As ATM Attacks Rise, Banking Group Improves Incident Tracking
ABA Expands Bank Capture Platform for Faster Theft Alerts
Banks are seeing intensifying attacks against their cash machines, which has prompted an industry group to collect more fine-grained detail on the incidents for defenders.
The American Bankers Association has collected statistics on ATM attacks for at least five years through its Bank Capture platform, which also tracks robberies, burglaries and larcenies, says Heather Wyson-Constantine, the ABA's vice president for payments and cybersecurity policy. About 60 percent of 91,000 bank branches in the U.S. voluntarily contribute data.
But the ABA has changed how ATM attacks are reported to collect more specific details, including plotting incidents on a map. It also now enables ABA subscribers to get real-time email alerts of incidents, Wyson-Constantine says.
The system potentially could give banks more timely warnings that trouble may be on the way, because criminal gangs often hit a region and move to another one close by soon afterwards.
The improvements were driven by a lack of information. There's no central repository for incident reports for attacks on ATMs, with bits of data coming from the U.S. Secret Service, ATM manufacturers and vendors, Wyson-Constantine says.
"I don't really think we got a full picture of what's going on," she says.
Attacks against ATMs are described by a variety of colorful terms, from jackpotting to shimming to skimming to card trapping. The ABA has added new fields in the database for those types of attacks as well as vandalism.
An ATM is "jackpotted" when an attacker is able to withdraw all of its cash. These types of attack initially were largely theoretical and rooted in studies from computer security researchers who found vulnerabilities in cash machine software. But jackpotting is a real threat now.
In July 2016, Eastern European men withdrew a total of $2.2 million from dozens of ATMs in Taiwan belonging to First Commercial Bank. Hackers infiltrated the bank's network in London, eventually navigating to its ATM fleet and installing malware (see Taiwan Heist Highlights ATM Weaknesses).
Just a few weeks later in a separate attack in Thailand, three groups of men working in six provinces commanded 21 ATMs to disgorge a total of 12 million baht ($350,000) (see 'Ripper' ATM Malware: Where Will Cybercriminals Strike Next?).
In November, the Russian security firm Group-IB warned that banks across Europe had seen jackpotting attacks from a group nicknamed Cobalt. The attacks did not involve any physical intervention with the ATM itself, but rather relied on software modifications made after a bank's network was compromised, a so-called "logical attack."
The ATM Shimmy
The Bank Capture database has always accepted reports on ATM skimming, where criminals attach a device to an ATM that records account details from a payment card's magnetic stripe. Those details can be used to create a cloned card.
A new field, however, has been added to accommodate a relatively newer type of attack, called shimming. The attack is aimed at payment cards with a microchip using the EMV specification, which has been used worldwide but only recently adopted in the U.S.
A shimmer is a very slim device that's inserted into an ATM's card reader and either intercepts or manipulates data passing between the microchip and the ATM's chip interface, according to the European ATM Security Team.
"Once EMV was implemented in Europe, they started seeing an increase in the shimming attack as well as some of the physical attacks," Wyson-Constantine says. "Our database has the ability to track when our members start reporting those types of incidents."
The Bank Capture database is open to financial institutions that subscribe. But the ABA plans to release general findings quarterly to the public. It is also using Cap Index, a crime-risk forecasting vendor, to analyze the ATM statistics it collects. Cap Index's reports will also be released quarterly and annually on the ABA's website, says Kelly Tyson, manager for payments and cybersecurity policy.