Software attacks on ATMs are rising – here’s how to stop them

While cash use is declining statistically, the rate of decline has slowed in recent years – and governments are taking steps to protect access to cash across the Nordics, the UK and soon across the whole EU. As a result of this recent legislation and other factors, cash use in the UK (for example) grew by 8% in 2023^1. 

“losses from software attacks against ATMs rose by 8% last year.”

These factors mean the obligation to manage and protect ATM networks will be with financial institutions for decades to come. Meanwhile, data from the European Association for Secure Transactions (EAST) shows² that losses from software-related crimes against ATM networks rose by 8% last year and cost European ATM operators more than €100 million in the first six months of 2023 alone.

At a time when the need to manage the cost of ATM services has never been greater, this article looks at the different attack vectors criminals use against ATMs – and how to defend your network against them.

From jackpotting to black boxes – how criminals hit ATMs

We all know how ingenious criminals can be – and a recent study by Europol³ only confirms this relentless creativity. Typically, criminals will seek to route their attacks on ATMs through the operating system and vendor platforms to exploit bugs and gaps in security to trick the system and access cash. Methods favoured by criminals include:

• Jackpotting: one of the most widespread attacks, this is performed in one of two ways. Either the criminal uses malware which sends commands to the dispenser, or uses their own hardware device connected directly to the dispenser to cash-out the ATM and empty it of cash.
• Malware: Malware attacks are comprised of two phases. First, the criminal prepares the ATM by infecting it with malware. The malware then waits on the ATM undetected until the criminal visits the ATM and triggers the dispense command via a special PIN or touchscreen command.
• Black Box attacks: Black box attacks involve the disconnection of the ATM dispenser from the ATM PC. An external “black box” device such as a laptop or tablet is then connected and fraudulently re-paired with the dispenser and sends cashout commands directly to the cash dispenser.
• Man in the Middle: These attacks focus on communication between the ATM’s PC and the acquirer’s host system. The malware fakes host responses to dispense money without debiting the criminal’s account. Typically, the malware is triggered during transactions with preconfigured card numbers.
• Shimming: Software shimming, a development of “Skimming” malware, involves the interception and/or manipulation of information between an EMV card and the chip interface of a card reader at the ATM, allowing the criminal the possibility to withdraw money on another ATM at the same moment in a so called “relay attack.”
• Transaction Reversal Fraud: This involves an attack that generates multiple error codes and an unnecessary payment reversal. These attacks can be tricky to isolate and detect before financial losses occur, especially if changes to the ATM host applications are required.

Putting a stop to ATM fraud losses

ATM Security

There are a number of preventative measures financial institutions can employ to reduce or eliminate the threat of software attacks on their ATMs. At Tietoevry Banking, we have combined these measures into a single, powerful software suite, known as our Multi-Vendor Suite or MV Suite, which provides full-spectrum protection against software attacks.

The graphic above shows a full range of protections on offer. Highlights include:

• Hardening of the software suite and verification by running external security testing for every main release.
• A Unified Extensive Firmware Interface (UEFI) Secure Boot system (vendor/hardware dependent) that protects your ATM’s PC against the installation of malware either in its hardware or before starting the operating system (OS). This feature maintains the integrity of your OS throughout the boot process.
• A Trusted Platform Module (TPM) to prevent the installation of operating systems from any device other than those trusted by your organization. This module is mandatory for all our MV Suite installations. Installation is halted if no TPM is detected.
• Bitlocker Drive Encryption that ensures the hard drive in your ATM’s PC is not tampered with when offline. We embed this module in Windows 10.
• Applocker – also embedded in Windows 10, this is a set of rules that allows or denies apps based on their unique identities. Only specified users or groups can run certain apps, and only those apps required for terminal operation can be executed.
• OS Lockdown. This prevents operators from making system changes during the installation process. Essentially, it limits the Windows OS to those functions essential to terminal operation, and applies strict security rules to govern these functions.
• Supporting Anti-fraud hardware: our MV Suite supports hardware security products from a wide range of vendors, including anti-skimming devices and encrypted communication to cash dispensers.

Improved ATM protection – a necessity

As the provision of cash services becomes more expensive and governments demand ATM networks be maintained, operators need to find a cost-effective means of protecting their ATMs from increasingly sophisticated software attacks. As a full member of EAST, Tietoevry Banking’s ATM Services division actively contributes to the fight against fraud of all kinds: our MV Security Suite provides best-in-class protection from all kinds of software attack on ATMs. With more than 25 years’ experience of protecting over 100 financial institutions across Europe, we are a market leader in the identification and prevention of fraud.

¹See Payments Cards & Mobile, “UK Statistical Yearbook 2022-2023” at www. paymentyearbooks.com

²EAST, November 2023, “European Payment Terminal Crime Report”: https://www.association-secure-transactions.eu/industry-information/payment-terminal-crime/

³Europol, December 2022, “Guidance and Recommendations regarding attacks on ATMs”: https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3

To discuss better protection for your ATM network, get in touch with Per Bjarne Valstad in Tietoevry Banking’s ATM Services division: