2008: The year of ATM skimming
Locking down the ATM. It's a software precaution the ATM industry has screamed for since the advent of Windows, but some ATM operators and deployers have been slow to heed the advice.
 
Increasing media coverage of ATM software glitches and malware, which is shadowed by massive data security breaches such as the RBS WorldPay and Heartland Security breaches, has led to increased attention from regulatory bodies and consumer advocacy groups. And all pressures aside, the financial industry itself is concerned, since breaches of any kind damage consumer confidence and adversely affect operating budgets and bottom lines.
In March, when news broke of the card-skimming malware that had attacked a Diebold Inc. ATM in Russia, security bloggers and mainstream media jumped on the story. And more stories followed.
 
Skimming attacks and ATM software reprogramming hacks continually grab news headlines, and are pushing the ATM industry and its primary players to take more aggressive action, say experts like Sharon Dickie, NCR Corp.'s vice president of marketing for financial services.
 
"ATM skimming has been very prevalent for a long time, and the awareness has been heightened in other countries, before the U.S.," Dickie said. "But we knew fraud would migrate to the States, and our campaign has been to try to educate our customers and also law enforcement."
 
As skimming attacks become more common and sophisticated, and as criminals get continually wiser with their ATM reprogramming, domestic ATM operators and manufacturers are closely eyeing the migration of ATM fraud.


 
"We have been saying for a long time that crime will migrate to the weakest link," Dickie said. "While the mag-stripe remains on the card, the card will always be vulnerable to ATM skimming at some point or another. And as the rest of the world moves to EMV, that is definitely a vulnerable point and is a big issue for the ATM and point of sale in the United States."
 
Speaking specifically to the malware attack in Russia, Dickie suspects an inside job.
 
"To get this unauthorized code on the ATM, it needs to be someone who knew what they were doing," she said. "From an NCR point of view, we integrated into our APTRA Security guidelines that lock down the entire ATM — we actually locked it down so that no unauthorized code can run. We've locked it down with Solidcore."
 
But Diebold officials, responding to the attack in Russia, say the breach was definitely not related to an internal compromise. Rather, it's a reflection, yet again, of the increasing sophistication of international crime rings.
 
The year of ATM skimming
 
Jim Pettitt is Diebold's director of ATM-security strategy and planning. He says 2008 was the year of skimming, across the globe.
 
"This is organized crime, and they are distributing this information and stuff throughout the world," he said. "It's not a small business. Hacking is the starting point. They see if they can get in and then they exploit the terminals from there. We've seen a significant increase in skimming attacks in the last 18 months."
 
Diebold spokeswoman DeAnn Zackeroff says the Russian breach involved a physical attack on the ATM that was used to gain access to install malicious software. It was not, she says, an attack based on internal knowledge.
 
"An important take-away: I believe all ATMs are vulnerable to this type of attack," Zackeroff said. "It happened to a Windows-based operating system that was not locked down and the whole industry should be concerned."
 
Pettitt says the system was not locked down, as is always recommended, but even if it had been locked down, the criminals likely would have gotten in.
 
"I have a difficult time equating, saying this is the real problem or that is the real weakness," Pettitt said. "To prevent a malware attack, there are layers of security that you put in place. But if there are any security holes open, the ATM is vulnerable."
