Deception Technology – Protecting Your Bank’s ATM Infrastructure

Cyber attacks on automated teller machines (ATMs) have been running at full throttle for years. With over 3 million units, the automated teller machine remains a highly accessible and attractive target for cyber attackers. There are many attacks across the globe each year, although most do not reach the visibility of the public unless required by local law and legal disclosure. Only the largest attacks make the news. Banking trojans that start with a simple malware-laced email may ultimately enable the complete compromise of banking application systems and automated teller machine networks (ATMs). Banks in the U.S., Germany, Ukraine, China, Russia, and many other countries have been hit at all levels with ATM-targeted attacks.

ATMs have always been an attractive target – they provide direct reach to cash with potentially no traceable transactions. In the case of wire transfer fraud, such as by creating fraudulent transactions with SWIFT, it is still possible to catch up with the transfer of cash before the party responsible can extract it from the electronic accounts. Not so with cash. It is easily used, generally untraceable, and easily converted into bitcoin for anonymous storage.

Most attacks on ATMs today involve penetration of the ATM network and the insertion of special code that enables the cyber attackers to program the release of cash at designated ATMs. Sometimes this happens based upon timing – at a designated time the machines literally begin to spit out cash. Other times the transaction is set up so that a special pin code triggers the cash expulsion. In other instances, the attack requires a small physical intervention to the ATM panels to find a USB port, where inserted code once again triggers the expulsion of cash. There are many variations on these themes.

Carbanak – Banking Cyber Weapon

Some of these attacks on ATMs are more sophisticated than others. Carbanak is an example of one such highly sophisticated banking cyber weapon. After considerable reconnaissance, Carbanak enables the remote control and activation of ATM cash disbursement using network connectivity with no required interaction on the ATM front panel. In the case of Carbanak, local personnel have to be present to show up on a timely basis and scoop up the cash as it’s disbursed. Forensics has determined that these attackers have modified existing bank databases and increased the balances in targeted accounts. This makes it hard to decipher the trail of the attacker and even harder to see if fraud had actually happened. Consider the technical complexity of such an attack. It’s an almost impossible situation to unwind.

Framed differently, the cyber thieves behind these sorts of tools have stepped up in sophistication and capability to the levels of a nation-state level attack. They are well-funded and are working non-stop to penetrate your bank and access and exfiltrate your funds. They may have teams of up to 50 software developers, possibly even more, working on building out these applications. In the case of Carbanak, the software has well over 100,000 lines of sophisticated code. When a set of source code was obtained by FireEye and examined, this code demonstrated all of the known obfuscation and evasion techniques, along with a few unknown.

The takeaway, as always, is that in the current environment heading into 2020, cyber attackers will successfully penetrate your banking and ATM networks. This you cannot stop. What you can do is detect them as early as possible in the Kill Chain and move decisively to shut down their attack. The normal mix of defense-in-depth cyber defense can slow them down and stop many of them, but not all of them. In sharp contrast, deception technology presents them with a Gordian knot they cannot cut. Deception technology puts them in an impossible situation and tilts the battlefield in your direction.

In every situation, reconnaissance is a critical part of the Cyber Kill Chain that these attackers deploy. Even a ping directed towards an Acalvio decoy will produce a high integrity alert. Absolutely no one should be near the decoys in your bank networks, let alone among your ATMs. Once you are alerted to their activities, you can decisively shut them down before they can further damage.

Acalvio deception technology is also optimized to protect your automated teller machine infrastructure.

The deception technology decoys in ShadowPlex are interspersed within your banking network and will constantly be in the way of attacker reconnaissance. Every way they turn, attackers will face the high probability of detection. At any point in time, when they touch a deception decoy, Acalvio will identify them at high certainty and issue an immediate alert to your security operations center team.

Find out more about Acalvio and how deception technology can help you reduce risk and maintain compliance. We’d be pleased to introduce you to our latest technology and share information about customers that have used Acalvio ShadowPlex to protect the most sensitive enterprise and government networks.