Attacking ATM Operators

Another major component of the banking sector is the ATM. It is one of the most useful innovations in retail banking: it ended the long queues in banking halls and makes cash available to customers at any hour of the day. However, the crowd that left the banking hall has reassembled on the other side of the premises, and both ATMs and their operators are regular targets of criminals. One of the most damaging of these attacks is jackpotting, a class of attacks in which an ATM is manipulated into dispensing all of its cash, like a slot machine paying out a jackpot in a casino. The "black box attack" is one variant of jackpotting, in which the criminal connects their own device directly to the cash dispenser. Jackpotting is reported to be increasing steadily.

ATMs continue to be a profitable target for criminals, who use various methods to generate illegal revenue. While some rely on physically destructive methods using metal cutting tools, others choose malware infections, which let them manipulate the cash dispenser from the inside. Criminals use different tools and techniques (physical, logical or combined) to reach the inside of the ATM and bypass its security controls, forcing a cash-out of all the money it holds. With few exceptions, every ATM has the same basic design: a cash dispensing mechanism controlled by an operating system running on a personal computer (PC), which exposes it to logical attacks. Malware attacks, a sub-category of logical attacks, are becoming increasingly popular among cyber criminals (ENISA, 2018).

Tools used in jackpotting plots

Endoscope – a narrow, tube-like medical device with a camera on the end, normally used to see inside the human body. Fraudsters use it to see inside the ATM cabinet and locate the cables, ports and internal sensors they need to reach.

Tyupkin malware – malware that lets attackers empty the ATM cash cassettes through direct manipulation of the machine. First identified by security researchers in 2013 as Backdoor.MSIL.Tyupkin, it affected ATMs from a major manufacturer running 32-bit Microsoft Windows.

Ploutus.D malware – recognisable by the filename "AgilisConfigurationUtility.exe", Ploutus.D is a variant of Ploutus, one of the most advanced ATM malware families, first discovered in Mexico in 2013. Once installed via a USB port, the malware lets criminals empty the ATM using either an external keyboard attached to the machine or an SMS message (ENISA, 2018).

Techniques employed in ATM attacks

ATM’s hard drive manipulation:

  • Fraudsters dressed as ATM technicians, or an onsite "money mule", replace the ATM hard drive with an attacker-supplied one (possibly prepared from a malware-laden thumb drive), so that unauthorized dispense commands can be sent to the cash dispenser unit.
  • Alternatively, the ATM's own hard drive can be removed, infected with malware and reinserted instead of being swapped for an attacker-supplied drive.
  • In addition, internal sensors are manipulated with an endoscope to fool the physical authentication between the ATM PC and the dispenser. This is how the encrypted communication protocol between the two is bypassed in the attack.

Black Box Attack:

  • Fraudsters dressed as technicians open the cabinet and disconnect the cash dispenser from the ATM PC, attaching their own device (the "black box") in its place so that the logical security measures running on the PC are taken out of the path.
  • An endoscope is used to look inside the ATM and locate the internal point where a cable can be attached, allowing the criminal's laptop to communicate with the ATM's computer.
  • The ATM is switched back on with the malware already installed and running in the background, waiting for instructions from the ATM keyboard to dispense the cash.

What makes these attacks attractive to certain criminals is the low level of technical knowledge required to execute them; plenty of tutorials and step-by-step guides are available on the dark web. Still, they require physical access to the ATM and expose the criminal's identity on camera. Criminals can also steal money from ATMs using methods less complicated than jackpotting, and there are remote attacks that do not rely on physical access to the inside of the ATM at all; the recent Cosmos Bank incident is a good example (ENISA, 2018).

The modern method is malware infection delivered through the financial institution's own network. Once attackers gain access to a bank's network, they can install malware on the ATMs from a remote location, turning each ATM into a slave machine. In the final stage the attacker sends dispense instructions directly to the ATM and orders a mule to collect the cash.

Should we sit back and watch while this crime spreads across the financial sector? No. There is a great deal that can be done.

Advice for on-premise ATM operators

  • Ensure the ATM is in an open, well-lit environment that is monitored by visible security cameras. The ATM should be securely fixed to the floor with an anti-lasso device that will deter criminals.
  • Regularly check the ATM for signs of attached third-party devices (skimmers).
  • Be on the lookout for social engineering attacks by criminals who may be masquerading as ATM technicians.
  • Implement intruder alarms and act accordingly by notifying law enforcement authorities of any potential breach.
  • Consider filling the ATM with just enough cash for a single day of activity.

Recommendations for financial institutions and ATM operators

  • Implement the EMV security standards. EMV is a payment method based on a technical standard for smart payment cards (also called chip cards or IC cards) and for the payment terminals and ATMs that accept them. Note that EMV protects against card skimming and cloning rather than against jackpotting, so it complements rather than replaces the physical and software controls below.
  • Review the physical security of ATMs and consider investing in quality and robust physical security solutions and ATM security alarm.
  • Secure the top compartment (top box) of the ATM, which contains the PC. Fit this area with an intruder alert that fires on unauthorized opening, and change the top-box lock so that the manufacturer's default master keys no longer work.
  • Implement security solutions designed specifically for self-service terminals, and keep the ATM software up to date through a managed ATM security program. Include the other equipment connected to the ATM, such as network devices and modems, in that program.
  • Proactively report to law enforcement authorities of any unusual amount withdrawals on specific units.
  • Use a real-time fraud detection system or artificial intelligence software to spot ATM theft, money laundering and other financial crimes (ENISA, 2018).
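The last two recommendations (reporting unusual withdrawals on specific units, and real-time detection) come down to one correlation: cash that leaves a dispenser should always match a withdrawal the bank's host approved, and no single unit should pay out far more than a normal day's traffic in a few minutes. The following is an added example, not code from the original page or from ENISA, of that check run over a constructed log. The two-feed format (AUTH records from the host switch, DISP records from the dispenser) and the thresholds are assumptions for illustration; real ATM journals differ by vendor.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (invented for this example, not real ATM telemetry).
# Two record types, one per line:
#   AUTH <timestamp> <atm_id> <txn_id> <amount>  host approved a withdrawal
#   DISP <timestamp> <atm_id> <txn_id> <amount>  dispenser reported cash out
# A DISP with txn_id "-" is a dispense the ATM PC did not tie to any host
# transaction, which is what a jackpotting cash-out looks like from the host.
SAMPLE_LOG = """\
AUTH 2018-08-11T10:00:01 ATM-17 T1001 200
DISP 2018-08-11T10:00:04 ATM-17 T1001 200
AUTH 2018-08-11T10:05:10 ATM-17 T1002 100
DISP 2018-08-11T10:05:13 ATM-17 T1002 100
DISP 2018-08-11T10:20:00 ATM-42 - 2000
DISP 2018-08-11T10:20:08 ATM-42 - 2000
DISP 2018-08-11T10:20:15 ATM-42 - 2000
DISP 2018-08-11T10:20:23 ATM-42 - 2000
DISP 2018-08-11T10:20:31 ATM-42 - 2000
AUTH 2018-08-11T10:30:00 ATM-17 T1003 300
DISP 2018-08-11T10:30:02 ATM-17 T1003 250
"""


def parse_log(text):
    """Parse the constructed feed into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, ts, atm, txn, amount = line.split()
        events.append({
            "kind": kind,
            "ts": datetime.fromisoformat(ts),
            "atm": atm,
            "txn": None if txn == "-" else txn,
            "amount": int(amount),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_cashout(events, window=timedelta(minutes=10),
                   max_dispenses=4, max_total=5000):
    """Return a list of (rule, atm_id, timestamp, detail) alerts.

    UNAUTHORISED_DISPENSE: cash left the dispenser with no host-approved
        transaction for that ATM and transaction id.
    AMOUNT_MISMATCH: a matched dispense paid out a different amount than
        the host approved.
    VELOCITY: more than max_dispenses dispenses, or more than max_total in
        cash, from one ATM inside the sliding window (thresholds are
        illustrative; tune them per unit and cassette capacity).
    """
    auths = {(e["atm"], e["txn"]): e for e in events if e["kind"] == "AUTH"}
    recent = defaultdict(list)  # atm_id -> dispenses inside the window
    alerts = []
    for e in events:
        if e["kind"] != "DISP":
            continue
        atm, ts = e["atm"], e["ts"].isoformat()
        auth = auths.get((atm, e["txn"])) if e["txn"] else None
        if auth is None:
            alerts.append(("UNAUTHORISED_DISPENSE", atm, ts, e["amount"]))
        elif auth["amount"] != e["amount"]:
            alerts.append(("AMOUNT_MISMATCH", atm, ts,
                           f"approved={auth['amount']} dispensed={e['amount']}"))
        # Sliding-window velocity check per ATM. It fires on every dispense
        # once the burst exceeds a threshold, so a run of VELOCITY alerts
        # from one unit is itself the signal to escalate.
        recent[atm] = [r for r in recent[atm] if e["ts"] - r["ts"] <= window]
        recent[atm].append(e)
        count = len(recent[atm])
        total = sum(r["amount"] for r in recent[atm])
        if count > max_dispenses or total > max_total:
            alerts.append(("VELOCITY", atm, ts,
                           f"{count} dispenses / {total} in {window}"))
    return alerts


def atms_to_escalate(alerts):
    """ATM ids that raised any alert, i.e. the units to report."""
    return sorted({a[1] for a in alerts})


if __name__ == "__main__":
    found = detect_cashout(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print("escalate:", atms_to_escalate(found))
```

On the sample feed ATM-17 behaves normally apart from one short-paid dispense, while ATM-42 pays out 10,000 in five unauthorised dispenses inside 31 seconds and trips both the count and the total thresholds. The unmatched-dispense rule is the important one: velocity alone can be evaded by pacing the cash-out, but a dispense the host never approved has no legitimate explanation.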

References

Cryptera (2017). ATM Attacks Remain Leading Pain Point For Banks Worldwide. Retrieved from http://www.cryptera.com/atm-attacks-remain-leading-pain-point-for-banks-worldwide/

ENISA (2018). ATM Cash-Out Attacks. Retrieved from https://www.enisa.europa.eu/publications/info-notes/atm-cash-out-attacks

Wild, O. (2018). 'Jackpotting' Attacks Arrive in the U.S.—What Do ATM Operators Need to Do? Retrieved from https://www.ncr.com/company/blogs/financial/jackpotting-attacks-arrive-in-the-us-what-do-atm-operators-need-to-know