ATMs Need Better Protection From Malware

Lawrence Chin


In 2016, payments by credit or debit cards will exceed the use of cash for the first time in history. Although the popularity of electronic payments will continue to grow, cash will not be phased out anytime soon. Society's use of cash has been ingrained over many centuries and may take another few generations to wane. Even as banks everywhere continue to reduce full-service branches, ATMs will fill that void for most mundane transactions, including cash withdrawals. So ATMs will continue to be part of the banking ecosystem for the foreseeable future, and we need to have a fresh discussion about how to protect them.

ATMs Are Targets

Physical attacks on ATMs started shortly after their launch in the late 1960s. In more recent times, ATMs have also been subjected to logical attacks. The first reported cases of malware on ATMs cropped up in 2009, when Skimer was found in Europe. However, since 2013, the popularity of ATM malware has grown as Padpin/Tyupkin, NeoPocket, Suceful, GreenDispenser and Ripper have made headlines over the years. In general, the objective is to steal cardholder information for future fraudulent actions or to directly dispense cash without appropriate authorization.

In July 2016, over US $2 million was stolen through the ATMs of a major bank in Taiwan. Malware was reportedly used to dispense cash upon demand to the attackers. Shortly thereafter, US $400,000 in thefts from ATMs in Thailand were also reported. The Ripper malware enabled the thieves to withdraw cash with the use of a special EMV chip card to “jackpot” the infected ATM. In both cases, the banks had to disable their ATMs while investigations and remediation activities occurred. This was obviously an inconvenience to their customers and surely resulted in negative publicity for the banks involved.

Current Protection of ATMs

For the most part, ATMs are an extension of a bank’s internal network. Some are connected via a third-party service provider while others are simply a part of the bank’s corporate network. In far too many instances, there is no true separation of the ATM from the internal network. Consequently, traffic (both good and bad) can flow freely to and from the ATMs. In the Thailand attack, it was reported that the internal bank network was breached, and one of their own software distribution tools was hijacked to deliver the malware to the ATMs.

Best practices offered by manufacturers and industry groups (e.g., ATM Industry Association, European ATM Security Team) generally call for the use of antivirus, anti-malware and application whitelisting to protect the ATMs. Additionally, hardening of the underlying operating system, encrypting communications, and firewalling are also recommended. The reality is that not all of these measures are consistently deployed. Moreover, traditional antivirus has proven to be ineffective in many cases in corporate networks. Application whitelisting, for example, would not have stopped the delivery of malware via the legitimate software distribution server in the Thailand case, and where the whitelist is configured to trust whatever that distribution tool installs, it would not have stopped the malware from executing either.

New Approaches Are Needed

Since ATMs will be part of the landscape for many years to come, their protection from logical attacks needs to evolve. Instead of relying on legacy antivirus and anti-malware solutions, more advanced endpoint protection is needed. The current recommendations from ATM manufacturers are no longer up to the task. Banks, ATM owners and operators should push their suppliers to adopt and certify more sophisticated solutions to prevent malware and exploits from compromising these devices. These solutions should also protect the boot process against tampering, block software run from removable media, and limit execution to authorized software signed by trusted vendors.

However, not all responsibility falls on the ATM manufacturers and their devices. Banks, ATM owners and operators need to provide layered protection for the ATMs as well. As an externally facing system, the ATM should be segregated from the internal corporate network. Network segmentation with a default-deny policy would limit the ATM's communications to the known and expected elements in internal networks: the transaction host, the software distribution server, time and monitoring services, and little else. This would prevent lateral movement from arbitrary compromised corporate devices to the ATMs. Network segmentation is one of the most important, but often neglected, practices for cybersecurity.
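The following is an added example, not code from the original post or from Palo Alto Networks, showing what "limit communications to known and expected elements" looks like as a default-deny policy check over flow records. The address ranges, peer hosts, ports and flow records are all constructed for illustration and correspond to no real bank network. Note what the check does and does not catch: a corporate workstation opening SMB to an ATM is flagged as possible lateral movement, and the ATM reaching an Internet address is denied, but a flow from an allowed peer such as the software distribution server on its expected port still passes, which is exactly why segmentation is a layer rather than a complete answer to the distribution-server compromise described above.

```python
"""Default-deny segmentation policy check for an ATM network segment.

Constructed example: the segments, allowed peers and flow records below are
made up for illustration and do not describe any real bank network.
"""
import ipaddress
from dataclasses import dataclass

ATM_SEGMENT = ipaddress.ip_network("10.50.0.0/24")    # assumed ATM VLAN
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate LAN

# Expected elements an ATM talks to: (peer network, protocol, port, direction).
# "out" means the ATM initiates the connection; "in" means the peer initiates
# toward the ATM and the port is the port open on the ATM.
ALLOWED_FLOWS = [
    ("10.20.1.10/32", "tcp", 443, "out"),   # transaction host (e.g. ISO 8583 over TLS)
    ("10.20.2.5/32", "tcp", 443, "out"),    # software distribution server; ATM pulls packages
    ("10.20.3.1/32", "udp", 123, "out"),    # NTP
    ("10.20.4.7/32", "tcp", 8443, "in"),    # monitoring server polling the ATM agent
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def flow_verdict(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow record.

    Flows that touch neither side of the ATM segment are out of scope for this
    policy and are passed through unchanged.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_is_atm = src in ATM_SEGMENT
    dst_is_atm = dst in ATM_SEGMENT

    if not (src_is_atm or dst_is_atm):
        return ("allow", "not ATM traffic; outside this policy's scope")
    if src_is_atm and dst_is_atm:
        # ATMs have no reason to talk to each other; this is a classic
        # worm / lateral-movement pattern inside the segment.
        return ("deny", "ATM-to-ATM traffic is never expected")

    direction = "out" if src_is_atm else "in"
    peer = dst if src_is_atm else src

    for net, proto, port, allowed_dir in ALLOWED_FLOWS:
        if (peer in ipaddress.ip_network(net)
                and proto == flow.proto
                and port == flow.dport
                and direction == allowed_dir):
            return ("allow", f"matches expected element {net} {proto}/{port} {direction}")

    if peer in CORP_SEGMENT:
        # An arbitrary corporate host reaching the ATM segment is the case the
        # segmentation exists to stop.
        return ("deny", "unexpected corporate host; possible lateral movement")
    return ("deny", "default deny: no matching rule")


def denied_flows(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return the flows a default-deny segment firewall would drop, with reasons."""
    return [(f, reason) for f in flows for verdict, reason in [flow_verdict(f)] if verdict == "deny"]


# Constructed flow records, as a segment firewall or flow collector might log them.
SAMPLE_FLOWS = [
    Flow("10.50.0.21", "10.20.1.10", "tcp", 443),    # ATM -> transaction host
    Flow("10.10.5.44", "10.50.0.21", "tcp", 445),    # corporate workstation -> ATM over SMB
    Flow("10.50.0.21", "198.51.100.7", "tcp", 80),   # ATM -> Internet address
    Flow("10.20.4.7", "10.50.0.21", "tcp", 8443),    # monitoring server -> ATM agent
    Flow("10.50.0.21", "10.50.0.22", "tcp", 445),    # ATM -> neighbouring ATM
    Flow("10.20.2.5", "10.50.0.21", "tcp", 445),     # distribution server pushing over SMB (ATM should pull)
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = flow_verdict(flow)
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run as a script, the check allows the two expected flows and denies the other four, including the distribution server pushing over SMB: the policy allows that server only on the port and direction the ATM actually uses to pull packages, so a hijacked tool is confined to that one channel even though segmentation alone cannot tell a legitimate package from a malicious one delivered over it.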

For more information about the Palo Alto Networks approach to advanced endpoint protection and further discussion on network segmentation for the financial services industry, please visit:
