Criminals will continue to attack until bankers become proactive and monitor events in Europe

By Randy Phillips

ATM skimming first appeared in 2002 but it wasn’t until 2010 that it began to spread globally. As technology advanced and 3-D printers arrived, we started to see a real transformation in skimming attacks. The large bulky overlay skimmers and fascia cameras were replaced with all-in-one units that contained the skimmer and the camera. These were still an overlay for the card reader slot but had become much smaller and more efficient.

Vendors introduced physical blockers that were installed on the sides of the card reader and created anti-skim detection or ASD to combat the overlay devices. Physical inspections also became the norm. This worked until the criminals found another method of attack.

For almost two decades now this scenario has played out again and again. Each time the criminals find a new way to attack, a solution is developed and then we wait for the next method of attack to arrive. You see, part of the problem is that we are reactive and not proactive.

I had the opportunity to speak at an international ATM convention and an attendee from Europe asked me why the U.S. is always playing catch up to deter skimming. At the time, jackpotting was all over the news. He pointed out that jackpotting had been around in Europe for many years already.

He was right! Yet here we were in the U.S., worrying about whether our ATMs were going to be attacked. We hadn’t paid any attention to the news coming out of Europe, even though most of the methods of attack start there!

We’ve come a long way from the days of overlay skimmers, but guess what? They’re still out there and still being used. Even today, you can still buy parts on the Internet to create your own overlay skimming device! Why? Same reason as with the comparison to Europe: If skimming hasn’t hit our geographical area of this country, we probably haven’t given it the attention that we should have, so the criminals continue to attack.

Layering new levels of protection

As mentioned before, with each new method of attack, we respond with a solution to try and stop it. What this means is that your toolbox keeps getting bigger and we must keep layering on new levels of prevention.

For overlay skimmers, we still need physical blockers and ASD software because the bad guys are still looking for that low-hanging fruit and an easy attack. Jamming signals are still effective as well, but some of the skimmers have figured out a way to strip the noise from the data tracks. Inlay throat devices made a brief appearance but gave way to the more recent methods.

That brings us to the deep insert skimming device and ultimately to shimming devices. There’s a difference, but the solution is the same. Both devices take advantage of the fact that there is a very small amount of unused space in the ATM card reader slot. That space is where the criminals deploy the deep insert skimmer and/or shimmer.

The solution is a simple part that is installed to remove the open space. When I last checked, the part cost less than $500 and a technician can install it in less than 15 minutes. If you haven’t investigated this, I would suggest you call your ATM vendor today. I’ve seen different numbers tossed around, but it’s safe to say that an ATM skimming attack can easily cost you $10,000 or more.

Physical attacks

So, what is trending in Europe these days? Physical attacks! The European Association for Secure Transactions (EAST) recently released a report on four types of physical attacks against ATMs. The first two are brute force, either ripping out or pulling the ATM from its foundation. The third type is an attack with tools. Criminals will use thermal cutting tools to penetrate the ATM chest.

The fourth and potentially most destructive method is a gas attack. This attack involves pumping a flammable gas or explosive material into the dispenser slot and then igniting it. Sometimes it works, sometimes they end up incinerating the cash and sometimes they blow up the whole building.

We’ve seen physical attacks here in the U.S. Someone with a piece of construction equipment and a chain rips the ATM right off its foundation and carries it away. This type of attack has been trending upwards in the U.S. Only time will tell whether gas attacks will become prevalent here.

Here’s the good news: ATM vendors are already well aware of this and have solutions available. Cash degradation solutions can be used to render the cash useless if the safe is breached. Solutions are also available to detect and neutralize flammable gases. Alarms and sirens can also be tied in as well.

The challenge with physical attacks is that you can only do so much to harden the ATM and its surroundings while still making it easily accessible. The answer to limiting this type of attack is to implement tracking devices within the ATM canisters and/or adding a degradation tactic such as staining dye or glue. Once word gets out that all that effort won’t pay off, maybe the criminals will think twice about punching a hole in the wall of your institution.

