ATMs Are a Cyber Risk


Cyber risks are always changing and evolving thanks to criminals who keep getting savvier. Business email compromise, phishing, card compromise, synthetic identities, and ransomware are all in the news daily and high on the cyber concerns list. We might not think of ATMs, those large iron boxes full of cash, as cybersecurity risks; however, ATM risks have quickly reemerged as a legitimate cyber threat. So legitimate, in fact, that the FBI and the Secret Service have issued warnings regarding a global cash-out scheme. Documented cash-out schemes have resulted in millions of dollars in losses for single institutions.

What would you do if a large amount of ATM cash came up missing?

Spotting the Threats

Criminals have figured out a much easier alternative to physically attacking an ATM: they can now rob your ATM using a computer. They hack the computer used to control the ATM, walk by, retrieve the cash, and then erase all traces of the compromise. These attacks can be difficult to detect because most ATMs have web-based interfaces and the criminals use malware, so the scheme can be executed either locally or remotely. ATM attacks have been, and are expected to continue to be, highly successful. The more common schemes include:

  • Jackpotting – the ATM is physically or logically attacked; no customer information is needed.
  • Unlimited operations – the ATM network and cloned cards (including gift and chip cards) are attacked; a card number and PIN are required.
  • Skimming – devices attached to the ATM capture cardholder data.

Often, when executing these schemes, the criminal has control of the ATM operating system, allowing them to alter account balances, turn off security and tampering notifications, and change cap amounts, enabling the withdrawal of large sums of cash. Any security obstacles the ATM has enabled can easily be overridden. To further evade security settings, attacks are often carried out on a weekend or holiday, a time when IT administrators may not be closely monitoring alerts.

Perhaps most frightening is that an attacker does not have to be sophisticated to carry out a scheme. Malware needed to perform these attacks is sold on the dark web and requires very little expertise to install, comes with step-by-step instructions, and includes an app to determine the current level of cash in cash cassettes.

Bucking the ‘Small Institution’ Theory

I am often told that cybercrimes are low on the priority totem pole because the institution is “small” and in a remote location, so criminals have no desire to target it. The fact of the matter is, the criminals are after EVERY institution. Both small and medium-sized businesses continue to see an increase in attack frequency and sophistication. These businesses may lack the funding, expertise, executive support, and understanding of cybercrime, and thus do not increase security measures and budgets enough to fully protect themselves. The FBI warns that historic compromises have included small- to medium-sized financial institutions, likely due to less robust implementation of cybersecurity controls, smaller budgets, or third-party vendor vulnerabilities.

The risk is real, and believing in this “small institution theory” could put you at even greater risk. It is important that the Board of Directors and key management understand that a cybercrime does not have to be a large takeover, such as ransomware or worming. Less noticeable attacks, such as installing cryptominers, abuse of Microsoft Office programs, or use of your systems in a distributed denial of service (DDoS) attack, are just as serious and can be equally damaging. The time to protect yourself is now.

Protecting Your ATMs

  • Identify and Organize: Like all other risks, the bank should identify and quantify the level of risk associated with ATM cybercrimes by completing a written, on-going risk assessment. Considerations that may be on the assessment include: web-based interfaces, third-party risk, jackpotting, skimming, unlimited operations and physical security. A data flow diagram should also be in place so there is a clear understanding of how ATMs are connected to the network, segregated, and protected.
  • Protect and Detect: Upon identification of risks, a plan to mitigate and protect against those risks must be implemented. The plan could include: control of physical access, isolation from the main network, encryption, written policies and procedures, robust password management, real-time patch management, prevention of the autorun feature and external device use, limiting administrator user access and implementation of application whitelisting.
    • Quick detection of a compromise should be at the forefront of ‘protect and detect’. Detection techniques should include: an understanding of your system so any deviation can quickly be investigated, monitoring (real-time) of system hardware and software, and security alerts, including alerts for unexpected opening of the top hat compartment and use of a USB or other external device.
  • Educate, Train and Test: Humans are always the first line of defense in any attack, so it is vital to educate all employees, management and the Board of Directors about the constantly evolving cyber risks. The resources to stay current on new threats are widely available. It is critical that the evolution of threats be continuously communicated.
    • Annual training is the norm for cyber risks; however, more frequent training is becoming the recommendation. Traditional forms of training and testing, such as policy review and tabletop discussion, should remain on the training line-up, but more advanced, cyber-focused methods, such as social engineering and internal control assessments, should also be implemented. All players must understand the steps to take in the event of an actual or perceived attack. A robust, regularly tested incident response plan is an excellent way to put that understanding into practice.
  • Monitor Third-party Providers: Through all of these steps, it is important to monitor vendor management of third-parties helping to implement, maintain or control your ATM. As stated by the Federal Reserve, the use of service providers does not relieve a financial institution’s Board of Directors or senior management of their responsibility to ensure outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations. Further, the FDIC states that an institution’s Board of Directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risk arising from such relationships, to the same extent as if the activity were handled within the institution.
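The detection alerts listed under ‘protect and detect’ (unexpected top hat opening, external device use, real-time monitoring) can be turned into simple correlation rules over the ATM’s event log. The script below is an added illustration, not code from the original article or from any ATM vendor; the log format, event names and service window are assumptions, and the sample log lines are constructed.

```python
"""Correlate ATM hardware/software events into jackpotting indicators (added example)."""
import datetime as dt

# Constructed sample event log; the format and event names are assumptions, not a vendor format.
# Fields: <ISO timestamp> <atm id> <event> <key=value,...|->
SAMPLE_LOG = """\
2024-03-09T02:14:05 ATM-017 TOP_HAT_OPENED -
2024-03-09T02:14:40 ATM-017 USB_DEVICE_ATTACHED vid=0951
2024-03-09T02:16:02 ATM-017 DISPENSE amount=2000,host_auth=no
2024-03-09T02:16:30 ATM-017 DISPENSE amount=2000,host_auth=no
2024-03-11T10:05:00 ATM-017 DISPENSE amount=200,host_auth=yes
2024-03-11T11:30:00 ATM-022 TOP_HAT_OPENED ticket=SVC-4412
2024-03-11T11:31:00 ATM-022 USB_DEVICE_ATTACHED vid=0781
"""

SERVICE_HOURS = range(8, 18)              # assumed on-site service window (local time)
CORRELATION_WINDOW = dt.timedelta(minutes=15)

def parse_line(line):
    ts, atm, event, detail = line.split(" ", 3)
    kv = dict(p.split("=", 1) for p in detail.split(",") if "=" in p)
    return dt.datetime.fromisoformat(ts), atm, event, kv

def off_hours(ts):
    # Weekends and time outside the service window: when the article says attacks are timed
    return ts.weekday() >= 5 or ts.hour not in SERVICE_HOURS

def analyze(log_text, window=CORRELATION_WINDOW):
    """Return (atm_id, rule, timestamp) alerts, one per triggering event."""
    alerts, last_ticketed_open = [], {}
    for line in log_text.splitlines():
        ts, atm, event, kv = parse_line(line)
        if event == "TOP_HAT_OPENED":
            if "ticket" in kv:
                last_ticketed_open[atm] = ts      # a scheduled service visit
            else:
                alerts.append((atm, "top_hat_open_no_ticket", ts))
        elif event == "USB_DEVICE_ATTACHED":
            # Expected only shortly after a ticketed top hat opening; suspicious anywhere else
            opened = last_ticketed_open.get(atm)
            if opened is None or ts - opened > window:
                alerts.append((atm, "external_device_attached", ts))
        elif event == "DISPENSE" and kv.get("host_auth") != "yes":
            # Cash left the cassette with no authorizing transaction at the host
            rule = "unauthorized_dispense_off_hours" if off_hours(ts) else "unauthorized_dispense"
            alerts.append((atm, rule, ts))
    return alerts

if __name__ == "__main__":
    for atm, rule, ts in analyze(SAMPLE_LOG):
        print(f"ALERT {atm} {rule} at {ts}")
```

Run against the constructed log, the rules flag only ATM-017 (the unticketed Saturday night sequence) and stay quiet for ATM-022’s ticketed service visit.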

The best way to safeguard your institution(s) against cybercrime is to structure a good offensive plan to protect your institution and deter infiltrations, as well as develop a strong defensive program that encompasses training and education to seal your cyber entry points and allow for immediate action should an attempt be made.
