By Ondrej Kubovič posted 27 Jun 2016 - 02:16PM
Forty-nine years ago, if you needed cash you had to
head to your bank and request it from the clerk at the counter. But on the 27th of June
1967, all that changed. On that day Londoners had their first opportunity to
withdraw funds from their accounts via a new specialized cash machine, which
later became known as an automated teller machine, or ATM for short.
Since then, this technology has taken over the
world, with close to three million machines around the globe and, on average,
280 new machines still being added every day.
Apart from the convenience ATMs have brought to
regular users over the years, they have also attracted the attention of
criminals. With space for thousands of bank notes in each machine, the
potential gain is so high that some criminals still try to liberate the
contents via brute force (and by that we really mean brute force):
ripping machines from walls or stealing them whole.
Others opt for more sophisticated methods, such as
building bogus parts for the machine that are very hard to spot, a.k.a.
skimmers. These include fake panels, displays, PIN pads, card acceptance slots,
hidden cameras and, of course, combinations of these.
If criminals succeed in their attempts, they can
use the obtained data to impersonate their victims, empty the account or sell
the information to other malicious actors online. However, the latter option is
not very lucrative anymore as prices for payment card data have slumped from
hundreds of dollars per (corporate) card in 2010 to just a few dollars at present.
Last but not least, there are also attackers who
focus mainly on the software flaws in ATMs. Unfortunately, cracking ATM
security is sometimes less difficult than it should be. A large chunk of
ATMs still run outdated or unpatched software such as Windows XP or Windows
XP Embedded (in 2014 this still represented 95% of all machines worldwide),
both of which are past their end of life.
As reported in a series of blog posts
by security researcher Brian Krebs, cybercriminals are trying various tricks to
make the machine spit out cash.
One of them is to connect via the USB ports hidden
behind the machine’s outer shell and then install malware that will release the cash.
Some ATMs still automatically run anything on an inserted USB device and can
easily get infected. Last year, skimmers also came up with a new type of
assault dubbed “black box”. After disconnecting the ATM’s cash dispenser from
the core of the machine, they connect their own small computer, issuing
fraudulent commands that release cash. Another technique observed in the wild
was misuse of the machine’s internet or phone cable connection for
man-in-the-middle attacks, intercepting customer information on its way online.
So what does this mean for you as a regular ATM
user? Customers are mostly targeted by hardware techniques, so it is
better to be aware of them and know how to spot them. To make it easier, we’ve compiled
some of the advice offered by banks and law enforcement
agencies for you.
ATM security: 5 tips for avoiding scams
1. First of all, check your surroundings and be sure that people in the queue behind you are at a reasonable distance.
2. Check the ATM before using it. If you find anything suspicious, such as loose or crooked parts, adhesive tape residues or any other visible damage, avoid using it and contact the operator of the machine. Be very careful in popular tourist destinations that are often targeted by criminals.
3. Cover the keypad when entering your PIN. This way you can protect it from hidden cameras or recording devices possibly installed on the machine by fraudsters.
4. If possible, opt for an indoor ATM as they offer less access to criminals who want to install skimmers.
5. If the machine doesn’t dispense money or return your payment card after the transaction or after hitting “cancel”, immediately contact the bank or financial institution that issued the card.