Legacy authentication won’t cut it against ATM jackpotters

Fraudsters are attacking ATMs to hit a big pay day. Through an increasingly popular method known as jackpotting, malicious software and/or hardware is installed onto ATMs to force the machines to spit out cash.

While banks across Europe and Asia have previously dealt with the threat, financial institutions and ATM operators in the U.S. are on high alert since the first jackpotting attack took place stateside in January 2018. With low security and a high volume of cash on hand, ATMs are a prime target for cyberattacks. Thieves are even using SMS-based phishing attacks on new cardless ATMs to turn stolen banking credentials into cash.

With the threat on the rise, how can banks boost the security and avoid considerable losses? The answer lies in a layered security approach that addresses three primary attack vectors.

ATM jackpotting seems to be focused on stand-alone ATMs in pharmacies, airports or big-box retailers where they are more vulnerable. One of the most significant steps to making ATMs less vulnerable is ensuring that all operating system and firmware updates take place. Running unsupported or legacy software is a huge risk, and security experts suggest updating to boost security.

Banks can also block the execution of malware by implementing application whitelisting. Another important step is issuing custom keys and code signing of ATM transactions. With the right best practices in place, banks can better safeguard transactions that take place on ATMs.

Many of the attacks on ATMs begin by targeting a bank employee and using their authorized credentials to plant malware on the server side of the ATM system. Russian hackers used this tactic to steal $2.4 million from the National Bank of Blacksburg, in which the bank’s internal computer systems were hacked and security controls disarmed.

While strong password requirements and two-factor authentication can help, thwarting these increasingly sophisticated attacks requires extra effort. This includes advanced authentication that leverages out-of-band transaction verification. These techniques can be deployed in a variety of ways, but using a mobile identity application provides a modern approach that is more convenient for bank employees.

Even if banks guard against the first two attack vectors, hijacking user accounts remains a problem. Before EMV or “chip-based” ATM cards, criminals were routinely skimming the magnetic stripe data off consumer cards and duplicating them to siphon funds from ATMs. But if you shut down fraud in one channel, it will inevitably move to another.

Cardless ATMs provide a convenient phone-based alternative to cards, but implementation can leave security gaps. Banks should embed digital identities within their mobile banking application and use QR codes or out-of-band transaction verification to authenticate consumers — this enables the same ID to be used online, in branch or on the phone.

Criminals are only going to get smarter about the methods they use. However, banks can implement a modern authentication solution to meet unique use cases and security requirements without sacrificing user convenience.