The Biggest Threat to ATM Security Isn't Card Skimming but Misconfiguration

For believers of the old adage love of money is the root of all evil, it comes as no surprise that most data breaches are carried out for financial gain. Verizon's 2016 Data Breach Investigations Report (DBIR) reveals that the 75 percent of cyber attacks appear to have been financially motivated; suffice to say, it's not surprising that ATMs are constantly in the crosshairs of cyber attackers. 

When it comes to ATM exploits, however, credit card skimming understandably gets all the media attention: it accounts for more than 80 percent of ATM fraud, and—in line with the public's fascination with devices—card skimming fits the consumer archetype for card-related crimes. Typically, a perpetrator attaches a bogus card reader on top of an existing reader, sometimes coupled with a hidden pinhole camera or false numeric keypad for capturing customer keystrokes. 

Card skimmers capture both card data and PIN keystrokes
Card skimmers capture both card data and PIN keystrokes. Source: cbiaonline.org.

Certainly, if your financial data is stolen, it might as well be at the hands of a skilled cyber criminal equipped with secret agent-style gear. The last thing you'd want to hear is that it all came down to a simple misconfiguration.

Unfortunately, ATM misconfigurations are prevalent across the globe. This isn't surprising, given the underlying technologies that drive the majority of today's ATM kiosks. Most are still running Windows 7 and XP under the hood, and—as this German bank discovered—are highly flawed and exploitable. Microsoft ended support for Windows XP back in 2014, which means the antiquated OS hasn't been patched for over two years. This invariably means that all ATM machines running Windows XP are vulnerable 0-day exploits as well as existing critical vulnerabilities such as MS08-067, a flaw that allows remote code execution.

A few days ago, Taiwanese computer manufacturer Acer disclosed that "a flaw" in their online store allowed hackers to retrieve almost 35,000 credit card numbers, including security codes, and other personal information. How secure are these digital outlet stores, and what are the chances that if you use them you'll end up like Acer's customers?

Future Card Threats Hinge on Misconfigurations

With EMV technology embedded in new credit cards and ATM readers, magstripe card-based skimming and data theft may become a thing of the past. MasterCard is giving ATM owners until October 1st of this year to adopt EMV chip technology or risk being liable for fraud if resulting compromises ensue. Visa also plans on enforcing similar rules in October of this year. As of now, only 20 percent of U.S. ATMs have been updated or replaced with EMV-capable technology.

Unfortunately, this opens up another dimension of possibilities for financial data theft. Bank of America, Chase, and Wells Fargo have announced plans to update their ATMs to dispense cash with a smartphone and banking app, no ATM card required. Chase in particular has publicly laid out its plans for integrating mobile devices into its new model for ATM security—its first generation of updated machines will authenticate customers with a code displayed in their Chase mobile app, with future versions utilizing NFC and services like Apple Pay and Samsung Pay.

If this isn't setting off alarm bells, consider that by 2017 75% of mobile security breaches will be caused by mobile application misconfigurations. According to Dionisio Zumerle, principal research analyst at Gartner:

"Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices... a classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices."

So while updating ATM machines with EMV technology may curb credit card skimming, mobile device integrations on the horizon dramatically broaden the attack surface of ATMs, especially considering the prevalence of mobile security breaches and application misconfigurations. Misconfiguration is the biggest culprit behind security compromises and downtime; this goes for all computing devices—desktops, servers, routers, network appliances, and ATM machines, Windows-based or otherwise. UpGuard's resilience platform keeps your infrastructure's IT assets free from misconfigurations by scanning your whole environment for vulnerabilities, shining the light on infrastructure security flaws before they're exploited by cyber attackers.

Ready to see
UpGuard in action?