ATM Malware Attacks: Stop Hackers from Cashing In
Posted on Monday, January 29th, 2018 by

Preventing ATMs From Being Hacked

 

In an era of digitalization and unlimited connectivity, an increasing number of banks are reporting fraud cases connected to their Automated Teller Machines (ATM).

One way to prevent ATM fraud is to monitor the ATM network directly and on a 24/7 basis. The objective of ATM Monitoring is to stop client data theft by preventing malicious individuals from infiltrating the system directly through ATMs or by using malware that infects the organization from inside to eventually reach ATMs.


 

How does ATM Monitoring work?

There are two different types of ATM monitoring:

  1. Monitoring the ATM itself: the machine generates logs whose information can be processed as security alerts.
  2. Monitoring the bank’s internal network and the ATM infrastructure, over which the ATM communicates with the servers inside the company.

ATM Monitoring combines both methods to get a holistic view of the risk that a bank may be exposed to.

 

Impact of ATM Attacks

Unfortunately, ATM security is currently weak because banks tend to focus primarily on physical security as opposed to information security. In most cases, they have on-premises security agents looking out for suspicious behavior or monitoring security camera footage.

Banks typically analyze operations or the information generated when machines are used. Then, they report whether a credit card has been stolen or is no longer valid, or whether somebody is attempting ATM skimming by plugging a fake card reader into the ATM. In any case, there is no real overall security view that covers internal bank security or repeated suspicious behavior.

As mentioned above, we see an increasing number of sophisticated ATM attacks. The latest attacks originate from inside the bank, from malware that targets the ATM network and infects multiple machines. For example, an employee could open a suspicious email attachment that turns out to be an ATM malware attack, infecting the bank servers and eventually the ATM servers. A virus could then spread to several ATMs and simulate communications with the bank’s headquarters, so that a fraudulent credit card (with a certain code when inserted) gains server validation and can control the entire machine. Organized teams then run physical campaigns that determine where this fake card is used, trying to steal millions of dollars from ATMs.

Financial institutions are worried about these new attack types and seek ways to protect their systems to avoid potentially disastrous consequences. In general, attacks causing massive withdrawals are more costly than physical ATM attacks. If you empty 5 ATMs at once with an ATM network attack, knowing that a few million dollars can be available in machines, the impact would be massive. Malware attacks are much more costly from an operational perspective, especially compared to stealing 5 credit cards in a row from ATM users to retrieve only a few thousand dollars from their bank accounts.

 

ATM Theft and Fraud

ATMs work by performing simple requests that validate whether the card number is known, whether the user is authorized and what the maximum amount allowed for withdrawal is, in order to send an approval to the server using a private signature.

A commonly known case of ATM fraud is to open the machine and connect a cell phone that emulates the bank server. The phone runs software that replaces the communication with that server. This can be prevented with ATM Monitoring because a holistic security system is added to the current physical ATM security and gathers the information collected from all monitored ATMs. Log monitoring helps identify fraudulent cards and massive ATM attacks.

An ATM monitoring solution provides a complete view of the lifecycle of the information collected from the machine and the client’s credit card, as well as of malware infection coming from emails and the servers.
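The cross-ATM log correlation described above, sketched as an added example that is not from the original article or from Hitachi's service: it flags dispenses the bank host never approved and cards dispensing at several ATMs within a short window. The log layout, field names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs; the key=value layout is an assumption, not a vendor format.
ATM_JOURNAL = """\
2018-01-28T03:01:10 atm=A01 card=tok_9f2 amount=200 auth=550001
2018-01-28T03:02:40 atm=A02 card=tok_c71 amount=4000 auth=550002
2018-01-28T03:04:05 atm=A03 card=tok_c71 amount=4000 auth=550003
2018-01-28T03:06:30 atm=A04 card=tok_c71 amount=4000 auth=550004
2018-01-28T03:09:00 atm=A05 card=tok_1ab amount=3000 auth=999999
"""
HOST_AUTH_LOG = """\
2018-01-28T03:01:08 atm=A01 card=tok_9f2 amount=200 auth=550001
2018-01-28T03:02:38 atm=A02 card=tok_c71 amount=4000 auth=550002
2018-01-28T03:04:03 atm=A03 card=tok_c71 amount=4000 auth=550003
2018-01-28T03:06:28 atm=A04 card=tok_c71 amount=4000 auth=550004
"""

def parse(text):
    """Turn 'timestamp key=value ...' lines into dicts with typed ts and amount."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"], rec["amount"] = datetime.fromisoformat(ts), int(rec["amount"])
        events.append(rec)
    return events

def unauthorized_dispenses(atm_events, host_events, skew=timedelta(seconds=30)):
    """ATM-side dispenses with no matching approval in the real host's own log."""
    approved = defaultdict(list)
    for h in host_events:
        approved[(h["atm"], h["card"], h["auth"], h["amount"])].append(h["ts"])
    return [a for a in atm_events if not any(
        abs(a["ts"] - t) <= skew
        for t in approved.get((a["atm"], a["card"], a["auth"], a["amount"]), []))]

def multi_atm_cards(atm_events, min_atms=3, window=timedelta(minutes=10)):
    """Cards that dispensed at min_atms or more distinct ATMs inside one window."""
    by_card = defaultdict(list)
    for a in sorted(atm_events, key=lambda e: e["ts"]):
        by_card[a["card"]].append(a)
    flagged = {}
    for card, evs in by_card.items():
        for first in evs:
            atms = {e["atm"] for e in evs if timedelta(0) <= e["ts"] - first["ts"] <= window}
            if len(atms) >= min_atms:
                flagged[card] = sorted(atms)
                break
    return flagged
```

The first check only works when the host log is collected independently of the ATM, which is why both monitoring types are needed.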

 

Insider Threats – A Real Danger

By monitoring cash-dispensing machines, you can also know if a collaborator is in collusion with a criminal group. For example, the collaborator (a bank employee) may have been paid to give privileged access to a fake client (Client A). The collaborator receives $100,000 to perform a fund transfer. The collaborator then collects the username and password previously left on a colleague’s desk and uses it to cover his/her identity and access the bank server. The collaborator figures out the password to access Client A’s account and edits the sum deposited in the account from $10 to $1,000,000, simply by adding a few zeros. Client A is a millionaire and the collaborator is not discovered.

 

24/7 ATM Monitoring

Without 24/7 security monitoring, security elements can slip through the cracks. For instance, attacks usually occur outside business hours. At that time, fewer staff are available, and individuals lack focus or are not swift enough to react.

If you shift to a 24/7 Security Operations Center (SOC) that provides continuous and systematic attention, the response chain on a Sunday morning at 3:00 am will be as responsive as on a Monday at 4:00 pm. The benefit of ATM monitoring is that it leverages the distinct competencies and capabilities of a SOC. ATMs represent a different source of logs but they contain the same kind of information analyzed for other types of monitoring. Therefore, Information Security Analysts follow a similar log processing workflow with no additional training.

Of course, one may wonder why ATM Monitoring software alone cannot be used to detect fraud. The difference between ATM Monitoring as software and as a service is that software can’t understand all potential attack scenarios; human intelligence becomes key. The ATM Monitoring service is delivered by Analysts who deal with a large variety of cyberattacks on a daily basis. Analysts leverage their comprehensive security knowledge to interpret specific cases that wouldn’t normally be detected by software.

Hitachi Payment Services, producer of ATMs, owns valuable information about ATM hacks from ATM frauds reported directly by clients. As a partner benefiting from direct threat intelligence, Hitachi Systems Security is a pioneer in ATM monitoring and has a competitive advantage that allows us to be one of the first vendors in the world to deliver a 24/7 ATM protection service.


About the author:
Patrik Heuri advises and supports the company’s clients to ensure they implement risk management and develop data leak prevention frameworks properly. Prior to joining Hitachi Systems Security, Patrik was the global head of information security risk at HSBC, where he was responsible for creating a medium- and long-term risk strategy in information protection for the private banking division. During his time at HSBC, Patrik played a large role in successfully mitigating the damages of Swiss Leaks.
