Forty-nine years ago, if you needed cash you had to head to your bank and request it from the clerk at the counter. But on the 27th of June 1967, all that changed. On that day Londoners had their first opportunity to withdraw funds from their accounts via a new specialized cash machine, which later became known as an automated teller machine, or ATM for short.
Since then, this technology has taken over the world, with close to three million machines around the globe and, on average, 280 new machines still being added every day.
Apart from the convenience ATMs have brought to regular users over the years, they have also attracted the attention of criminals. With space for thousands of bank notes in each machine, the potential gain is so high that some criminals are still trying to liberate the contents via brute force (and by that we really mean using brute force): ripping machines from walls or stealing them whole.
Others opt for more sophisticated methods, such as building bogus parts for the machine that are very hard to spot, a.k.a. skimmers. These include fake panels, displays, PIN pads, card acceptance slots, hidden cameras and, of course, combinations of these.
If criminals succeed in their attempts, they can use the obtained data to impersonate their victims, empty their accounts or sell the information to other malicious actors online. However, the latter option is not very lucrative anymore, as prices for payment card data have slumped from hundreds of dollars per (corporate) card in 2010 to just a few dollars at present.
Last but not least, there are also attackers who focus mainly on the software flaws in ATMs. Unfortunately, cracking ATM security is sometimes less difficult than it should be. A large chunk of ATMs still run outdated or unpatched software such as Windows XP or Windows XP Embedded (in 2014 this still represented 95% of all machines worldwide), both of which are beyond the end of their lives.
As reported in a series of blogs by security researcher Brian Krebs, cybercriminals are trying various tricks to make the machine spit out cash.
One of them is to connect via the machine’s USB ports, hidden behind the outer shell, and then install malware that will release the cash. Some ATMs still automatically run anything on an inserted USB device and can easily get infected. Last year, skimmers also came up with a new type of assault dubbed “black box”. After disconnecting the ATM’s cash dispenser from the core of the machine, they connect their own small computer, issuing fraudulent commands that release cash. Another technique observed in the wild was misuse of the machine’s internet or phone cable connection for man-in-the-middle attacks, intercepting customer information on its way online.
So what does this mean for you as a regular ATM user? Customers are mostly targeted by hardware techniques, so it is better to be aware of them and know how to spot them. To make it easier, we’ve compiled some of the advice offered by banks and law enforcement agencies for you.
ATM security: 5 tips for avoiding scams
- First of all, check your surroundings and be sure that people in the queue behind you are at a reasonable distance.
- Check the ATM before using it. If you find anything suspicious, such as loose or crooked parts, adhesive tape residues or any other visible damage, avoid using it and contact the operator of the machine. Be very careful in popular tourist destinations that are often targeted by criminals.
- Cover the keypad when entering your PIN. This way you can protect it from hidden cameras or recording devices possibly installed on the device by fraudsters.
- If possible, opt for an indoor ATM, as they offer less access to criminals who want to install skimmers.
- If the machine doesn’t dispense money or return your payment card after the transaction or after hitting “cancel”, immediately contact the bank or financial institution that issued the card.
by Ondrej Kubovic, ESET