Malware and skimmers, explosions and hammers: How attackers go after ATMs

Survey, YouTube offer proof that people are blowing up ATMs to get the cash inside.

What was the best way to steal cash from an ATM in 2015? Skimming still remains king, but a survey of 87 members of the ATM Industry Association (ATMIA) says that card trapping and transaction reversal fraud are on the rise around the world.

In November 2015, ATMIA internally published a survey (PDF) describing the state of ATM hacking in the previous year, from how ATMs were attacked to how much money was lost from the attacks. The results showed that ATM operators were wising up to skimming operations, in which devices are placed in or on the ATM to capture card information so the skimmer can reuse the card numbers later. This caused “a deflection of crime from traditional electronic skimming towards more physical and less sophisticated forms of attack, especially card trapping and Transaction Reversal Fraud.”

Fourteen percent of respondents said they saw an increase in card skimming hacks, but 28 percent of respondents said they actually saw skimming operations decrease. Still, credit card skimming outpaces other techniques for committing ATM fraud overall. Of those instances of skimming, 73 percent involved skimmers placed within the ATM, and 27 percent involved skimmers placed on the verification device of the bank access door.

According to Douglas Russell, director of DFR Risk Management and the lead author of the ATMIA survey report, skimming was most common in the US, where magnetic stripe cards are the main transmitter of card information. On October 1, 2015, the US began a shift to EMV-compliant, chip-based cards, primarily to reduce fraud like skimming. “Certainly in Europe and other regions that have extensive EMV deployment, it has significantly reduced skimming,” Russell told Ars in an e-mail. “I hope we will see similar results in the US over time.”

Eighteen percent of respondents said that card trapping, in which a criminal traps a person’s ATM card in the machine and then extracts it when the victim leaves, increased in 2015. Card trapping is not seen as a very effective method of fraud because the victim usually immediately knows that they can’t get their card out of the ATM and calls the bank to replace the card quickly afterward. But that’s not always the case—an absent-minded person at the terminal could forget to call the bank for hours, giving a window for the thief to make some withdrawals. “It is likely that card trapping is increasing as initiatives to reduce skimming (such as EMV) make it more important for the criminal to obtain the actual genuine card,” Russell told Ars.

Sixteen percent of respondents also said that transaction reversal fraud seemed to increase in 2015. Earlier this month Kaspersky Lab wrote about a clever transaction reversal fraud scheme it had uncovered, which requires that criminals infect a bank’s servers with malware that rolls back ATM transactions after they occur. Because the bank’s computers don’t notice that money is being withdrawn, criminals can take nearly unlimited sums of cash without the bank triggering a hold on their funds.

Respondents also said that of all the “technologically sophisticated” ATM hacks they saw, 75 percent relied on malware, whereas 11 percent used “black box” attacks in which the attackers gain physical access to the inside of the machine, disconnect the money dispenser from its computer, and reconnect the dispenser to the criminals’ computer of choice. Fourteen percent of attacks were primarily due to “network compromise.”

Put a little muscle to it

Sometimes, however, criminals prefer to set the more nuanced, intellectual hacks aside and simply smash the ATM with a hammer. Of the real-life brute-force attacks perpetrated on ATMs that occurred within the last year, survey respondents said that “cutting attacks using torches, angle-grinders, and saws were the most common type of physical attack, reported by 35.91 percent of respondents.” Six percent of respondents said they experienced a vehicle or “ram raid” attack, where the criminals ran a vehicle into the ATM to break it. Russell said the kind of brute force used by attackers can differ by region or by where the ATM is located. “In the US, ATMs deployed inside stores are sometimes not anchored as solidly as they should be and can be removed manually or ‘pulled-out’ using a vehicle and chains,” Russell said.

The survey added that “explosive attacks (gas, solid, and other) were identified as the second most common type of physical attack by 26.77 percent of respondents, which surpassed manual physical attacks using non-powered hand tools at 25.35 percent.” Russell said that these kinds of attacks are most often seen in Europe, South Africa, and South America.

“In Europe, an explosive gas mixture is often used, while elsewhere solid explosives such as the type used in the mining industry are used. Often the cash is destroyed, but on occasion they are successful. Collateral damage can be significant, particularly if perpetrated by amateurs,” Russell said.

Making it rain

The survey also asked respondents to estimate how much they lost at the hands of each type of attack. With skimming, respondents estimated that they lost $650 per card and $5,000 to $100,000 per incident. With malware- and black-box-based attacks, respondents said they lost an average of $104,000 per incident.

Physical attacks were responsible for $200,000 to $2,000,000 of loss per year, with an average of $41,400 per incident, including collateral damage, the respondents said. Card trapping, on the other hand, can net a criminal an average of $300 per card and cost an ATM operator up to $150,000 per year.

Luckily, respondents feel that the continued global transition to chip-based cards is having a positive effect on reducing credit card fraud. “58.7 percent of respondents said the cost of EMV fraud prevention has been worth it,” ATMIA wrote. (That’s significant for retailers in the US, who have been reluctant to introduce the friction of adopting a new technology into their business.)

“The second piece of good news is that the number one ATM crime for several years, skimming, finally seems to have peaked and is perceived to be decreasing for the first time ever,” the survey report continues. “This is, of course, due in part to EMV migration. It is also testimony to the effectiveness of the industry’s most popular antiskimming solutions. Nevertheless, this form of attack is still the highest ranked threat in our industry (but only just), and there are no grounds for complacency.”

Finally, the survey asked respondents where they would like to see increased security research. Data encryption and card number encryption made the list, as did biometric identification technology and Near Field Communications transactions (NFC-enabled ATMs could transmit card information to the ATM with a tap of a phone or a card). And, winning the generalist award, one respondent simply replied that they would like to see more research in “cyber.”