Perpetrated Attacks at ATM Locations
Increased ATM Attacks in North America
Recent man-in-the-middle (MiTM) attacks seem to be increasing in specific regions including North America. These attacks intercept the authorization message received by the ATM following a cash withdrawal request. The declined transaction message is modified to indicate that the transaction has actually been approved. The result is that the ATM dispenses the amount of cash requested by the perpetrator but the account is not debited because the transaction was officially declined by the issuer.
The perpetrator gains access to the communications electronics within the ATM cabinet or compromises the communications wall socket near the machine. They target ATMs that do not verify the integrity of the authorization messages or do not effectively encrypt transaction messages.
Because the attack succeeds on a declined transaction, the issuer's withdrawal limits do not limit the loss; and since the issuer officially declined the transaction, the loss falls on the ATM owner rather than on the issuing bank.
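The integrity check that this attack relies on being absent, as an added illustration (not code from ATMIA or any ATM vendor): the host computes an HMAC over its authorization response that binds the verdict to the original request, and the ATM dispenses only when the MAC verifies and the response matches the pending request. The shared key, field names and response codes are constructed for the demo; in practice the key would come from the normal key-injection process.

```python
import hmac
import hashlib
import json
import secrets

# Constructed demo key (assumption); a real deployment injects keys out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def canonical(fields: dict) -> bytes:
    # Deterministic serialization so host and ATM MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def host_authorize(request: dict, account_balance: int) -> dict:
    """Issuer-side decision, with a MAC binding the verdict to the request."""
    decision = "approved" if request["amount"] <= account_balance else "declined"
    resp = {
        "stan": request["stan"],      # echoes the request's trace number
        "amount": request["amount"],  # echoes the amount being authorized
        "decision": decision,
    }
    resp["mac"] = hmac.new(SHARED_KEY, canonical(resp), hashlib.sha256).hexdigest()
    return resp

def atm_should_dispense(request: dict, response: dict) -> bool:
    """ATM-side check: dispense only if the MAC verifies and the response is ours."""
    claimed_mac = response.get("mac", "")
    body = {k: v for k, v in response.items() if k != "mac"}
    expected = hmac.new(SHARED_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(claimed_mac, expected):
        return False  # altered in transit or forged without the key
    if body.get("stan") != request["stan"] or body.get("amount") != request["amount"]:
        return False  # replayed or mismatched response
    return body.get("decision") == "approved"

def simulate_tampering(response: dict) -> dict:
    """Constructed simulation of the manipulation described in the advisory."""
    tampered = dict(response)
    tampered["decision"] = "approved"  # attacker cannot recompute the MAC
    return tampered

def demo() -> tuple:
    req = {"stan": secrets.token_hex(3), "amount": 500}
    genuine = host_authorize(req, account_balance=200)  # balance too low -> declined
    forged = simulate_tampering(genuine)
    return (genuine["decision"], atm_should_dispense(req, genuine), atm_should_dispense(req, forged))

if __name__ == "__main__":
    print(demo())  # ('declined', False, False)
```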
Defense Against Authorization Manipulation
For the best defense against these types of attacks, ATM deployers should follow these steps:
- Use the latest version of Transport Layer Security (TLS) between the ATM and the local communications hub or modem.
- The latest TLS version is 1.2. For Hyosung models: Customer Setup > Select Processor > TCPIP. For Genmega/Hantle models: Customer Setup > Change Processor > SSL.
- Set local withdrawal limits.
- Utilize surveillance cameras.
- Physically secure the local communications wall socket.
- Enhance security of ATM cabinet or top box. Use your own lock rather than factory lock.
- Deploy a range of sensor technologies to detect attacks, such as vibration sensors that detect cutting or drilling.
- Train staff and service personnel to be vigilant in detecting any changes to the machine that may indicate unauthorized access.
- Discuss with the location to make sure they know who your ATM service staff are and what they usually wear (uniform, logo'd shirt, etc.).
For additional details, visit ATMIA’s Best Practices. Contact Dan with questions.