Closing ATM Network Security Gaps to Stop Fraudsters in Their Tracks

Cybercriminals began targeting automated teller machine (ATM) software back in 2009. Since then, new ATM malware families have been springing up every year. By 2016, fraudsters realized that the ATMs could be accessed through the network.

Cybercrooks have two options to loot an ATM: leverage direct physical access to an ATM endpoint or gain access to the machine through the network. The latter method is progressively gaining popularity because it eliminates the need to physically access a target ATM, increasing the chance of success. Once the network is compromised and malware is installed on the endpoint, a money mule who is standing by picks up the cash and whisks away.

This shift to network-based ATM attacks has gone unnoticed by a large number of banks. They understand the variety of physical ATM breaches but don’t realize that cybercriminals are already a step ahead, exploring opportunities for network-based campaigns.

In July 2016, for example, actors withdrew $2.66 million from 41 ATMs at 22 branches of Taiwan’s First Commercial Bank without laying a finger on a PIN pad. Later that summer, the Cobalt cybergang launched coordinated ATM network attacks in several European countries, including the U.K., Spain, the Netherlands, Romania, Poland and Russia.

Three Crucial ATM Network Security Gaps

Such attacks typically stem from three crucial ATM network security gaps that are inherent to a large number of banking institutions. These lapses are obvious and fairly simple to eliminate. If left unmitigated, however, they facilitate easy unauthorized access to ATM networks.

1. Ignoring Network Segregation

Unfortunately, some banks still have flat networks that unite all corporate hardware, including ATMs. A well-planned network architecture requires the ATM network to be separate from the main one. This creates an additional challenge for fraudsters targeting ATM endpoints.

2. Lack of Security Between Networks

Even when banks do segregate networks, little attention is paid to implementing security controls to manage access from one network to another. The two ATM attacks mentioned above are consequences of this mistake, since the cybercriminals managed to breach ATMs via the banks’ main networks.

To protect against ATM network security threats, financial institutions should install perimeter firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS) and antivirus software.

3. Outdated Operating Systems

An overwhelming majority of ATMs installed worldwide still run Windows XP or Windows XP Embedded, which Microsoft stopped supporting in 2014 and 2016, respectively. This means that hundreds of banks are exposed to ATM network security breaches due to the absence of patches for these outdated operating systems.

An Advanced Approach to ATM Protection

As ATM network attacks become more sophisticated, it’s important for financial institutions to apply advanced security measures with the help of a security information and event management (SIEM) system. SIEM tools receive logs from a controlling network server and ATM endpoints, and employ correlation rules to help security analysts monitor things such as entries into the network, the launching of unsolicited services, software integrity and antivirus feeds. This delivers a comprehensive overview of the ATM network security posture at any moment.
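To make the four monitoring points above concrete, here is an added example (not from the original article or any SIEM product) of the kind of correlation logic a SIEM rule set encodes: it parses constructed log lines from an ATM endpoint, fires one rule per category, and escalates a host only when several independent rules hit it. The log format, the ATM subnet range and the process allow-list are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample events in an assumed "timestamp host KIND key=value ..." format.
SAMPLE_LOGS = [
    "2016-07-10T02:14:03Z atm-017 NET src=10.8.3.44 dst=10.20.1.17 action=accept proto=tcp dport=445",
    "2016-07-10T02:14:09Z atm-017 PROC user=SYSTEM image=C:\\Windows\\Temp\\svc.exe parent=cmd.exe",
    "2016-07-10T02:14:20Z atm-017 INTEGRITY file=C:\\ATM\\xfs\\cdm.dll hash=ab12 expected=ab12",
    "2016-07-10T02:14:31Z atm-017 INTEGRITY file=C:\\ATM\\xfs\\dispenser.dll hash=9f3c expected=77d1",
    "2016-07-10T02:15:00Z atm-017 AV status=stopped",
    "2016-07-10T08:00:00Z atm-003 PROC user=SYSTEM image=C:\\ATM\\app\\agent.exe parent=services.exe",
]

ATM_SUBNET = "10.20."  # assumed address range of the segregated ATM network
# Assumed baseline of binaries that may legitimately start on an ATM endpoint.
ALLOWED_IMAGES = {"c:\\atm\\app\\agent.exe", "c:\\windows\\system32\\svchost.exe"}

def parse(line):
    """Split one log line into a dict of timestamp, host, event kind and key=value fields."""
    ts, host, kind, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "host": host, "kind": kind, **fields}

def correlate(lines):
    """Apply one detection rule per monitored category; return (host, rule, detail) alerts."""
    alerts = []
    for ev in map(parse, lines):
        if ev["kind"] == "NET" and not ev["src"].startswith(ATM_SUBNET):
            alerts.append((ev["host"], "entry from outside ATM network", ev["src"]))
        elif ev["kind"] == "PROC" and ev["image"].lower() not in ALLOWED_IMAGES:
            alerts.append((ev["host"], "unsolicited service launched", ev["image"]))
        elif ev["kind"] == "INTEGRITY" and ev["hash"] != ev["expected"]:
            alerts.append((ev["host"], "software integrity violation", ev["file"]))
        elif ev["kind"] == "AV" and ev["status"] != "running":
            alerts.append((ev["host"], "antivirus not running", ev["status"]))
    return alerts

def hosts_to_escalate(alerts, threshold=3):
    """Correlation rule: distinct rule hits on one endpoint suggest compromise, not a one-off fault."""
    per_host = defaultdict(set)
    for host, rule, _ in alerts:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)

if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    for host, rule, detail in found:
        print(f"{host}: {rule} ({detail})")
    print("escalate:", hosts_to_escalate(found))
```

In a real deployment the allow-list and expected hashes would come from a maintained baseline and the window would be time-bounded, but the shape of the rules is the same.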

Another advanced ATM protection method is penetration testing, which simulates an attack to help security professionals uncover vulnerabilities before fraudsters have a chance to exploit them. Penetration testing checks cover patching, file system security, system access and authentication, auditing and logging, and account configuration.

The implementation of an SIEM system, coupled with annual penetration testing, considerably reduces the attack surface of an ATM network. These advanced ATM protection methods work best on a segregated network with proper security devices installed and operating systems updated.

Banks are already fortifying their ATMs against physical attacks, which have historically been frequent. It is safe to assume that financial institutions will become more meticulous about ATM network security once they reach a breaking point with network-based attacks. Instead of staying a step behind cyberthieves, banks should address network security issues now to escape the financial loss and reputational damage that could result from a widespread ATM breach.

Serguei Tchesnokov

Senior SIEM Consultant, ScienceSoft

IBM certified Security Professional with a 10-year background in Security Information and Event Management (SIEM) and a 17-year work experience in Information Technology. Serguei’s portfolio includes projects on architecture design, integration, and deployment of security solutions based on IBM Security QRadar SIEM, IBM TSIEM/TCIM, IBM Security Identity Manager (SIM) for healthcare, banking, financial and governmental organizations.