Future Opportunities

Cybercriminals are siphoning millions from ATMs; here's how they can be stopped

Cybersecurity firm bets on machine learning to thwart thieves

A spate of high-profile thefts at automated teller machines (ATM) has sparked alarm and sent law enforcement officials in a tizzy.

But a British cybersecurity firm reckons swindlers can be stopped in their tracks with the help of machine learning and a bit of math.

ATMs have long been a target for criminals, although the style of attacks has evolved in recent years; from illegally tampering with the cash dispensing machines, many are now turning to more sophisticated means of gaining access, by infecting ATMs with malware.

Malware is a generic term for a variety of malicious software that can pose serious cybersecurity threats.

Earlier this year, a gang stole $13 million from ATMs in a three-hour, 14,000 withdrawal spree in Japan, while in Taiwan, hackers breached a major domestic bank in July and used malware to withdraw more than $2 million from dozens of ATMs, reported Reuters.

The Bangkok Post further reported a group made off with 12 million baht ($346,926) from ATMs belonging to the state-run Government Savings Bank (GSB) in Thailand in August.

More worryingly, the attacks aren't restricted to Asia alone.

Analytics software company FICO said in a study in April that the number of ATMs in the U.S. that were compromised by criminals rose 546 percent in 2015 over the previous year, the highest growth rate ever observed by the company.

Attacks on ATMs are just one of the major threats facing companies as hackers and cyber criminals have been using increasingly sophisticated means to attack targets ranging from the Democratic National Committee to technology firm Yahoo.

Analysts say that investing heavily on firewalls is no longer enough to contend with the multitude of cyber threats companies face. Often, an organization may not be aware of being compromised until much later, when most of the damage has already been done.

Harnessing the power of machines

Cambridge-based Darktrace's Asia Pacific managing director, Sanjay Aurora, told CNBC in an interview that malware can breach a company's network and sit idle for as many as 200 days, quietly gathering information before launching a major attack.

Because businesses can have hundreds of connected devices transmitting large volumes of data all at the same time, it is impossible for security personnel to track all the anomalies in the network before they morph into serious cybersecurity threats.

"That's where you use machine learning to interpret all the variety of so-called small events - some related, some unrelated - and use mathematics to say hey this is a leading indicator to an insider threat because I have not seen this there before," explained Aurora.

Education Images | UIG | Getty Images

Machines have superior processing power and can scan through huge volumes of data. Theoretically, a piece of computer software can be programmed to learn and become smarter in the way it catches anomalous patterns in a company's networks.

The advantage it has over traditional firewalls is that the latter looks only for known anomalous patterns and every time a new threat is uncovered, the code must be updated for it to be effective. And keeping a large network up to date with the latest security updates can take time and is costly.

Aurora said the thing organizations need to understand is that the "threat is inside, something will [always] bypass" the firewall.

Going after the weakest link

Banks and financial institutions are a key target for hackers because of the vast amount of money they handle regularly. Accordingly, these institutions invest heavily to protect their core assets, such as intellectual property and other vital information.

Given how extensive a big bank's network can be, other areas do not receive similar levels of protection. These so-called weak links are now attracting hackers' attention.

ATMs are one such weak link, said Aurora. Other cybersecurity experts agreed.

"ATM machines still rely on outdated operating systems like Windows XP, which is threat-prone, since Microsoft ended support for it in 2014," Dhanya Thakkar, managing director and vice president for Asia Pacific at Trend Micro, told CNBC by email.

Ending support implied Microsoft would not release any new security updates to protect the operating system against new threats.

Hackers typically attack ATMs using malware through the following steps, according to Thakkar:

  • Access the ATM system either physically or through a bank's internal network
  • Install a malware and infect the core of the ATM, which communicates with the bank's infrastructure, cash and credit card processing functions
  • Hackers can then withdraw all the funds in the ATM or steal data from cards used by others, including bank account and personal identification numbers.

Kaspersky Labs' Alexey Osipov said many hackers don't even go near an ATM machine to carry out an attack or profit from it.

"Different underground forums share and sell information about attacking ATMs," Osipov told CNBC by phone. Which means a person could theoretically write lines of codes for a malware and only "sell his intellectual property to other criminals."

In the case of the Thailand heist, however, analysis from American network security company, FireEye, suggested possible coordination among attackers in the virtual and the physical world.

FireEye's Daniel Regalado observed in an August blog post the malware used in the Thailand attacks - dubbed "RIPPER" - built on existing malware used to expel cash from ATMs, but also "used some interesting techniques not seen before."

Regalado noted the malware interacted with ATMs using a specially manufactured ATM card with an EMV chip that served as the authentication mechanism.

EMV, which stands for Europay, MasterCard and Visa — the three companies that originally started it — is a technical standard used by credit and debit payment cards that uses chip card technology. Users, for example, have to enter a personal identification number (PIN) to verify they are the genuine card holder.

"This malware family can be used to compromise multiple vendor platforms and leverages uncommon technology to access physical devices," he said.

Striking gold, taking the king's ransom

Another reason why attackers favor ATMs is because they offer access to significant amounts of cash in a very short time if they are compromised, according to Tony Jarvis, Check Point Software Technologies' chief strategist for threat prevention in APAC, Middle East and Africa.

"The machines themselves typically have no physical security and are unmanned," Jarvis told CNBC by email. "This means that if a criminal chose to attack an ATM late at night, they would typically be undisturbed for the duration of the incident."

Once hackers gain access to an ATM, they do not immediately go after the prized sum. Instead, they sit idly, or siphon relatively smaller amounts of money to remain undetected.

"They would usually let the machine continue stealing data from its customers for a couple of months before taking the king's ransom," said Thakkar.

Hackers can also easily move onto the broader networks of banks and financial institutions once they are done with the ATM branches, which could result in serious consequences. Apart from financial losses, there would also be a loss of trust, which is much harder to recover from, according to Aurora.

Once the hackers gain access into a network, Aurora said they would start learning to blend in before dropping off the radar. That leaves a small window to detect them and this is where machines have an advantage over humans.

"Before they fully blend in, they will do something and it's better to catch them there."

— Follow CNBC International on Twitter and Facebook.