The Weakest Link In Banking Security – ATMs

Tuesday, October 03, 2017

Vanishree Rao


by Vanishree Rao and Warren Jackson

A chain is only as strong as its weakest link. This statement is especially true in security, where ingenious cybercriminals manage to discover and exploit the weakest links. We have recently seen this weak link theory play out with the very familiar Automated Teller Machines (ATMs) that are used regularly around the globe.

Traditionally, cybercrime in the banking sector has involved stolen credit card details or consumer credentials. Thanks to substantial investments in countering such cybercrime, together with advancements in data analytics and multi-factor authentication, we now have extremely reliable fraud detection and prevention mechanisms. Strengthening this particular “weak link” has, unfortunately, pushed cybercriminals to search for a new weak link; and the recent surge in ATM attacks indicate that, indeed, criminals have found a new one.

Weak Links Being Strengthened

We have seen an astonishing number of data breaches leading to enormous amounts of user data for sale on the “dark web” (a collection of websites that cannot be reached with traditional search engines and browsers, where user accounts, drugs, guns, and other illegal things are traded). This data trafficking has quickly translated into a frenzied rate of unauthorized access and exploitation of user accounts. Fortunately, this criminal activity also created massive amounts of criminal behavioral data, offering data scientists a way to determine criminal behavior and tactics that ultimately facilitated the banking sector to curtail the work of cybercriminals through account-access rules and activity detection models. As a result, stolen credit cards and user information have become a strong link in the chain of banking security.

ATMs - The Next Weak Link

Since 2015, there has been a substantial increase in the ATM attacks. Fair, Isaac and Company (FICO) had noted that its fraud-tracking service recorded a 546% surge in ATM attacks from 2014 to 2015.  But these new attacks are starkly different from the traditional ATM attacks.

Traditionally, ATMs have been physically attacked, using sledgehammers or explosives, or through card skimmers (fake card readers placed on top of real ATM card readers). Banks have implemented a number of security systems to prevent such attacks, including securely fixing ATMs to the floor, installing security cameras and security alarms, and situating ATMs inside the banking lobby.

The new era of ATM attacks involves a clever orchestration of a sequence of steps consummating in the ATMs spewing out cash.

The New Style of Jackpotting ATMs

[Step 1] Gain access to an insider: This is a common first step of most hacking methods -- social engineering an insider to let the cybercriminal into his computer system. This entry can be achieved by sending targeted phishing emails to employees, hoping to serve two purposes: to attain the necessary digital access to perform malicious activities and to connect to the criminal’s command-and-control over the server.

[Step 2] Watch in order to gather information: The malicious code captures information about the workflows of the employee, from a few months to many years. This helps criminals design their next moves that look legitimate and do not set off any alarms. Also, the malicious code learns the potential vulnerabilities in the system and relays information to the criminals.

[Step 3] Make a legitimate-looking connection to an ATM server and install malware: Using the information, make a legitimate-looking connection to an ATM server, carefully chosen depending on security loopholes. Using the server, connect to a set of ATMs, carefully chosen depending on the geographical locations, the level of public activity and visibility, the level of ATMs’ physical security, and the security vulnerabilities of firmware and software. Finally, through the server, install specific malicious code on the ATMs.

[Step 4] Collect the cash from the ATMs: The malicious code in an infected ATM is programmed to dispense endless cash with a specific sequence of keys. To regular users, the ATM either works as it should or appears to be out of service. The malicious code contains a secret master-key, which generates a new and unique session key for each session. If the user enters the same session key, then the code allows the criminal to empty the ATM.

Quick Fixes

Most aspects of the new ATM attacks involve exploiting known methods of vulnerabilities. Social engineering (e.g., phishing) is a well-known threat to virtually every industry and most consumers. Additionally, many recent ATM attacks used a legitimate program called Cobalt Strike, designed to perform penetration testing, which is notoriously complicated and difficult to implement. Despite the popularity of these vulnerabilities, there are big problems to solve. But, there are a few quick-fix solutions to help deter criminals in the near term.

Avoid Falling for Phishing: It is critical to train employees on how to detect and avoid falling victim to phishing emails. Some organizations send phishing-drill emails and monitor employees’ reactions, and provide training accordingly. However, to err is human, and as long as there are humans in the loop, social engineering attacks will continue.

Look out for System Behaviors: Multi-factor authentication should be required for every new program to be installed in employee systems, servers, and ATMs. In addition, although a criminal’s activities look as if they are legitimate, modeling and profiling usual and unusual behaviors, through machine learning, and detecting and flagging anomalies in real-time will help hinder these activities. However, this solution is only a short-term fix because, as criminals decode the definitions of ‘normal behaviors,’ they will redesign their moves to conform to new normal behaviors.

Biometrics: Biometrics can be used to curb unauthorized ATM access. While this might mitigate the problem to some extent, in order to obtain substantial resilience against malicious codes entering ATM machines, software solutions fall short. For instance, a recent version of a popular ATM malware, called the Tyupkin malware, has anti-debug techniques that disable the anti-malware from the infected system. There are also hardware security measures, such as ones that self-destruct if tampered with making the criminal’s job more difficult.

Allow for Small Amounts of Cash: Another fairly effective fix is to simply prevent jackpot payouts by setting a maximum payout rate determined by a timer that cannot be tampered with. A similar idea is in effect on convenience store counters where the safes allow only so much cash access per hour, so that a robber cannot force an employee to release money any faster.

Keep up the Watch: Cameras placed at vantage points allow banks to perform behavioral analytics on ATM users, and identify and quickly flag anomalous behavior. However, criminals can resort to breaking cameras with sledgehammers. Also, criminals could potentially identify camera locations and try to block them just before jackpotting the ATMs.

Long-term Solution

The world that previously transacted with physical money is embracing electronic money, although, cash is still king. In 2016 about 61% of transactions in Singapore were cashless, 45% of transactions in the United States were cashless, and only 2% of transactions in India were cashless. The banking sector is investing disproportionately in securing digital transactions, while ATMs are still running on Windows XP, which Microsoft barely supports today.

Fortunately, countries like India are making headway into embracing a completely digital currency system. Platforms like Paytm and Airtel Money, that help make digital transactions such as paying bills, are gaining popularity in India. The hope is that the banking sector will join hands with such platforms to accelerate the transition.

Although digital transactions are rife with cyber-security challenges, digital is here to stay. The banking sector is making advancements to protect digital accounts against fraud. Black money and tax evasions are made possible due to real cash, where transactions don’t leave a trail.

Is it time to remove the physical ATM? And is it time to move to a 100% digital currency system? The absence of an additional challenge and the cost of securing ATMs will help channel all resources and efforts towards securing digital money.

"The best way to strengthen the weakest link is to remove it."

About the author: Vanishree Rao is a Security and Cryptography researcher. She is mainly interested in the design and analysis of practical protocols from the provable security perspective.

Possibly Related Articles:
Infosec Island Breaches Vulnerabilities
Banking ATM ATM hacking Prevention
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.