Much has been written about the cyber threats facing ATM owners today. The reason for the constant increase in the number of attacks on these devices is simple: the general level of security of modern ATMs is such that for fraudsters, attacks on them are often the easiest way to gain access to the bank’s money. Naturally, the banking industry responds to these attacks by implementing a set of protective measures, but the threat landscape is constantly changing. To help banks know what to expect from cybercriminals in the near future, we have prepared an overview report on future cyber threats targeting ATMs. We hope the report will help the industry be better prepared to counter the next generation of attack tools and techniques.
The report consists of two papers in which we analyze all existing authentication methods used in ATMs, as well as methods expected to be implemented in the near future, including NFC authentication, one-time password authentication and biometric authentication systems. Additionally, the report examines possible attack vectors, including malware, network attacks, and attacks on hardware components.
We looked into the black market situation for this type of technology and were surprised to find that twelve manufacturers are already offering fake fingerprint scanners, also known as biometric skimmers. At least three other manufacturers are conducting research to create devices that will be able to illegally obtain data from identification systems based on the pattern of veins on the wrist and the iris of the eye.
This is an important trend. After all, the problem with biometric identification is that, unlike passwords and PIN codes, which can be easily changed if hacked, fingerprints or iris cannot be changed. Accordingly, if your data once ends up in the wrong hands, its further use will be fraught with risk. This is why it is extremely important to ensure that such data is effectively protected and transmitted securely. Biometric data is also recorded in modern passports - known as biometric passports - and visas. Thus, having stolen a biometric passport, an attacker receives not only the document, but also the biometric data of its owner, that is, virtually all the information by which a person’s identity can be established.
Attackers can also gain access to biometric data by hacking into a bank's infrastructure. This is also a serious problem: if you lose your customers' biometric data base, you will not be able to correct the situation by simply reissuing "exposed" payment cards. This is an irreparable loss, and the industry has never faced such a threat before.
Overall, network attacks on ATMs will be a major headache for financial security officials in the coming years. The fact is that, based on our experience in conducting penetration tests, a bank's network infrastructure is very often built in such a way that hackers are able to gain access to its critical elements, including the ATM network, and take control of them. This situation will not change in the foreseeable future for a number of reasons, in particular the sheer size of financial institutions' networks and the labor and financial costs that would be required to modernize them.
However, by publishing this report, we would like to draw attention to the issue of ATM security now and in the near future and help accelerate the development of a truly secure ecosystem around these devices.
Read the full report here (English)
Read attack descriptions here (English)
The report consists of two papers in which we analyze all existing authentication methods used in ATMs, as well as methods expected to be implemented in the near future, including NFC authentication, one-time password authentication and biometric authentication systems. Additionally, the report examines possible attack vectors, including malware, network attacks, and attacks on hardware components.
We looked into the black market situation for this type of technology and were surprised to find that twelve manufacturers are already offering fake fingerprint scanners, also known as biometric skimmers. At least three other manufacturers are conducting research to create devices that will be able to illegally obtain data from identification systems based on the pattern of veins on the wrist and the iris of the eye.
This is an important trend. After all, the problem with biometric identification is that, unlike passwords and PIN codes, which can be easily changed if hacked, fingerprints or iris cannot be changed. Accordingly, if your data once ends up in the wrong hands, its further use will be fraught with risk. This is why it is extremely important to ensure that such data is effectively protected and transmitted securely. Biometric data is also recorded in modern passports - known as biometric passports - and visas. Thus, having stolen a biometric passport, an attacker receives not only the document, but also the biometric data of its owner, that is, virtually all the information by which a person’s identity can be established.
Attackers can also gain access to biometric data by hacking into a bank's infrastructure. This is also a serious problem: if you lose your customers' biometric data base, you will not be able to correct the situation by simply reissuing "exposed" payment cards. This is an irreparable loss, and the industry has never faced such a threat before.
Overall, network attacks on ATMs will be a major headache for financial security officials in the coming years. The fact is that, based on our experience in conducting penetration tests, a bank's network infrastructure is very often built in such a way that hackers are able to gain access to its critical elements, including the ATM network, and take control of them. This situation will not change in the foreseeable future for a number of reasons, in particular the sheer size of financial institutions' networks and the labor and financial costs that would be required to modernize them.
However, by publishing this report, we would like to draw attention to the issue of ATM security now and in the near future and help accelerate the development of a truly secure ecosystem around these devices.
Read the full report here (English)
Read attack descriptions here (English)
