ATMs are critical points of service for consumer banks and credit unions. They empower the customer base to perform most transactions without human interaction and also mean that account holders can access their money outside of business hours. There are 3.2 million ATMs installed worldwide, according to research, with the global ATM market handling $12.6 trillion in transactions. 

ATMs are the primary way that many consumers interact with their banks and credit unions. This is true not only in North America and Europe, but also in Asia, Africa, and South America. Currently, around half of the world’s ATMs are installed in Asia and the Pacific region. There has been some competition because of the rise of mobile banking and e-wallets, but ATMs and cash withdrawals are still common. 

All this is to say that ATMs are critical features of the financial ecosystem. They’re also at risk. Historically, ATMs have faced extensive physical security challenges. Stories abound of thieves “compromising ATMs” to steal cash at their leisure, especially with ATMs in remote locations that are geographically separate from bank branches. This is the classic risk that banks and credit unions take with ATMs. Thieves can steal the physical keys to the boxes on top of the ATM, or even use jackpotting to drill into the machine and mess with the software. 

Digital risks are also common, including software vulnerabilities that enable a form of virtual jackpotting designed to allow cash theft. Something to understand as well is that ATMs have all the characteristics of an Internet of Things (IoT) device and many of the same technology risks. 

ATMs as IoT Devices

Ignoring the new class of “smart ATMs” that are overtly IoT devices, even traditional machinery meets the qualifications for a connected device. ATMs will communicate information back to a central location to validate cardholder identity, they’re remote systems distributed often outside a bank branch, have cameras and an interface, and often run on specific types of limited operating systems. They can have motion sensors and dye packs to deter theft, some of which can share useful digital data with banks.

The IT elements built into even the most basic of ATMs make them a prime target for threat actors to attack remotely. If they’re connected to the network, as with fleet management solutions, then those technologies make it possible for cybercriminals to move laterally. This is also the case with the new breed of ATMs that are connected to the bank’s back-end, where historically they were attached to air-gapped OT networks that were at least nominally separate from the bank’s core systems. 

ATM operating systems are feature-limited and designed to perform a few functions. This is similar to other IoT devices that function within specific parameters. ATMs do follow some standard financial industry data security and application protection standards, which makes them at least nominally more secure than other IoT systems. 

That said, even PCI-DSS compliance can’t necessarily protect against console access should cybercriminals plug a keyboard and mouse into the ATM or for that matter against remote breaches. Financial institutions need to ensure that their ATMs are just as protected as any other IoT device as a result. 

Cybersecurity Risks Facing ATMs

ATMs have long operated on a security-through-obscurity approach. This is no longer valid in the modern world, if it ever was, and as such there are substantial risks facing ATMs that banks need to resolve. 

To start with, the banking sector has new privacy rules and data protection regulations that they have to consider. Banking information is personal data that needs to be protected under GDPR in Europe, and the PCI-DSS framework for financial data protection does cover ATMs. From a cybersecurity perspective, assuming that ATMs are secure because they’re obscure devices doesn’t make that much of a difference. 

If the ATM is connected via new technologies that allow for better identity verification and maintenance, then there is an internet-accessible attack surface that can be at risk from threat actors. Any device that can be found on the internet via an IP address could add to a financial institution’s attack surface and create the possibility of lateral movement. 

Using ATMs as an access point, attackers can find ways to understand how the network is designed and how it works. Once they’ve gained network access,  it’s possible to perform a man-in-the-middle attack against the communication between the ATM and the bank’s back-end communications. This allows threat actors to then compromise their target’s broader infrastructure. A few ways this could proceed include:

• Attackers can initiate passive monitoring, which may result in the theft of customer information.
• They can opt for ATM jackpotting, or cash-out attacks, in which criminals install malicious hardware/software (or both), forcing the ATM to empty the cash dispenser on command. 
• Another attack could be changing a dispensing denial response from the bank’s server into an approval command, and dispensing any amount of cash into the hands of the thieves using any card they have on hand.

The screen content that customers see on an ATM is a program. If an attacker can plug in a keyboard and mouse, it’s trivial to interact with the underlying operating system (OS).

OS vendors have made it much easier to harden servers against network attacks, disable unneeded services, use host firewalls, require authentication, etc. It is still very difficult, however, to harden an OS against an attacker with console access, because there are many keyboard shortcuts, obscure user interface controls, and other tricks that can allow access to the underlying OS.

A bank may manage thousands of ATMs across a large geographic area. To keep costs down, software changes need to be performed using remote automation, often with limited bandwidth. The deployment of disk encryption can result in problems that may require a physical visit. For example, an ATM may lose power during a key step in the initial disk encryption. After disk encryption has been deployed, it adds complexity to the boot-up process and can make troubleshooting more difficult.

Physical visits translate into maintenance expenses that some budgets may choose to avoid, but by limiting encryption, attackers have a wider window of opportunity if they ever do get their hands on a disk. If that happens, the aggregate risk can climb up quickly to affect many ATMs across that bank’s extended infrastructure.

How Asimily Helps Defend Connected ATMs

The Asimily platform is designed expressly with IoT devices in mind. It’s built to monitor traffic to and from IoT equipment, such as ATMs, and surface anomalous behavior that might indicate an attack in progress. 

Asimily also provides vulnerability information on high-risk security issues with our proprietary algorithm that digests vast amounts of information from places like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. This leads to quick solutions for newly known vulnerabilities that customers can quickly deploy, truly reducing risk.  

Asimily customers also receive peace of mind from knowing what ATMs and other IoT systems are attached to their networks and which ones need the most mitigations. With this insight, as well as improved monitoring, Asimily customers can better defend their ATM networks and by extension access to even more critical systems, such as SWIFT. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.