The US Secret Service is warning financial institutions that jackpotting attacks – where ATMs fraudulently dispense cash – are now a risk in the US, according to Krebs on Security. Two cybersecurity experts with VASCO Data Security (which serves more than 10,000 customers and helps more than half of the top 100 global banks protect their online, mobile and ATM channels) offer perspective.
John Gunn, CMO at VASCO Data Security:
“The security that protects ATM transactions has improved significantly over the past several years, including using EMV chip cards and enhanced authentication using consumers’ mobile phones, so criminal are being forced to revert to more brazen physical attacks on ATM machines.”
David Vergara, Head of Global Product Marketing at VASCO Data Security:
“With banks’ focus on digital channels, like ATM and mobile, to drive down costs and better serve customers, it’s no surprise that cybercrime is following. The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e. master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers. This trend will continue until banks have addressed key vulnerabilities. And to beat the bigger issue of skimming, banks should consider cardless security technologies like mobile authentication via visual cryptogram. Also, this is a good time to consider some of the myths around ATM safety and security:
Myth 1: It’s easy to see and avoid devices implanted in ATMs for theft
Fact: Criminals use ATM interface components for theft that are custom designed to fit seamlessly into the card readers of specific manufacturers. Some of these appliances can be tough for even a trained specialist to spot quickly and casually.
Myth 2: Chip Cards Fully Stop Hacking
Fact: The launch of chip card technology (EMV) began a decade ago in Europe and has been spreading throughout the world, and has helped cut card fraud, but even EMV can’t always prevent fraud. EMV protections can be circumvented through ultrathin metal or plastic devices installed in the readers, for example.
Myth 3: It takes a sophisticated hacker to steal from an ATM
Fact: It doesn’t take a sophisticated hacker to defraud an ATM. In California, five teens were arrested for putting card data theft devices at three ATMs located in banks. Today, any interested party can become a professional thief in this segment with a modest investment in cash.
Myth 4: ATM security must depend on the customer
Fact: Although some IT and security professionals cite customer carelessness in ATM fraud, the fact is that there is a growing risk vector that has nothing to do with customer mistakes. Researchers have found that IoT devices such as personal smart clocks or pulse physical activity controllers can be used to steal an ATM access code. By collecting hand movement information, researchers could accurately guess passwords and access codes with up to 80% success on the first try.
Myth 5: Thin copy devices or hidden cameras are the only ATM attack strategies
Fact: Bank security professionals need to look at and beyond reader devices and hidden cameras – there’s a new array of ATM fraud technology, such as Bluetooth-enabled devices that install on circuit boards. When fraudulent components are integrated into ATM circuits, thefts can potentially continue for years undetected.