Murphy’s Law in ATM security
“Murphy’s Law” states that “Anything that can go wrong, will go wrong”.
The principles that excellently describe the situation we have today with ATMs were introduced back in the late 70’s.
The initial design of the machine (and also later designs) took it for granted that all ATM users are honest and follow rules set by banks and payment organizations.
ATMs vendors and owners (banks) have assumed that ATM devices are immune against criminals and fraudster’s attacks. In contrary; what we have learned the hard way is that they are not.
On the contrary– during the last 10 years it has been proven that criminals are very able and willing to exploit any weakness that was inadvertently “built-in” or left “unclosed” by the ATM Hardware and Software vendors.
For example, the smooth surface of an ATM fascia was and still is an open invitation for fraudsters to install a card skimmer by simply using double-sided scotch tape and fake bezel.
Alternatively the nice and smooth surface of a shutter invites criminals to simply attach a polished aluminum plate by using super glue or alike to steal the card’s holder money by trapping the cash.
Cash withdraw testing software and diagnostics tools designed to be used exclusively by authorized ATM service engineers for troubleshooting have been used by “engineers” and by fraudsters to perform unauthorized cash withdrawals.
The unencrypted data flow between ATM PC and cash dispenser is another weak spot exploited by criminals to perform so called “black box” attacks.
Very often, vendor build-in functionality of an ATM that was initially designed for greater service and user-friendliness, creates an “exploit” for criminals that can be used to steal money from the machine.
A good example is the so-called “reverse transaction”. The idea was to not affect or “freeze” the customers’ available balance money in case the cash withdrawal transaction was initiated, but for some reason was not completed. The money was to be retracted back into the ATM reject cassette and the transaction reversed at the processing center whilst not affecting the customer’s available balance.
This was a nice but technically complex and noble function. At the same time, this is a nice exploit used by criminals. Shortly after this function was discover, criminals quickly learned how to prevent cash to be transported back to the retract cassette. So, this allowed criminals to create a “money printing machine” – the ordered cash was extracted from the ATM yet the processing center or switch credited the customer’s account the ordered and “extracted” cash amount. The outcome? Almost all banks and processors have switched off this function today.
All these examples confirm that “Murphy’s Law” really applies in real life as well to the ATM industry.
This makes the process of finding all possible “exploits” on ATMs a very important part of ATM security. This is one of the reason why we posted the article.
A forecast of what criminals “can do and will do next” is the “signpost” directing us to where to focus our ATMs security-related activities on.
Recent attacks (including the case with “Cosmos bank) as well as information SPL recently received from some of its customers, clearly indicate the direction of criminal activity is turning from “stand-alone” ATMs to ATM clusters and networks
Today, malware is still targeting to compromise just the standalone ATM and its software. However attacks are moving very fast to processing and switching facilities, servicing groups of ATMs or ATM networks.
This process, in fact, is complicating ATM security problems and moves the issue up to the next higher level and bringing it into the category of “cybersecurity”.
A couple of years ago “phishing” based fraud wasn’t considered to be related to ATM security – today we have serious evidence to assume that at least in one case, this type of fraud was used to compromise the bank’s network to gain access to its ATM monitoring system and later to initiate unauthorized cash withdrawals on the ATMs monitored by the monitoring system.
As we can see, the IT system once developed to enhance the ATM network security has become victim of a totally unexpected type of attack. Murphy’s Law has been confirmed once again!
SPL recently made experiments that clearly show the type of attack known as “the fake host attack” is very much more likely to happen than it seemed before. So, do we need to wait until criminals again will show us “anything that can be done will be done” or will we be proactive and react to the thread ahead of the criminals’ schedule?
If the above situation regarding ATMs and ATM network security really concerns and worries you, please contact us!
Chances are that we already know how to prevent the next wave of attacks that may confirm once again that Murphy’s Law applies everywhere, including to the ATM world.
Subscribe to Our Newsletter