“You just have to run faster than the other guy running from the bear,” as the saying goes. It’s possibly not the most sympathetic way to look at ATM security, but it is realistic, pragmatic and smart.
“You don’t have to run faster than the bear. You just have to run faster than the other guy running from the bear.”
It’s possibly not the most empathetic way to look at ATM industry security, but it is certainly realistic, pragmatic and smart. Because try as they might, ATM deployers will never outrun the bear — the bear in this case being criminals looking for easy money.
In the interests of enterprise preservation, the most pragmatic path for a financial institution or retail deployer to take is to identify threats to the ATM fleet and then anticipate them with technologies that prove enough of a deterrent to persuade criminals to look for an easier target elsewhere.
This was the premise of a morning workshop on day one of the ATMIA US 2019 conference, “Protecting your ATMs from criminal attacks: What you need to know.”
The workshop was moderated by Tom Moore, executive vice president and managing director for the Americas at TMD Security, with panelists including William Arnold, ATM operations manager at IberiaBank; Josh Hammond, senior security consultant at IOActive; and Michael Kearn, vice president and managing business information security officer at U.S. Bank.
Moore opened the workshop with an overview of the various types and modes of attack seen around the world.
The most prevalent and persistent threat continues to be ATM skimming. According to Moore, virtually all skimming methods originated in Europe and emigrated from there.
Shimming, which uses a device inserted into the card reader to gather information directly from the chip on an EMV smartcard, has been seen across Europe, and in some South American markets, but has yet to be successfully deployed in the U.S. — though a major U.S. bank recently found evidence of unsuccessful shimming attempts on six of its ATMs.
Physical attacks on ATMs are an ongoing problem — and an increasingly dangerous one, as criminals resort to explosive attacks. In Europe, these attacks have increased from 188 in 2005 to 1081 in 2017, Moore said.
He said these attacks are actually becoming more dangerous as banks push ATM manufacturers to introduce stronger safes that require stronger explosives to crack.
Banks in the Netherlands have closed some ATMs due to the risk to human life posed by explosive attacks.
Logical attacks, including jackpotting, malware and blackbox attacks, have become a major threat, as well. “We’ve been having great discussions as an industry about prevention of these attacks.”
For many ATM deployers who have EMV-enabled ATMs, the fear of jackpotting has replaced the fear of counterfeit fraud.
Unlike a cash-out attack that targets the bank or processor, a jackpotting attack targets the ATM terminal itself, both physically and logically. The criminal installs malware or a new hard drive and then manipulates commands to the dispenser, causing it to dispense cash until it is empty.
Arnold said that in late January, an IberiaBank ATM in Baton Rouge, Louisiana, experienced this type of attack, though fortunately it was not successful.
To prevent this type of attack, it’s important to secure all physical entry points of the ATM, starting with changing the top box lock.
Additionally, Arnold advised, “Make sure you stay up to date with all of your patches, your [cash] dispenser upgrades, whatever needs to be done. And stay in close touch with your manufacturer. We use managed services, so they’re constantly pushing upgrades to our ATMs for us. But if you don’t have someone doing it for you, make sure you’re getting them done.”
Arnold said it’s also important to monitor more vulnerable ATMs closely. He said that one good indication that an ATM is being prepped for a jackpotting attack is if it goes offline while the remainder of the network remains in operation.
This could mean that an attacker is in the process of uploading malware that will later be used to trigger the cash dispenser.
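The indicator Arnold describes, one terminal dropping offline while the rest of the fleet stays up, can be checked mechanically against terminal status events. The following is an added example, not code from the workshop or any vendor; the event format, terminal IDs and thresholds are assumptions, and the sample events are constructed.

```python
# Constructed sample status events: (minute, terminal_id, state). Not real data.
EVENTS = [
    (0, "ATM-01", "online"), (0, "ATM-02", "online"),
    (0, "ATM-03", "online"), (0, "ATM-04", "online"),
    (5, "ATM-03", "offline"), (9, "ATM-03", "online"),   # short blip
    (20, "ATM-02", "offline"),                           # drops alone, stays down
    (40, "ATM-01", "offline"), (40, "ATM-03", "offline"),
    (40, "ATM-04", "offline"),                           # fleet-wide network outage
    (55, "ATM-01", "online"), (55, "ATM-03", "online"), (55, "ATM-04", "online"),
]

def state_at(events, t):
    """Last reported state of every terminal at minute t."""
    state = {}
    for minute, term, st in sorted(events):
        if minute <= t:
            state[term] = st
    return state

def outages(events, now):
    """Return (terminal, start, end) for each offline period; open ones end at `now`."""
    start, found = {}, []
    for minute, term, st in sorted(events):
        if st == "offline":
            start.setdefault(term, minute)
        elif term in start:
            found.append((term, start.pop(term), minute))
    found += [(term, begin, now) for term, begin in start.items()]
    return found

def peers_online(events, term, t):
    """Fraction of the other terminals reporting online at minute t."""
    peers = [s for name, s in state_at(events, t).items() if name != term]
    return sum(s == "online" for s in peers) / len(peers) if peers else 0.0

def isolated_outages(events, now, min_minutes=10, peer_ratio=0.75):
    """Flag outages of at least min_minutes during which the rest of the fleet
    stayed online, so network-wide failures are not reported as suspicious."""
    alerts = []
    for term, begin, end in outages(events, now):
        if end - begin < min_minutes:
            continue
        window = range(begin, begin + min_minutes + 1)
        if min(peers_online(events, term, t) for t in window) >= peer_ratio:
            alerts.append((term, begin, end - begin))
    return sorted(alerts)

if __name__ == "__main__":
    for term, since, minutes in isolated_outages(EVENTS, now=60):
        print(f"{term}: offline since minute {since} ({minutes} min), fleet otherwise up")
```

An alert from a check like this is a prompt for a site visit or camera review, not proof of tampering; a pulled network cable and a failed modem look the same in these events.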
Arnold said that ATM cash-out schemes using cloned cards remain a threat, as well.
In fact, Arnold said that while sitting on stage waiting to give his presentation, he received an email from a branch in Tennessee saying that one of their ATMs appeared to have Vaseline smeared on the lens and video footage showed an individual with a stack of cards that he was inserting one by one at the ATM.
IberiaBank will be free of liability for any cash lost, though, Arnold said.
“My ATMs are EMV so that’s going to be on the card processor or card issuer, not on me, because they allowed the fallback.”
Hammond gave the audience a glimpse of “the art of the possible” from the attacker’s point of view.
Hammond looked at attack vectors aimed at the upper and lower cabinet of the ATM individually.
Issues under the top hat include:
Issues involving the lower cabinet include:
“In terms of the upper cabinet we see a lot of vulnerable network services, especially when it comes to custom solutions,” Hammond said. “We’ve seen things like the update mechanism that didn’t have strong authentication systems in place.”
Being able to open up the upper cabinet and reach the PC core can be “a huge leg up,” Hammond said. “Once I’m attacking a traditional PC, I’ve got a whole large tool set at my disposal.”
This can include PC functions that aren’t even used on a day-to-day basis for ATM functionality.
“There’s a lot of footprint there that’s overlooked because it’s not external facing, it’s not as obvious that it’s there,” he said.
Looking at physical security in the lower cabinet, Hammond said that he’d seen things like small holes drilled in the cabinet — not by the attacker, but by the manufacturer to accommodate cabling. In one instance, this allowed an attacker to access the dispenser, reboot it and gain control during initialization.
Anomalies in proprietary firmware — such as optional authentication — can also present opportunities for criminal access, as can devices like electronic locks.
“There’s exposure there as a lot of these have data signals going through the safe from the outside where you’re able to put in a PIN or turn a dial to the inside where the controller is actually existing,” he said. “That ends up being an attack surface as well, and there’s the opportunity to bypass the locking systems.”
Hammond said that the difficult part of defending vulnerabilities is that “Once you protect one way, the attackers are going to find the next way. The attackers generally look for the easiest option, so it’s about being aware of security and about trying to stay on top of your security and kind of staying ahead of the game.”
Coming from a background as a white hat hacker, Mike Kearn’s job is “to stay at least five steps ahead of the adversary who wants to rob us blind. … From an adversarial perspective, the threatscape itself continues to expand and the cadence and frequency of the adversary continues to escalate.”
The heart of Kearn’s message was that ATM operators in the U.S. need to be better prepared when the next attack method from Europe or elsewhere makes its way across our borders. He aggregates and combs through information about these attacks daily.
For instance, he said black box attacks had been around for several years before the first incidents occurred in the U.S. Nevertheless, when they did show up here, some law enforcement officials thought they were just another type of skimming attack. It wasn’t until several months later that it became clear that black box attacks had finally washed up on our shores.
“It’s a very fluid type of situation. It’s not something that’s going to become stagnant or that we can just kind of sit back, take a deep breath, sit back and say [sigh] ‘Alright, we’re done now.’ It doesn’t work that way. I fully expect this to get a heck of a lot worse before it gets better.”
Ultimately, Kearn said, ATM security is a team sport in which all of the players have to come together, bring their expertise to the table, share information and talk about the real issues and what a solution that makes sense will look like.
And, though it might seem counterintuitive, immediate action is not always the best course when confronted with a security problem, Kearn said.
It’s important first to understand the problem fully and then to figure out how to take that option away from the adversary at the point of attack — and to determine whether the action justifies the expense. Spending $1 million to address a $100,000 risk doesn’t make sense. Spending $1 million to prevent a $5 million loss does.
Again, understand the real nature of the threat and you’ll know better how to manage the risk.
“Sometimes the best response you have is patience,” he said. “You can choose not to act. Perhaps now is not the right time. Now maybe you need to do more homework. You need to figure out some more things for your business. That’s OK. You can do as much harm to yourself by having a knee-jerk reaction and not thinking things through.”