Developing Safeguards to Combat the Rise of ATM Malware

risk management

Jan 31, 2018


The ATM is one of the great conveniences of the modern financial age. However, ATMs have been plagued by a growing number of attacks as criminals exploit hardware and software vulnerabilities to obtain large sums of cash. A Trend Micro and Europol 2017 Report [1] highlighted that the use of ATM malware has evolved significantly as the scope and scale of these attacks have grown. This latest development is attributable to several factors, such as:

  • The prospect of large financial rewards. It is well known that a principal motivating factor for most cybercriminals is money, and ATMs store lots of cash. Hence, ATMs remain attractive targets;
  • It is becoming easier for cybercriminals to access malicious code on the darknet. Only recently, Kaspersky Lab reported that hackers are selling detailed manuals of ATM malware targeting specific vendors for as little as $5000 on darknet markets [2]; and
  • Certain ATMs are highly vulnerable and susceptible to attack since they often rely on outdated operating systems. According to the Trend Micro/Europol Report, a significant portion of ATMs installed worldwide still run either Windows XP or Windows XP Embedded. Some of the older ATMs run Windows NT®, Windows CE®, or Windows 2000. Support for these operating systems has either ended or is slated to end soon.


ATM malware attacks are either physical-based or network-based. In recent times, security analysts have been reporting more network-based attacks. Both forms of attack aim to empty the cash safe (“jackpotting”), log the customer card transactions (“virtual skimming”) or both. A few notable examples of ATM malware include [3]:

  • Skimer, the first known piece of malware to target ATMs, was first reported in 2009. It is thought to have been in existence since as early as July 2007. It exclusively targets ATMs manufactured by Diebold® and was originally found targeting ATMs in Russia and Ukraine;
  • 41 Wincor Nixdorf® ATMs in Taiwan were reportedly attacked in July 2016. The criminals stole NT$80 million (US$2.5 million) from 22 branches of First Commercial Bank by using network-based malware; and
  • NCR ATMs of Government Savings Bank (GSB) in Thailand were attacked in mid-2016 and their cash deposits emptied out. The attack used a new ATM malware referred to as Ripper. Ripper reportedly stole around 12 million baht by first hacking into the bank’s network and then distributing the malware to the ATMs.

These developments have significant implications for the financial services market, especially since ATM malware attacks are forecast to continue to rise. Comprehensive and responsive security solutions that minimize network vulnerabilities and risks and reduce financial losses are therefore paramount. Consequently, organizations need to take steps to secure their ATMs at the physical, network and application layers. Additionally, organizations should undertake to:

  • Develop a comprehensive and responsive cybersecurity plan
  • Engage in continuous security awareness among their employees and customers
  • Adopt comprehensive endpoint security solutions
  • Adopt security analytics tools to help detect patterns in ATMs and discover new knowledge on how to effectively secure the organization’s network and
  • Conduct periodic vulnerability assessments to identify high-risk areas.

Wilson Consulting Group (WCG) provides a range of services to assist organizations in securing their networks, ATMs and financial assets and minimizing risks and exposure. WCG helps in:

  • Developing security plans, policies and procedures
  • Empowering users by conducting training and development
  • Providing guidance in the selection of viable endpoint security solutions
  • Providing security analytics solutions and
  • Conducting vulnerability assessments.

Let us assist you in safeguarding your ATM network and improving your security posture.

[1] Cashing in on ATM Malware, A Comprehensive Look at Various Attack Types – Trend Micro and Europol 2017 Report

[2] K. Zykov, ATM malware being sold on the darknet, www.securelist.com

[3] Cashing in on ATM Malware, A Comprehensive Look at Various Attack Types – Trend Micro and Europol 2017 Report
