By Eric Howes, KnowBe4 Principal Lab Researcher. Every so often someone flags an email with our Phish Alert Button that isn't a phishing email but is still very interesting. In this case, it's a security alert from a large payment processor, sent to financial institutions with ATMs. Having read it, my head is now spinning. The full email is below, but let me give you the highlights:
- Apparently some banks and credit unions (or the contractors they rely on to service their ATMs) have been in the practice of stashing the physical keys to their ATMs in or near the machines. Let that one sink in for a moment. This is like the old trick of hiding the keys to your car under the sun visor -- or, for that matter, keeping your passwords on a Post-it note under your keyboard.
- In the year 2019 there are still banks using ATMs that do not encrypt network traffic back to the bank. Yep, some banks are still partying like it's 1989. And -- surprise, surprise -- the bad guys figured this out and are now exploiting these lax security practices.
Here's the email:
SUBJECT: Action needed - Important ATM security alert
The United States Secret Service recently advised us of a technique used by "bad actors" to dispense cash from ATMs by intercepting its communications to the terminal owners. Attackers will unlock the ATM container, often using physical keys being stored on or around the ATM, then disconnect the network cable and attach their own device to capture and analyze ATM communications. They will use counterfeit payment cards and alter the communications with the financial institution to cause the ATM to dispense cash fraudulently.
We recommend the following actions to prevent this type of attack:
- Review security practices regarding physical key management (e.g., don’t hide physical keys in or near the ATM in an area that is accessible to outsiders)
- Prioritize the review and investigation of alerts at unencrypted ATMs related to physical tampering, vandalism, door activity, or communications errors, to ensure activities are expected (e.g., routine/scheduled maintenance at the time of the alert, etc.)
- Encrypt ATM traffic using TLS encryption. While the card data is encrypted, other facets of the transaction are not, which is how the attackers are able to use their own cards and change the approval/decline codes and transaction amount. Keep your ATMs safe and secure by adding the optional Transport Layer Security (TLS).
In addition to the above recommendations, it is a general best practice to work directly with your ATM hardware/software vendor(s) to ensure appropriate anti-malware updates have been applied. To report suspicious activities, please contact either the USSS office or their Global Investigative Operations Center (GIOC) via email, tel: 202-406-6009.
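The alert's third bullet makes the key technical point: encrypting the card data alone does not help when the approval/decline code and the amount travel in the clear, because anyone on the cable can rewrite them. The following is an added example (not from the blog post, the payment processor, or any real ATM vendor) that models that failure mode with a constructed toy wire format and then shows the property TLS supplies that the legacy setup lacks: the ATM only acts on a host response whose integrity and origin it can verify. An HMAC over a shared key stands in for that property here so the example runs offline; the field names, response codes, and key are all made up for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed toy message format "field=value;field=value". This is not a real
# ATM protocol; it only shows which fields are exposed when traffic is unencrypted.


@dataclass
class HostResponse:
    txn_id: str
    response_code: str  # constructed codes: "00" = approve, "05" = decline
    amount_cents: int


def encode(resp: HostResponse) -> bytes:
    return f"txn={resp.txn_id};rc={resp.response_code};amt={resp.amount_cents}".encode()


def decode(raw: bytes) -> HostResponse:
    fields = dict(kv.split("=", 1) for kv in raw.decode().split(";"))
    return HostResponse(fields["txn"], fields["rc"], int(fields["amt"]))


def rewrite_in_transit(raw: bytes, new_rc: str, new_amount: int) -> bytes:
    """Model the interception the alert describes: without integrity protection
    the approval code and amount can be changed between host and ATM."""
    r = decode(raw)
    return encode(HostResponse(r.txn_id, new_rc, new_amount))


def host_send(resp: HostResponse, key: bytes) -> Tuple[bytes, bytes]:
    """Host sends the message plus an authentication tag over it (constructed
    stand-in for what a TLS record layer provides)."""
    raw = encode(resp)
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return raw, tag


def legacy_atm_decision(raw: bytes) -> Tuple[str, int]:
    """Unencrypted ATM: trusts whatever arrives on the wire."""
    r = decode(raw)
    return r.response_code, r.amount_cents


def protected_atm_decision(raw: bytes, tag: bytes, key: bytes) -> Optional[Tuple[str, int]]:
    """Authenticated channel: an unverifiable response is refused outright
    (returns None) instead of being acted on."""
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    r = decode(raw)
    return r.response_code, r.amount_cents


def run_demo() -> dict:
    """Decline a transaction at the host, alter it in transit, and compare how
    each kind of ATM reacts. Key and values are constructed for the demo."""
    key = b"constructed-demo-key"
    raw, tag = host_send(HostResponse("T1001", "05", 0), key)
    forged = rewrite_in_transit(raw, "00", 50_000)
    return {
        "legacy_sees": legacy_atm_decision(forged),          # ("00", 50000)
        "protected_sees": protected_atm_decision(forged, tag, key),  # None
        "protected_genuine": protected_atm_decision(raw, tag, key),  # ("05", 0)
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The legacy path dispenses on a message the host never sent; the protected path rejects it because the tag no longer matches. TLS, as the alert recommends, adds the remaining pieces this toy omits: the ATM authenticates the host by certificate rather than a pre-shared key, and the whole record is encrypted, so the response code and amount are not even visible to a device inserted on the cable.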
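The alert's second bullet is a triage rule: door, tamper, and communications-error alerts at unencrypted ATMs deserve priority unless scheduled maintenance explains them. Below is an added example of that logic (not from the post or the payment processor) run over a handful of constructed alert lines. The alert format, ATM identifiers, maintenance schedule, and the ten-minute correlation window are all assumptions made for the example; the one idea taken from the alert itself is that a door event followed shortly by a communications error on an unencrypted ATM matches the described attack sequence and should rank highest.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample alerts, "<ISO time> <ATM id> <alert type>" (not real data).
ALERTS = [
    "2019-03-04T02:13:00 ATM-0042 DOOR_OPEN",
    "2019-03-04T02:14:30 ATM-0042 COMMS_ERROR",
    "2019-03-04T10:00:00 ATM-0017 DOOR_OPEN",
    "2019-03-04T12:20:00 ATM-0007 DOOR_OPEN",
    "2019-03-04T15:45:00 ATM-0099 LOW_CASH",
]

# Constructed inventory of ATMs that still talk to the host without TLS.
UNENCRYPTED_ATMS: Set[str] = {"ATM-0042", "ATM-0017"}

# Constructed maintenance schedule: (atm_id, window start, window end).
MAINTENANCE: List[Tuple[str, datetime, datetime]] = [
    ("ATM-0017", datetime(2019, 3, 4, 9, 30), datetime(2019, 3, 4, 11, 0)),
]

# Alert types named in the processor's bullet, grouped for correlation.
DOOR_TYPES = {"DOOR_OPEN", "TAMPER", "VANDALISM"}
TAMPER_TYPES = DOOR_TYPES | {"COMMS_ERROR"}


def parse_alert(line: str) -> Tuple[datetime, str, str]:
    ts, atm_id, kind = line.split()
    return datetime.fromisoformat(ts), atm_id, kind


def in_maintenance(atm_id: str, ts: datetime,
                   schedule: Iterable[Tuple[str, datetime, datetime]]) -> bool:
    return any(a == atm_id and start <= ts <= end for a, start, end in schedule)


def triage(lines: Iterable[str], unencrypted: Set[str],
           schedule: Iterable[Tuple[str, datetime, datetime]],
           window: timedelta = timedelta(minutes=10)) -> Dict[str, str]:
    """Assign one priority per ATM:
    ROUTINE  - no tamper-class alerts at all
    EXPECTED - every tamper-class alert falls inside a maintenance window
    REVIEW   - unexplained tamper-class alert, but the ATM uses TLS
    HIGH     - unexplained tamper-class alert on an unencrypted ATM
    CRITICAL - HIGH, plus a door event and a comms error within `window`
    """
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ts, atm_id, kind = parse_alert(line)
        events[atm_id].append((ts, kind))

    result: Dict[str, str] = {}
    for atm_id, evs in events.items():
        tamper = sorted((ts, k) for ts, k in evs if k in TAMPER_TYPES)
        if not tamper:
            result[atm_id] = "ROUTINE"
        elif all(in_maintenance(atm_id, ts, schedule) for ts, _ in tamper):
            result[atm_id] = "EXPECTED"
        elif atm_id not in unencrypted:
            result[atm_id] = "REVIEW"
        else:
            doors = [ts for ts, k in tamper if k in DOOR_TYPES]
            comms = [ts for ts, k in tamper if k == "COMMS_ERROR"]
            # Door opened, then the network cable goes quiet: the sequence in the alert.
            paired = any(abs(c - d) <= window for d in doors for c in comms)
            result[atm_id] = "CRITICAL" if paired else "HIGH"
    return result


if __name__ == "__main__":
    for atm, priority in sorted(triage(ALERTS, UNENCRYPTED_ATMS, MAINTENANCE).items()):
        print(f"{atm}: {priority}")
```

Run against the constructed lines, ATM-0042 comes out CRITICAL (door then comms error at 2 a.m. with no maintenance booked), ATM-0017 is EXPECTED because its door alert falls inside the scheduled window, ATM-0007 is REVIEW because it already speaks TLS, and ATM-0099's low-cash alert is ROUTINE. The encryption inventory is what turns a generic alert queue into the prioritisation the processor asks for, so keeping that inventory accurate matters as much as the rule itself.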