I haven’t used a bank ATM for years, thanks to the fact that I usually don’t carry cash (and when I need it, my lovely wife normally has some handy). I still remember one time when I was in Canada and stuck my card in one of the cash machines, and was amazed that Canadian money was dispensed. I was amazed at how the machine “knew” what I needed, until I realized that it was only loaded with that currency.
Well, duh. Many of you might not realize that underneath that banking apparatus is a computer with the normal assortment of peripherals and devices that can be found on your desktop. The criminals certainly have figured this out, and have gotten better at targeting ATMs with all sorts of techniques.
Back as recently as three years ago, most ATM attacks were on the physical equipment itself: either by placing skimming devices over the card reading slot to capture your debit card data or by forcing entry into the innards of the ATM and planting special devices inside the box. Those days are just a fond memory now, as the bad guys have gotten better at defeating various security mechanisms.
For many years, almost all of the world’s ATMs ran on Windows XP. Banks have been upgrading, but there are still a lot of XP machines out there and you can bet that the criminals know exactly which ones are where.
But there is a lot happening in new ATM exploits, and my post for IBM’s Security Intelligence blog on the history of ATM malware hacking talks about these developments. In fact, ATM malware is now just as sophisticated and sneaky as the kind that infects your average Windows PC, and ATM malware authors are getting better at emptying their cash drawers. For example, malware authors are using various methods to hide their code, making it harder to find by defensive software tools. Or they are taking a page from the “fileless” malware playbook, whereby the malware uses legit OS code so it looks benign.
There is also a rise in network-based attacks which exploit lax banking networking topologies (segmentation seems to be a new technology for many of them), or rely on insiders that either were willing or had compromised accounts. Some of these network-based attacks are quite clever: a hacker can command a specific ATM unit to reboot and thereby gain control of the machine and have it spit out cash to an accomplice who is waiting at the particular machine.
Sadly, there are no signs of this changing anytime soon and ATM malware has certainly become mainstream.