Cyber risks are always changing and evolving thanks to the criminals who keep getting savvier. Business email compromise, phishing, card compromise, synthetic identities, and ransomware are all in the news daily and high on the cyber concerns list. We might not think of ATMs, those large iron boxes full of cash, as cybersecurity risks; however, ATM risks have quickly reemerged as a legitimate cyber threat. So legitimate, in fact, that the FBI and the Secret Service have issued warnings regarding a global cash-out scheme. Documented cash-out schemes have resulted in millions of dollars in losses for single institutions.
What would you do if a large amount of ATM cash went missing?
Criminals have figured out a much easier alternative to physically attacking an ATM, and can now rob your ATM using a computer. They hack the computer used to control the ATM, walk by, retrieve the cash, and then erase all traces of compromise. These attacks can be difficult to detect because most ATMs have web-based interfaces, and the criminals are using malware and viruses, so the scheme can be executed either locally or remotely. ATM attacks have been, and are expected to continue to be, highly successful. The more common schemes include:
Often, when executing these schemes, the criminal has control of the ATM operating system, allowing them to alter account balances, turn off security/tampering notifications, and change cap amounts, enabling the withdrawal of large sums of cash. Any security obstacles the ATM has enabled can easily be overridden. To further evade security settings, attacks are often carried out on a weekend or holiday, a time when IT administrators may not be closely monitoring alerts.
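One way to watch for the changes described above (raised withdrawal caps and disabled tamper notifications, weighted more heavily on weekends and holidays) is to review the ATM management audit trail. This is an added example, not part of the original article; the log format, setting names, holiday calendar, and threshold are all assumptions.

```python
from datetime import datetime, date

# Constructed sample audit lines in a hypothetical format:
# timestamp,terminal,actor,setting,old_value,new_value
SAMPLE_LOG = """\
2024-05-22T10:03:11,atm-004,ops_jlee,withdrawal_limit,500,600
2024-05-23T14:20:00,atm-011,ops_jlee,withdrawal_limit,500,2500
2024-05-25T02:14:07,atm-017,svc_admin,tamper_alerts,enabled,disabled
2024-05-25T02:15:40,atm-017,svc_admin,withdrawal_limit,500,100000
2024-05-27T23:51:02,atm-009,svc_admin,withdrawal_limit,500,50000
2024-05-28T09:30:00,atm-004,ops_jlee,screen_brightness,70,80
"""

HOLIDAYS = {date(2024, 5, 27)}  # assumption: the institution's own calendar
ALERT_SETTINGS = {"tamper_alerts", "security_notifications"}  # hypothetical names
MAX_LIMIT_RATIO = 2.0  # assumption: a cap more than doubling needs review


def off_hours(ts):
    """True on a weekend or listed holiday, when alerts may go unwatched."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS


def review(log_text):
    """Return (severity, terminal, reason) for each suspicious change."""
    findings = []
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        stamp, terminal, actor, setting, old, new = parts
        ts = datetime.fromisoformat(stamp)
        reason = None
        if setting in ALERT_SETTINGS and new == "disabled":
            reason = f"{setting} disabled by {actor}"
        elif setting == "withdrawal_limit":
            if float(new) > float(old) * MAX_LIMIT_RATIO:
                reason = f"withdrawal_limit raised {old} -> {new} by {actor}"
        if reason:
            severity = "critical" if off_hours(ts) else "review"
            findings.append((severity, terminal, reason))
    return findings


if __name__ == "__main__":
    for severity, terminal, reason in review(SAMPLE_LOG):
        print(f"[{severity}] {terminal}: {reason}")
```

For this to be useful, the audit records should be shipped off the ATM as they are written, since the article notes that attackers erase traces on the machine itself.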
Perhaps most frightening is that an attacker does not have to be sophisticated to carry out a scheme. The malware needed to perform these attacks is sold on the dark web, requires very little expertise to install, comes with step-by-step instructions, and includes an app to determine the current level of cash in cash cassettes.
I often am told that cybercrimes are low on the priority totem pole because the institution is “small” and in a remote location, thus criminals have no desire to target them. The fact of the matter is, the criminals are after EVERY institution. Both small and medium-sized businesses continue to see an increase in attack frequency and sophistication. These businesses may lack the funding, expertise, executive support, and understanding of cybercrime, and therefore may not increase security measures and budgets to fully protect themselves. The FBI warns that historic compromises have included small- to medium-sized financial institutions, likely due to less robust implementation of cybersecurity controls, budgets, or third-party vendor vulnerabilities.
The risk is real, and believing in this “small institution theory” could put you at even greater risk. It is important that the Board of Directors and key management understand that a cybercrime does not have to be a large takeover, such as ransomware or worming. Less noticeable attacks, such as installing cryptominers, abuse of Microsoft Office programs, or use of your system in a distributed denial of service (DDoS) attack, are just as serious and can be equally damaging. The time to protect yourself is now.
The best way to safeguard your institution(s) against cybercrime is to structure a good offensive plan to protect your institution and deter infiltrations, as well as develop a strong defensive program that encompasses training and education to seal your cyber entry points and allow for immediate action should an attempt be made.