The rise of digital payment services, as announced by tech giants Google, Apple and Facebook, bodes imminent trouble for Automated Teller Machines (ATMs). Nevertheless, it will be some time before a complete transition to digital payment services takes place. With twice as many dollar bills in circulation today as compared to two decades ago, ATMs will remain significant in the financial realm in the foreseeable future.
Since their inception in June 1967, ATMs have revolutionised the way we interact with money. Despite the rise of digital payment modes, the number of ATMs installed worldwide has reached a substantial 3 million as of last year – that's a ratio of 144 people to one ATM – an ostensible testament to their prevalence. This shows that ATMs will remain a relevant and integral part of our daily lives.
Unfortunately, the challenges that lie ahead for payment services are not simply limited to digital currency. ATM security has been repeatedly threatened by criminal syndicates.
Traditionally, perpetrators have compromised ATMs through physical intrusion and skimming. Now, the paradigm has shifted. Perpetrators no longer have to circumvent the physical security measures; instead, they can simply do it all at the click of a mouse. Various ATM hacking methods have been devised, such as penetrating the ATM network, injecting malware to gain full access to the system, and then stealing cash from the ATM. By taking the stealthy cyber route, criminals can breach ATMs at a bigger scale across wider networks.
On top of that, crimes associated with ATM hacking have been steadily on the rise, posing severe challenges to the reliability of ATMs. From 2013 to 2015, more than 100 banks across 30 countries were undermined, and the culprits made off with nearly one billion dollars. In recent times, we have seen the proliferation of ATM security breaches in the Asia Pacific region. On 9 June this year, two hackers were arrested in Thailand for using fake electronic cards to withdraw S$15,342 from various ATMs across the city. That week, the Denpasar Police in Indonesia apprehended a man using an ATM skimming device to siphon money. In the same week, six cyber criminals were arrested in India for using China-produced electronic cards to gain access to bank accounts through ATMs. Clearly, with ATM hacking crimes happening almost every other day all over the world, security is a pertinent issue that banks and financial services providers can no longer afford to ignore.
Despite the rapidly evolving nature of criminal activities and the advancing expertise of criminals in navigating and manipulating the cyber world, ATM security systems remain overwhelmingly traditional and vulnerable to attacks. The age-old attitude of 'don't fix it if it isn't broken' towards security in ATMs has lost its relevance in a world where cyber criminals are quickly gaining traction in cyber warfare. A successful ATM security breach can result in irreversible consequences, for instance, loss of customer credibility. Therefore, it is an absolute necessity for banks and financial services providers to constantly research and improve on ATM security.
Adapting ATM security systems to meet the emerging challenges requires a comprehensive understanding of the current malware and cyber criminal technologies targeting ATMs.
Though ATM hacking cases have only received attention in relatively recent times, the very first malware targeting ATMs appeared way back in 2009. The malware, known as Trojan Backdoor.Win32.Skimer, allowed criminals to access cash dispensers and skim data from electronic cards used in affected ATMs. This malware targeted a specific type of ATM which was produced by a leading ATM manufacturer.
Thereafter, many malware families targeting ATMs have emerged due to the relatively low physical security of most ATMs, which enables easy exploitation of ATM systems. Now, ATM hacking strategies have advanced to the extent that breaches can occur with or without the aid of malware.
Nonetheless, malware remains a popular tool for criminals to exploit ATMs while evading immediate detection. In 2014, a notorious piece of malware, Tyupkin, was discovered to have compromised the infrastructure of ATMs, thus enabling jackpotting. In the following year, a new piece of malware produced by the Carbanak syndicate was revealed. Similar to Tyupkin, this malware manipulated a number of common weaknesses in ATM technology and infrastructure. To make matters worse, such malware is easily obtainable online. The successes of ATM security breaches have spurred the emergence of various new ATM-focused malware. These increasingly powerful malware families culminated in several high-profile criminal cases as mentioned earlier.
Security researchers have delineated several weaknesses within ATM technology and structure that enable ATM fraud to occur. The multiple touch points of an ATM present both physical and cyber security vulnerabilities.
Firstly, there tends to be a lack of physical security over ATMs. Closed-circuit Televisions (CCTVs) accompanying ATMs have done away with the need for manpower to supervise financial transactions. While this has improved the cost efficiencies of banking services, unmanaged CCTVs provide a false sense of security and can be undermined by advanced criminal strategies. Moreover, ATMs are designed and installed such that external parties can seamlessly gain access to the PC within the ATM and the network cable attaching the machine to the Internet. Even with incomplete physical access to the ATM, criminals are able to install microcomputers to give themselves remote access to it. Weak physical security makes it possible for hackers to physically input a fake processing centre. This processing centre is a counterfeit duplicate of the bank's software and processes payment data like the original, allowing hackers to issue commands to the ATM and manipulate it for illicit purposes.
Besides loopholes in physical security, there are also vulnerabilities in the cyber security of ATMs. One of these is antiquated operating systems. Currently, nearly all ATMs are personal computers (PCs) running on extremely outdated operating systems such as Windows XP. This exposes them to malware infections and attacks that exploit the old systems. Most ATMs use the XFS standard, a special software layer that allows the ATM's PC to interact with banking infrastructure, hardware, and cash and credit card processing. Unfortunately, the XFS standard is an obsolete and insecure technology specification, created to be a common ATM software interface that is able to comply with any equipment, regardless of the manufacturer. A successful malware infection in an ATM will grant the hacker absolute authority over the ATM, such that the hacker can transform the PIN pad and card reader into a skimmer. Furthermore, without the need for authorisation, hackers can instruct the system to dispense all its money.
There is also insufficient emphasis on the risk profile of ATMs. Every financial institution dedicates rigorous analysis to the risk profiles of investments because they determine the profits and losses of the corporation. There is no reason why this effort should not be extended to ATM security as well, given that ATM security breaches can amount to heavy losses. Until a security breach happens, banks assume that ATMs are always operating under ordinary conditions and nothing goes awry. As a result, there is a lack of software integrity management, antivirus solutions and authentication for the applications in charge of issuing commands to the cash dispenser. Furthermore, there are many vulnerable software components operating within the ATM infrastructure, ranging from outdated flash players to remote administration tools with thousands of bugs. Given these potential vulnerabilities in ATMs, it is obvious that the risks involved with ATMs are extremely high. Without sufficient analysis and research into the security of ATMs, financial institutions remain ignorant and hence, vulnerable to ATM security breaches.
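Two of the gaps described above, a fake processing centre that can issue commands and the absence of authentication for applications that command the cash dispenser, are closed when the dispenser side verifies every command before acting on it. The sketch below is an added example, not code from the original article or from any ATM vendor; the message format, `DispenserGate`, `sign`, the keys and the per-command note limit are all hypothetical.

```python
import hashlib
import hmac
import json


class DispenserGate:
    """Hypothetical dispenser-side gate: act only on authenticated, fresh commands."""
    def __init__(self, key: bytes, max_notes: int = 40):
        self._key = key
        self._last_counter = 0        # highest counter accepted so far
        self._max_notes = max_notes   # per-command cap (assumed policy)

    def verify(self, message: bytes, tag: bytes) -> str:
        # Check the MAC before parsing anything the sender controls.
        expected = hmac.new(self._key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad MAC"
        try:
            cmd = json.loads(message)
            counter, notes = int(cmd["counter"]), int(cmd["notes"])
        except (ValueError, KeyError, TypeError):
            return "reject: malformed"
        if counter <= self._last_counter:      # replayed or reordered command
            return "reject: replay"
        if not 0 < notes <= self._max_notes:
            return "reject: limit"
        self._last_counter = counter
        return "accept"


def sign(key: bytes, cmd: dict) -> tuple[bytes, bytes]:
    """Host side: serialise a command and compute its HMAC-SHA256 tag."""
    message = json.dumps(cmd, sort_keys=True).encode()
    return message, hmac.new(key, message, hashlib.sha256).digest()


def demo() -> list[str]:
    bank_key = b"constructed-demo-key-0001"    # constructed sample key
    rogue_key = b"constructed-rogue-key-001"   # key a counterfeit host would hold
    gate = DispenserGate(bank_key)
    genuine = sign(bank_key, {"counter": 1, "notes": 10})
    return [
        gate.verify(*genuine),                                        # legitimate
        gate.verify(*genuine),                                        # same bytes replayed
        gate.verify(*sign(rogue_key, {"counter": 2, "notes": 40})),   # wrong key
        gate.verify(*sign(bank_key, {"counter": 2, "notes": 500})),   # over the cap
    ]
```

Calling `demo()` returns one verdict per command; only the first, genuinely signed and fresh command is accepted. The check is only as strong as the protection of the key held on the dispenser side.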
The above vulnerabilities outline common ways through which the security of ATMs is breached. However, with sufficient vigilance and constant security improvements, ATM security breaches and frauds can be safely avoided. The prevention of ATM hacking involves multiple parties, in particular ATM manufacturers with the necessary skills to enhance security and resolve these current weaknesses. The current difficulty lies in the direct corporate interests of ATM vendors; they are primarily concerned with the sale of their products, neglecting to mend the flaws of existing systems.
Hence, for ATMs to remain a dependable and secure financial apparatus, it is in the core interests of banks, vendors and financial service providers to cooperate and constantly modernise their ATM security systems.