ATM Malware: Hackers' New Focus
Experts Describe How Malware Offers Bigger Payouts than Skimming
Although malware attacks against retailers' point-of-sale terminals have been in the spotlight, banks and credit unions need to be aware of the emerging threat posed by malware attacks that target ATMs. That advice comes from Matthew Jakubowski, a security consultant at research and breach forensics firm Trustwave, and Graham Mott, director of the United Kingdom's ATM network, known as the LINK Scheme, who participated in a panel interview with Information Security Media Group.
Jakubowski says emerging malware attacks aimed at ATMs are a new area of focus for Trustwave's just-opened ethical hacking lab. And some of the exploits identified by Trustwave are not just being tested in the lab but already have been identified in the wild.
As ATM skimming attacks wane, because they are more risky and less profitable for attackers, Jakubowski says, malware attacks are increasing. "If attackers can find a way to compromise the software, it's going to give them a much bigger payout," he notes.
Mott says some of these attacks have already been successful at draining ATMs in the U.K.
"Malware attacks are the most concerning development in the area of ATM fraud," Mott says during this panel discussion with Jakubowski. "The criminals are spending a lot of time developing this malware, and the attacks have been very difficult to identify. The malware is very difficult to detect."
Pointing to an example of a recent malware attack waged against a leading bank in the U.K., Mott says the malware, which was installed over a bank holiday, went undetected for several days until the bank returned to regular business hours. The compromise was not detected until after the bank realized the ATM had been drained of cash, he says.
The attacks in the U.K. involve the physical installation of malware on the ATM, Mott says, which enabled hackers at a later time to withdraw money using only a passcode, rather than a card and a PIN. "The cash just keeps coming out until the ATM jams," he says. "It's completely bypassing the ATM's control system."
New Lab Testing Risks
Jakubowski says most of the ATM attack scenarios Trustwave is testing in its lab are similar to the one described by Mott.
"The majority of attacks being waged against ATMs today are physical attacks," which involve the physical installation of malware, Jakubowski says. "Some are network attacks, but most involve someone installing the malware with a USB," or some other device that involves physical contact, he adds.
In addition to testing security weaknesses exploited by hackers in compromised point-of-sale devices and ATMs, Trustwave's lab also is attempting to identify new vulnerabilities, Jakubowski says. The purpose of the lab is to conduct penetration testing projects that help businesses identify and remediate security vulnerabilities in their products before they're released.
"With labs like this, it helps us stay ahead of the threats," Mott says.
During this panel discussion, Jakubowski and Mott also review:
- The emergence of "jackpotting" attacks, which aim to quickly drain ATMs of cash before a compromise is detected;
- Cardless ATM attacks that allow hackers to drain money through so-called transaction replays, mobile phone communications and even passcodes; and
- Why old and new attack schemes continue to pose challenges for ATM deployers.
Jakubowski is part of Trustwave's threat intelligence team, which specializes in advanced research, ethical hacking, vulnerability scanning, incident response and post-breach forensics investigations. He's nationally recognized for implementing theoretical, laboratory-tested physical penetration attacks by fabricating devices for practical use in real-world testing scenarios.
Mott joined LINK as head of development and external relations in 2006. His role also includes technical development, fraud management, physical ATM crime monitoring and serving as a liaison with LINK's 37 member organizations. Mott works closely with external organizations, such as the government, Bank of England, Treasury, police, service suppliers and regulators.