It’s easy to forget ATMs have been around so long.
When ATM machines began showing up in my Ohio hometown sometime in the late 1970s, my grandmother found the technology incomprehensible.
“Isn’t it nice that the banks give you money?” she marveled. We tried to explain to her that the banks weren’t “giving” you money; it was your own you were taking out. My grandmother would live another 30 years, but I’m not sure she ever truly understood an ATM.
I remember a favorite episode of the sitcom Three’s Company where the show’s star, Jack Tripper, attempts to withdraw money from an ATM. But, the machine malfunctions, and instead of giving him a crisp $100 it spits out of a blizzard of money. That episode aired in 1983.
Jackpotting threatens ATM security
A blizzard of money is occurring today at some ATMs, but they aren’t malfunctioning due to some innocent hardware glitch like in the sitcom. That seems almost quaint by comparison. The new cash dash is called “jackpotting,” and it arrived on U.S. shores earlier this year. Jackpotting was first seen at ATMs in Taiwan in 2016 and has since spread to Europe. In January the Secret Service began warning about attacks on U.S. banks in the Pacific Northwest and New England. Thieves got away with more than $2 million in cash.
Jackpotting is a method where thieves install malware in an ATM and sometimes make hardware changes to gain control of the machine, which will then spit out huge amounts of cash before rendering it useless.
“It is quite clever in that hackers dressed as ATM technicians attach a computer with a mirror image of that ATM’s operating system together with a mobile device to the targeted ATM,” says Kevin Curran, a professor of cybersecurity at the University of Ulster in Northern Ireland. Curran has studied the issue of ATM security and shared his thoughts with Smarter MSP.
So, what does an ATM have to do with an MSP?
ATMS and MSPS
Banks are increasingly turning to MSPs to manage their fleets of ATMs. Most banks simply don’t have the technicians or resources to service sometimes hundreds of ATMs in far-flung locations. ATMs are a natural fit for MSPs because they have many of the same vulnerabilities that haunt other systems, according to Curran.
“The majority of ATMs installed worldwide are running variants of the deprecated Windows XP. There are even some ATMs which run Windows NT, Windows CE, or Windows 2000. In effect, this means that many ATMS are running an operating system which no longer receives software patches for new vulnerabilities,” Curran says. Microsoft quit issuing security patches for ATMs running Windows XP in 2016. Many banks have been slow to catch up, leaving ATMs vulnerable.
Curran says this is where an MSP can play a role.
“The majority of #ATMs installed worldwide are running variants of the deprecated #WindowsXP. There are even some ATMs which run Windows NT, Windows CE, or Windows 2000.” @SmarterMSP
“ATM managed services do offer a plethora of advantages which are difficult to overlook,” Curran says. The General Data Protection Regulation (GDPR) is yet another layer of service that banks probably aren’t ready to take on, while MSPs are dealing with this issue daily.
“ATM managed services provider should be able to navigate the law in a more assured manner than singular banks. ATM deployers discovered to be noncompliant with PCI DSS/GDPR can face large fines in addition to potential liability for the cost of any resulting fraud. Managed service providers can offer centralized 24/7 inbound/outbound help desks,” Curran says.
Beyond GDPR, Curran says that the IT needs of an ATM need constant upgrading, and MSPs can offset costs for the banks by making it easier to budget.
“Banks know the importance of resilience and redundancy for maintaining business continuity in ATMs. Overall, managed services providers can offer more control of service levels and performance,” Curran says.
Nick Palmer, Head of International Sales for Moscow-based cybersecurity firm Group-IB, tells Smarter MSP that “Banks should be aware of modern attack trends and events to be prepared and on the hunt for such styles of attacks,” which he says, have in some cases included placing physical explosives in an ATM. Even the most on-top-of-their-game MSP would have trouble combating military-style explosives.
Teresa Wilson is the owner of ATMS by Teresa, an ATM MSP based in Louisville. Wilson services more than 100 ATMs in southern Indiana and rural Kentucky. So far, jackpotting and other malware issues haven’t been an issue in her corner of the country she tells Smarter MSP.
“I worry more about the ATMs being stolen,” Wilson says.
The Future of ATMS
ATMS seem so yesterday. I never carry cash. You can buy a soda with plastic now, so why bother? But apparently I’m not representative of the rest of the world. Curran says the number of ATMs is rising, and around nine out of 10 cash-machine users take money out at least once a month. And, in the United States, six out of 10 mobile-banking users with smartphones still named the ATM as one of the most important ways they interact with their bank. So what is the future of these cash-rich machines?
Curran says the sophistication level of the attacks will continue to rise. Hackers are even resorting to using endoscopes (think your last doctor’s visit) to find internal portions of an ATM where they can attach a connector to allow them to sync their computer with the ATM. Curran says a previous Ploutus.D attack caused one ATM to continuously dispense cash at a rate of 40 bills every 20 seconds.
According to Curran, ATM managed service providers are increasingly using security defense measures, such as scheduled and random physical checks of ATMs, installing detection systems to take an ATM offline if anything is attached to the card reader, keypad, or fascia. “Jitter technology” is also being introduced, which uses a start-stop motion when a card is inserted and network behavioral analytics that recognize anomalous or out-of-character behavior at a terminal.
MSP owners like Wilson keep an eye out for ATM behavior issues.
“I keep a close eye on my card-readers and skimmers,” she says. She adds that for her ATMS, located largely in gas stations and retail establishments, “The software is pretty stable if people connect them correctly. I haven’t heard any reports of people getting hacked as long as they are connected correctly.”
For Wilson, she says compliance issues and regulations are bigger threats than distant jackpotting attacks in big coastal cities.
“I have ATMs in rural areas where there is not a bank around in 15 miles except for my ATM; I am their bank,” Wilson says.