Hackers turn attention to ATMs

Criminals are hacking into bank systems to obtain card numbers from ATM databases

A new report into ATM crime from European security agency Enisa released today sheds worrying new light on the scale of threats facing banks on the high street.

While the rise in attacks on internet banking systems is well documented, the ATM Crime (PDF) research points to a 149 per cent rise in ATM attacks last year, including 10,302 so-called 'skimming' incidents.

Skimming involves the use of tiny spy cameras, false PIN overlays and even entire fake machines, often using Bluetooth wireless technology to transmit card and PIN details to a nearby laptop.

More worryingly, hackers are increasingly looking to launch attacks on the networks used by banks to connect ATMs with back-office systems, or on the operating systems and hardware used to run ATMs, in order to install software that collects customer PIN data.

Another tactic revealed by Enisa involves criminals hacking into bank systems to obtain card numbers from ATM databases.

"The thieves collect card numbers and, if necessary, alter the PIN for the cards they are planning to use. The thieves then sell the cards and their data to other thieves," the report said.

"Those thieves create ATM cards using the stolen information, and use the cards to withdraw cash from the accounts. The original thieves usually receive a percentage of the proceeds."

Enisa executive director Andrea Pirotti hopes that the report will go some way to raising awareness of the growing problem of ATM crime.

"ATM crime is likely to become even more attractive as the latest generation of ATMs is designed to dispense other services and products, such as phone top-ups and stamps," he said.

William Beer, head of the OneSecurity team at consultancy PricewaterhouseCoopers, argued that financial institutions need to wake up to the fact their ATM systems are now more easy for criminals to hack.

"Once upon a time they were running proprietary hardware and using operating systems and network protocols that were definitely not off-the-shelf, and these were difficult for the common criminal to replicate," he said.

"The fact that they've now moved to off-the-shelf hardware, standard operating systems and open network protocols makes the end game easier for the criminals – there needs to be a clearer recognition that these systems are vulnerable."

He added that banks need to be aware that such attacks, along with those launched on their internet channels, will seriously impact consumer confidence.

But there is also an opportunity for those who address these issues to differentiate by offering secure services, as long as they get their messaging right, he explained.