The good news is that the grab-and-go method of ATM fraud is on the decline. The bad news is that criminals are using sophisticated cyber techniques to steal customer data and money.
Automated teller machines in their modern form have been around for almost 50 years. And, given that ATMs represent an apparently unattended box packed with cash, criminals have been keen on them for all that time. But attacks on cash machines - to steal not only money but customer data too - have been increasing significantly in recent years. How can they be stopped?
After harvesting data from the card monitoring service that it provides for financial institutions, US-based credit scoring and analytics firm FICO has found that in January-April 2015, attacks on debit cards used by people at ATM machines reached the highest level for that period for at least 20 years.
The most prevalent kind of attack on ATM devices, in the US at least, involves ‘skimming’. In this practice, criminals develop physical readers designed to skim information from cards as they are entered into devices. The target of the skim is the card’s magnetic stripe (the ‘magstripe’).
Even in the UK, where the more secure ‘chip and PIN’ is now the standard for card transactions, magstripe capabilities are still found on cards and terminals and used for transactions in countries without chip and PIN, and as a backup should a card’s chip fail.
First created by IBM engineers in 1969, the magnetic stripe encodes information on a credit or debit card. Under the ISO/IEC 7813 standard, the information is written to the card on three separate tracks, although the first two are the most significant, containing information including a holder’s name, account number, expiration date, and encrypted PIN (personal identification number).
Once appropriated, this data can be used by attackers to create new cards by simply writing the information to new cards with blank magnetic stripes. The cards can be purchased in bulk at a low price, and the magstripe writing equipment can be created using off-the-shelf components.
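To make the track layout described above concrete from a defender’s side, here is an added example (not code from the article or from any vendor named in it) that parses the ISO/IEC 7813 track 1 and track 2 fields, Luhn-checks the account number, reads the service code to tell whether the card carries a chip, and redacts any track data found in a log line. The regular expressions, the sample card record and the log line are constructed for this illustration; the card number is the well-known test PAN, not a real account.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field layout per ISO/IEC 7813 (track 1 format B, track 2). The regexes are this
# example's own; they cover the common shape, not every permitted variant.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

# Constructed sample: a reader log line that accidentally captured raw track 1 data.
LOG_LINE = "2015-04-01 10:02:11 reader=slot0 raw=%B4111111111111111^DOE/JOHN^2512201000000000?"


@dataclass
class TrackRecord:
    track: int
    pan: str                 # primary account number
    name: Optional[str]      # only present on track 1, as SURNAME/FIRST
    expiry: str              # YYMM exactly as written on the stripe
    service_code: str        # three digits; first digit 2 or 6 means a chip is present

    def chip_card(self) -> bool:
        """True if the issuer flagged the card as carrying an IC (EMV) chip."""
        return self.service_code[0] in ("2", "6")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check digit validation over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer prefix) and last four digits, mask the rest."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> Optional[TrackRecord]:
    """Return the parsed record for the first track 1 or track 2 string found, else None."""
    m = TRACK1_RE.search(raw)
    if m:
        return TrackRecord(1, m["pan"], m["name"], m["exp"], m["svc"])
    m = TRACK2_RE.search(raw)
    if m:
        return TrackRecord(2, m["pan"], None, m["exp"], m["svc"])
    return None


def redact_track_data(text: str) -> str:
    """Replace embedded track data with a marker so logs never retain full magstripe contents."""
    def _sub(m: "re.Match[str]") -> str:
        return f"[TRACK-DATA-REDACTED pan={mask_pan(m['pan'])}]"
    text = TRACK1_RE.sub(_sub, text)
    return TRACK2_RE.sub(_sub, text)


if __name__ == "__main__":
    rec = parse_track(LOG_LINE)
    print(rec, "luhn ok:", luhn_valid(rec.pan), "chip:", rec.chip_card())
    print(redact_track_data(LOG_LINE))
```

The redaction step is the useful part operationally: the same pattern match that tells you what a skimmer would have harvested also lets you check that your own ATM or reader logs are not quietly storing full track data.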
Skimmers are typically placed over the card slots on ATM devices, and will often be manufactured to mimic the specific manufacturer’s ATM model. The skimmer reads each card’s magstripe as it passes through and stores the data internally, so that the attacker can retrieve it later.
“Devices have become a lot smaller and harder to detect,” says David Tente, executive director for the US and Latin American arm of the ATM Industry Association (ATMIA). “Some of the crime rings will pick a style of ATM from a major manufacturer where they know there are a lot installed, and they will have a skimmer manufactured that looks a lot like the outside of that ATM.”
Because magstripe cards have an associated PIN, the skimmer must also read this as it is entered. Approaches for PIN reading have included the use of tiny cameras pointed at the ATM’s keypad and time-synchronised with the card reader so that the attacker can match a visual record of the PIN entry with the card’s captured magstripe data. Other approaches simply overlay a fake PIN pad atop the ATM’s real one to accurately gather PIN data.
There are various approaches to mitigate skimming. One involves the jamming of magstripe skimmers with an electromagnetic signal, says Tente, effectively drowning out the data that they’re reading from the magstripe with a confounding signal. However, this has led to a response from the criminals: ‘stereo skimming’, in which a skimmer identifies the frequency of both the jammer and the information signal from the card skimming hardware, and subtracts one from the other to filter out the noise.
Another technology is EMV, the standard created by EuroPay, Mastercard and Visa that uses a chip to hold the credentials on credit and debit cards. EMV embeds a secret in a chip embedded on the card, which can be read by a supporting terminal. The terminal, in conjunction with the issuer, can authenticate the customer using a variety of models with different levels of risk.
The ‘chip and PIN’ variant of EMV is already used extensively in many parts of the world outside the US, but US banks and retailers are only just beginning to implement it. Many retailers there are using a lower-security variant called chip and signature, which relies on a signature check by a retail clerk rather than PIN entry.
Many ATMs already use chip and PIN entry, but many don’t. ATMs in bars and other establishments with lower security still rely on magstripe authentication, and can be particularly susceptible. The FICO survey showed that whereas debit card compromises at bank-based ATMs increased 174 per cent between January and April 2015, compromises at machines not located on bank premises jumped 317 per cent.
Over the next two years, liability will shift from the card issuer to the ATM owner if they do not also install chip readers, which could see a reduction in the number of ATMs located outside of bank premises.
The cat-and-mouse game between ATM vendors and attackers continues. But the battleground may also be shifting to inside the ATM, as criminals install custom malware designed to read the cards directly on the ATM itself. One example of such a malware attack is Suceful. Said by researchers at FireEye to have been created in August 2015, Suceful targets Diebold and NCR ATM machines. The malware retains a cardholder’s debit card and can read the debit card’s magnetic stripe.
Why are ATM machines susceptible to malware? The operating systems installed on the devices are often out of date, say experts. The ATM Industry Association found that just 38 per cent of the 425,000 ATMs in the US had migrated off Windows XP by the time Microsoft ended support for the operating system in April 2014.
Dmitry Bestuzhev, head of the global research and analysis team for Latin America at Kaspersky Lab, says that slow patch cycles can create valuable windows of opportunity for attackers.
“The attackers know that they have enough time to keep playing around with XP and to work on finding vulnerabilities and then make exploits for those vulnerabilities with no chance of Microsoft fixing it,” he says. “This is a sure thing for an attacker to get a clear infection vector, bypassing all internal Windows security mechanisms and in most cases, anti-virus protection that runs on Windows’ native architecture.”
The problem with out-of-date operating systems isn’t as dire as it seems, though, according to Tim Erlin, director of security and product management at security firm Tripwire. Many ATMs use specialised, embedded versions of the operating system that are still supported.
“There are a large number of ATMs that run supported versions of embedded Windows, and in those cases, Microsoft provides updates,” he says. The problem then lies with the fact that patch cycles for ATMs are often slow. “The owners have to install those updates,” he explains.
A mixture of low bandwidth and limited resources for testing software updates can slow down ATM software patches, warns Erlin. Some experts suggest that the attacks don’t focus on Windows itself, but on other critical software components.
“It is a very significant task for ATM deployers to migrate the core operating system running on their ATMs and it does take time to make sure new vulnerabilities are not introduced so I expect XP will be around for some time,” says Douglas Russell, director of risk management at ATM and self-service terminal security consulting firm DFR Risk Management. “Although this might sound risky, I can’t think of any ATM attacks that I have investigated that exploited XP specifically.”
Daniel Regalado, senior staff malware researcher at security company FireEye, believes that the important target when gaining control of an ATM isn’t necessarily the operating system, but rather a piece of software running in many of them, known as the extensions for financial services (XFS) software layer. Created by the European Committee for Standardization (CEN), this is a piece of middleware designed to handle requests between the software running on the ATM and peripheral hardware such as cash dispensers. It is therefore a crucial piece of the puzzle for malware writers.
“You can have system privilege (the most powerful) in the Windows OS, but that access won’t allow you to control the ATM,” he mused. “Still, you need to know how to control the XFS middleware.”
Different ATM vendors have their own implementation of the XFS middleware, but they are all based on a standard originally developed by Microsoft, called the Windows Open Services Architecture Extensions for Financial Services (WOSA XFS). Because the interface is shared, a single piece of malware written against it can target ATMs from multiple vendors at once.
Suceful accessed XFS in its attack, and so did GreenDispenser, a piece of malware that focuses on stealing money. Once installed on an ATM, it displays an out-of-service message on the ATM, but dispenses cash from the machine upon entry of the correct PIN code.
When the criminal enters a static PIN code, GreenDispenser then displays a QR code on the ATM’s screen. The malefactor scans this using a related mobile phone app, which then displays a second PIN to be input by the user. It then provides an option to dispense money, or to ‘deep delete’ itself, wiping all traces of the malware from the hard-drive to avoid forensic detection.
How malware is installed
Malware can be installed on ATM kiosks in one of two ways: via direct physical access to the machine, or via the bank’s network.
“Most malware is introduced by gaining physical access to the PC within the ATM top box or cabinet and exploiting the ability to boot (or auto-run) from CD or USB,” says DFR’s Russell. Consequently, banks are now enhancing physical security, upgrading locks and installing alarm systems.
“Disabling the ability to boot (or auto-run) from CD and USB and initiating a robust BIOS password regime is crucial to preventing most of the attacks currently understood,” Russell says. “Other layers of security include anti-malware solutions such as whitelisting and applying a strong cryptographic relationship between the cash dispenser and the genuine ATM’s PC core.”
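Regalado’s point above (system privilege on Windows is not enough; the attacker still has to drive the middleware that talks to the cash dispenser) and Russell’s recommendation of “a strong cryptographic relationship between the cash dispenser and the genuine ATM’s PC core” describe the same control from two sides. The following added example (not code from the article, from XFS, or from any ATM vendor) models that relationship in miniature: the dispenser shares a secret key with its paired PC core and honours a dispense command only if it carries a valid HMAC over a strictly increasing counter and the amount. The `PairedCore` and `AuthenticatedDispenser` classes, the command format and the key are all constructed for this illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in a real deployment this would be provisioned into the
# dispenser's secure element during pairing and never be readable from the PC core's disk.
DEMO_KEY = b"constructed-demo-pairing-key"


def _command_mac(key: bytes, counter: int, amount: int) -> bytes:
    """HMAC-SHA256 over a fixed-width encoding of (counter, amount)."""
    return hmac.new(key, struct.pack(">QI", counter, amount), hashlib.sha256).digest()


class PairedCore:
    """The genuine PC core: the only party that knows the pairing key."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._counter = 0

    def dispense_command(self, amount: int) -> dict:
        self._counter += 1  # monotonic counter gives every command a fresh identity
        mac = _command_mac(self._key, self._counter, amount)
        return {"counter": self._counter, "amount": amount, "mac": mac.hex()}


class AuthenticatedDispenser:
    """Toy cash dispenser that verifies MAC first, then rejects replays."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_counter = 0
        self.dispensed = 0

    def execute(self, command: dict) -> str:
        counter, amount = command["counter"], command["amount"]
        expected = _command_mac(self._key, counter, amount)
        # Constant-time compare; checked before anything else so a forger learns nothing.
        if not hmac.compare_digest(bytes.fromhex(command["mac"]), expected):
            return "rejected: bad MAC"
        if counter <= self._last_counter:
            return "rejected: replay"
        self._last_counter = counter
        self.dispensed += amount
        return f"dispensed {amount}"


def run_scenarios() -> dict:
    """Exercise the four cases a reviewer would want to see; returns the outcome of each."""
    core = PairedCore(DEMO_KEY)
    dispenser = AuthenticatedDispenser(DEMO_KEY)
    legit = core.dispense_command(100)
    results = {"legit": dispenser.execute(legit)}
    # 1. Malware replays a captured, previously valid command.
    results["replay"] = dispenser.execute(legit)
    # 2. Malware edits the amount in a captured command but cannot recompute the MAC.
    results["tampered"] = dispenser.execute(dict(legit, amount=10_000))
    # 3. Malware with full OS privilege forges commands without the pairing key.
    rogue = PairedCore(b"guessed-wrong-key")
    results["forged"] = dispenser.execute(rogue.dispense_command(500))
    results["total_dispensed"] = dispenser.dispensed
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The ordering inside `execute` matters: verifying the MAC before the counter means a replayed or forged message is refused for the right reason and the dispenser’s counter state is never advanced by unauthenticated input. The residual risk this toy does not cover is key extraction from the PC core itself, which is why the page’s other recommendations (no boot from removable media, BIOS password, whitelisting) still matter.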
There are other forms of physical defence in the works, too. Swiss researchers have been inspired by the bombardier beetle, which sprays its attacker with a corrosive substance that it makes when under stress.
Scientists at the ETH Department of Chemistry and Applied Biosciences in Zurich copied the idea, creating a honeycomb-like film containing hydrogen peroxide and manganese dioxide that mix when the film ruptures under a sharp force. The resulting explosion of water vapour, oxygen and heat, at a temperature of up to 80°C, should be enough to discourage those tampering with cash machines.
The technique can also be used as part of a component to ward off gas or explosive attacks on ATMs when combined with ink used to spray banknotes. A DNA component can be blended into the ink and used to track the notes.
Some vendors are moving the core logic out of the physical machine altogether. NCR has developed Kalpana, an ATM platform running on the cloud that connects to slimmed-down kiosks based on the Android operating system, with little front-side logic. With the computing handled at the back end, there are fewer attack points at the ATM level, NCR executives say. It also lowers the cost of deployment and ensures that all ATMs are controlled using the same code.
Kalpana and its Android client, the Cx110, are also equipped to handle what some experts believe is the next step in ATM technology: contactless transactions. These can be made to work with a variety of methods. One involves near-field communications, in which a phone is tapped against a reader.
Another solution from Diebold, being tested by Citigroup in its New York-based innovation lab, is codenamed ‘Irving’ and uses iris-scanning technology in conjunction with a mobile phone screen, eliminating the ATM’s screen and PIN pad altogether. Florida-based FIS has piloted a ‘cardless cash’ system that scans a QR code displayed on the customer’s smartphone.
One challenge for these solutions is cost, warns ATMIA’s Tente, adding that usability is also a factor. “You still have to put a PIN in,” he points out; it’s simply entered on the mobile phone rather than on the ATM. “It’s one thing just tapping your phone on a transit terminal to get through the gate, but with an ATM you still have to unlock your phone and get it over to the ATM and put in your PIN. So you don’t save much in effort.”
Even in biometric systems, where PIN entry could potentially be eliminated altogether, there is another challenge: standardisation. There is no interoperability between these devices, which will stymie development, Tente warns.
The technology to help avoid ATM fraud is available, but ATM operators must make a decision about whether to implement it. This involves weighing up the risk of compromise against the cost of upgrading the terminal. When an operator fails to embrace new technologies, the customer could be the one who ends up paying.