In an era of digitalization and unlimited connectivity, an increasing number of banks are reporting fraud cases connected to their Automated Teller Machines (ATM).
One way to prevent ATM attacks is to monitor the ATM network directly and on a 24/7 basis. The objective of ATM Monitoring is to stop client data theft by preventing malicious individuals from infiltrating the system directly through ATMs or by using malware that infects the organization from inside to eventually reach ATMs.
Related post: ATM and POS Fraud: Preventing Bank Card Hacks
There are two different types of ATM monitoring:
ATM Monitoring consists of the combined methods to get a holistic view of the risk that a bank may be exposed to.
Unfortunately, ATM security is currently weak because banks tend to focus primarily on physical security as opposed to information security. In most cases, they have on premise security agents looking out for suspicious behavior or monitoring security camera footage.
Banks typically analyze operations or the information generated when machines are used. Then, they report whether a credit card has been stolen or is no longer valid, or whether somebody is attempting ATM skimming by plugging a fake card reader into the ATM. In any case, there is no real global security in terms of internal bank security or repeated suspicious behavior.
As mentioned above, we see an increasing number of sophisticated ATM attacks. The latest attacks are originating from inside the bank, from a malware targeting the ATM network and infecting multiple machines. For example, an employee could open a suspicious email attachment which could turn out to be an ATM malware attack that infects the bank servers and eventually the ATM servers. A virus could then spread to several ATMs and simulate communications with the bank's headquarters to enable a fraudulent credit card (with a certain code when inserted) to control the entire machine by gaining server validation for this card use. Physical campaigns can determine where this fake card is used by organized teams trying to steal millions of dollars from ATMs.
Financial institutions are worried about these new attack types and seek ways to protect their systems to avoid potentially disastrous consequences. In general, attacks causing massive withdrawals are more costly than physical ATM attacks. If you empty 5 ATMs at once with an ATM network attack, knowing that a few million dollars can be available in machines, the impact would be massive. Malware attacks are much more costly from an operational perspective, especially compared to stealing 5 credit cards in a row from ATM users to retrieve only a few thousand dollars from their bank accounts.
The way ATMs work is that they perform simple requests to validate whether the card number is known, whether the user is authorized and what the maximum allowed amount is to be retrieved in order to send an approval to the server using a private signature.
A commonly known case of ATM fraud is to open the machine and connect a cell phone that emulates the bank server. The phone uses a software that replaces the communication with that server. This can be prevented with ATM Monitoring because a holistic security system is added to the current physical ATM security and gathers the information collected from all monitored ATMs. Log monitoring helps identify fraudulent cards and massive ATM attacks.
An ATM monitoring solution provides a complete view on the information lifecycle collected from the machine, the client's credit card as well as malware infection from emails and the servers.
By monitoring cash-dispensing machines, you can also know if a collaborator is in collusion with a criminal group. For example, the collaborator (a bank employee) may have been paid to give privileged access to a fake client (Client A). The collaborator receives $100,000 to perform a fund transfer. The collaborator then collects the username and password previously left on a colleague’s desk and uses it to cover his/her identity and access the bank server. The collaborator figures out the password to access Client A’s account and edits the sum deposited in the account from $10 to $1,000,000, simply by adding a few zeros. Client A is a millionaire and the collaborator is not discovered.
Without 24/7 security monitoring, security elements can slip through the cracks. For instance, attacks usually occur outside business hours. At that time, less workforce is available, individuals lack focus or are not swift enough to react.
If you shift to a 24/7 Security Operations Center (SOC) that provides continuous and systematic attention, the chain reaction of a Sunday morning at 3:00 am will be as responsive as on a Monday at 4:00 pm. The benefit of ATM monitoring is that it leverages the distinct competencies and capabilities of a SOC. ATMs represent a different source of logs but they contain the same kind of information analyzed for other types of monitoring. Therefore, Information Security Analysts go through a similar log processing process with no additional training.
Of course, one may wonder why ATM Monitoring software alone cannot be used to detect frauds. The difference between ATM Monitoring as a software and as a service is that software can’t understand all potential attack scenarios — human intelligence becomes key. The ATM Monitoring service is delivered by Analysts who deal with a large variety of cyberattacks on a daily basis. Analysts leverage their comprehensive security knowledge to interpret specific cases that wouldn't normally be detected by a software.
Hitachi Payment Services, producer of ATMs, owns valuable information about ATM hacks from ATM frauds reported directly by clients. As a partner benefiting from direct threat intelligence, is a pioneer in ATM monitoring and has a competitive advantage that allows us to be one of the first vendors in the world to deliver a 24/7 ATM protection service.
Interested in learning more about the benefits and costs of ATM Monitoring? Contact us here.
