Earlier this year, federal regulators warned financial institutions about criminal attacks on their ATM systems. But instead of breaking into the physical machines directly, some criminals are now aiming at the bank systems that control the machines. Once inside, they withdraw as much money as they can, either with ATM cards issued for fraudulent “mule” accounts they create or with magnetic stripe cards encoded with stolen credentials of legitimate bank accounts.
In this way, cyberthieves stole more than $40 million in one recent ATM cash-out attack, the Federal Financial Institutions Examination Council has reported.
Social engineering and phishing are two common ATM cash-out attack paths used to install malware, and attackers sometimes combine the two methods. The end result is that the bank employee or consumer is lured into clicking on a link or downloading an attachment that installs software. The software might spy on an employee’s activity to steal his or her passwords, which lets the attackers burrow deeper into the bank’s network and ATM management system. An attack might also hijack a consumer’s online banking session using a “man-in-the-middle” Trojan to gain access to a bank’s ATM network and locate nearby cash machines.
Even some multifactor security systems have been broken this way, says Dani Creus, a researcher with security software firm Kaspersky Lab in Woburn, Mass. For example, hackers have tricked a bank’s customers into installing Trojan software on their mobile phones to counter security text messages sent to consumers as secondary security measures.
Intrusion-detection and prevention systems, activity monitoring and warning alarms to notify staff about unusual changes are important measures against these attacks. But Phil VanMeerhaeghe, security engineer at Kansas City-based 10-D Security, recommends taking further steps to isolate ATM management systems altogether. “That way, the employees aren’t using it for other things,” he suggests. “That will help make sure that the system is pristine.”