Security Experts:

The Latest Threats to ATM Security

Attacks against automated teller machines (ATMs) are nothing new, for obvious reasons. They are a perfect target for both conventional thieves and hackers, standing at the intersection of physical theft and cyber crime. Particularly in the developing world, ATMs often lack basic cybersecurity precautions, with archaic operating systems and minimal authentication requirements within the machines. The past few years have seen criminals applying their creativity to stealing money from ATMs, with considerable success. Methods of attack have included:

• Insert skimmers—physical devices placed in card slots to capture information from swiped cards.

• Remote cyber attacks—taking control of ATM servers to dispense cash, using malware like ATMitch.

• Direct malware attacks—using physical access to an ATM to deploy malware variants like Ploutus-D.

2018 saw at least two new major threats to ATM security: a “jackpotting” attack that presents a unique challenge because of its speed, efficacy, and comparative lack of resources required from attackers; and “shimming”, a simple way to steal data from chip-enabled cards. 

Jackpotting

Thieves have come up with many different ways to trick ATMs into spitting out large amounts of cash, but this new variation was first found in Europe around 2016 and has been tied to approximately a dozen attacks in 2018. It involves cutting a small hole next to the PIN pad, inserting a cable to connect a laptop, and commanding the ATM to dispense its money. Researchers from Kaspersky were able to recreate the attack using just $15 worth of equipment, swapping out the laptop for a simple microcomputer. 

The attack works because the minimal encryption and authentication requirements in many ATMs mean that once certain ports are accessed, the attacker has total control. What makes this technique so potentially dangerous is that it can dispense cash in just a few seconds and empty an ATM within minutes. Jackpotting has always been difficult to pull off in the developed world, because of faster police response times, but the speed of this technique could make it extremely lucrative in any country. Fortunately, this type of attack does not affect consumers, but it could become a major problem for financial institutions.

Shimming

As previously mentioned, “skimming” is when thieves insert a device into an ATM’s card reader to steal data from swiped cards. “Shimming” is a new variation on this attack that can steal data from chip-enabled cards in ATMs or point-of-sale machines using a paper-thin insert in the card reader. 

This type of attack is more expensive to pull off than the jackpotting attack, because of the tech involved, but it’s especially dangerous because of how simple the attack is. All thieves need is a few seconds of access to the machine, and it can be quite hard to detect once deployed. The best way to spot the shimmer is by feeling for the tighter fit that the device creates when inserting a card.

Once a card has been compromised, the attackers can create a replica of the card for use in swipe machines. To my knowledge, they are currently unable to create a chip-enabled duplicate to be used for insert and tap payments. For this reason, chip cards are still a more secure option for consumers.

What Should Businesses Do to Protect ATMs?

The current state of ATM security is far from optimal, but the unique security challenges around ATMs make improvements difficult. That said, there are short- and long-term possibilities to make these types of attacks, and others, more difficult to pull off.

Better physical security will make the biggest difference, because even most malware attacks start with physical access to the ATM. However, this is easier said than done, especially in developing countries and rural areas. ATMs could conceivably be built to shut down completely when anyone tampers with the machine, but manufacturers are unlikely to do so because of how easy it would be to trigger a false positive and disable the machine.

For better digital security, ATM manufacturers should leverage more encryption within the software of the machines, require more authentication measures, disable unused ports, and create whitelists of allowed processes so that alerts are automatically generated by unauthorized processes—just to name a few ideas.

There are some promising developments in the industry that could lead to better ATM security in the long term. Many ATM companies are moving fully off of Windows XP—which has long been one of the biggest weaknesses in ATM cybersecurity—to Windows 7 or 10, with the deadline to upgrade coming in January 2019. Separately, a group of 125 ATM companies are looking at developing their own standard for ATM software, with the goal of moving away from Windows entirely. However, this will take some time, so upgrading operating systems is an important intermediary step.

There are some potential upgrades in security that would come at the cost of convenience, and therefore might not be implemented any time soon. For example, requiring two-factor authentication for withdrawals and transactions over a certain dollar amount would go a long way to reduce the value of skimmed cards, but would consumers tolerate the inconvenience?

What Should Consumers Do to Protect Themselves?

To avoid shimming, skimming, or other methods of payment card information theft, use tap payments and smartphone payments like Apple Pay when possible. They are safer due to being much harder for thieves to replicate. When using ATMs, look for machines inside banks, or in well-lit, busy areas that would not allow thieves any uninterrupted access. When using an ATM that you think may have been compromised, look for anything that seems out of place. Scratch marks on the surface of the machine or any disturbance around the keypad might suggest that the machine has been tampered with. To avoid shimmers, feel for unusual resistance when inserting your card. Finally, it is wise to check your transaction records regularly to look for any unauthorized payments.

view counter
Stan Engelbrecht is the Director of Cybersecurity Practice at D3 Security and an accredited CISSP. Stan is involved throughout the product delivery and customer success lifecycle, and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media, and as the chapter president for a security special interest group.