How vulnerable are bank ATMs?


At least 22 people of the same locality in Kolkata lost more than Rs 5 lakh in early December, as fraudsters possibly using skimming machines at multiple ATMs emptied bank accounts within hours of salaries and pensions being deposited. On another “Black Sunday” in August 2018, more than 50 people lost over Rs 20 lakh. 

How vulnerable are ATMs worldwide? About five or six years ago, a restaurateur in the American state of Tennessee, along with his associate, withdrew more than $400,000 in $20 bills around Nashville over a period of 18 months. Using a special button sequence and some insider knowledge, they allegedly reconfigured ATMs to believe they were dispensing $1 bills, instead of the twenties actually loaded into cash trays. The vulnerabilities of ATMs can be illustrated in numerous such instances.

ATM jackpotting is the exploitation of physical and software vulnerabilities to get the machines to dispense cash. There are mostly three ways to rob an ATM — remote (involving remote-controlled malware), almost remote (a Bluetooth keyboard) and physical. There has been a string of smash ‘n’ grab robberies in countries such as the US, where trucks are crashed into stores and ATMs hauled out. Poor security, defunct CCTV cameras and easy availability of cheap, high-tech skimming devices are major reasons for ATM frauds around the world.

Skimer, a Trojan able to steal funds and bank card data, was introduced in 2009. Logic attacks have become increasingly popular among cybercriminals since then, through other malware families, including GreenDispenser, Alice, Ripper, Radpin and Ploutus, among others. Micro cameras are also sometimes placed either above the keypad or where bank forms are kept. They capture PINs, which enables card-cloning for fraudulent cash withdrawals.

How can ATM security be enhanced? It can be done by increasing awareness, tightening security measures, and incorporating new technologies for security.

Many customers are careless; they use overly simple and non-random PINs (such as date of birth), and do not change PINs periodically, compromising security. Are banks careful about such issues? In 2014, two 14-year-old boys of Winnipeg, Canada, managed to crack the password of a Bank of Montreal ATM on the first try, using a default factory password (000000) that had apparently never been changed. They had used the operating manual of the ATM, available online, to find almost all the information needed to reprogramme the ATM. 

The implementation of chip technology to prevent card skimming has been successful in many places. Also, we know that the PIN is encrypted and decrypted during transactions, and several computations occur within the ATM where the PIN is converted into a binary string. Several sophisticated modes of attack, such as side-channel attacks, are practised by attackers using this simple feature. Essentially, side-channel attacks are based on statistical methods used to estimate the PIN. American cryptographer Paul Kocher pioneered such techniques.

Several types of side-channel attacks are practised by hackers. The “power-monitoring attack”, for example, uses the fact that a “1” involved in computation consumes more power, and a “0” consumes less power. The power consumption curve, if recorded by a sensor, can be statistically analysed to estimate the PIN. In similar fashion, a “timing attack” is based on measuring how much time various computations take within the ATM — the PIN can be statistically estimated by analysing this. Similarly, an “electromagnetic attack” relies on leaked electromagnetic radiation, which can directly provide plain-texts and other information, and “acoustic cryptanalysis” uses sound produced during a computation.

To make a system perfectly secure, the “mutual information”, a measure of association between the message to be sent and stored, should actually be zero. Such an idea was introduced by Claude Shannon, known as “the father of information theory”. This essentially requires that when any information is converted to a binary string, the bits behave like the outcomes of repeated independent flips of a coin, so that no pattern can be identified from the binary string of data. This can be ensured by introducing suitably designed fake computations within the ATM, so that the power consumption curve, time consumption, electromagnetic radiation, and produced sound curves become either flat or completely random, bearing no information of the PIN or the user.
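The timing leak and the zero-mutual-information goal described above, as an added example that is not part of the original article: it models the side channel as the number of digit comparisons a PIN check performs (an assumed stand-in for measured time or power) and computes how many bits one observation reveals about a uniformly random 4-digit PIN. The function names and the fixed probe value "0000" are illustrative assumptions.

```python
import math
from collections import Counter
from itertools import product

DIGITS = "0123456789"

def check_early_exit(secret: str, guess: str):
    """Leaky check: stops at the first wrong digit, so the work done depends on the PIN."""
    steps = 0
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:
            return False, steps
    return True, steps

def check_constant(secret: str, guess: str):
    """Hardened check: always touches every digit ("fake" work after a mismatch)."""
    steps, diff = 0, 0
    for s, g in zip(secret, guess):
        steps += 1
        diff |= ord(s) ^ ord(g)  # accumulate mismatches without branching on secret data
    return diff == 0, steps

def mutual_information(pairs) -> float:
    """I(X;Y) in bits, estimated from equally weighted (x, y) samples."""
    pairs = list(pairs)
    n = len(pairs)
    joint = Counter(pairs)
    px = Counter(x for x, _ in pairs)
    py = Counter(y for _, y in pairs)
    # p(x,y) / (p(x) p(y)) written with integer counts: c*n / (px*py)
    return sum(c / n * math.log2(c * n / (px[x] * py[y]))
               for (x, y), c in joint.items())

def leakage_bits(check_fn, guess: str = "0000") -> float:
    """Bits learned about the PIN from one observed step count of check_fn."""
    pins = ("".join(p) for p in product(DIGITS, repeat=4))
    return mutual_information((pin, check_fn(pin, guess)[1]) for pin in pins)

if __name__ == "__main__":
    print("early-exit leak (bits):", round(leakage_bits(check_early_exit), 4))
    print("constant-work leak (bits):", leakage_bits(check_constant))
```

In production code the comparison itself would normally be delegated to a vetted constant-time primitive such as Python's `hmac.compare_digest` rather than a hand-written loop.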

Also, financial institutions have been experimenting with viable implementation of biometric-enabled authentication systems for their customers. Banks in Japan, for example, have widely deployed biometric-enabled ATMs using fingerprint or finger vein scans. Citigroup in the US attempted to use iris scans of customers. In such cases, the ATM communicates with the bank server by encryption and decryption of biometric information only. Also, cardless ATMs are now entering the field. So, the dynamics of ATM usage are changing with added security features. However, privacy might be a serious issue for biometrics-enabled ATMs, and the system should comply with the law of the land.

To conclude, the continual war between hackers and banks over ATM security is going to be dynamically redefined — no doubt about that.   
The writer is professor of statistics, Indian Statistical Institute, Kolkata

