ATM Fraud , Fraud , Risk Management

Attackers 'Hack' ATM Security with Explosives

As U.S. ATM Operators Face EMV Deadline, Physical Attacks Surge in Europe
Attackers 'Hack' ATM Security with Explosives
The aftermath of an explosive gas attack. (Source: Merseyside Police)

Europe has been seeing a surge of exploding ATMs.

See Also: Three and a Half Crimeware Trends to Watch in 2017

Unlike the Galaxy Note 7 debacle, however, the culprit isn't engineering problems with lithium ion battery packs, but rather criminals using explosives to attempt to steal cash from ATM safes.

In the first six months of 2016, police in Europe cataloged 492 explosive attacks, up from 273 attacks for the same period in 2015. The European ATM Security Team reports that 110 involved solid explosives, while the rest utilized explosive gas.

With U.S. ATM operators facing an Oct. 21 deadline from MasterCard to make their machines EMV-compliant - Visa's deadline follows one year later - the attack report is a reminder that fraud isn't the only challenge when it comes to trying to secure ATMs.

Of course, the use of explosives is especially concerning from a public safety standpoint.

"This rise in explosive attacks is of great concern to the industry in Europe as such attacks create a significant amount of collateral damage to equipment and buildings as well as a risk to life," Lachlan Gunn, EAST's executive director, says in a statement.

ATMs - especially aging ones - have long been a target for attackers who are able to physically access the device and override security controls via black-box attacks, or to launch remote attacks using malware that allows money mules to "cash out" or "jackpot" the machines, instructing them to spit out cash.

And European ATM attacks are no exception. Comparing the first half of 2015 to the same period of 2016, EAST found that these so-called "ATM logical attacks" rose 560 percent - from 5 to 28 incidents - resulting in the loss of €400,000 ($440,000) in the first six months of 2016.

Explosive Attacks

Video footage shared by Italian police of two attackers using explosive gas to rob an ATM.

But some attackers opt instead to launch physical attacks against ATMs, which may involve "ram raids" that utilize a heavy object to knock them down, enabling attackers to drag them away and use drills to penetrate the safe. Explosive attacks, meanwhile, often involve pumping explosive gas, such as a combination of acetylene and oxygen, into the ATM's safe using flexible tubing, then detonating the gas to gain access to the safe.

Explosive gas attacks, while widespread across mainland Europe, appear to have not yet hit the United States, perhaps because it's easier and less risky to steal accounts and clone cards. Meanwhile, the use of explosive gas in Great Britain first debuted in 2013 when a gang of five men began blowing up ATMs, allegedly stealing £800,000 ($973,000) from 30 ATMs. Subsequently, police disrupted an alleged offshoot of that gang that blew up 10 ATMs across England and Scotland over a 12-month period, with U.K. police announcing in June that eight related suspects had been arrested and charged.

Physical ATM Attacks Rise

Comparing the first half of 2015 to the first half of 2016, physical attacks against ATMs in Europe rose 30 percent, EAST says, to reach 1,604 incidents. Here's what each such attack netted, on average:

  • Robbery: €20,017 ($22,000), referring to robbers attacking a person who is reloading an ATM safe or transporting related funds;
  • Ram raid or burglary attack: €17,327 ($19,000), referring to ripping the whole ATM out (ram raid) or else directly attacking the ATM safe;
  • Explosive attack: €16,631 ($18,300), referring to a burglary attack involving explosives.

As EAST notes, those physical attack figures "do not take into account collateral damage to equipment or buildings, which can be significant and often exceeds the value of the cash lost in successful attacks."

EAST says the results are drawn from reports shared by 20 European countries, which collectively count 367,423 ATMs.

Fraud Attacks Increase

ATM fraud is also a growing problem. In Europe, ATM-related fraud attacks increased 28 percent in the first half of this year, compared to the same period last year, although card-skimming attacks decreased by 21 percent, according to EAST. The most typical type of fraud involves transaction reversal fraud, in which an attacker tricks an ATM into thinking that it hasn't dispensed cash, and so crediting it back to the account, while in reality the attacker has obtained the cash, typically by using a physical tool known as a claw.

For the first half of the year, losses due to ATM fraud increased to €174 million ($191 million), up from from €156 million ($171 million) in losses in the year-ago period.

But Europe is no ATM fraud outlier. Earlier this year, card analytics firm FICO reported that it saw a 546 percent increase in ATM fraud in the United States from 2014 to 2015. FICO declined to detail how many such incidents it's counted. But it predicts that criminals will continue to target unattended ATMs that aren't EMV-compatible.

EMV Liability Shift for ATMs

MasterCard, however, has set an EMV liability shift deadline of Oct. 21 for operators of ATMs in the United States. After that date, operators will be responsible for any fraud that involves an EMV-enabled card that's used in their ATM, unless the ATM is EMV-compatible, in which case the card issuer is liable for the fraud.

The upside of an EMV chip is that it can be used to generate a behind-the-scenes, one-time cryptographic code to authenticate that the card itself is legitimate. Security experts say that should take a big bite out of skimming, in which thieves intercept card details - enabling them to use cloned cards to steal cash - because EMV chips are supposed to be difficult to clone.

ATM Upgrades Pending

But it takes time to EMV-enable an ATM. U.S. ATM vendor NationalLink says that for each machine, the ATM operator must:

  1. Assess whether an EMV upgrade kit is available. If not, NationalLink says the ATM must be replaced;
  2. Obtain an EMV upgrade kit, ranging in price from $260 to $700;
  3. Ensure ATM software is upgraded to an EMV-compatible version;
  4. Hire an ATM technician to install the EMV card reader assembly in the ATM;
  5. Enable the card reader to read the EMV chip.

MasterCard estimates that 40 percent of U.S. ATMs will be chip-enabled by the end of October. While that's a far cry from full compliance, it does compare favorably to the rollout of EMV-compatible point-of-sale terminals - only 20 percent were EMV-compatible by the end of October 2015, when the EMV liability shift for POS terminals took place. Experts say that's because many smaller businesses have delayed upgrading their POS terminals, whereas many ATMs are operated by financial services firms or organizations that manage thousands of the devices.

But some ATM operators report that upgrade kit supplies are scarce. Jim Shrayef, principal of Brooklyn, N.Y.-based ATM operator and supplier Everything ATM, told The Wall Street Journal that of the 5,000 upgrade kits he's ordered from a supplier, so far only 1,000 have arrived. "I cannot get the product I need to satisfy the demand," Shrayef said.

Another challenge, however, has been getting EMV debit cards into consumers' hands. To date, only one-third of branded MasterCard debit cards are chip-enabled, compared with 88 percent of its branded consumer credit cards. Visa, meanwhile, tells The Wall Street Journal that 42 percent of its branded debit cards have chips, compared with 64 percent of its branded credit cards.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network