To protect cardholders' private, confidential information, financial institutions should deploy a combination of techniques to prevent the installation of malware on ATMs.
March 17, 2016
by Ralph Spinelli, Vice President of ATM Engineering, HTx Services
ATM hackers are persistent. With skimming, card overlays, and camera views now well defended by financial institutions, hackers are seeking the next gap in ATM security to exploit.
Hackers in Europe and South America have begun targeting the ATM upper enclosure (aka the "top hat") as a vulnerable area. Once a hacker has access to the top hat, malware is installed using a USB flash drive or DVD.
At this point, hackers can either "eavesdrop" to capture information such as account numbers and personally identifiable information from the machine's transaction application, or "jackpot" the machine to immediately dispense all the cash that's available.
As demonstrated at the 2010 Black Hat Briefings conference in Las Vegas, a hacker can easily jackpot an ATM.
A report issued by Kaspersky Lab in February 2015 estimates that one notorious cybercrime gang called Carbanak (sometimes referred to as Anunak) has caused up to $1 billion in losses, at more than 30 banks, with much of the theft accomplished through the use of ATM jackpotting malware.
Security researchers are warning financial institutions in the United States that they've found signs of hackers planning to bring their attacks to machines in the U.S. Some have already reported seeing them.
Considering that the top hat contains the ATM processor and is the "brain" of the entire ATM, it seems inconceivable that currently its main security control is a key lock.
Hackers understand that one ATM manufacturer's key can open multiple like-model ATM top hats, and that this key can be bought easily from third-party suppliers — or on retail sites such as eBay — for about $10.
To date, the manufacturers' solution is to have ATM owner-operators rekey the top hat, or equip the ATM with an alarm.
Many banks have mitigated their risk by placing the ATM through the wall (including the upper compartment) in an enclosed room, with only the front accessible to patrons.
Still, retail ATM locations — i.e., malls, gas stations, and convenience stores — with exposed upper enclosures are especially high risk.
As the ATM services provider to one of the largest banks in the world, HTx Services has engineers working on a better solution.
We believe the security fix lies in a layered approach that addresses these areas:
1. Video Surveillance
It seems basic, but to catch a criminal, you need a camera.
Camera systems and CCTV systems can record and store video for up to 90 days with date and time stamps. Successful prosecution of fraudsters is simplified with accurate and clear recordings.
2. Audited Access Controls
Set up individually approved access controls with a detailed audit trail that shows who accessed the machine, where and when.
3. Electronic Lock and Key
It's time to upgrade the lock and key with modern, readily available technology to verify the identity of the individual trying to gain access to the top hat.
4. Alarm
Many service providers are promoting an alarm that would alert law enforcement, but we believe it's better to send a message up the line to an automated monitoring system.
5. Processor Protection
This involves locking down the BIOS, implementing safeguards to prevent boot-up from removable media, and applying appropriate security settings.
Today, there is no single solution that stops every threat.
To protect the cardholder's private, confidential information, financial institutions should deploy a combination of techniques that send up a red flag and immediately take that ATM down from operations.
And then get ready to defend the next avenue of attack.
Ralph Spinelli is vice president of ATM engineering services at HTx, where he manages an ATM support organization that provides product and solution development support, quality assurance and help desk services. Previously Spinelli led the engineering and ATM support organizations at Citi. He led the migration from Citi's proprietary CAT platform to CAT2 and the transition to the Integrated Network Control management system, among other major projects.