ATM Malware Attacks SpreadingNew Report Says Incidents Migrating to New Markets
Just a week after the international police organization Interpol issued an alert warning that criminals may soon use malware against ATMs around the world, a new report from the European ATM Security Team says at least 20 ATM malware incidents have been reported by a single unnamed ATM deployer based in Western Europe.
This latest development comes after a report earlier this month about so-called jackpotting attacks that had infected at least 50 ATMs in Eastern Europe, including Russia (see Malware Attacks Drain Russian ATMs). The jackpotting malware enabled criminals to within minutes drain these ATMs, netting attackers millions of dollars (see ATM Malware Attacks Rise in Europe).
As ATM malware continues to spread globally, security experts advise banking institutions and other ATM deployers to enhance the physical security of their ATMs; update operating systems; and work with equipment manufacturers to address software vulnerabilities.
In its just-released ATM Crime Report for the first half of 2014, EAST warns ATM malware attacks are spreading. EAST is an international ATM network that drives cross-border cooperation and information sharing to thwart ATM crimes.
Although the report notes 20 ATMs in Western Europe were recently infected by malware, EAST does not name the make or model of ATM that was compromised, but says the attack targeted a specific type of off-premises terminal.
ATM malware attacks have migrated within Europe in just the last nine months. Until recently, these malware attacks had been seen primarily in Russia, Ukraine and parts of Latin America.
EAST Executive Director Lachlan Gunn says the trend is troublesome.
"While [the latest incident] was one group of criminals attacking a single ATM type in a specific type of location, this is a worrying new development for the industry in Europe," Gunn says. "Through the EAST Expert Group on ATM Fraud, we have been working with the ATM vendors, and vendors of logical security systems and services, to communicate the steps that should be taken by ATM deployers and networks to mitigate these risks across all ATM types and locations."
ATM Fraud Trends
Because anti-skimming technology and payment card enhancements, such as EMV, have made skimming attacks less profitable, fraudsters are focusing more attention on ATM malware and card-trapping, EAST reports (see ATM Malware: Hackers' New Focus).
Among the 21 European countries included in the report, ATM-related fraud attacks have dropped 42 percent in the last year, according to EAST. But for the first time, card trapping incidents accounted for the majority of incidents reported.
Source: European ATM Security Team. H1 stands for the first six months of the year.
EAST warns of two types of ATM malware attacks that have been identified in the wild - both with the ability to compromise any Windows-based ATM.
"As a significant number of Europe's ATMs continue to use the Windows XP operating system, there are concerns that many remain vulnerable to ATM malware if the necessary preventive measures are not taken," EAST reports. "The main ATM vendors clearly highlight what these necessary preventive measures are."
One type of malware attack, known as jackpotting, hit the 20 ATMs in Western Europe. This malware takes control of the ATM's cash-dispensing function. After the virus has been installed, the ATM is rebooted and then automatically spits out cash.
The other type of malware attack affects an ATM's PIN pad, allowing criminals to intercept card and PIN data. This type of attack allows the hackers to create counterfeit magnetic-stripe cards.
Graham Mott, director of the LINK Scheme, the United Kingdom's ATM network, points out that mag-stripe cards can still be used for fraudulent online purchases worldwide or in markets, such as the U.S. and parts of Asia, where mag-stripe cards are still the norm.
But Mott says the main issue leading to the spread of malware is poor physical ATM security.
Hackers are targeting ATMs with enclosures that are easy to access, either with a universal key or a default passcode. Once attackers are able to open the enclosure, they install malware, usually by inserting a USB or CD that has the malicious code saved to it, Mott says.
Mott and Gunn urge ATM deployers to take steps to make it difficult for attackers to open the enclosures that house these machines.
But Gunn also notes that ATMs should be programmed not to reboot from any external media, such as a CD or USB. This would prevent the malware from running, even if it was installed, he says.
Still, ATM manufacturers, such as NCR Corp., are encouraging banks and others to ensure they are addressing operating system weaknesses, especially those related to Windows XP, which is no longer supported by Microsoft.
"Microsoft will no longer issue security updates for Windows XP Professional; this means that customers may lose their PCI-Data Security Standard (PCI-DSS) compliance," says Owen Wild, a security and compliance executive at NCR in a blog. "Basically, XP's security vulnerabilities will not be resolved or closed."