Eavesdropping

One other method of physical attack has been increasing as well. Called “eavesdropping” or “wiretapping,” the crime involves cutting a hole in the fascia of the machine in order to gain access to the inside. Once inside, criminals use an endoscope to attach a card skimming device. The hole is then covered with a decal or new piece of fascia. A camera or keypad overlay is still needed to capture the PIN number.

Newer ATMs may come with a hardened fascia to prevent drilling. The other solution to “eavesdropping” is a good old physical inspection. So, you see, what’s old is new again, and round and round we go.

Remember the jackpotting scare? We quickly learned that the jackpotting attack at the time was targeted at stand-alone ATMs running outdated and unsupported software and didn’t really impact the banking world.

Once again, we need to turn our attention to Europe. EAST noted that in the first half of 2017, there were 114 black box attacks — an increase of 307% from the same time the year before. What’s a black box attack? In the crime, also known as a “cash out,” the perpetrators open the ATM top hat or penetrate the fascia to gain access to the dispenser cable. Once they do, they connect it to an external USB device and install malware. The malware instructs the machine to dispense all the money.

Toolbox essentials

Before we move on, let’s recap what we should consider having in our toolbox:

• Physical inspection — still valuable in detecting attacks
• Enhanced security — top hat alarms and unique, non-generic access keys
• Physical blocker — prevent the attachment of overlay devices
• Keypad shroud — inhibits views of the keypad input by a fascia camera
• Anti-skim detection software (ASD) — detects overlay devices
• Jamming signal — creates noise on recorded data tracks
• Card reader plate — eliminates space for deep insert and shimming devices
• Hardened fascia — inhibits penetration to reach hardware and cables
• Heat sensors — detects thermal cutting attacks
• Gas sensors — detects the presence of flammable gases and neutralizes them
• Concrete/steel bollards — Useful to discourage rip out or pull out attacks
• GPS track packs — Used to track cassettes after physical attack
• Cash degradation — dye or glue used to render money useless after an attack

Yes, that is quite a list of tools and some are much more expensive than others. Herein lies our problem with being reactive instead of proactive. To be proactive, it costs money — money for an attack that you may never experience.

Therefore, we traditionally wait until the problem arrives and then race to mitigate the attack. Keep this list in mind when replacing existing machines and keep this list in mind when planning long-range budgets.

Silence

Which brings us to “Silence.” Not silence, as if we’ve reached the end of our story. Far from it. Silence is a Russian-speaking criminal organization. They’ve been labeled as one of the biggest threats to the financial industry in Russia, Europe and several countries. They’ve been credited with stealing $4.2 million from ATMs since 2016 using jackpotting and cash out tactics.

Silence doesn’t fit the model of any of the attacks we’ve talked about so far. They have developed and deployed their malware using phishing emails. Now they have new tools and tactics and their reach is expected to go global. They have not yet attempted an attack in the U.S., but experts say they may attempt it as they grow.

In the last year, they have launched 16 new campaigns in other parts of the world. Most of the current phishing emails look like “mail delivery failed” notices and did not contain malware. Instead, the email contains a link that would allow them to remain undetected and gather information about the institution’s cybersecurity solutions.
Unfortunately, the experts are still gathering information and learning about Silence and their new tactics. That’s not good news if you’re on the IT side of your financial institution.

Silence isn’t conducting physical attacks on our ATMs, so why do I bring this up? Physical security and cybersecurity continue to overlap. These gray areas will continue to grow as our need for cybersecurity reaches deeper into other functions of our financial institutions. However, the need for physical security preventative measures continues to grow and the news continues to come out of Europe.

Randy Phillips is vice president of security management at Thompson Consulting Group. He began his career in financial institution security while still employed as a police investigator in upstate New York. His career in law enforcement provided his first exposure to the world of corporate security and financial crimes. Phillips is speaking on ATM skimming at TBA’s Security & Risk Management Conference Nov. 13-15 in Farmers Branch.