ATM hackers steal $10m across 28 countries in audacious bank heist
Lu Zurawski, Practice Lead Retail Banking, ACI Worldwide
ATMs rely on operating systems just like domestic computers, so it is common for ATMs to use versions of Windows or Linux. And just like with home PCs, owners need to keep their systems up to date with the latest releases of security software patches. Without such defences, enterprising criminals may be able to discover vulnerabilities in the operating system. They may be able to plant viruses, malware or modified programs which allow them to alter the computer’s program. For domestic users, this leads to distress when digital accounts and passwords become compromised. For ATM owners, this leads to fraudsters robbing a bank.
Most recently, a large volume of operators upgraded their software when Microsoft finally stopped supporting the Windows XP operating system in 2016. This usually led to an upgrade to Windows 7, which itself will become obsolete in 2020 – so ATM owners are facing yet another investment decision today.
But there are also operators (particularly those using older machines) that have continued to use older software based on alternative risk assessments which assume that hackers cannot access the ATM computer unless they are bank employees with access to the back of the machine, and that all such activities are carefully observed and monitored. Their logic is that the cost of upgrading old machine hardware as well as funding the new operating system licence fees is not quite justifiable.
This kind of thinking sounds somewhat cavalier, so it is no surprise that news stories emerge frequently about ATM gangs being able to infiltrate bank staff, then setting up malware which causes ATMs to dispense cash at their command – a technique known as “touchless jackpotting”. Bank systems may indeed be able to monitor irregularities and react by shutting down ATMs and involving law enforcement agencies at known trouble spots. But gangs are pretty savvy and nippy – their “cash mules” could remove tens of thousands of pounds before any police turnup.
With Windows 7 support ceasing in 2020, operators may look again at lower cost, open source operating system alternatives like Linux. Some of world’s largest ATM operators like Banco do Brasil with an estimated 40,000 ATMs have already made the switch. But the most common response will be a migration to Windows 10. As well as maintaining the latest security defences, perhaps this upgrade cycle may also lead to a consideration of new touch screen capabilities, interactive video and modern digital services that look beyond just cash dispensing.
Barrie Dempster, Head of Cybersecurity Consulting, BlackBerry:
With increasing security measures in place, it’s becoming more and more difficult to hack cards, so criminals are aiming for machines. ATMs in particular can be vulnerable to attacks – partially because they offer an immediate pay-out. Many are at the end of slow dial-up links so require manual updates with an often quite slow connection depending on region, and a lot of suppliers may not necessarily have the bandwidth to ensure an engineer is manually travelling to each machine to update them.
Currently, a number of ATMs are still running on Windows XP, an unsupported operating system, leaving them open to a huge amount of risk as this software is no longer being patched. It’s guaranteed to be vulnerable.
While ATMs can be hacked remotely through software, ATMs are particularly susceptible to attacks from physical access to the machine because they can be fairly easy to break into – many typically have a padlock or other physical lock to the running computer system at the back. In fact, the smaller machines in-store are more vulnerable than the ones in walls as they’re a freestanding machine so you have more access points.
We see a lot of stories in the news about the security issues of a number of devices, and it’s the same for ATMs – the security should be considered from the groundwork and should be robust on installation, both for software and physical. Even when suppliers update software to Windows 10 or any other up-to-date software provider, they should be treated like any other high-profile device and it should be a priority to have engineers regularly do due diligence and patch or update where necessary.
- TerraPay joins forces with Diamond Trust Bank Uganda, to simplify global money transfers in Uganda Read more
- Security Bank drives digital transformation of wealth management business with Avaloq Read more
- Prove Identity Partners with TargetData to Continue Expansion into Brazil Read more
- Satago Joins the NayaOne Marketplace Read more
- Hummingbird Launches Automations Product To Take On Time-Consuming Compliance Tasks Read more