Although skimming attacks remain the No. 1 ATM fraud concern in the United States, so-called "black box" attacks loom as a growing threat.
See Also: How to Measure & Communicate Return on Cybersecurity Investments
Black box attacks against ATMs already are on the rise in Europe, according to two new alerts from ATM manufacturer NCR Corp.
In a black box attack, criminals cut holes into the fascia or top of the ATM to gain access to its internal infrastructure. From there, the ATM's cash dispenser is disconnected and attached to an external electronic device - the so-called black box. The box sends commands to the dispenser to push out cash, bypassing the need for a card or transaction authorization.
T.J. Horan, vice president of fraud solutions for FICO's Card Alert Service, says black box attacks, such as those now plaguing Europe, will eventually emerge as a serious threat in the United States as well. Meanwhile, new research from FICO confirms that ATM skimming is still a much larger problem in the United States than in other parts of the world.
"We just released data that indicated ATM skimming increased 546 percent from 2014 to 2015," he says. "That is the largest year-over-year increase we've seen in the 20-plus years of the FICO Card Alert Service."
FICO's research, which is based on the analysis of thousands of U.S. ATMs, shows that off-premises retail ATMs were most often targeted, with 10 times as many of those terminals being plagued by skimming attacks in 2015 than in 2014.
"Criminals are targeting non-bank ATMs, which are more vulnerable," Horan says. "In 2015, non-bank ATMs accounted for 60 percent of all compromises, up from 39 percent in 2014."
Horan says black box attacks are likely to spread to the U.S. because they "are consistent with the trend toward an increase in compromises at non-bank-owned ATMs. Criminals are targeting weaker links in the system, including sometimes hacking into machines and not just simply installing skimming devices. These types of attacks are more common at non-bank locations and show the blurring of lines between skimming and certain forms of cybercrime."
Shirley Inscoe, a financial fraud analyst at consultancy Aite, offers a similar assessment: "Skimming continues to be a huge concern in the U.S., but it would not be surprising for these black box attacks to migrate here from Europe. Based on how the scam works, it would work here just as well."
And Al Pascual, head of fraud and security at Javelin Strategy & Research, says the recent rise in black box attacks in Europe should serve as a warning for U.S. ATM deployers.
"Skimming in the U.S. will only get worse at unattended terminals, including ATMs, until they have largely been upgraded to accept EMV cards," he says. "Even then we will not be out of the woods, as the black box warnings out of Europe should be a warning ... that once we close one door on fraud, fraudsters will open another. A metal box that spits out cash will always be an attractive target for criminals, and both information and physical security will continue to evolve to protect ATMs until cash is a thing of the past."
Black Box Resurgence
Black box attacks, first identified in 2012, have made a resurgence in Europe in recent months, says Owen Wild, global director of security solutions for NCR. "They seemed to slow down as they were replaced by the malware attacks," he says. "But over the past quarter, we have seen a rise in the occurrence of the black box attack. Further, we have seen it appear in new regions. ... As we have seen with every other form of ATM crime, no region should expect that they are immune. Crime expands, and now expands as quickly as ever."
Off-premises, retail ATMs have historically been the most vulnerable to black box attacks, according to NCR's alerts, because attackers have to physically manipulate the ATM. But bank branch ATMs are proving to be just as vulnerable, NCR notes.
An April 14 alert from NCR notes black box attacks waged against through-the-wall NCR Personas ATMs, which are typically located at bank branches, were on the rise in Italy. And in an April 18 alert, NCR notes that black box attacks waged against the NCR SelfServ ATM line, which is designed for off-premises and branch/lobby deployment, were on the rise in Germany.
Back in March 2015, NCR reported a rise in black box attacks in India (see Alert: Indian ATMs Face New Attacks).
In its most recent alerts, NCR points out that ensuring ATM software and hardware are up to date is critical for mitigating risks associated with black box attacks. "Fleet modernization is an important part of staying secure," the alerts note. "Modern architectures containing modern technologies are critical in the defense against criminals."
Planning a Defense
Graham Mott, who heads up the LINK Scheme, the U.K.'s central ATM network, says black box attacks "require a great deal of technical knowledge and significant investment in resources." But they can be blocked through a range of measures, including physical defenses, he says. "Therefore, while they can result in large losses, if successful, a layered approach to security should prevent them from occurring."
Closely monitoring and regularly inspecting ATMs is the best way to detect a black box or skimming attack, says Aite's Inscoe. "Machines that are not closely monitored or inspected frequently are at the highest risk," she says. "It is so easy for criminals to attach skimming devices, and in many cases, cameras to catch the PIN when it is keyed. Methods of matching the color and material on the ATM surround or camouflaging the device on a gas pump or other machine have made detection of skimming devices more difficult. This is extremely lucrative for the fraudsters, so attacks will continue to rise."