There once was a time when stealing money from a bank ATM required actual physical manipulation of the terminal itself. Many criminal schemes have been repeated throughout the years, ranging from physical destruction of the terminal (ramming it with a vehicle) to the use of 'skimmers' to steal customer credentials. Successful ATM capers were not infrequent, but enough so that the existing logical security measures were generally considered sufficient.
Recently however, the risks may have escalated enough to warrant new attention to ATM security.
The vast majority of ATM's rely on versions of desktop operating systems which frequently require patching. Unfortunately, due to the operational nature of these devices, the vulnerability and patch management practices that are table stakes in enterprise networks are quite rare in ATM networks.
Information regarding these terminals and their protocols is readily available. It is very easy to find manuals for any specific terminal model. Further, there's a growing cadre of experienced and knowledgeable operators and service technicians.
The cybercriminal element has improved; both in terms of the malware in use and the advanced persistent strategies they follow. They are more skilled, focused and patient than ever.
So, while preventive security measures are failing in Information Technology networks, the ATM network is representative of many Operational Technology networks that often lack these measures entirely. Moreover, the attackers are no less sophisticated or persistent. Fortunately, there are detection technologies and risk management technologies that can expose attacks that may not otherwise be evident until the money is gone.
The attached paper, authored by Stefano Maccaglia and Jared Myers of RSA's Incident Response team, discusses some of the most popular malware that is currently being used to infect ATM's and the tools that security professionals can use to identify and defend.
Incident Response Report: Threat Detection Techniques - ATM Malware