The Biggest Threat to ATM Security Isn't Card Skimming but Misconfiguration

Posted by UpGuard

For believers of the old adage that the love of money is the root of all evil, it comes as no surprise that most data breaches are carried out for financial gain. Verizon's 2016 Data Breach Investigations Report (DBIR) reveals that 75 percent of cyber attacks appear to have been financially motivated; suffice it to say, it's not surprising that ATMs are constantly in the crosshairs of cyber attackers.

When it comes to ATM exploits, however, credit card skimming understandably gets all the media attention: it accounts for more than 80 percent of ATM fraud, and, in line with the public's fascination with devices, card skimming fits the consumer archetype for card-related crimes. Typically, a perpetrator attaches a bogus card reader on top of an existing reader, sometimes coupled with a hidden pinhole camera or false numeric keypad for capturing customer keystrokes.

Image: skimmers capture both card data and PIN keystrokes.

Certainly, if your financial data is stolen, it might as well be at the hands of a skilled cyber criminal equipped with secret agent-style gear. The last thing you'd want to hear is that it all came down to a simple misconfiguration.

Unfortunately, ATM misconfigurations are prevalent across the globe. This isn't surprising, given the underlying technologies that drive the majority of today's ATM kiosks. Most are still running Windows 7 and XP under the hood, and—as this German bank discovered—are highly flawed and exploitable. Microsoft ended support for Windows XP back in 2014, which means the antiquated OS hasn't been patched for over two years. This invariably means that all ATM machines running Windows XP are vulnerable to 0-day exploits as well as existing critical vulnerabilities such as MS08-067, a flaw that allows remote code execution.

Future Card Threats Hinge on Misconfigurations

With EMV technology embedded in new credit cards and ATM readers, magstripe card-based skimming and data theft may become a thing of the past. MasterCard is giving ATM owners until October 1st of this year to adopt EMV chip technology or risk being liable for fraud if resulting compromises ensue. Visa also plans on enforcing similar rules in October of this year. As of now, only 20 percent of U.S. ATMs have been updated or replaced with EMV-capable technology.

Unfortunately, this opens up another dimension of possibilities for financial data theft. Bank of America, Chase, and Wells Fargo have announced plans to update their ATMs to dispense cash with a smartphone and banking app, no ATM card required. Chase in particular has publicly laid out its plans for integrating mobile devices into its new model for ATM security: its first generation of updated machines will authenticate customers with a code displayed in their Chase mobile app, with future versions utilizing NFC and services like Apple Pay and Samsung Pay.

If this isn't setting off alarm bells, consider that by 2017, 75% of mobile security breaches will be caused by mobile application misconfigurations. According to Dionisio Zumerle, principal research analyst at Gartner:

"Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices... a classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices."

So while updating ATM machines with EMV technology may curb credit card skimming, mobile device integrations on the horizon dramatically broaden the attack surface of ATMs, especially considering the prevalence of mobile security breaches and application misconfigurations. Misconfiguration is the biggest culprit behind security compromises and downtime; this goes for all computing devices—desktops, servers, routers, network appliances, and ATM machines, Windows-based or otherwise. UpGuard's resilience platform keeps your infrastructure's IT assets free from misconfigurations by scanning your whole environment for vulnerabilities, shining the light on infrastructure security flaws before they're exploited by cyber attackers. 
