In Light of USB ATM Hack, A Look at ATM Threats and How to Monitor For Ongoing Threats


On New Year’s Eve, researchers revealed that hackers had been able to physically hack into ATMs throughout Europe using USB drives. This came as little surprise to those who follow ATM security and understand the inherent weaknesses in the model.

To begin with, a significant percentage of ATMs still run Windows XP, which has already been deemed highly insecure even for individual system use, let alone on ATMs. The chart below indicates current sentiment of ATM owners, regarding their migration beyond XP.

Which statement best identifies your organization’s opinion regarding the future direction of the ATM operating system environment?

In other words, much of today’s existing ATM software architecture is still based on Windows XP, rendering it vulnerable to many of the same threats that can be used across a broad range of devices. While 20% of survey respondents had already started their upgrade to Windows 7 or 8, a full 53% had not even begun the migration.

Hackers increasingly view ATMs as an easy target for attacks, and a lucrative one at that. During the last 5 years, there have been several incidents involving malware affecting ATMs (including at Bank of America in 2010). Once installed, the malware can affect several aspects of the ATM, such as emulating the host (to approve cash withdrawal requests) and capturing Track1/2 and PIN codes of credit and debit cards.

As these attacks start to cost banks hundreds of thousands, if not millions, across global, coordinated attacks, financial institutions are asking themselves what they can be doing to counter such threats. While upgrading to the latest software will help, it is only a matter of time before the attackers begin designing malware for the next generation of operating systems. So what can banks do?

As a first step, banks should look to conduct a full ATM software security audit, to understand their current security posture. This includes:

  • Reviewing the ATM network security
  • Reviewing their WinXP configurations
  • Scanning for malicious code at the XP level
  • Reviewing the NDC/DDC application and parameterization tables
  • Conducting a code review of personalized routines
  • Reviewing the software distribution strategy


Source: 2013 ATM Software Trends and Analysis

Once you have an understanding of your current security posture, continuous monitoring is critical for detecting unauthorized access as quickly and easily as possible, to prevent ongoing losses. This includes:

  • Network connection monitoring
  • File creation monitoring
  • File manipulation activity
  • Process usage monitoring
  • Malware detection
  • Real time reporting
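
As an added illustration (not code from the original post or from any vendor), the sketch below shows how file creation and process monitoring can be tied together with removable-media events to flag the USB scenario described above. The log format, ATM identifiers, paths, allowlist and the 10-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions for this example: allowlist, extensions and window are hypothetical.
APPROVED_PROCESSES = {r"c:\atm\ndc_app.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".sys")
USB_WINDOW = timedelta(minutes=10)

# Constructed sample events: timestamp, ATM id, event type, key=value detail.
SAMPLE_LOG = r"""
2014-01-02T03:10:00 ATM-0042 process_start path=C:\ATM\ndc_app.exe
2014-01-02T03:14:07 ATM-0042 usb_insert volume=E:
2014-01-02T03:14:30 ATM-0042 file_create path=C:\WINDOWS\system32\unknown.dll
2014-01-02T03:15:02 ATM-0042 process_start path=C:\WINDOWS\system32\unknown.exe
2014-01-02T04:00:00 ATM-0077 file_create path=C:\ATM\update\patch.exe
2014-01-02T09:00:00 ATM-0042 file_create path=C:\ATM\logs\journal.txt
"""

def parse(line):
    """Split one event line into (timestamp, atm, event, lowercased value)."""
    ts, atm, event, detail = line.split(" ", 3)
    _, _, value = detail.partition("=")
    return datetime.fromisoformat(ts), atm, event, value.strip().lower()

def detect(log_text):
    """Return (atm, alert_kind, value) tuples for events worth reporting."""
    alerts, last_usb = [], {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, atm, event, value = parse(line)
        if event == "usb_insert":
            # Removable media on a production ATM is reported on its own.
            last_usb[atm] = ts
            alerts.append((atm, "usb_insert", value))
        elif event == "file_create" and value.endswith(EXECUTABLE_EXT):
            # New executable code is always reported; escalate if it
            # appears shortly after a USB insert on the same machine.
            near = atm in last_usb and timedelta(0) <= ts - last_usb[atm] <= USB_WINDOW
            kind = "executable_created_after_usb" if near else "executable_created"
            alerts.append((atm, kind, value))
        elif event == "process_start" and value not in APPROVED_PROCESSES:
            alerts.append((atm, "unapproved_process", value))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The lower-severity `executable_created` alert on the second ATM is the kind of event that should be reconciled against the software distribution schedule reviewed during the audit.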

No system is impenetrable. But as ATMs become a more frequent and lucrative target for attackers, financial institutions need to ensure they are taking the appropriate steps to make sure that cash is literally not leaving the bank through this highly attractive channel.
