Head Office, Johannesburg, South Africa

How cybercrime is affecting ATMs and how you can avoid it

Visa and MasterCardFor the longest time cybercrime was one of those concepts that everyone recognised but very few actually understood. The stereotypical representation of cybercriminals in the media said a lot about how much we actually knew about them – they were always faceless hooded figures running unintelligible lines of code on black and green computer screens. But recently the true nature, scope and might of cybercrime is becoming more exposed.

Three years ago, the Norton Report showed that South Africa had the third highest cybercrime victims. The South African Banking Risk Information Centre (Sabric) then added a price tag to that statistic, reporting that South Africa loses around R2-billion a year to cybercrime attacks like phishing and internet fraud.

Any machine or device that is connected to a network and processes cardholder information can be targeted during a cybercrime attack – including ATMs. In this blog we’ll look at how these attacks happen and what you can do to avoid the risk.

From once-off loots to extended and coordinated heists

The most common type of cybercrime attack on ATMs is called a “cash-out” or “jackpot” attack and it is facilitated by ATM malware installed through the server that the ATM is networked to. The malware allows the attackers to instruct the ATM to dispense all of its cash stock.

The first malware of this kind, called Skimer, was discovered in 2009, but since then ATM malware has become more sophisticated, making it harder to detect and combat. Like GreenDispenser, which was discovered last year. This particular malware would instruct the ATM to display an out-of-order sign, but with a few keystrokes attackers could empty the machine’s cash vault and then delete the malware, leaving the ATM machine with virtually no sign of intrusion.

GreenDispenser was also coded to work only if the year is 2015 and the month is earlier than September, which, according to Proofpoint, indicates a higher level of coordination and sophistication that is becoming more common with these attacks.

Just how bad can it get?

Here are a few examples of ATM cybercrime attacks to help illustrate the magnitude of this type of danger:

Over July and August this year, 12 million Thai Baht (nearly R5 million) was stolen in a “jackpot” heist from 21 ATMs owned by the Government Savings Bank (GSB) in Bangkok, Thailand. A spokesman for ATM manufacturing company, NCR, confirmed that the malware behind the attack was a new strain called “Ripper”. Thai police have announced that they have identified the suspects behind the cybercrime and will be issuing arrest warrants.

In an attack that hit closer to home, approximately R300 million was illegally withdrawn from 1400 ATMs in Japan using forged Standard Bank South Africa credit cards. The credit cards were cloned from the existing card data of Standard Bank’s account holders and all of the money was withdrawn within three hours. While authorities in both Japan and South Africa are still working together to find the perpetrators of the attack, Standard Bank assured the public that their customers had suffered no financial loss because of it.

Another “jackpot” attack was reported in Taiwan after T$ 70 million (over R30 million) was withdrawn from several ATMs belonging to Taiwan’s First Bank over the course of a weekend. According to reports, three different malware strains were used to hack the machines’ network server and cellphones were used to instruct the ATMs to dispense all the money.

Don’t be a statistic

While the rate of cybercrime continues to rise in South Africa and we become a bigger target for international cybercrime syndicates, the law isn’t keeping up. As it stands in South Africa, cybercrime hasn’t been legislated as an offence that an individual can be prosecuted for. Charges of theft can be brought up against cybercriminals if personal financial gain is proven, but cybercrime isn’t yet defined as a crime in South Africa. There is hope, however, in the form of the Cybercrimes and Cybersecurity Bill (2015) which hasn’t been passed yet, but which was drafted to make direct prosecution for cybercrimes in South Africa possible.

Until the bill becomes law, it’s important that everyone in the financial services industry stay vigilant. ATM machines are useful and necessary business tools, and the only way to continue enjoying them is by making them safer. If you’re considering getting an ATM installed in or around your business – and why wouldn’t you be? – you need to align yourself with a supplier that adheres to the latest payment security standards.

Paycorp and ATM Solutions have been PCI-DSS compliant for six consecutive years. Download our ATM brochure to learn more about the different installations we have available.