The battle for ATMs. How criminals break into self-service devices today

Hacking ATMs with malicious software or traditional physical attacks is becoming one of the most worrisome banking sector trends in 2018. The wave of “jackpotting” attacks, which swept across the countries in Asia, North and South America at the beginning of the year, continues a series of similar crimes in European countries, including the post-Soviet space.

Financial institutions’ main problem is that they have to protect their self-service infrastructure from completely different types of attacks, and there is no cure-all solution to all possible problems.

It is important to understand that financial institutions are protecting not only their physical assets (the terminals themselves) and stored money, but also their intellectual property and business-crucial data about their activities and customers, as well as their reputation as reliable providers of banking services.

However, all the threats we will be examining can be divided into three main types. Each group of vulnerabilities has its own specifics and requires the consolidation of multiple bank departments (technical department, security department, customer service departments) and an experienced technology partner.

1. Physical attacks on ATMs

According to recent statistics, the most popular attacks on self-service devices are performed with rather primitive means: trying to saw or break open the ATM, which in most cases takes a lot of time and attracts the attention of the police. In 8 out of 10 cases of such physical attacks, it is quite easy to track criminals, and they do not even have time to access the stored money.

Cybercriminals using special means, in particular, explosives, possess a higher threat to banks. For example, an ATM can be filled with gas and blown up, which will attract the security service’s attention only at the very last moment. In recent years, up to 30 such cases have been recorded globally, and annual damage ranges from 170 to 200 million euros.

Preventing such attacks is the prerogative of the security service. Reliable installation of self-service devices, effective use of video surveillance systems, and quick notifications from the sensors installed on the terminals – help minimize the risk of the criminals disappearing without a trace along with the cash and the self-service device itself.

2. Intrusion attacks through ATMs

An even greater threat comes from attackers being able to access and reprogram the self-service device’s hardware using malicious software installed directly on the terminal itself. To do this, hackers drill a small hole to access the ATM computer. They install special software via the USB port, for example, the Green Dispenser Trojan or the software part of the Cutlet Maker kit, which is freely available to hackers of such devices worldwide.

The malicious software on the compromised devices is not easy to detect for the bank’s security staff, so criminals manage to carry out the preparatory stage without much risk. They seal the video cameras and drill a small hole in the terminal’s shell (which only takes a few minutes). After that, because ATM computers are usually protected by standard antivirus software or not protected at all, all that is left is to insert a USB stick or gain control of the ATM computer through the USB port.

The malicious program instructs the dispenser to issue all the banknotes stored in the ATM’s cassettes before the security service has time to respond adequately. The speed and the ease of compromise are why logical attacks are the most effective way of stealing money.

The best way to protect hackers’ devices is to use specialized solutions that restrict access to the device from outside processes and other various manipulations. Creating a “sandbox” environment for the ATM hardware and software allows you to automatically detect any suspicious activity on the terminal and instantly inform the responsible personnel while simultaneously running one of the protective scenarios.

3. Global malware attacks on the IT infrastructure of the bank

However, the point of penetration for criminals who want to empty ATMs or payment kiosks is not the terminal itself but other parts of the bank’s IT infrastructure. Unoptimized work processes, high staff rotation with access to important internal information, and low technological level of financial organizations make the attack surface even greater. The job of the security service becomes greatly complicated.

For this reason, practically no ATMs are connected to the internal bank network, access to which from the outside is practically impossible. The use of VPNs, TLS protocols, special “firewalls” together with decisions on strict (ultimatum) delineation of access rights allows concentrating protective resources around the most vulnerable part of the banking infrastructure.

Thus, even in hacking banking databases (for example, Internet banking), ATMs and payment kiosks are relatively safe. Their defense system should be detached and generally independent of what is happening outside of it. Nevertheless, only companies with a large practical experience in this field can check the correctness of all self-service device protection systems’ configuration.

BS/2 offers comprehensive security audit services for the fleet of banks’ self-service devices and protects the most vulnerable part of the infrastructure from attacks of any type. BS/2 offers the ATMeye.iQ solution, which protects more than 80,000 devices worldwide, and Diebold Nixdorf’s Vynamic Security solution – a world-leading firm in the field of banking technology. Contact BS/2 representatives for detailed information on the audit procedure, the functionality of the software solutions, and its implementation stages.

Did you like our material? Subscribe to our regular newsletter to receive the most interesting topics and exclusive offers from BS/2.