
The data-focused approach to ATM security

While COVID-19 has drastically reduced our use of cash, rumours of its death are greatly exaggerated – at least for now. Although the number of cash machines has been falling, there are still over 60,000 ATMs in the UK and, according to Link, a total of £81bn was withdrawn from them in 2020. Every one of these transactions is a possible doorway to a data breach. So, while digital currencies and payments seem to dominate the fintech news, the banking and finance sector can’t afford to neglect the risks posed by physical ATM security.

ATM threats

One leading bank in Thailand with 5,000 ATMs was reporting profit declines due to persistent losses from its ATM network as a result of both insider and external attacks. The dispersed nature of ATM networks makes them prone to internal attacks from maintenance and admin staff who may be susceptible to bribes to provide access to data. This is all too easy to do as ATM upkeep entails manual processing and multiple touchpoints. Staff and third parties could easily conceal unauthorised access and plug in external media hard drives with minimal risk of being caught – and the crime would only be spotted long after the incident had taken place.

The bank was also falling victim to persistent and sophisticated external threats from spoofed card infections via malware. This occurred because their legacy hardware did not have adequate application control to prevent malicious attacks.

On the face of it, ATMs seem like simple machines to interface with and conduct transactions on. However, physical ATMs also act as a portal to the wider network, and a spoofed card can easily cause an ATM to lose connection with the central server, allowing it, or other machines on the same network, to be taken over without triggering any alerts or logs. In the absence of application control, ATMs can be emptied of their contents without the bank being able to detect the threat and block the action.

ATMs in an online world

The problem is that physical ATM systems were built for a different era. Not only have customer behaviours changed, but the threat landscape has also evolved. Like many financial institutions, the bank in Thailand looking to protect its ATM network realised that it was time for a new approach – to focus on protecting the data itself, while adding comprehensive application control to block unauthorised processes. Making sure that all data is encrypted at the file level means that any information stolen by an insider or through external attack is rendered useless to the thieves.

The second part of the solution for protecting physically dispersed and complex systems like ATM networks is AI-powered application control. This provides 100% malware protection by simply blocking anything from running that is not on a personalised ‘allow list’ from a central management server. Any process that is not on the authorised list is denied by default and flagged to administrators with recommended actions. This approach blocks first and then asks questions later for guidance, when needed.
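A minimal sketch of the deny-by-default decision described above, added here as an illustration and not taken from the bank's or any vendor's product. The allow-list format (executable path mapped to a SHA-256 digest), the recommended-action strings and the sample launches are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    path: str
    allowed: bool
    reason: str   # why the launch was allowed or denied
    action: str   # recommended action shown to the administrator


class AllowList:
    """Allow list for one ATM: executable path -> SHA-256 of the approved file.

    Assumed format; a real product would receive this list from its
    central management server.
    """

    def __init__(self, approved):
        self.approved = {p.lower(): h.lower() for p, h in approved.items()}
        self.alerts = []  # denied launches queued for administrators

    def check(self, path, image):
        digest = hashlib.sha256(image).hexdigest()
        expected = self.approved.get(path.lower())
        if expected == digest:
            return Decision(path, True, "on allow list", "none")
        # Deny by default: anything not matched above is blocked and flagged.
        if expected is None:
            d = Decision(path, False, "not on allow list",
                         "review file; approve centrally or remove")
        else:
            d = Decision(path, False, "approved path, contents changed",
                         "treat as tampering; investigate before reuse")
        self.alerts.append(d)
        return d


def demo():
    # Constructed sample data: byte strings stand in for real executables.
    atm_app = b"constructed ATM application image"
    allow = AllowList({r"C:\ATM\atmapp.exe": hashlib.sha256(atm_app).hexdigest()})
    launches = [
        (r"C:\ATM\atmapp.exe", atm_app),                # approved binary
        (r"E:\tools\unknown.exe", b"unknown binary"),   # run from external media
        (r"C:\ATM\atmapp.exe", atm_app + b" patched"),  # approved path, modified
    ]
    return [allow.check(p, img) for p, img in launches], allow.alerts
```

Matching on path and digest together means a modified copy of an approved program is reported differently from an unknown one, which gives administrators a more useful recommended action.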

While cash remains ‘king’ for many of us, banks will still have to operate and secure their networks of ATMs so that ‘jackpot’ malware cannot be used to empty machines, and so data within ATMs and their networks is protected from theft.



Nigel Thorpe

Technical Director


Member since

28 Jan 2021


