ATM security is not just about having strong locks physically locking down the machines. It also requires protecting the IT security of bank networks more generally.
This is underscored by an advisory that was just issued by the Federal Financial Institutions Examination Council (FFIEC) notifying financial organizations of the risk of what they have dubbed 'unlimited operations' attacks.
"Unlimited Operations are a category of ATM cash-out fraud where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals," according to the FFIEC. "Criminals perpetrate the fraud by initiating cyber-attacks to gain access to web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information. A recent Unlimited Operations attack netted over $40 million in fraud using only 12 debit card accounts."
The attacks typically start with malicious emails sent to employees, according to the FFIEC. Once the malware is installed, the criminals use it to monitor the institution's network to determine how the bank accesses ATM control panels and obtain employee login credentials. These controls are used to manage the amount customers of money customers can withdraw in a certain timeframe as well as any geographic limits on withdrawals.
Following an attack on an institution’s ATM control panels, criminals use fraudulent debit, prepaid or ATM cards they create with account information and personal identification numbers (PINs) stolen through separate attacks using skimmers or other means. From there, crews of "cashers" are responsible for actually withdrawing the cash. Criminals may conduct their operations during holidays and weekends to take advantage of increased cash levels in ATMs and limited monitoring by financial institutions during non-work hours, according to the FFIEC.
Mike Park, managing consultant at Trustwave, said these types of multi-stage attacks by determined group can be challenging to fight. Still, he added, the attack demonstrate the importance of maintaining a "full and far-reaching security program for all aspects of the ATM environment," including the ATM network, management interfaces and protocols and the software on the ATM itself.
"PCI DSS compliance is a good start and a good baseline, but it is just that - a baseline," he added. "To try to achieve the best level of security possible, small and medium sized banks and ATM networks need to proactively test their ATM networks, the physical ATM security and the security of the applications running on the ATM themselves, as well as the security of any backend ATM Management applications. They should also frequently scan applications to help identify vulnerabilities before they become a problem."
Andreas Baumhof, chief technology officer at ThreatMetrix, agreed, adding that the payment ecosystem is very complex.
"More regulation will certainly help as it sets a clear boundary of things that need to be done," he said. "It will never be enough though. For this we need regulation that incentivizes companies to do the right thing. Data breach notification is a good example where it is not a regulation to “fix” a problem, but rather makes sure that companies do the right thing."
"We need to have a more holistic view of all of these things," he continued. "At the moment a payment processor can say, 'Hey, I'm doing everything correct to protect my customers, but there is nothing I can do if Target or LinkedIn or anyone else for that matter'. The problem is in between there, and we need a more holistic view to solve it."
According to the FFIEC, there are a number of steps organizations can take. For starters, they can limit the number of elevated privileges across the institution, including administrator accounts, as well as the ability to assign elevated privileges to critical systems that manage the institution's card issuer authorizations and ATM management systems. They should also consider updating all credentials and monitoring logs for use of old credentials and consider establishing authentication rules such as time-of-day controls for web-based control panels.