Lift a pint to John Shepherd-Barron, as we celebrate the 50th anniversary of the ATM (Automated Teller Machine) he devised, or did he? It matters not: ATM #1 was installed by Barclays Bank on June 27 1967, the user punched in a PIN and lo and behold, the machine paid out £10. There are now well over 3,000,000 ATMs installed across the globe, all able to provide a bit more than ten quid.
And not to disappoint, the criminals (and white hat researchers) have been creating means to get the cash out of the machine, illicitly. We take a look at some of the more interesting, famous and infamous methodologies which have evolved over the 50 years of the ATM.
Hoist and Heist
The first ATM thefts were accomplished by members of the “Hoist and Heist” club of thieves. This methodology of stealing the entire machine and then cracking it open at their leisure remains viable today. Just a few days ago a cashpoint ATM machine was stolen from the Lloyds bank in Suffolk, East Anglia – it was ripped out of the wall using a JCB telehandler.
Who can forget when the late Barnaby Jack lit up the stage at the 2010 Black Hat conference, showing how to “Jackpot” ATMs? The fits of laughter from the audience were evident as the ATM spewed cash out on to the stage.
Years later, we see jackpotting still in vogue, with ATMs across Europe spitting out cash, as evidenced by the late 2016 simultaneous jackpotting attack which took place in more than ten countries.
And then, Russian and eastern European crooks demonstrated the move toward cardless manipulation of ATMs in Thailand and Taiwan. The thieves in Thailand hit 21 machines, and made off with $350,000, while the thieves in Taiwan hit an undisclosed number of ATMs, collecting approximately $2m.
While many criminals remain at large, law enforcement does have some wins. In May 2017 Europol had success with the arrest of 27 people across a number of countries in connection with black box attacks on ATMs.
Steal your credentials
We associate credential theft with the more modern epoch of skullduggery, yet, according to the Smithsonian, it was simply a matter of months after ATMs first appeared in our walls that “proto-hackers in Sweden exploited [the inability to authenticate the user was the owner] to great advantage in 1968 when they used a stolen ATM token to withdraw huge amounts of money from different machines”.
Fill those debit cards and empty those ATMs
As if to define “organized crime”, in late 2012 and early 2013 we saw the draining of $45m from ATMs as teams of runners hit thousands of ATMs in a matter of hours in two separate attacks.
On December 21 2012, the criminals demonstrated they were no slouches when it comes to hacking skills. They infiltrated a credit-card processing company in India handling pre-paid credit cards. Once in, they then raised the withdrawal limits on five prepaid MasterCard debit accounts, and by using the prepaid cards, distributed to runners in 20 countries, the money flowed. The global take on that day was $5m.
A couple of months later, the same modus operandi was used, this time when a credit-card processing company in the United States was infiltrated. First, they raised the withdrawal limits on 12 cards issued by the Bank of Muscat in Oman. Then, at 3pm on February 19 2013, teams of runners hit the streets across the world: in a matter of hours, 36,000 transactions netted the criminals $40m.
Were lessons learned? Apparently not, as in late 2016 the Yakuza in Japan using phony cards hit thousands of ATMs at once and drained approximately $16m in two hours.
Then in 2014 we saw two Canadian schoolboys who had studied an ATM operations manual visit a Bank of Montreal ATM, where, using the instructions they had found in the manual, they gave themselves admin rights and took over an ATM. Surprised that the technique had worked, they promptly went into a branch and alerted the bank.
ATM, let me diagnose you
London police arrested three individuals in late 2014, who figured out that if you put the ATM in diagnostic mode, you could induce it to share the money within as part of a test. The three hit 50 ATMs over the course of a May Day holiday weekend, and collected $2.58m.
Are ATMs here to stay? We think so, at least for the time being – as is the continued attention to cracking ATMs by criminals, whether remotely or literally.
The Accenture-ATMIA 2016 ATM Benchmarking Study reckons that the “ATM will retain its importance for banks and consumers alike in the foreseeable future”.
Banks and ATMs now offer services other than simply dispensing cash, paying bills and cardless withdrawal among them. And with the increased number of ways in which crooks can get access to ATMs, the level of investment by operators in defensive measures can also be expected to increase. The following diagram, from the study, shows the level of adoption of the various defensive measures, with humans – security guards at ATM lobbies – being the least adopted practice and adding alarms to ATMs the most popular.
The study concludes the criminals are well resourced, and the challenge to protect ATMs remains a struggle as “ever more sophisticated attacks to which the channel [ATM] is subject”. We agree.