

When Canada migrated to EMV in 2012, some ATMs were disconnected by their acquirers for failing to migrate to EMV. Ben Knieff, a senior analyst at U.S.-based Aite Group, says some ATMs could be disconnected in the U.S. for the same reason. “But U.S. ATM deployers make a lot of money from surcharges on withdrawals – $3 to $4.50 per withdrawal – so there’s an incentive to migrate to EMV,” he says.

In April 2016, U.S.-based fraud analytics software firm FICO said the U.S. had seen the highest ATM compromise rate ever recorded by its FICO Card Alert Service. The number of U.S. ATMs compromised by skimming devices in 2015 rose by 546% compared with 2014.

Criminal activity was highest at non-bank ATMs such as convenience store ATMs, where 10 times as many ATMs were compromised as in 2014, FICO says. In 2015, non-bank ATMs accounted for 60% of all compromises, up from 39% in 2014.

“Criminals realize EMV’s coming to the U.S. and want to skim while they can,” says Knieff. “You can skim mag-stripe data off EMV cards, but it’s extremely difficult, although technically feasible, to skim card data from EMV chips. Criminals can’t skim from EMV chips on a scale that would be profitable.”

According to Ed O'Brien, director of U.S.-based Mercator Advisory Group's Banking Channels service, U.S. issuers are absorbing large losses from their cards being skimmed. “Consumers don’t pay for card fraud, except for a few hard-to-prove instances, e.g. you wrote your PIN on a Post-it note stuck to your debit card, which you left on your desk,” says Knieff.

“Criminals have been using mag-stripe skimmers to read the mag-stripes on European EMV cards at EMV-compliant ATMs in Europe and make cloned cards for use at non-EMV-compliant ATMs in the U.S.,” says Lachlan Gunn, executive director of the European ATM Security Team (EAST). European cards still carry mag-stripes so that European cardholders can use them in the U.S.

In April 2016, EAST said skimming losses relating to the usage of stolen European card data outside Europe had risen to the highest level since 2008.

“To combat skimming, FICO recommends increased physical security around ATMs, particularly around free-standing ATMs,” TJ Horan, FICO’s vice-president of fraud solutions, says. “We advocate using anti-skimming devices that can detect or inhibit the attachment of alien objects to card readers. These devices come in a variety of forms, but the best anti-skimming devices include functionality allowing the device to shut down the ATM and generate an alert or alarm if it detects tampering.”

“ATM deployers have invested in anti-skimming technologies such as jitter (which uses a jitter motion when a card is inserted in an ATM, to distort the card’s mag-stripe data so it can’t be skimmed) or jamming (which creates random frequencies to scramble skimming devices),” says Knieff. “Many manufacturers are implementing multiple anti-skimming technologies in their devices so, if one tool doesn’t catch the fraud, another will.”

“ATM skimming appears to be slowing in countries that have fully implemented EMV chip cards and deployed enhanced security features such as active jamming and skimmer detection devices,” says Douglas Russell, director of U.K.-based DFR Risk Management. “But it’s still the most prolific ATM fraud type experienced globally. Sophisticated criminal enterprises have learnt to overcome many of the mainstream anti-skimming solutions by making their skimmers extremely thin – so-called ‘insert skimming devices’ – so they can be positioned inside the actual ATM card reader, avoiding active jamming and most detection technologies currently deployed. Eavesdropping, which involves connecting a recording device to the genuine ATM card reader, is also increasing as a popular way to compromise card data at ATMs fitted with anti-skimming solutions.”

Mobile ATM Access
“There are two ways mobile phones can be used to reduce ATM fraud,” says John Gunn, vice-president of corporate communications at U.S.-based VASCO Data Security. “One is with standard bank cards and one is cardless. For the first, a bank could send a one-time-password to the customer’s registered smartphone via secure push methods for keying into the ATM when they use their card. The bank could choose to do this only under higher-risk circumstances – not for one of the customer’s usual ATM locations, withdrawal amount, or time of day.”
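As an added illustration of the risk-based step-up Gunn describes (this is not code from the article or from VASCO): a bank-side check that treats a withdrawal at an unusual location, for an unusual amount or at an unusual hour as higher risk, and only then requires the one-time password pushed to the customer's phone. The profile fields, the thresholds and the HMAC-derived OTP are assumptions for the example.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

@dataclass
class CustomerProfile:
    usual_atms: set            # ATM ids the customer normally uses (assumed profile field)
    usual_hours: range         # local hours in which the customer normally withdraws
    typical_max_amount: int    # largest routine withdrawal, in whole currency units
    push_key: bytes            # per-device secret provisioned at app enrolment (assumption)

def step_up_reasons(profile, atm_id, amount, hour):
    """Return the reasons a withdrawal is out of pattern; an empty list means routine."""
    reasons = []
    if atm_id not in profile.usual_atms:
        reasons.append("unusual location")
    if amount > profile.typical_max_amount:
        reasons.append("unusual amount")
    if hour not in profile.usual_hours:
        reasons.append("unusual time of day")
    return reasons

def otp_for(profile, atm_id, amount, counter, digits=6):
    """One-time password bound to this transaction (HOTP-style dynamic truncation as
    in RFC 4226; binding atm_id and amount into the message is an assumption)."""
    msg = struct.pack(">Q", counter) + atm_id.encode() + struct.pack(">I", amount)
    mac = hmac.new(profile.push_key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def authorise(profile, atm_id, amount, hour, counter, keyed_otp=None):
    """Bank-side decision: routine withdrawals go through; out-of-pattern ones only
    after the pushed OTP has been keyed into the ATM correctly."""
    reasons = step_up_reasons(profile, atm_id, amount, hour)
    if not reasons:
        return True, "approved: in pattern"
    if keyed_otp is None:
        return False, "step-up required: " + ", ".join(reasons)
    expected = otp_for(profile, atm_id, amount, counter)
    if hmac.compare_digest(expected, keyed_otp):   # constant-time comparison
        return True, "approved after OTP"
    return False, "declined: OTP mismatch"
```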

Banks can also let customers do cardless ATM transactions using smartphones, which removes the vulnerability of cards from ATMs, says Knieff.

“In a mobile ATM withdrawal, the customer enters all the transaction details into their m-banking app,” says Gunn. “The bank then presents a QR code on the ATM screen that’s read by the smartphone. If the device and the user match, the transaction goes through and the cash is dispensed. It’s easy for hackers to clone mag-stripe cards, but very challenging to clone smartphones if the device ID is handled properly.”
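The QR-code cardless withdrawal Gunn describes, worked through as an added example with both the bank side and the phone side (this is not any bank's or vendor's protocol). The QR contents, the device-bound secret provisioned at enrolment, the nonce expiry and the redeem request format are all assumptions.

```python
import hmac, hashlib, json, secrets, time

class Bank:
    def __init__(self):
        self.device_keys = {}  # device_id -> secret provisioned at app enrolment (assumption)
        self.staged = {}       # staged_id -> {"user", "device_id", "amount"}
        self.qr_nonces = {}    # nonce -> (atm_id, expiry); one entry per QR shown

    def enrol_device(self, device_id):
        self.device_keys[device_id] = secrets.token_bytes(32)
        return self.device_keys[device_id]

    def stage_withdrawal(self, user, device_id, amount):
        """Step 1: the customer enters the transaction details in the m-banking app."""
        staged_id = secrets.token_hex(8)
        self.staged[staged_id] = {"user": user, "device_id": device_id, "amount": amount}
        return staged_id

    def qr_for_atm(self, atm_id, ttl=60):
        """Step 2: the bank shows a short-lived, single-use QR code on the ATM screen."""
        nonce = secrets.token_hex(16)
        self.qr_nonces[nonce] = (atm_id, time.time() + ttl)
        return json.dumps({"nonce": nonce, "atm": atm_id})

    def redeem(self, req):
        """Step 4: dispense only if the QR is fresh and unused, the staged transaction
        belongs to the requesting device, and the device-bound MAC verifies."""
        entry = self.qr_nonces.pop(req["nonce"], None)     # pop: a replayed QR fails
        txn = self.staged.get(req["staged_id"])
        key = self.device_keys.get(req["device_id"])
        if entry is None or txn is None or key is None:
            return None
        atm_id, expiry = entry
        if time.time() > expiry or txn["device_id"] != req["device_id"]:
            return None
        expected = _tag(key, req["nonce"], atm_id, req["staged_id"])
        if not hmac.compare_digest(expected, req["tag"]):
            return None
        del self.staged[req["staged_id"]]                  # one dispense per staged transaction
        return txn["amount"]

def _tag(key, nonce, atm_id, staged_id):
    return hmac.new(key, f"{nonce}|{atm_id}|{staged_id}".encode(), hashlib.sha256).hexdigest()

def phone_scan(qr_payload, device_id, device_key, staged_id):
    """Step 3: the phone decodes the QR and sends a redeem request whose MAC proves
    possession of the device-bound key and ties the request to this ATM and nonce."""
    qr = json.loads(qr_payload)
    return {"device_id": device_id, "staged_id": staged_id, "nonce": qr["nonce"],
            "tag": _tag(device_key, qr["nonce"], qr["atm"], staged_id)}
```

The amount never travels in the QR or the redeem request; it is taken from the bank's staged record, so a copied QR or a tampered request yields nothing.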

While U.S. banks are rolling out QR code-based mobile ATM access, other cardless ATM access options are one-time PINs sent by SMS, a method used by British banks, and NFC-based m-wallets. NFC readers attached to ATMs can also be used for contactless cards.

Although Bank of America said in May 2016 that its customers will be able to use digital wallets such as Android Pay for cardless ATM withdrawals, Knieff doesn’t think most banks will want to let customers use third-party NFC-based m-wallets for cardless withdrawals. “Potentially Apple Pay, Android Pay, etc. could be used for ATM withdrawals, but issuers want to retain control over ATM transactions,” says Knieff. “I don’t see issuers allowing these third-party wallets to be used for ATM withdrawals.”

“Using bank-issued m-wallets for ATM withdrawals that are based on tokenization of card numbers and Host Card Emulation (HCE) is a counter-measure to criminals who try to capture card information at ATMs,” says Joseph Walent, senior analyst, Emerging Technologies Advisory Service, at Mercator. “Even if a criminal captures a token, there’s very little they can do with it.”

Tokenization involves replacing card numbers in ATM and POS transactions with one-time numbers, with the actual card number stored in a cloud-based HCE software vault run by an issuer or a third party such as MasterCard or Visa.

“NFC-based mobile ATM access will migrate quite quickly to the UK, as NFC is far better accepted there than in the U.S.,” says Knieff. “Most banks will look for multiple modalities of authentication, as some people don’t have smartphones or aren’t comfortable with QR codes.”

Mercator’s O'Brien says a gating factor for NFC-based ATM withdrawals is the need for smartphones to be NFC-compatible. “QR codes and one-time PINs represent an easier, interim solution for banks,” he says. “They can roll out QR code-based solutions now and migrate to NFC-based ATM withdrawals once NFC becomes widely available on smartphones.”

“ATMs supporting biometric authentication are finally gaining traction, driven by a need for enhanced security and as a means of improving financial inclusion,” says DFR Risk Management’s Russell. 

“Japan has led the way with many if not most of its ATMs having fingerprint/finger-vein scanners or palm vein scanners. Elsewhere, voluntary consumer acceptance of biometrics is helped by the number of consumer electronic devices, particularly smartphones, that incorporate biometric capabilities, but biometric systems aren’t inherently secure. Attacks can be successful in compromising biometric ATMs as well as other biometric implementations.”

Malware poses a major threat to ATMs. “The challenge with malware is that many ATMs – even in the U.S. – run old versions of Windows that aren’t supported by Microsoft and aren’t patched with the latest security updates,” says Knieff.

Since April 2014, ATMs still running Windows XP rather than Windows 7 have received no Microsoft security patches, leaving them exposed to malware and network intrusion and in breach of the Payment Card Industry Data Security Standard (PCI DSS) requirement that ATM operators keep their operating systems patched against known vulnerabilities.

“PCI DSS requires ATMs to use patched Windows 10 or Windows 7 software,” says Knieff. “But it takes time to update a bank’s systems. For a large bank with tens of thousands of ATMs, it’s a big project to get all those terminals updated, especially if the bank has ATMs from different vendors.”

“Most of the malware attacks I’ve seen require some degree of physical access,” Knieff says. “It’s quite easy for criminals to plug in USB sticks to ATMs. The question is whether they can scale these physical attacks. If it takes half an hour to infect each ATM with malware and then you have to pay money mules to withdraw the cash, when does it stop being worth it, if you can’t scale the attacks pretty significantly?”

Knieff says that, while there are network software vulnerabilities letting criminals into ATM networks remotely, this attack method is more complicated and requires a lot more skill. “Hackers need to get through a lot of technological gates to break into ATM networks remotely,” he says. “This doesn’t mean it can’t happen, but some criminals have found it easier to go after the physical device, and they get enough of a payday that they’re happy with.”

Kaspersky Lab Research
“In some cases, attackers use malware such as Skimer to turn ATMs into card skimmers for further carding fraud,” says Juan Guerrero, a senior security researcher at Kaspersky Lab. “In most cases, the attackers seek to get cash disbursements from the ATMs. Countermeasures include replacing the default locks and updating the software used to operate the ATMs, removing unnecessary overheads like remote administration software that may grant remote access to attackers, and employing robust anti-malware solutions.”

According to Kaspersky, in 2014-2015 around 100 banks worldwide were affected by the Carbanak ATM malware attack, with losses per bank ranging from $2.5 million to $10 million.

“In Carbanak’s case, ATMs were instructed to disburse cash at a predetermined time, raiding the contents of the ATM, with a money mule standing around waiting for the cash to come out with no interaction required,” says Guerrero.

To guard against malware, ATM applications must run in a locked-down account with minimum privileges, ATM vendor NCR says. Also, ATM deployers should implement effective firewalls and anti-malware software.

But ATM security is more than just best practice. ATM deployers and acquirers are required to comply with the Payment Card Industry Security Standards Council’s standards such as PCI DSS. Penalties for PCI DSS non-compliance include fines as well as liability for fraud losses resulting from breaches.
