The FBI recently warned that a data breach of a credit card processor or bank could lead to a global swarm of co-conspirators emptying automated teller machines[i]. Soon after, a Pune, India-based financial institution – Cosmos Bank – lost roughly $13.5 million in a heist involving ATMs in more than two dozen countries[ii].
 
The crime was reminiscent of one several years ago. In 2013, that heist ended in Department of Justice charges involving eight people in New York armed with fraudulent prepaid cards. The scam drained roughly $45 million from two Middle Eastern banks through cash machines in dozens of countries[iii]. Crimes like these bring fears of full fleets of ATMs turning into safes bleeding cash. These are soft targets, where fraud has risen by more than 50% in the last year, according to Javelin Strategy & Research data[iv].
 
Still, financial institutions have a number of controls to reduce those risks:
 
  • Chip-Only Transactions. FIs can make policy changes to their cards to only allow chip-based transactions at ATMs. This means that no fallback is allowed, protecting their customers from the counterfeiting that inevitably follows skimming.  
  • Active-Monitoring. Recently developed sensors placed inside cash machines can detect the presence of skimmers[1], and advanced analytics capabilities focused on ATM activity can help detect, and subsequently halt, a swath of suspicious transactions.
  • Enabling Cardless ATM Features. FIs that allow bank customers to withdraw cash through the use of a smartphone app at the cash machine increase the likelihood that those transactions are authentic, assuming strong authentication is in place. 
  • Bolstering the ATM’s Logical Security. This boils down to protecting ATMs against malware. Patching software. Updating operating systems. These tactics safeguard devices from crimes like jackpotting, in which crooks gain physical access to ATM innards using tools meant to crack the machine open like a safe. Such measures are also intended to stop criminals from distributing malware remotely through a bank’s software distribution mechanism[v]. To be clear, newer ATMs can have updates deployed automatically. Older machines – many of which are still deployed across American bankers’ fleets and other financial services companies’ networks – must be visited in person by an FI’s IT people[vi].
  • Securing the network.  Better security should also extend to the bank’s internal network. By putting stronger controls in place around any systems that control changes to ATM cash out parameters – both at the network and account level – criminals who compromise employees, through phishing, perhaps, won’t be successful in upending the security of ATMs. In short, stronger authentication and internal alerts.
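The monitoring controls in the list above can be sketched as detection logic. This is an added example, not code from the article or from any vendor; the record layout, account names, thresholds and alert names are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real): time, account, ATM country, entry mode, amount.
SAMPLE_TXNS = [
    ("2018-09-01T15:00:00", "ACCT-A", "IN", "chip", 200),
    ("2018-09-01T15:02:00", "ACCT-B", "CA", "magstripe", 500),
    ("2018-09-01T15:03:00", "ACCT-B", "HK", "magstripe", 500),
    ("2018-09-01T15:05:00", "ACCT-B", "GB", "magstripe", 500),
    ("2018-09-01T15:06:00", "ACCT-C", "IN", "magstripe", 100),
    ("2018-09-02T09:00:00", "ACCT-A", "US", "chip", 100),
]
# Constructed audit log of withdrawal-limit changes: time, account, old, new.
SAMPLE_LIMIT_CHANGES = [("2018-09-01T14:40:00", "ACCT-B", 500, 100000)]

WINDOW = timedelta(minutes=30)       # assumed velocity window
MAX_COUNTRIES = 2                    # assumed distinct countries tolerated per window
LIMIT_WATCH = timedelta(hours=24)    # assumed watch period after a limit increase


def detect(txns, limit_changes, chip_only=True):
    """Return a sorted list of (account, reason) alerts."""
    alerts = set()
    by_acct = defaultdict(list)
    for ts, acct, country, mode, _amount in txns:
        # Chip-only policy: any magnetic-stripe fallback at an ATM is flagged.
        if chip_only and mode != "chip":
            alerts.add((acct, "magstripe-fallback"))
        by_acct[acct].append((datetime.fromisoformat(ts), country))
    for acct, events in by_acct.items():
        events.sort()
        # Sliding window: one account seen in too many countries too quickly.
        for start, _ in events:
            seen = {c for t, c in events if start <= t <= start + WINDOW}
            if len(seen) > MAX_COUNTRIES:
                alerts.add((acct, "multi-country-velocity"))
                break
    for ts, acct, old, new in limit_changes:
        changed = datetime.fromisoformat(ts)
        # A raised limit followed shortly by withdrawals deserves an internal alert.
        if new > old and any(changed <= t <= changed + LIMIT_WATCH
                             for t, _ in by_acct.get(acct, [])):
            alerts.add((acct, "limit-raise-then-withdrawal"))
    return sorted(alerts)


if __name__ == "__main__":
    for account, reason in detect(SAMPLE_TXNS, SAMPLE_LIMIT_CHANGES):
        print(account, reason)
```

The account that triggers all three rules at once (fallback, multi-country velocity, and a preceding limit increase) matches the cash-out pattern the article describes; the other accounts show that ordinary travel and a single fallback do not trip the velocity rule.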
 

----------------------

[1] https://www.cise.ufl.edu/~traynor/reaper/, accessed August 24, 2018.

 

[i] https://krebsonsecurity.com/2018/08/indian-bank-hit-in-13-5m-cyberheist-after-fbi-atm-cashout-warning/, accessed August 20, 2018.

[ii] Around the same time, Cofense released a report outlining how the Necurs botnet had begun targeting banks with malicious Microsoft Publisher and Adobe files containing a new remote-access trojan (RAT). https://www.darkreading.com/vulnerabilities---threats/necurs-botnet-goes-phishing-for-banks/d/d-id/1332574, accessed August 20, 2018.

[iii] https://www.questia.com/magazine/1G1-329310982/a-few-simple-controls-could-have-prevented-45m-bank, accessed August 20, 2018.

[iv] 2017 Identity Fraud Study, Javelin Strategy & Research

[v] https://blog.dieboldnixdorf.com/defending-against-logical-atm-attacks-insights-from-jackpotting-attacks-diebold-nixdorf-blog/#.W3uMA85Kjm4, accessed August 20, 2018.

[vi] Earlier this year, crooks took to jackpotting schemes involving American ATMs reliant on unpatched software. At the time, both NCR and the Secret Service told bankers that organized criminal gangs were attacking stand-alone ATMs using a roughly five-year-old strain of malware, according to KrebsOnSecurity.

Author

About Sean Sposito

Sean Sposito is an analyst in the fraud & security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 
