Ensuring ATMs aren’t the weakest link to banking cybersecurity

By Elida Policastro, Regional VP – Cybersecurity division at Auriga

Digital banking brings huge benefits to customers, but the risks of cyber-attacks continue to rise. For banks, there is a need to stay ahead of the game, anticipating new methods of attack so that innovative solutions can be put in place in time to minimise those changing threats.

In terms of attack targets, the ATM ecosystem is complex and made up of heterogeneous hardware and software that is expensive and difficult to update especially when ATMs and customer touchpoints need to be available 24/7. Because of this, financial organisations usually do not have the latest security policies in place, nor a centralised view of the ATM attack surface. It is vital that banks and ATM operators strike the balance between software deployment and hardware maintenance with keeping control of changes in software and hardware and ensuring the ATM network is as secure as possible.

This is critical because ATMs and central servers, which are the systems that control ATMs, have become a popular target for cyber-attacks. Last year, over a half (58%) of the global banking industry respondents to the ATMIA Global Fraud and Security Survey 2019 reported that ATM attacks, which includes both physical security breaches and fraud incidents, had increased.

ATM fraud attacks fall into three categories:

• Data fraud, resulting from data breach, such as account numbers, pin codes, and other personal data
• Physical fraud, consisting of theft of valuable assets, such as cash by stealing cards
• Cyber fraud – logical attacks to the systems and communications

Jackpotting is a an increasingly popular form of cyber-attack that exploits physical and software-based vulnerabilities in ATMs to get cash and thus an immediate financial reward for the attacker. It is estimated that in the last five years, financial organisations have lost millions to jackpotting. For example, the Ploutus family of ATM malware, which originally appeared in Mexico in 2013, has created losses of over $450 million dollars (€398 million) around the world.

ATMs suffer physical and logical attacks for several reasons: one is that the physical cash inside acts as an incentive, and another is that cash machines contain confidential information like debit card numbers and PIN codes, which can be stolen and sold.

Critically, ATMs are a weak link in a bank’s security systems. They appeal to attackers because they are often poorly monitored and little logical action is taken to protect the data in them. In addition, cyber-criminals have also realised that ATM networks utilise security infrastructure that is based on a great deal of legacy hardware and software. This is more vulnerable to attacks because of the high cost of upgrades and difficulty to install security updates with machines that are geographically dispersed and use older operating systems and protocols. Unfortunately, this results in insecure systems that can be easily exploited.

On top of all of that, there is a real risk of an insider threat. There are a lot of different people and roles responsible for the upkeep of an ATM and these all have administration rights, including employees from the financial institutions, service providers, developers and installers.

One of the main ways cyber adversaries attack ATMs is via the ‘XFS layer’, a standard interface designed to have multivendor software running on manufacturers’ ATMs and other hardware. While the XFS layer uses standard APIs to communicate with self-service applications, there is no standard way of secure authentication that comes with it, making it easy for cyber-criminals to exploit this vulnerability. Cyber-attackers can therefore deploy malware into banking touchpoints such as cash machines to trick them into giving ‘cash out’ commands and dispense money. The card reader may also be compromised – able to steal card numbers and track the pin pad to learn pin numbers, making the XFS layer a very attractive target. The importance of cybersecurity in banking is therefore only going to increase.

So, how should banks and ATM operators best prevent attacks? For ATMs, typical endpoint protection security such as anti-malware technology is just not enough. ATM networks and systems are critical infrastructure devices that need to be constantly available and so they require greater protection and a different approach.

The best approach is a centralised security solution that protects, monitors, and controls ATM networks and thus manages the entire banking asset network in one place and take appropriate action, such as stopping malware spreading throughout the network from infected ATMs.

Such modern technology solutions not only provide invaluable cybersecurity protection, they can also save banking organisations time and money, as ATM and infrastructure management is centralised into a single hub. Actions can be executed remotely to quickly establish new defences via techniques such as network segmentation or implementing new firewalls.

It is particularly important for banks to have several layers of protection in one single platform. Such layers could involve full disk encryption, application whitelisting, hardware protection and file integrity protection.

Although financial organisations are making a concerted effort to improve their security landscape, cyber-criminals are continuing to innovate their attacks, making it an environment of threats that is evolving and advancing. From this, banks must constantly be proactive in implementing and testing their cyber-defences. It is therefore wise to draw upon external counsel with specialist security knowledge to double check on security plans and processes and help ensure ATM security is up to date and preventative.

Cyber Threat Intelligence (CTI) can provide banks with an early warning system to detect and contain potential threats before they become incidents. This intelligence is essential for any business as cybersecurity threats become increasingly indiscriminate. Once they become aware of any relevant threats and vulnerabilities, then they will begin to understand where and how these can be exploited, as well as the impact this may have on both the business and individuals.

Awareness of the threat landscape is vital for banks to understand what could be exploited and utilised for future cyber-attacks. If they do not, they open themselves up to the very real possibility of experiencing security breaches, loss of sensitive customer data, and of course stolen cash.