October is over and so is the month’s annual focus on putting cybersecurity at the top of everyone’s agendas. But obviously vigilance about cybersecurity shouldn’t let up once Halloween is over.
And this is especially the case for financial institutions, which are always in the crosshairs of cyber criminals and fraudsters.
The importance of avoiding cybersecurity complacency was underlined for the sector in 2023, when not one but two new kinds of ATM jackpotting scams emerged.
We wrote about the FiXs ATM malware attack in April. But there was another new jackpotting attack on ATMs reported in May. The second ATM attack combined shimming, which hides a thin hardware device in the ATM card reader to steal card data, and a relay attack, where an attacker intercepts and manipulates cash withdrawal communications. Unlike a skimming attack, which fixes hardware on the outside of the ATM, a shimmer is inserted inside the ATM terminal to read a victim’s card credentials, which are immediately transferred by Bluetooth to the fraudster’s mobile phone.
What is interesting is how the fraudster then does a network transfer to a second mobile phone that connects with another ATM compromised with skimmer hardware to complete the theft of money.
That 2023 saw two new kinds of cyberattacks on ATMs shows that threats are always evolving and extend beyond jackpotting to even more sophisticated attacks such as man-in-the-middle exploits. Indeed, the majority of global ATM crime incidents involved digital fraud attacks (79%) compared to physical attacks like tearing out an ATM using a tractor (20%). (Source: Crisis and Crime Management Intelligence System – ATM Crime Trends – Q2 2023)
Banks and ATM operators need to keep a laser focus on securing their self-service banking channel, especially as it is modernised and aligned with their omnichannel banking strategies.
SO, WHAT FUTURE STEPS SHOULD THE INDUSTRY BE CONSIDERING?
As in all areas of cybersecurity, intelligent automation and machine learning are, and will continue to be, extremely useful in executing key tasks, from detecting attacks to automating remediation and device security management on fleets of ATMs and ASSTs.
So, it is no surprise that artificial intelligence is being suggested as an important defence for the self-service banking channel. However, many ATM operators have found that deploying current AI for behavioural analysis, detection and response has led to ATM malfunctions and outages. This is also related to how some banks and operators try to shoehorn general-purpose cybersecurity solutions into what is a specialised field.
When ATMs are considered as critical systems, there is still a lot to learn about where AI protection could be implemented on current and next generations of ATMs. Certainly, there will be more advanced AI present in current and future generations of ATMs, and these could be another attack surface that needs defending.
ZERO TRUST APPROACH
Of more fundamental benefit to banks and ATM operators will be the adoption of a zero-trust strategy that ensures nothing is executed on an ATM or ASST unless it has been previously authorised.
Auriga’s Lookwise Device Manager (LDM) applies a Zero Trust approach, and also draws on knowledge of the network infrastructure and of the attacker’s tactics and techniques. It provides the most comprehensive layered protection model for ATMs, ASSTs, and other critical devices at all stages of the attack lifecycle, ensuring full availability of services for customers.
Robust network security policies are considered essential, and currently, there are solutions with a higher degree of protection than network firewalls, such as application firewalls, which not only control communications but also regulate which processes can engage in them. Furthermore, more advanced solutions like microsegmentation are more secure and advisable, as they employ secured channels with controlled certificates for each connection, even though they come with a higher deployment and maintenance cost.
Banks and other ATM operators are increasingly applying zero trust strategies. Indeed, we are seeing ATMs properly classed as fixed-purpose operational technology critical devices. This is creating the potential for ATM protection that reduces the attack surface on the self-service channel and its key operational processes, transforming its weaknesses into strengths.
To learn more about how cybersecurity for self-service banking is evolving, please check out our LDM resources.