High-profile ATM attacks in Thailand and Taiwan have shone a spotlight on an array of security cracks.
When Thailand's Government Savings Bank suffered from a malware attack that enabled a cyber gang to steal millions of Baht from its ATMs in August, the bank was forced to deactivate more than 3,300 of its ATMs nationwide to prevent further unauthorised cash-outs. Analysts note that this incident, along with a sophisticated ATM attack in Taiwan, suggest gaping vulnerabilities of these cash machines and the need for banks to bolster security protocols to deter attacks.
"Two recent ATM attacks one in Bangkok and one in Taiwan are the most outrageous,” says Naveen Bhat, managing director at Ixia Asia Pacific.
“Both these attacks were similar, where the attackers believed to be East European, introduced malware into the ATM via cards. Several million dollars have been reported stolen, and the theft was detected as ATM became slower and money was missing," he adds.
Bhat says there are three ways to attack ATMs. First is by skimming and recording devices which are external to the ATM, second is by infecting the internals of an ATM via malware introduced through chips and cards, and third is by attacking the back end network that the ATM is connected to.
The first method of skimming devices is the easiest to pull off, provided that the attackers obtain physical access to the ATM. Still, a combination of the second and the third enabled the recent Bangkok incident, so there is concern that ATM attacks are becoming cleverer.
“Without physical access, attackers need to find a way to break into the network which are usually protected by VPN (Virtual Private Networks). Breaking into a private VPN is an intensive and complicated,” explains Bhat.
“However, as attackers get more sophisticated, breaking into the secure network will become more common.”
If banks want to thwart future attacks, they will have to address four major security problems associated with ATMs, says Ryan Flores, senior manager, Future Threat Research TrendLabs at Trend Micro Asia Pacific.
The first problem is that many ATMs run on older operating systems that could be vulnerable to security threats. Flores says that ATM manufacturers shipped most of their machines with Windows in the previous decade, but Microsoft was no longer releasing security patches for Windows XP as of 2014.
Security experts warned that at least 95% of banks ran the risk of being infected by OS-specific malware due to XP’s dominance in the ATM market. On the slightly brighter side, Microsoft worked with banks from 2007 on preparation for XP’s end of life,” says Flores.
A second related problem is the outdated infrastructure of ATMs in Asia. Flores says even if PCs and mobile devices have shed legacy ports, many ATM designs have not kept up with the times, sporting optical disc drives and older USB connections, both of which can help facilitate rogue network access by cybercriminals.
A third concern for ATMs is their network vulnerabilitystemming from poor standards in, if not a complete lack of, encryption security. Once attackers bypass the initial safeguards, there is little else that will hamper their theft.
“ATM network is a close-loop system; accordingly, encryption is often not implemented, leaving gaps for cybercriminals to steal data and, in lieu of an encrypted hard drive, boot the system using a Linux distribution to gain full access,” says Flores.
The fourth and final issue with ATMs is that many have been built for multiple vendors, which makes their security easier to crack.
“Cybercriminals don’t have to be an ATM expert or have inside knowledge to generate or code malware for ATMs,” says Flores.
“Standardisation benefits hackers,” concurs Joerg Reuter, software engagement manager at Diebold Nixdorf.
“To allow for easier interoperability and to reduce costs, the ATM industry has either created new or adopting existing standards to a large extent. These standards are publicly documented, making it easier to take advantage of them.”
As if the multitude of attack vulnerabilities inherent to ATMs were not enough, cybercriminals are becoming even more cunning.
Reuter cites as an example the recent malware or Jackpotting attack in Taiwan, which he considers a harbinger of complex attacks that banks and ATMs will face in the future.
Attackers in the Taiwan incident hacked into the banking network with the use of an internet-facing server system without any direct relationship to the self-service network as their entry point. Once the network was infiltrated, the attackers moved laterally until they were able to take over a file distribution server of the bank’s ATMs, which in turn was used to establish remote control of the ATMs. The final step to actually steal the cash in the ATMs was for an accomplice to visit an ATM and give the green light via a mobile phone, triggering a remote initiation of an unauthorized dispensation.
“Sophisticated as it was, the Taiwan hacking attack could be stopped in various stages,” says Reuter. “With a stricter network security regime, by requiring additional authentication for the file distribution system, by preventing remote control of the ATM on network level, and finally by ‘hardening’ the ATM against unsolicited software dispensing cash.”
He reckons that there is reason to believe that more criminal groups will attempt similar attacks as the one in Taiwan in the future, which puts a lot of pressure on banks to refresh and shore up their ATM defenses.
“With the ever-evolving attack landscape and the long lifespan of a typical ATM, it is not sufficient however to deploy security measures once and forget about the topic thereafter. Security is a process, and regular reviews and adjustments of the countermeasures are paramount,” says Reuter.
Holistic and proactive approach
With so many physical and cyber touch points through which attackers can gain illegal access to ATMs, banks need to adopt a holistic and proactive approach to security, according to experts.
“Protecting ATMs requires a holistic security approach that addresses both the physical security and cyber security aspects of the network,” says Foo Siang-tse, managing director at Quann.
When it comes to physical security, a key measure is proactive monitoring. ATM CCTVs need to be well maintained and monitored in real-time, if possible. Every ATM alarm activation also has to be taken seriously, a vulnerability which was abused recently when attackers triggered the alarm repeatedly so that when a real attack did take place, the alarm would be ignored.
As for cyber security, Foo says it advisable that banks utilise the latest models of ATMs which boast of modular compartments that try to mitigate the vulnerabilities of multiple touch points. Each modular compartment is accessible by different parties only for the purpose of their job functions, so that a technician should not be able to access the cash and card compartments.
Banks should also become more aggressive in preventing attacks that could ruin their reputation and disrupt business operations, because it is always more difficult to play catch up once a breach occurs.
Alexey Osipov, lead penetration testing expert, Kaspersky Lab suggests forcing vendors to fix vulnerabilities in ATM software and hardware components, reviewing the XFS standard for security, implementing mutual authentication for “trusted dispenses,” and strengthening cryptography and integrity control over the data transmitted between the ATM hardware units and its computer.
“Keep in mind that proactive analyses of security issues is better, and often much cheaper, than forensics,” says Osipov, further recommending banks to conduct regular ATM security assessment and penetration testing to understand their vulnerabilities and improve security systems. “Security is not a once-a-year-audit but a permanent process,” he says.
In photo (from left to right): Foo Siang-tse, Joerg Reuter, Ryan Flores, Naveen Bhat
If you want to pitch a topic and know someone who can provide us with insights for our Vendor View section, email Roxanne Uy at firstname.lastname@example.org
Do you know more about this story? Contact us anonymously through this link.