After Alice: New Form of Malware Attacks ATM’s

In Terminator 2 (released in 1991), a young John Connor uses an Atari Portfolio to hack into and steal cash from an ATM machine. Almost 20 years later, the John Connor ATM hack became a reality as hackers learned how to attach mobile phones to an ATM through a USB port and to send SMS messages to that phone to trick the ATM into dispensing cash.

As if this did not already give banks and ATM owners headaches, in late 2016 cyber security experts became aware of an ATM malware program known as “Alice” — which eliminates the phone and SMS messages, although it still needs to be physically installed on the ATM. Once installed, a cyber-criminal simply enters a 4-digit code on the ATM’s keypad to force the machine to dispense its cash. The Alice malware does not rely on an ATM security flaw, but instead manipulates the machine’s operating system to perform what seems to be a normal operation.

Banks in Europe and Asia were prime targets for this form of attack (referred to as “jackpotting”) in 2016. Taiwan’s First Bank lost $2.5 million and Thailand’s Government Savings Bank lost $350,000 in coordinated ATM attacks. US and foreign banks are aware of Alice and similar families of malware and are enacting procedures to defend against ATM losses, but Alice represents a sobering number of trends for all banks.

First, hacker strategies to attack ATM’s are increasingly more sophisticated. Where previously hackers had used off-the-shelf resources, those resources are moving toward custom designs that reflect a higher degree of knowledge of the inner workings of ATM’s. That knowledge is shared within hacker communities on the dark web and elsewhere.

Second, even though hackers currently need physical access to install Alice-like malware into ATM’s, cybersecurity experts envision a day in the not-too-distant future where cyber-thieves access ATM controls through a bank’s internal network. The sub-networks that are used to operate ATM’s can be easily compromised after hackers gain entry into a bank’s primary information technology system. Large banks might have defenses in place to detect network hacking, but many network breaches occur at both large and small banks with no awareness of the breach by network administrators and cyber-security teams.

Third, hackers have devised a strategy to compromise the much-touted EMV cards that were trumpeted as a significant cyber-security breakthrough. Hackers accomplish this with a “shimmer” device that lifts EMV card data at a point of sale cash register and transmits that data to a cyber-thief who uses it to withdraw cash from an EMV cardholder’s account.

A bank customer’s liability for fraudulent ATM transactions is typically limited, and a significant part of losses from ATM fraud therefore fall on the banks whose ATM’s are the target of a cyber-scam. Banks have already dedicated substantial assets to protect their internal networks from cyber-attacks. With hacker advances into ATM fraud, banks will once again need to step up their efforts.

Cyber-security defenses are a necessary part of those efforts. Cyber-security insurance is the backstop that reduces a bank’s financial exposure to both direct and third-party losses that flow from a successful ATM attack. Banks can confer with their current insurance agencies to get cybersecurity quotes for insurance to cover this new breed of ATM attack. They can also work with specialty insurers, like Cyber-policy, that can assess the bank’s cyber risk exposure and that will work with the bank to reduce that exposure and to establish the optimum cyber-insurance coverage that the bank will need to compensate for prospective losses from ATM and other cyber-attacks.