Understanding Cyber-Attacks on Banks and the Current Cybersecurity Landscape


What is the current cybersecurity landscape in banking? ATMs and central servers, which are the systems that control ATMs, have become a popular target for cyber-attacks, and the pressing issue is growing worldwide. 58.16% of respondents to the ATMIA Global Fraud and Security Survey 2019 assessed that over the latest year ATM attacks, which includes both physical security breaches and fraud incidents, increased (compared to the 2017 figure of 53.85%).

Such ATM fraud attacks can be distinguished in:

  • Data fraud, resulting from data breach, such as account numbers, pin codes, and other
    personal data
  • Physical fraud, consisting of theft of valuable assets, such as cash by stealing cards
  • Cyber fraud – logical attacks to the systems and communications

An increasingly popular form of cyber-attack is the process of exploiting the physical and software-
based vulnerabilities of ATMs to get cash, known as ‘jackpotting’, as it results in an immediate
reward. In just the last five years, financial organisations have lost millions to jackpotting. The
Ploutus family of ATM malware alone, which originally appeared in Mexico in 2013, has created
losses of over 450 million dollars (€398 million) around the world.

Elida Policastro, Regional VP of the Cybersecurity division at Auriga, analyses the current cybersecurity landscape and what banks can do to protect their ATM systems from cyber-attacks.

The current era of digital banking offers lots of benefits to customers and such as a variety of app-based services. However, evolving technologies increase both the risks of new kinds of cyber-attack happening as well as the effectiveness of potential countermeasures and security solutions. Hence, there’s a need to stay ahead of the game by anticipating new methods of attack so that innovative solutions can be put in place in time to minimise those changing risks. In particular, the ATM ecosystem is complex with its heterogeneous hardware and software that is expensive and difficult to update – ATMs and customer touchpoints need to be available 24/7. Because of this, financial organisations usually don’t have the latest security policies in place, nor a centralised view of their attack surface. It is imperative they strike the balance between software deployment and hardware maintenance with keeping control of changes in software and hardware and ensuring it is as secure as possible.

ATMs are subject to both physical and logical attacks for a number of reasons: one is that the
physical cash inside acts as an incentive, and another is that cash machines contain confidential
information like debit card numbers and PIN codes, which can be stolen and sold. ATMs are also
appealing to attackers because they are often poorly monitored – little logical action is taken to
protect the data in them. In addition, cyber-criminals have also realised that ATM networks are one
of the weakest links in a bank’s security infrastructure, due to the fact that there is a lot of legacy
hardware and software in ATM networks. This is because of the high cost of upgrades and difficulty
to install. Unfortunately, this results in insecure systems that can be easily exploited.
On top of all of that, there are a lot of actors responsible for ATM upkeep that have administration
rights, including employees from the financial institutions, service providers, developers and
installers, meaning there is a real risk of insider threat.

One of the main ways cyber adversaries attack ATMs is via the ‘XFS layer’, a standard interface
designed to have multivendor software running on manufacturers’ ATMs and other hardware. While
the XFS layer uses standard APIs to communicate with self-service applications, there is no standard
way of secure authenticating that comes with it, making it easy for cyber-criminals to exploit this vulnerability. Cyber-attackers can, therefore, deploy malware into banking touchpoints such as cash
machines to trick them into giving ‘cash out’ commands and dispense money. The card reader may
also be compromised – able to steal card numbers and track the pin pad to learn pin numbers,
making the XFS layer a very attractive target. The importance of cybersecurity in banking is therefore
only going to increase.

When it comes to ATMs, typical endpoint protection security such as anti-malware technology is just
not enough. ATM networks and systems are critical infrastructure devices – they need to be
constantly available and so they require greater protection and a different approach. Financial
institutions entail a centralised security solution that protects, monitors, and controls ATM networks
from a central location so they can manage their entire banking asset network in one place and take
appropriate action, such as stopping malware spreading throughout the network from infected

Such modern technology solutions not only provide invaluable cybersecurity protection – they can
also save banking organisations time and money, as ATM and infrastructure management is
centralised into a single hub and actions can be executed remotely to quickly establish new defences
via techniques such as network segmentation or implementing new firewalls.
It is particularly important for banks to have several layers of protection in one single platform. Such
layers could involve full disk encryption, application whitelisting, hardware protection and file
integrity protection. To check the security plans and processes, banks should be assessed by
specialised security consultancies. Although financial organisations are making a concerted effort to
improve their security landscape, cyber-criminals are continuing to innovate their attacks, making it
an environment of threats that is evolving and advancing. From this, organisations have to
constantly be proactive in implementing and testing their cyber-defences.

Cyber Threat Intelligence (CTI) can be used as an early warning system to detect and contain
potential threats before they become incidents. This intelligence is essential for any businesses as
cybersecurity threats become increasingly indiscriminate. Once they become aware of any relevant
threats and vulnerabilities, then they will begin to understand where and how these can be
exploited, as well as the impact this may have on both the business and individuals. Awareness of
the threat landscape is vital for banks to understand what could be exploited and utilised for future
cyber-attacks. If they don’t, they open themselves up to the very real possibility of experiencing
security breaches, loss of sensitive customer data and of course stolen cash.

  • Gina is a FinTech journalist (BA, MA) who works across broadcast and print. She has written for most national newspapers and started her career in BBC local radio.