All ATMs can be hijacked with malware, Kaspersky says – expert comment

Kaspersky Labs research has shown that ATMs can easily be hacked by cyber criminals, meaning funds could be stolen.

Alex Cruz Farmer, VP of cloud at NSFOCUS IB, has the following expert comments:

Why are banks still using old models of ATMs that lack security?

“This is simple. A bank is an enterprise, and it is their prerogative to deliver profits for their staff and, most importantly, shareholders. With this mindset, ATMs and installations are delivered and deployed with a particular strategy to ensure a good return on investment. Looking at the UK, since ATM withdrawal fees are no longer a thing, I can absolutely understand the return on investment due to maintaining these would be much lower or take longer. With that in mind, updating and putting state-of-the-art technologies within ATMs will be challenging. As we have also seen, the use of contactless payment methods and general card transactions is far exceeding cash. The last time I had to use hard cash was to enter a pub quiz!”

Why are hackers moving onto ATMs from hacking through internet banking?

“Hacking ATMs is straightforward. However, it requires a physical person to commit the fraud. By that I mean having to physically attend an ATM, and install equipment. For example, a basic attack could be skimming equipment on the card reader. That alone is not foolproof, as many users of ATMs became vigilant and started covering their PIN numbers. Hackers got smarter and put an overlay on the keypad to log the PIN code as well, which made this successful. However, all of this still required someone to physically attend the machine to install and remove the equipment to receive the data or commit the act, and then return to ATMs to withdraw cash or remove the equipment. Generally, the withdrawals from skimming are limited to £250 at a time, and often people do not leave vast sums of money in their current accounts.

The move to internet banking is now taking the physical attendance away, unless done through social engineering of course. This not only allows criminals from anywhere in the world to attack their victims, it also means that generally they have access to much more funds. Many people in the UK have a main current account, a savings account, and perhaps an ISA for the more tax savvy of us. A one hit smash on an internet banking account could be as much as £25-100k or more. The worst part of this is that theft through internet banking can be automated.”

How can banks reduce the risk of these issues?

“I have a love-hate relationship with my two-factor banking provided security. On one hand, having to punch in digits to access my account, and then for any transaction to a new payee, having to qualify that with the amount, and their account number, is cumbersome. However, on the other hand, I do know that it takes some effort for a hacker to steal my money. Whilst this does sound flawless, it is for online attackers. However, for more organised crime, it would take the loss of just my debit card, which has all of my critical details on it, plus my PIN for them to be able to access my account and take funds. Whilst I do have extensive monitoring set up, the risk is still very prominent, as monitoring only protects me after the fact.

The difficulty again is that banks could absolutely increase security for their customers, but it would be at the risk of user experience. It’s a careful balance, and I believe improvements still could be made, perhaps around verification for transactions which are larger than a certain amount, and increasing threat intelligence relating to specific accounts which have been used for depositing stolen funds. There are maximum amounts that can be transferred from an account, however with Faster Payments today, the ability to transfer £10k between one account and another can be done in seconds. Once that transfer has been done, it can be repeated multiple times until the limit of that account has been hit.”

What other things can be done to protect banking infrastructure from such ATM attacks?

“If ATMs were treated the same way as we treat security appliances, or secure data stores, meaning tamper-proof black boxes, any tampering causes them to lock down, or in some cases wipe themselves, followed by an alert and a lockdown, then any attempts at hacking them would be much more difficult or hopefully near impossible. Even vendors like Intel have created free technology built into their processors to deal with detecting malware on boot, so the solutions are there to be utilised.”