Financial Systems Security – an Inside Look
Most people these days are aware of the risks to our financial integrity posed by web-based threats. But financial system security is not suffering only in the online world. The humble ATM is increasingly becoming the target of scam artists with “skimmers” – fake card slot housings mounted over the real slots that “skim off” account details from ATM cards before allowing the transaction to proceed. For ATMs in high-traffic areas like shopping malls and convenience stores, it doesn’t take long to collect a healthy haul of numbers.
The trouble for ATMs actually started back in the ’90s, with the mass migration of ATMs from IBM’s OS/2 operating system to Microsoft’s far more widely-used, and consequently more vulnerable, Windows XP. Compounding the problem, many of these ATMs are connected directly to regular networks inside the businesses that operate them, making them directly vulnerable to Internet security threats. In the recent past, the “Slammer” computer worm shut down thousands of ATMs, and the W32/Nachi worm, also known as “Welchia”, rendered ATMs inaccessible in a denial-of-service attack.
In March 2009, Diebold, the largest US manufacturer of ATM machines, disclosed that a number of its ATMs in Russia had been attacked with so-called “banking Trojans”, malware designed to capture and print card and password information. While this attack required physical access to the ATMs, the installation of the malware could only have been accomplished by a team of experienced cybercriminals, and, critically, would not have been detected by conventional anti-virus software.
Earlier this year, 20 ATMs in Russia and the Ukraine were infected with malware similar to that used in the Diebold attack. Trustwave, which uncovered the attack, collected multiple versions of this malware, known as Zbot, indicating that the code was built to be polymorphic – to change its appearance so it can’t be detected by regular anti-virus software, which relies on being able to identify individual viruses in order to counteract them. The code is still surfacing at banks around the US and around the world, so clearly the attackers still have the upper hand.
Once launched in a network, Zbot, which steals online banking credentials, is particularly troublesome because of this morphing capability. A study by Internet security firm Trusteer found that anti-virus products effectively protect against Zbot only 23 percent of the time. Clearly, anti-virus software alone is not enough. And Zbot is just one of hundreds of thousands of malicious programs currently in circulation.
While many of the reported cyber attacks on ATMs have taken place in Europe and Russia, US banks and businesses should not be complacent. President Obama has made it clear that the attacks in Europe have been noted, and that we would be naïve to think that similar incidents cannot happen here, given the interconnected nature of today’s global financial systems. And that has indeed turned out to be the case. Last year, an employee at a major US bank installed malicious software on his employer’s ATMs that allowed him to make thousands of dollars in fraudulent withdrawals over a period of seven months, all without leaving a transaction record, according to federal prosecutors.
So what does all this mean to individual and business bank customers? As with all things security-related, protecting your interests begins with vigilance.
- Keep a watchful eye on your accounts. The moment you spot anything unexpected, telephone your bank. The phone is the safest way to report potential security incidents – you should never send details of bank accounts in an email unless the email is encrypted. If it turns out to be a false alarm, it’s still better to be sure. And it’s good for banks to know that their customers are concerned and keeping a close eye on transactions.
- When you use an ATM, take a moment to examine the card slot housing to make sure it does not appear to have been tampered with, and that your card slides in easily. If you have any doubts, don’t use the machine. Find another, or go inside the bank to complete your transaction.
- If you bank online, make sure your own network security is as bullet-proof as you can make it.
And don’t be afraid to ask your bank what it’s doing to prevent ATM fraud. The ATMIA (ATM Industry Association) has a code of practice that was put together with the banks themselves, so there’s no excuse for those banks not following best practices for ATM security. You can request more information from the ATMIA at www.atmia.com.
To meet other security-minded technologists, join and become active in the Redwood Technology Consortium.
Pat Bitton is co-founder and partner at Euresto Partners, a sales and marketing consultancy specializing in working with security software startups, and has been a member of the Redwood Technology Consortium since moving to the area in 2004. One of her clients, Russian security developer SafenSoft, recently installed new security on 20,000 ATMs at Russia’s largest retail bank and provided some of the source material for this article.
Copyright 2010 Eureka Times-Standard Newspaper. The print version of this article first appeared in the 7/22/10 edition of the Times-Standard.
