Cybercriminals began targeting automated teller machine (ATM) software back in 2009. Since then, new ATM malware families have been springing up every year. By 2016, fraudsters realized that the ATMs could be accessed through the network.

Cybercrooks have two options to loot an ATM: leverage direct physical access to an ATM endpoint or gain access to the machine through the network. The latter method is progressively gaining popularity because it eliminates the need to physically access a target ATM, increasing the chance of success. Once the network is compromised and malware is installed on the endpoint, a money mule who is standing by picks up the cash and whisks away.

This shift to network-based ATM attacks has gone unnoticed by a large number of banks. They understand the variety of physical ATM breaches but don’t realize that cybercriminals are already a step ahead, exploring opportunities for network-based campaigns.

In July 2016, for example, actors withdrew $2.66 million from 41 ATMs at 22 branches of Taiwan’s First Commercial Bank without laying a finger on a PIN pad. Later that summer, the Cobalt cybergang launched coordinated ATM network attacks in several European countries, including the U.K., Spain, the Netherlands, Romania, Poland and Russia.

Three Crucial ATM Network Security Gaps

Such attacks typically stem from three crucial ATM network security gaps that are inherent to a large number of banking institutions. These lapses are obvious and fairly simple to eliminate. If left unmitigated, however, they facilitate easy unauthorized access to ATM networks.

1. Ignoring Network Segregation

Unfortunately, some banks still have flat networks that unite all corporate hardware, including ATMs. A well-planned network architecture requires the ATM network to be separate from the main one. This creates an additional challenge for fraudsters targeting ATM endpoints.

2. Lack of Security Between Networks

Even when banks do segregate networks, little attention is paid to implementing security controls to manage access from one network to another. The two ATM attacks mentioned above are consequences of this mistake, since the cybercriminals managed to breach ATMs via the banks’ main networks.

To protect against ATM network security threats, financial institutions should install perimeter firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS) and antivirus software.
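Gaps 1 and 2 together, as an added illustration that is not from the article: a small policy evaluator that contrasts a flat bank network with a segregated ATM segment whose inter-network access is explicitly controlled. The subnets, the ATM host server address and the application ports are assumptions made for the example.

```python
# Added example, not from the article: a first-match policy evaluator that
# contrasts a flat bank network with a segregated ATM segment. All subnets,
# addresses and ports are assumed for illustration.
import ipaddress

ATM_NET = ipaddress.ip_network("10.50.0.0/24")    # assumed ATM endpoint segment
ATM_HOST = ipaddress.ip_network("10.10.1.20/32")  # assumed ATM controlling server
CORP_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed corporate workstations
ANY = ipaddress.ip_network("0.0.0.0/0")
ATM_APP_PORTS = {443, 8583}                       # assumed ATM-to-host protocol ports

# Rule: (source net, destination net, allowed dest ports or None for any, action)
FLAT_POLICY = [(ANY, ANY, None, "allow")]         # gap 1: ATMs share the corporate LAN

SEGREGATED_POLICY = [                             # gaps 1 and 2 addressed
    (ATM_NET, ATM_HOST, ATM_APP_PORTS, "allow"),  # ATM -> host server only
    (ATM_HOST, ATM_NET, ATM_APP_PORTS, "allow"),  # host-initiated sessions to ATMs
    (CORP_NET, ATM_NET, None, "deny"),            # corporate LAN never enters ATM segment
    (ANY, ANY, None, "deny"),                     # explicit default deny
]

def evaluate(policy, src, dst, dport):
    """Return 'allow' or 'deny' for a flow under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, ports, action in policy:
        if s in src_net and d in dst_net and (ports is None or dport in ports):
            return action
    return "deny"  # implicit default deny when no rule matches

# Constructed flows, including the main-network-to-ATM path the article describes
FLOWS = {
    "atm_to_host": ("10.50.0.7", "10.10.1.20", 8583),
    "host_to_atm": ("10.10.1.20", "10.50.0.7", 443),
    "corp_to_atm": ("10.20.3.15", "10.50.0.7", 445),
    "atm_to_corp": ("10.50.0.7", "10.20.3.15", 445),
    "atm_to_host_other_port": ("10.50.0.7", "10.10.1.20", 22),
}

def audit(policy):
    """Evaluate every constructed flow; used to compare the two policies."""
    return {name: evaluate(policy, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segregated", SEGREGATED_POLICY)):
        print(name, audit(policy))
```

Under the flat policy every flow is allowed, including a corporate workstation reaching an ATM; the segregated policy permits only ATM-to-host traffic on the expected ports in either direction.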

3. Outdated Operating Systems

An overwhelming majority of ATMs installed worldwide still run Windows XP or Windows XP Embedded, which Microsoft stopped supporting in 2014 and 2016, respectively. This means that hundreds of banks are exposed to ATM network security breaches due to the absence of patches for these outdated operating systems.

An Advanced Approach to ATM Protection

As ATM network attacks become more sophisticated, it’s important for financial institutions to apply advanced security measures with the help of a security information and event management (SIEM) system. SIEM tools receive logs from a controlling network server and ATM endpoints, and employ correlation rules to help security analysts monitor things such as entries into the network, the launching of unsolicited services, software integrity and antivirus feeds. This delivers a comprehensive overview of the ATM network security posture at any moment.
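The four correlation rules just listed, as an added example that is not from the article or any SIEM product: a parser for a constructed ATM endpoint log format plus one rule each for network entries, unsolicited service launches, software integrity and antivirus feeds. The log format, the service allowlist, the baseline hash, the addresses and the sample events are all assumed or constructed.

```python
# Added example, not from the article: a toy SIEM correlation pass over
# constructed ATM endpoint logs. Log format, allowlist, baseline hash and
# addresses are assumptions made for illustration.
import ipaddress
import re

ATM_NET = ipaddress.ip_network("10.50.0.0/24")   # assumed ATM segment
ATM_HOST = ipaddress.ip_address("10.10.1.20")     # assumed controlling server
ALLOWED_SERVICES = {"XfsService", "AtmAgent", "AvEngine"}      # assumed allowlist
BASELINE_HASHES = {"C:\\atm\\dispenser.dll": "a1b2c3"}          # placeholder digest

# Assumed format: "<timestamp> <host> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \S+=\S+)*)$")

def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for pair in m["kv"].split():
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec

def correlate(rec):
    """Apply the four rules the article lists; return alert text or None."""
    ev = rec["event"]
    if ev == "net_conn":                       # entries into the ATM network
        src = ipaddress.ip_address(rec["src"])
        if src != ATM_HOST and src not in ATM_NET:
            return f"{rec['host']}: network entry from non-ATM address {src}"
    if ev == "service_start" and rec.get("name") not in ALLOWED_SERVICES:
        return f"{rec['host']}: unsolicited service {rec.get('name')} started"
    if ev == "file_hash":                      # software integrity
        expected = BASELINE_HASHES.get(rec["path"])
        if expected and rec["sha256"] != expected:
            return f"{rec['host']}: integrity mismatch on {rec['path']}"
    if ev == "av_alert":                       # antivirus feed
        return f"{rec['host']}: antivirus detection {rec.get('sig')}"
    return None

SAMPLE_LOGS = [  # constructed sample events, not real telemetry
    "2016-07-10T02:14:05Z atm-017 net_conn src=10.10.1.20 dst=10.50.0.17 dport=8583",
    "2016-07-10T02:15:41Z atm-017 net_conn src=10.20.3.15 dst=10.50.0.17 dport=3389",
    "2016-07-10T02:16:02Z atm-017 service_start name=XfsService",
    "2016-07-10T02:16:30Z atm-017 service_start name=svchost_upd",
    "2016-07-10T02:17:00Z atm-017 file_hash path=C:\\atm\\dispenser.dll sha256=deadbeef",
    "2016-07-10T02:17:30Z atm-017 av_alert sig=Trojan.ATM.Generic",
]

def run(lines):
    """Parse every line and collect the alerts the rules raise, in log order."""
    alerts = []
    for line in lines:
        rec = parse(line)
        alert = correlate(rec) if rec else None
        if alert:
            alerts.append(alert)
    return alerts
```

Only the host server's own connection and the allowlisted service pass silently; the other four events each raise one alert, which a real SIEM would then correlate by host and time window.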

Another advanced ATM protection method is penetration testing, which simulates an attack to help security professionals uncover vulnerabilities before fraudsters have a chance to exploit them. Penetration testing checks cover patching, file system security, system access and authentication, auditing and logging, and account configuration.

The implementation of a SIEM system, coupled with annual penetration testing, considerably reduces the attack surface of an ATM network. These advanced ATM protection methods work best on a segregated network with proper security devices installed and operating systems updated.

Banks are already fortifying their ATMs against physical attacks, which have historically been frequent. It is safe to assume that financial institutions will become more meticulous about ATM network security once they reach a breaking point with network-based attacks. Instead of staying a step behind cyberthieves, banks should address network security issues now to escape the financial loss and reputational damage that could result from a widespread ATM breach.
