A sophisticated crime where thieves install malicious software and/or hardware at ATMs—and force the machines to spit out up to 40 bills every 30 seconds—has for some time threatened banks in Europe and Asia. Yet these attacks somehow spared U.S. ATM operators—until now.
Last month, the U.S. Secret Service warned financial institutions that “jackpotting” attacks have targeted ATM machines in the U.S. for the first time. In a jackpotting attack, hackers—typically operating as a team and sometimes posing as ATM repairmen—access an ATM's physical and digital security, install malware, establish remote access and trick the machine into displaying an “out of order “screen. With those hardware and software modifications in place, an attacker can approach the compromised ATM while another thief remotely instructs it to dispense cash.
Jackpotting in part stems from the improved security that protects ATM transactions today. Over the past several years, EMV chip cards and enhanced authentication via consumers’ mobile phones have forced criminals to revert to more brazen physical attacks on ATMs. And with banks focusing on digital channels such as ATM and mobile to drive down costs and better serve customers, it’s no surprise cybercrime is following.
Relatively low-tech skimming attacks still represent most ATM losses. But more coordinated assaults that access the machine directly (via master key and keyboard), along with increasingly sophisticated malware, enable hackers to enjoy much bigger paydays. This trend will continue until banks address key vulnerabilities. To beat skimming, banks should consider card-less security technologies that include mobile authentication via QR code or visual cryptogram.
Given the strategic importance of ATMs for banking, it’s useful to review—and dispel—five ATM security myths. Despite significant efforts by the payment industry to systematically address ATM security, vulnerabilities associated with these devices continue to make them attractive targets for criminals. Let’s separate fact from fiction regarding the safety of ATMs
Myth 1: It’s easy to see and avoid devices implanted in ATMs for theft.
Fact: Criminals use custom designed ATM interface components that fit seamlessly into the card readers of specific manufacturers. Even a trained specialist might find it tough to quickly and casually spot some of these devices.
Myth 2: Chip cards fully halt hacking.
Fact: Chip card technology (EMV), which launched a decade ago in Europe and has spread worldwide, has certainly helped to cut card fraud. But even EMV can’t always prevent fraud. Bad actors can circumvent EMV protections through ultrathin metal or plastic devices installed in the readers, for example.
Myth 3: It takes a sophisticated hacker to steal from an ATM.
Fact: It doesn’t take a sophisticated hacker to defraud an ATM. In 2015, five California teens—ranging in age from 13 to 16—were arrested in for putting card data theft devices at three Lincoln, Nebraska ATMs located in banks. Today, any interested party can become a professional thief in this segment with a modest investment in time and money. Indeed, it’s so simple even an adolescent can do it.
Myth 4: ATM security must depend on the customer.
Fact: Although some IT and security professionals cite customer carelessness in ATM fraud, one growing risk vector has nothing to do with consumer carelessness. Researchers at the Stevens Institute of Technology found that IoT devices such as smartwatches can be hijacked to steal ATM access codes. By collecting hand movement information, electrical and computer engineering professor Yingying Chen and four graduate students could accurately guess passwords and access codes with up to 80 percent success on the first try—and 99 percent within five tries.
Myth 5: Thin copy devices or hidden cameras are the only ATM attack strategies.
Fact: Bank security professionals must look at and beyond reader devices and hidden cameras. There’s a new array of ATM fraud technology tools, such as Bluetooth-enabled devices that install on circuit boards. When fraudulent components are integrated into ATM circuits, thefts can potentially continue for years undetected.
What’s to stop hackers from going after the jackpot, then? While that might never be possible, smart financial institutions that stay informed will gain a clearer view of what today’s ATM threats look like—and as a result, how to combat them. Getting past the myths will keep hackers from getting to the jackpot.
Want more Banking Strategies? Sign up for our free newsletter!
David Vergara is Director, Security Product Marketing at VASCO Data Security and has more than 10 years’ experience in the software security space. He is based in the Chicago area.
If you enjoyed this article, check out: Podcast: Branches, branch tech and the future of banking in 2018 and Excellent executive execution: How to save retail banking.