Cybercriminals began targeting automated teller machine (ATM) software back in 2009. Since then, new ATM malware families have been springing up every year. By 2016, fraudsters realized that the ATMs could be accessed through the network.

Cybercrooks have two options to loot an ATM: leverage direct physical access to an ATM endpoint or gain access to the machine through the network. The latter method is progressively gaining popularity because it eliminates the need to physically access a target ATM, increasing the chance of success. Once the network is compromised and malware is installed on the endpoint, a money mule who is standing by picks up the cash and whisks it away.

This shift to network-based ATM attacks has gone unnoticed by a large number of banks. They understand the variety of physical ATM breaches but don’t realize that cybercriminals are already a step ahead, exploring opportunities for network-based campaigns.

In July 2016, for example, actors withdrew $2.66 million from 41 ATMs at 22 branches of Taiwan’s First Commercial Bank without laying a finger on a PIN pad. Later that summer, the Cobalt cybergang launched coordinated ATM network attacks in several European countries, including the U.K., Spain, the Netherlands, Romania, Poland and Russia.

Three Crucial ATM Network Security Gaps

Such attacks typically stem from three crucial ATM network security gaps that are inherent to a large number of banking institutions. These lapses are obvious and fairly simple to eliminate. If left unmitigated, however, they facilitate easy unauthorized access to ATM networks.

1. Ignoring Network Segregation

Unfortunately, some banks still have flat networks that unite all corporate hardware, including ATMs. A well-planned network architecture requires the ATM network to be separate from the main one. This creates an additional challenge for fraudsters targeting ATM endpoints.

2. Lack of Security Between Networks

Even when banks do segregate networks, little attention is paid to implementing security controls to manage access from one network to another. The two ATM attacks mentioned above are consequences of this mistake, since the cybercriminals managed to breach ATMs via the banks’ main networks.

To protect against ATM network security threats, financial institutions should install perimeter firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS) and antivirus software.
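The two gaps above (a flat network, and a segregated network with no controls between segments) can be made concrete with a small policy checker. The following is an added example, not code from the original article: it models first-match firewall rules and probes whether ordinary corporate hosts can reach an ATM endpoint under three hypothetical rule sets. Every address, port and rule below is constructed for illustration.

```python
"""Added example (not from the original article): compare a flat network, a
segregated network without inter-segment controls, and a segregated network
with an allow-list, by evaluating probe flows from the corporate LAN to an ATM.
All addresses, ports and rules are constructed/hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination TCP port, None = any port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means implicit deny."""
    for r in rules:
        if (ip_address(flow.src_ip) in ip_network(r.src)
                and ip_address(flow.dst_ip) in ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "deny"


# Constructed address plan (hypothetical)
CORPORATE_LAN = "10.0.0.0/16"     # workstations and general servers
ATM_SEGMENT = "10.200.0.0/24"     # ATM endpoints only
ATM_HOST = "10.100.0.10/32"       # controlling ATM host server
ATM_PORT = 8443                   # hypothetical ATM-to-host application port

# Gap 1: one flat network, everything can talk to everything.
FLAT_RULES = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None)]

# Gap 2: segments exist, but the corporate LAN is waved through wholesale.
SEGREGATED_NO_CONTROLS = [
    Rule("allow", CORPORATE_LAN, ATM_SEGMENT, None),
    Rule("allow", ATM_SEGMENT, ATM_HOST, ATM_PORT),
]

# Hardened: only the ATM host server and the ATMs may talk, on one port.
SEGREGATED_ALLOWLIST = [
    Rule("allow", ATM_SEGMENT, ATM_HOST, ATM_PORT),
    Rule("allow", ATM_HOST, ATM_SEGMENT, ATM_PORT),
    # implicit deny covers the corporate LAN and anything else
]

# Probe flows a reviewer would try: corporate hosts reaching one ATM
PROBE_SOURCES = ["10.0.5.23", "10.0.77.4"]
PROBE_TARGET = "10.200.0.17"
PROBE_PORTS = [445, 3389, ATM_PORT]


def audit_segregation(rules: List[Rule]) -> List[Flow]:
    """Return every probe flow from the corporate LAN that the policy allows.
    An empty list means the ATM segment is closed to general corporate hosts."""
    return [
        Flow(src, PROBE_TARGET, port)
        for src in PROBE_SOURCES
        for port in PROBE_PORTS
        if evaluate(rules, Flow(src, PROBE_TARGET, port)) == "allow"
    ]


if __name__ == "__main__":
    for name, rules in [("flat", FLAT_RULES),
                        ("segregated, no controls", SEGREGATED_NO_CONTROLS),
                        ("segregated, allow-list", SEGREGATED_ALLOWLIST)]:
        leaks = audit_segregation(rules)
        print(f"{name}: {len(leaks)} corporate->ATM probe flows allowed")
```

The useful check is `audit_segregation`: the first two rule sets let a workstation reach the ATM on SMB and RDP ports, while the allow-list leaves only the ATM host server path open and still lets the ATM reach its host on the application port.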

3. Outdated Operating Systems

An overwhelming majority of ATMs installed worldwide still run Windows XP or Windows XP Embedded, which Microsoft stopped supporting in 2014 and 2016, respectively. This means that hundreds of banks are exposed to ATM network security breaches due to the absence of patches for these outdated operating systems.

An Advanced Approach to ATM Protection

As ATM network attacks become more sophisticated, it’s important for financial institutions to apply advanced security measures with the help of a security information and event management (SIEM) system. SIEM tools receive logs from a controlling network server and ATM endpoints, and employ correlation rules to help security analysts monitor things such as entries into the network, the launching of unsolicited services, software integrity and antivirus feeds. This delivers a comprehensive overview of the ATM network security posture at any moment.
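To show what those correlation rules look like in practice, here is an added example (not code from the original article or from any SIEM product): a miniature correlation pass over constructed ATM endpoint events covering the four signals named above. The log format, host names, addresses, service names, baseline hashes and the ten-minute correlation window are all invented for illustration.

```python
"""Added example (not from the original article): a toy SIEM correlation pass
over constructed ATM endpoint events. Format, hosts, addresses, service names,
hashes and thresholds are hypothetical."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed baseline the rules compare against (hypothetical values)
ATM_SEGMENT = ip_network("10.200.0.0/24")
ALLOWED_PEERS = {"10.100.0.10"}                      # the ATM host server
APPROVED_SERVICES = {"atmcore.exe", "xfsagent.exe"}  # invented service names
BASELINE_HASHES = {r"C:\ATM\dispenser.dll": "a1" * 32}
WINDOW = timedelta(minutes=10)  # entry followed by new service within this window

# Constructed event stream: "timestamp key=value ..." (not a real vendor format)
LOG_LINES = [
    "2016-07-10T02:14:05Z host=ATM-0417 type=av_status state=enabled",
    "2016-07-10T02:14:20Z host=ATM-0417 type=net_conn src=10.100.0.10 dst=10.200.0.17 dport=8443",
    "2016-07-10T02:15:02Z host=ATM-0417 type=net_conn src=10.0.5.23 dst=10.200.0.17 dport=445",
    r"2016-07-10T02:16:40Z host=ATM-0417 type=service_start name=rsvc.exe path=C:\Windows\Temp\rsvc.exe",
    r"2016-07-10T02:17:10Z host=ATM-0417 type=file_hash path=C:\ATM\dispenser.dll sha256=" + "ff" * 32,
    "2016-07-10T02:17:30Z host=ATM-0417 type=av_status state=disabled",
    "2016-07-10T02:20:00Z host=ATM-0088 type=service_start name=atmcore.exe",
    r"2016-07-10T02:21:00Z host=ATM-0088 type=file_hash path=C:\ATM\dispenser.dll sha256=" + "a1" * 32,
]


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev


def alert(rule, ev, detail, severity="medium"):
    return {"rule": rule, "host": ev["host"], "ts": ev["ts"].isoformat(),
            "severity": severity, "detail": detail}


def correlate(lines):
    """Apply the four rules and one cross-event correlation; return alerts in order."""
    alerts = []
    last_entry = {}  # host -> time of most recent unexpected network entry
    for ev in map(parse_event, lines):
        host, kind = ev["host"], ev["type"]
        # 1. Entry into the ATM segment from anything but the allowed peers
        if (kind == "net_conn" and ip_address(ev["dst"]) in ATM_SEGMENT
                and ev["src"] not in ALLOWED_PEERS):
            alerts.append(alert("unexpected_network_entry", ev,
                                f"from {ev['src']} to port {ev['dport']}"))
            last_entry[host] = ev["ts"]
        # 2. A service outside the approved set, and the cross-event rule:
        #    unexpected entry followed by a new service on the same host
        elif kind == "service_start" and ev["name"] not in APPROVED_SERVICES:
            alerts.append(alert("unapproved_service", ev, ev["name"]))
            if host in last_entry and ev["ts"] - last_entry[host] <= WINDOW:
                alerts.append(alert("remote_deployment_suspected", ev,
                                    f"{ev['name']} started after network entry",
                                    severity="high"))
        # 3. Software integrity: known file no longer matches its baseline hash
        elif (kind == "file_hash"
                and BASELINE_HASHES.get(ev["path"]) not in (None, ev["sha256"])):
            alerts.append(alert("integrity_mismatch", ev, ev["path"]))
        # 4. Antivirus feed reports anything other than an enabled state
        elif kind == "av_status" and ev["state"] != "enabled":
            alerts.append(alert("av_disabled", ev, ev["state"]))
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG_LINES):
        print(f"{a['ts']} {a['severity']:6} {a['host']} {a['rule']}: {a['detail']}")
```

The cross-event rule is the part worth copying: a single unexpected connection or a single new service is noise on its own, but the two on the same endpoint within a short window is the pattern the article describes, so it is raised at higher severity than either component.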

Another advanced ATM protection method is penetration testing, which simulates an attack to help security professionals uncover vulnerabilities before fraudsters have a chance to exploit them. Penetration testing checks cover patching, file system security, system access and authentication, auditing and logging, and account configuration.

The implementation of a SIEM system, coupled with annual penetration testing, considerably reduces the attack surface of an ATM network. These advanced ATM protection methods work best on a segregated network with proper security devices installed and operating systems updated.

Banks are already fortifying their ATMs against physical attacks, which have historically been frequent. It is safe to assume that financial institutions will become more meticulous about ATM network security once they reach a breaking point with network-based attacks. Instead of staying a step behind cyberthieves, banks should address network security issues now to escape the financial loss and reputational damage that could result from a widespread ATM breach.
