Older ATMs Under Fire as IoT Starts to Bite

With their global networks of Automated Teller Machines (ATMs), the banks have some of the longest-serving machines to be accessible via the Internet.

The first cash machine went in service in 1967. Some of the oldest ATMs still in service date back well before the millennium to a time when network security was relatively unsophisticated.

Protecting connections between large numbers of disparate ATMs and the banks’ processing centers using Virtual Private Networks (VPNs) is usually the first step.

Yet, some banks have not yet taken even these basic protective measures.

As the Internet of Things (IoT) starts to permeate every aspect of business, the need to protect the communications of machines both new and old is becoming more urgent.

For example, in the past 12 months cybercriminals have successfully carried out remote attacks on ATMs. This illustrates perfectly how important secure remote connectivity has become for machine-to-machine (M2M) environments.

The first ATM was unveiled 50 years ago at a London branch of Barclays Bank.

In all the succeeding years, the basic components that make up an ATM have not changed that much.

Many banks still have 20th century ATMs in everyday use.  The use of outdated, insecure software is widespread, and mistakes in network configuration are common while critical physical components are often not properly guarded.

At the same time, more and more ATMs are being connected to the Internet of Things. Vulnerable ones are easy enough to find if you know where to look – via an IoT search engine like Shodan for example.

Without properly secured connections, stealing money remotely from ATMs is the cybercrime equivalent of taking candy from a baby.

In 2016, banks in the UK, Russia, Netherlands and Malaysia were attacked by malware that allowed cybercriminals to take control of cash machines.

The technique, known as touchless jackpotting, requires no physical tampering. It allows cybercriminals to attack poorly protected ATMs remotely from anywhere in the world via the global ATM network completely undetected by security services.

The number of touchless attacks on ATMs is on the rise. According to the European ATM Crime Report, 28 incidents were reported in the first half of 2016 (up from five during the same period in 2015).

The security threat to ATMs is similar to any other network threat with the exception that thieves are actively searching for machines that are in some way vulnerable.

Older ATMs that have recently been connected to M2M environments are particularly at risk.

Despite some of the strictest regulatory obligations and their attractiveness to cybercriminals, it appears that retail banking is no different than any other sector in quickly moving forward with IoT while comprehensive security measures lag.

For different reasons, some of the most vulnerable ATMs still do not have any network protection at all.

It is possible to protect connectivity between ATMs and the banks’ data processing centers in a number of ways.  Options include firewall or MAC-authentication and, of course, VPNs.

Generally speaking, bank ATM networks use advanced encryption to protect the sensitivity of the financial data being exchanged.

Nevertheless, the rise of remote ATM fraud shows some banks still have work to do in this respect. Securing ATMs with VPNs comprises four essential components:

1. Automatic/Always-on Connectivity — The VPN client is set to connect to the VPN automatically and remain connected. In the event of a disconnect occurring, due to network downtime for example, the VPN client look to reestablish the session as soon as the data connection comes back up.


2. Authentication — As everyone knows, ATM transactions are authenticated using two or three human factors namely the customer’s ATM card, their unique PIN and, in some cases, their fingerprint or retina scan. In modern ATMs the customer’s smartcard, in combination with a smartcard reader inside the machine, provides another layer of security to assist the digital side of the authentication process.


3. Management — It is highly desirable that ATM VPN connections should be centrally managed. A VPN management tool allows IT administrators to update configurations, upgrade software and manage certificates remotely. The only alternative is to perform the updates manually using a memory stick or CD. This requires giving someone physical access to every machine. It can give those with criminal intent an opportunity to gain access to the machine, inject malicious software or attach a device inside the machine and take control over it.


4. High Availability – Connections between ATMs located in the branch offices of banks or in retail stores and the main network must never break down. This means high network availability provided by a professional VPN system supported by several backup systems.

In summary, global ATM networks are fast becoming machine-to-machine environments.

The age of some ATMs and the primitive nature of the software they run on mean they are vulnerable. It is a combination that risks leaving security loopholes for cybercriminals to exploit.

Network access control via the deployment of VPNs coupled with prompt patching of every server on the network is essential to eliminate security threats.

Centrally managed VPN software can easily scale up to managing and ensuring secure interactions between thousands of ATMs communicating with their data centers.