Banks urged to upgrade ATM security systems amid threats of fresh cyberattacks

By Anna Fedorova

The FBI contacted banks last month to warn against a potential large-scale, highly choreographed operation known as an ‘ATM Cash Out’, which would see millions of dollars fraudulently withdrawn from cash machines all around the world in just a few hours via hacked bank accounts or payment card processors. The alert said small to medium-sized financial institutions are most at risk due to potential lack of budget or less stringent cybersecurity controls.

Just three days after the warning was issued, an attack was carried out on Cosmos Bank of India’s ATM server by cyber criminals linked to North Korea’s Lazarus Group, resulting in the theft of $13.5 million across 28 countries.

According to reports, the hackers managed to bypass the bank’s security systems and used cloned cards to access ATMs across the world, while the bank’s SWIFT international payments system is also said to have been compromised. The attack, carried out between 11 and 13 August, consisted of more than 12,000 transactions in total.

But this is not the first time such criminal activity has taken place. In late 2013, an organised crime group launched the Anunak malware campaign targeting financial transfers and ATM networks of financial institutions across the globe. The following year, the coders improved the malware into a more sophisticated version, Carbanak, which they used until 2016, before developing an even more sophisticated wave of attacks based on the Cobalt Strike software.

The gang carried out attacks on more than 40 countries, resulting in cumulative losses of more than €1 billion for the financial industry, according to Interpol. The Cobalt malware alone allowed the criminals to steal up to €10 million per heist. In March this year, the leader of the gang was finally arrested in Spain.

With cases of ATM fraud taking the news headlines, cybersecurity experts have called for banks to review the security measures and operational systems on which their ATMs are running to avoid future attacks.

A key concern is that many ATMs are still running on Windows XP, an operating system that as of 2016 is no longer supported by Microsoft. Although a large number of operators have already upgraded to Windows 7, this will also become obsolete in 2020, meaning ATM owners will be faced with another investment decision.

“Currently, a number of ATMs are still running on Windows XP, an unsupported operating system, leaving them open to a huge amount of risk as this software is no longer being patched. It is guaranteed to be vulnerable,” says Barrie Dempster, head of cybersecurity consulting at BlackBerry.

Technically, banks are not obliged to upgrade their systems to Windows 10 until Windows 7 reaches end-of-life status in 2020.

However, Angel Grant, director for identity, fraud and risk intelligence at RSA Security, points out: “Waiting until the last minute creates a risk of not completing the process before the cut-off and having to keep out-of-date software in place. The ensuing lack of regular security updates and patches from running unsupported software will increase the risk of exposure to malware-driven threats.”

Another lower cost, open source option for ATM owners is the Linux operating system, according to experts. The advantage of an open source operating system such as Linux is that security experts can help identify security flaws and eliminate them before they become a threat to the public. One large ATM operator that has already made the switch is Banco do Brasil, with an estimated 40,000 ATMs.

However, even once the system is upgraded, the work should not end there. The FBI recommends banks should conduct regular monitoring of their ATMs, which RSA Security says should be extended to all digital channels.

According to the cybersecurity company, this should include monitoring for “the presence of remote network protocols and administrative tools that can be used to pivot back into the network; encrypted traffic travelling over non-standard ports; and network traffic to regions where you would not expect to see outbound connections.”

BlackBerry’s Dempster adds: “While ATMs can be hacked remotely through software, [they] are [also] particularly susceptible to attacks from physical access to the machine because they can be fairly easy to break into – many typically have a padlock or other physical lock to the running computer system at the back. In fact, the smaller machines in-store are more vulnerable than the ones in walls as they are a freestanding machine so you have more access points.”

According to Mark Gazit, CEO of data analytics software provider ThetaRay, the detection and prevention of cyber fraud is particularly important because of its link to money laundering, with money gained through these means often financing terrorism, human trafficking and the narcotics trade.

However, ATM fraud is particularly difficult to detect, because the hacked computers within the machines are usually controlled by a remote server located abroad that sends a command to an ATM to dispense cash at a given time – a technique known as “touchless jackpotting”. A criminal gang would then use cash mules to remove the cash from the ATM before any fraudulent activity is detected.

Gazit says: “These guys are really sophisticated; they never steal more than five notes from a single ATM. There are usually 10,000 notes in one ATM, so such activity is hard to detect, there is no evidence, and it is hard to identify the perpetrator. It is almost like a perfect crime.”

However, there are innovative solutions coming to market that employ artificial intelligence techniques that could make it much easier for banks to detect fraudulent activity before it takes place. ThetaRay is one such provider, which can help banks with ATM monitoring and threat detection, anti-money laundering and fraud detection. Its systems can be used by banks through the cloud or via on-premises solutions to help identify potential cybercrime up to 70 days before it is committed, Gazit says.

The systems use a self-learning programme that mimics the activity of a human brain in detecting suspicious activity, and is able to adapt itself to new requirements without the need for costly updates.

Gazit says: “Instead of looking for rules and patterns, our system acts more like a human brain. For humans, it is really easy to have intuition or a gut feeling. Computers would not do this, they have to analyse things.

“Our system identifies automatically when there are suspicious transactions. We have found hundreds of thousands of people financing ISIS through micro transactions, for example.”

The CEO believes solutions based on artificial intelligence are “the future” in the war on cybercrime, and could help banks avoid costly ATM system updates.