Hacking ATMs with malicious software or traditional physical attacks is becoming one of the most worrisome trends in the banking sector in 2018. The wave of "jackpotting" attacks, which swept across the countries in Asia, North and South America at the beginning of the year, continues as series of similar crimes occur in European countries, including the post-Soviet space.
The main problem for financial institutions is that they have to protect their self-service infrastructure from completely different types of attacks, and there is no cure-all solution to all possible problems.
It is important to understand that financial institutions are protecting not only their physical assets (the terminals themselves) and stored money, but also their intellectual property and business-crucial data about their activities and customers, as well as their reputation as reliable providers of banking services.
However all the threats we will be examining can be divided into three main types. Each group of vulnerabilities has its own specifics and requires the consolidation of multiple departments of the bank (technical department, security department, customer service departments) and an experienced technology partner.
1. Physical attacks on ATMs
According to recent statistics, the most popular attacks on self-service devices are performed with rather primitive means: trying to saw or break open the ATM, which in most cases takes a lot of time and attracts the attention of the police. In 8 out of 10 cases of such physical attacks, it is quite easy to track criminals, and they do not even have time to access the stored money.
Cybercriminals using special means, in particular, explosives possess a higher threat to banks. For example, an ATM can be filled with gas and blown up, which will attract the attention of the security service only at the very last moment. In recent years, up to 30 such cases have been recorded in the world, and annual damage ranges from 170 to 200 million euros.
Preventing such attacks is the prerogative of the security service. Reliable installation of self-service devices, effective use of video surveillance systems and quick notifications from the sensors installed on the terminals - help minimize the risk of the criminals disappearing without a trace along with the cash and the self-service device itself.
2. Intrusion attacks through ATMs
An even greater threat comes from attackers being able to access and reprogram the hardware of the self-service device using malicious software installed directly on the terminal itself. To do this hackers drill a small hole to access the ATM computer on which they install special software via the USB port, for example, the Green Dispenser Trojan or the software part of the Cutlet Maker kit, which is freely available to hackers of such devices around the world.
The malicious software on the compromised devices is not easy to detect for the security staff of the bank, so criminals manage to carry out the preparatory stage without much risk. They seal the video cameras and drill a small hole in the terminals shell (which only takes a few minutes). After that, because ATM computers are usually protected by standard antivirus software or not protected at all, all that is left is to insert a USB stick or gain control of the ATM computer through the USB port.
The malicious program instructs the dispenser to issue all the banknotes stored in the cassettes of the ATM before the security service has time to respond adequately. The speed and the ease of compromise is why logical attacks are the most effective way of stealing money.
The best way to protect devices from hackers is to use specialized solutions that restrict access to the device from outside processes and other various manipulations. Creating a "sandbox" environment for the hardware and software of the ATM allows you to automatically detect any suspicious activity on the terminal and instantly inform the responsible personnel while simultaneously running one of the protective scenarios.
3. Global malware attacks on the IT infrastructure of the bank
However, often the point of penetration for criminals who want to empty ATMs or payment kiosks is not the terminal itself, but other parts of the bank's IT infrastructure. Unoptimized work processes, high staff rotation with access to important internal information and low technological level of financial organizations makes the attack surface even greater, and the job of the security service becomes greatly complicated.
For this reason, practically no ATMs are connected to the internal bank network, access to which from the outside is practically impossible. The use of VPNs, TLS protocols, special "firewalls" together with decisions on strict (ultimatum) delineation of access rights allows concentrating protective resources around the most vulnerable part of the banking infrastructure.
Thus, even in the case of hacking banking databases (for example, Internet banking), ATMs and payment kiosks are relatively safe. Their defense system should be detached and generally independent of what is happening outside of it. Nevertheless, only companies with a large practical experience in this field can check the correctness of the configuration of all self-service device protection systems.
Tomas Augucevičius, Deputy General Director of Banking Technology Company BS/2