Cybercriminals began targeting automated teller machine (ATM) software back in 2009. Since then, new ATM malware families have been springing up every year. By 2016, fraudsters realized that the ATMs could be accessed through the network.

Cybercrooks have two options to loot an ATM: leverage direct physical access to an ATM endpoint or gain access to the machine through the network. The latter method is progressively gaining popularity because it eliminates the need to physically access a target ATM, increasing the chance of success. Once the network is compromised and malware is installed on the endpoint, a money mule who is standing by picks up the cash and whisks it away.

This shift to network-based ATM attacks has gone unnoticed by a large number of banks. They understand the variety of physical ATM breaches but don’t realize that cybercriminals are already a step ahead, exploring opportunities for network-based campaigns.

In July 2016, for example, actors withdrew $2.66 million from 41 ATMs at 22 branches of Taiwan’s First Commercial Bank without laying a finger on a PIN pad. Later that summer, the Cobalt cybergang launched coordinated ATM network attacks in several European countries, including the U.K., Spain, the Netherlands, Romania, Poland and Russia.

Three Crucial ATM Network Security Gaps

Such attacks typically stem from three crucial ATM network security gaps that are inherent to a large number of banking institutions. These lapses are obvious and fairly simple to eliminate. If left unmitigated, however, they facilitate easy unauthorized access to ATM networks.

1. Ignoring Network Segregation

Unfortunately, some banks still have flat networks that unite all corporate hardware, including ATMs. A well-planned network architecture requires the ATM network to be separate from the main one. This creates an additional challenge for fraudsters targeting ATM endpoints.

2. Lack of Security Between Networks

Even when banks do segregate networks, little attention is paid to implementing security controls to manage access from one network to another. The two ATM attacks mentioned above are consequences of this mistake, since the cybercriminals managed to breach ATMs via the banks’ main networks.

To protect against ATM network security threats, financial institutions should install perimeter firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS) and antivirus software.
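The two gaps above (a flat network, and a segregated network with nothing controlling traffic between segments) are easy to reason about with a small policy model. The following is an added example, not code from the original article: it models a corporate segment, an ATM segment and a transaction host as allowlist rules with an implicit default deny, and audits a flat layout against a segregated one. All addresses, segment names and port numbers are constructed assumptions.

```python
"""Added example (not from the original article): a tiny model of the access
policy that should sit between a bank's corporate network and a segregated ATM
segment. Segments, addresses and ports are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed segment layout: ATMs in their own subnet, the transaction host
# (the server the ATMs talk to) as a single host, staff in corporate.
SEGMENTS = {
    "atm": ipaddress.ip_network("10.50.0.0/24"),
    "atm_host": ipaddress.ip_network("10.60.0.10/32"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str             # segment name
    dst: str             # segment name
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"


def segment_of(ip: str) -> Optional[str]:
    """Most specific segment wins, so the /32 host beats a wider range."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(SEGMENTS.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return None


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation; anything no rule allows is denied."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    for r in rules:
        if r.src == s and r.dst == d and (r.port is None or r.port == port):
            return r.action == "allow"
    return False


# A flat network behaves like allow-all between every pair of segments.
FLAT = [Rule(s, d, None, "allow") for s in SEGMENTS for d in SEGMENTS]

# Segregated policy: an ATM may only initiate traffic to the transaction host
# on the (assumed) application port. Return traffic is handled by connection
# tracking on a stateful firewall, so no reverse rule is needed here.
SEGREGATED = [Rule("atm", "atm_host", 443, "allow")]

# Flows a reviewer expects a segregated design to block (constructed).
MUST_DENY: List[Tuple[str, str, int]] = [
    ("10.10.3.7", "10.50.0.21", 3389),  # corporate workstation -> ATM RDP
    ("10.10.3.7", "10.50.0.21", 445),   # corporate workstation -> ATM SMB
    ("10.50.0.21", "10.10.3.7", 445),   # ATM -> corporate (lateral movement)
]


def audit(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Return the must-deny flows that the given policy still lets through."""
    return [flow for flow in MUST_DENY if evaluate(rules, *flow)]


if __name__ == "__main__":
    print("flat network leaks:  ", audit(FLAT))
    print("segregated leaks:    ", audit(SEGREGATED))
    print("ATM -> host on 443:  ", evaluate(SEGREGATED, "10.50.0.21", "10.60.0.10", 443))
```

Running it shows the flat layout leaking all three unwanted flows and the segregated policy leaking none while still permitting the one flow an ATM legitimately needs. The same audit list is a useful thing to keep next to a real firewall rule set: when a change request adds a rule, re-run the must-deny checks before it goes live.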

3. Outdated Operating Systems

An overwhelming majority of ATMs installed worldwide still run Windows XP or Windows XP Embedded, which Microsoft stopped supporting in 2014 and 2016, respectively. This means that hundreds of banks are exposed to ATM network security breaches because no patches are issued for these outdated operating systems.

An Advanced Approach to ATM Protection

As ATM network attacks become more sophisticated, it’s important for financial institutions to apply advanced security measures with the help of a security information and event management (SIEM) system. SIEM tools receive logs from the ATM network's controlling server and from the ATM endpoints, and employ correlation rules to help security analysts monitor things such as entries into the network, the launching of unsolicited services, software integrity and antivirus feeds. This delivers a comprehensive overview of the ATM network security posture at any moment.
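The four monitoring areas just listed map directly onto correlation rules. The block below is an added example, not code from the original article or from any SIEM product: it parses a handful of constructed ATM endpoint log lines and applies one rule per area, including a time-window correlation between a network logon from outside the management allowlist and a service installed shortly afterwards. The log format, host names, addresses, file paths, hashes and thresholds are all constructed assumptions.

```python
"""Added example (not part of the original article): a small correlation
engine of the kind a SIEM rule set applies to ATM endpoint logs. The log
format, hosts, hashes and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample logs: "<timestamp> <host> <event> key=value ...".
SAMPLE_LOGS = """\
2016-07-10T02:11:04 atm-0142 logon src=10.10.3.7 user=svc_deploy type=network
2016-07-10T02:11:40 atm-0142 service_installed name=updsvc path=C:\\temp\\upd.exe
2016-07-10T02:12:02 atm-0142 integrity file=C:\\atm\\xfs_bridge.dll sha256=changed01
2016-07-10T03:05:00 atm-0007 logon src=10.60.0.10 user=atmhost type=network
2016-07-10T03:05:30 atm-0007 integrity file=C:\\atm\\xfs_bridge.dll sha256=baseline01
2016-07-10T04:00:00 atm-0099 av_update status=failed age_days=12
"""

# Constructed baselines a defender would maintain centrally.
MANAGEMENT_HOSTS = {"10.60.0.10"}                        # assumed controlling server
EXPECTED_HASHES = {"C:\\atm\\xfs_bridge.dll": "baseline01"}  # assumed golden hash
CORRELATION_WINDOW = timedelta(minutes=5)
AV_MAX_AGE_DAYS = 7


def parse(lines: str) -> List[Dict[str, object]]:
    """Turn raw lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ev: Dict[str, object] = {
            "ts": datetime.fromisoformat(parts[0]),
            "host": parts[1],
            "event": parts[2],
        }
        for kv in parts[3:]:
            if "=" in kv:
                key, value = kv.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def correlate(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Apply four rules per host; return sorted, de-duplicated (host, rule) alerts."""
    alerts = set()
    by_host: Dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[str(ev["host"])].append(ev)

    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            # Rule 1: network logon from a source outside the management allowlist.
            if ev["event"] == "logon" and ev.get("type") == "network" \
                    and ev.get("src") not in MANAGEMENT_HOSTS:
                alerts.add((host, "unexpected_network_logon"))
                # Rule 2: a service installed shortly after that logon is the
                # "unsolicited service" pattern worth escalating.
                for later in evs[i + 1:]:
                    if later["ts"] - ev["ts"] > CORRELATION_WINDOW:
                        break
                    if later["event"] == "service_installed":
                        alerts.add((host, "service_after_foreign_logon"))
            # Rule 3: software integrity drift against the known baseline.
            if ev["event"] == "integrity":
                expected = EXPECTED_HASHES.get(str(ev.get("file")))
                if expected and ev.get("sha256") != expected:
                    alerts.add((host, "integrity_mismatch"))
            # Rule 4: antivirus feed failed or older than the allowed age.
            if ev["event"] == "av_update" and (
                    ev.get("status") == "failed"
                    or int(str(ev.get("age_days", 0))) > AV_MAX_AGE_DAYS):
                alerts.add((host, "av_feed_stale"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, rule in correlate(parse(SAMPLE_LOGS)):
        print(f"ALERT {host}: {rule}")
```

On the sample data, atm-0142 trips three rules (foreign logon, service installed within the window, integrity drift), atm-0007 trips none because its logon came from the allowlisted controlling server and its hash matches, and atm-0099 is flagged only for its stale antivirus feed. In a real deployment the allowlist and golden hashes come from the bank's configuration management, and the window is tuned to how long legitimate deployment jobs actually take.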

Another advanced ATM protection method is penetration testing, which simulates an attack to help security professionals uncover vulnerabilities before fraudsters have a chance to exploit them. Penetration testing checks cover patching, file system security, system access and authentication, auditing and logging, and account configuration.

The implementation of a SIEM system, coupled with annual penetration testing, considerably reduces the attack surface of an ATM network. These advanced ATM protection methods work best on a segregated network with proper security devices installed and operating systems updated.

Banks are already fortifying their ATMs against physical attacks, which have historically been frequent. It is safe to assume that financial institutions will become more meticulous about ATM network security once they reach a breaking point with network-based attacks. Instead of staying a step behind cyberthieves, banks should address network security issues now to escape the financial loss and reputational damage that could result from a widespread ATM breach.
