Criminals fancy ATMs for the same reason cybercriminals do: convenience. There are some four million cash machines neatly scattered throughout the world, and most are brimming with tens of thousands of bucks. Best of all, no interaction is required to make a withdrawal, benign or otherwise. No surprise, then, that thieves have spent years licking their lips over these electronic banks and dreaming up the most efficient and effective ways to drain them of cash.
What may have started with explosions and outright theft of the machines - methods that remain popular with the smash-and-grab crowd - the more technically inclined lawbreakers have turned their focus to the less dramatic, but potentially more damaging. They are targeting the computing elements of the ATM and bank networks, allowing their crime sprees to grow exponentially more prolific because of the sheer number of machines they can hit before anyone catches on.
This began with crude skimming devices and master password exploits, and elevated to malware that infiltrates the operating system. And these incursions continue to evolve. From tiny, Bluetooth-enabled skimming devices that are barely detectable because of how deeply they can placed inside the card reader to miscreants who are skipping the physical intrusion tactic altogether and instead penetrating the internal network of a bank with malware to remotely access ATMs, attacks against cash machines are not only accelerating - they're maturing.
And just this week, researchers reported on a unique development: ATM malware is now commercially available on the cheap in the cybercriminal underground.
Trustwave SpiderLabs EMEA Senior Security Consultant Neil Burrows, who advises banks on how to better monitor and lock down their ATMs, believes financial institutions can implement better measures to make these public-facing vaults more resilient to attack. He offered the following recommendations for helping keep the villains at bay.
The default locks (to secure the PC internals of) ATMs come supplied with are woefully insufficient. These are usually of the tubular lock variety and are trivial to bypass in a matter of seconds. Upgrading these locks is essential for any ATM in a public space.
Devices that steal credit and debit card information, such as skimmers and card catchers, are becoming more common and sophisticated. Banks should routinely check ATMs for signs of tampering, monitor surveillance cameras closely and activate "chassis" intrusion detection, a feature on some motherboards. Meanwhile, users should also check for signs of tampering by examining the card reader for indications it may be a fake cover the PIN pad when they enter their secret code to avoid a concealed camera possibly installed by the crooks from taking a photo.
Chassis intrusions, as well as the operating system reboots, can be tell-tale signs that an attack is underway. They must be closely monitored in real time to help prevent malicious activity from going unnoticed.
Both CCTV cameras external to the ATM and pinhole security cameras inside the ATM are valuable in helping identify attackers and/or providing assistance with the timeline during a forensic investigation.
Encrypted transaction logs are vital. The latest ATMs now offer full-disk encryption, which is recommended if available. Sometimes attacks involve the non-destructive bending of the side panels (using inflatable wedges, more commonly used to open car doors) to access the internals. Therefore, an ATM in a low-traffic or less-secure environment needs to employ more robust casing and internal lock mechanisms that cannot be easily bypassed by such methods. Reinforced paneling should also be considered to protect access to any USB or other interface ports to help prevent "black box" attacks.
Checks must be performed to ensure all transaction traffic is encrypted and to a sufficient key length (e.g no less than 128-bit), and to verify that "replay" and "protocol downgrade" attacks are unsuccessful.
ATMs in public areas, which are machines that are not through-the-wall models, must not have network cables or routing devices accessible, as these can be easily abused to circumvent security via, for example, man-in-the-middle attacks.
BIOS passwords, USB blocking (to prevent unauthorized boot and HID devices), application whitelisting and strict IP filtering (to permit trusted hosts only) are among the best ways to inhibit all but the most determined attacks against the underlying operating system.
Keeping up to date with the latest ATM vendor-supplied hotfixes is essential, but must not be relied in isolation to prevent the worst from happening. Patching should only be considered beneficial as part of a widely layered security process.
If you are interested in learning more about how a broad and flexible managed security services portfolio can give you and your organization a big lift, let us know.