Unsecure ATMs should be quarantined too!

Each year, accompanied by travel companions, I tend to take more than a hundred flights all around the world. And practically everywhere these days we always pay by card or phone, and mostly contactless like Apple or Google Pay. In China you can even pay via WeChat when you’re at the market buying fruit and veg from grannies. And the sadly famous biovirus makes the use of virtual money more popular even still.

At the other end of the spectrum, you get the odd surprise: in Hong Kong, of all places, you need to pay cash for a taxi – always! In Frankfurt, of all places, last year in two separate restaurants they only took cash too. EH?!! We had to go on a long search for an ATM and withdraw euros instead of enjoying our post-dinner brandy. The inhumanity! :) Anyway, all this goes to prove that, despite there being progressive payment systems in place all around the globe, there still appears to be a need for the good old ATM everywhere too, and it looks like that need won’t be going away any time soon.

So what am I driving at here? Of course, cybersecurity!…

ATMs = money ⇒ they’ve been hacked, they’re getting hacked, and they’ll continue to be hacked – all the more. Indeed, their hacking is only getting worse: research shows how from 2017-2019 the number of ATMs attacked by malware more than doubled (by a factor of ~2.5).

Question: can the inside and outside of an ATM be constantly monitored? Surely yes, may well have been your answer. Actually, not so…

There are still plenty of ATMs in streets, in stores, in underpasses, in subway/metro stations with a very slow connection. They barely have enough broadband for managing transactions; they hardly get round to keeping watch of what’s going on around them too.

So, given this lack of monitoring because of the network connection, we stepped in to fill the gap and raise the security level of ATMs. We applied the best practices of optimization (which we’re masters of – with 25 years of experience), and also radically brought down the amount of traffic needed by our dedicated ‘inoculation jab’ against ATM threats – Kaspersky Embedded Systems Security, or KESS.

Get this: the minimum speed requirement for an internet connection for our KESS is… 56 kilobits (!!!) a second. Goodness! That’s the speed my dial-up modem in 1998!

Just to compare, the average speed of 4G internet today in developed nations is from between 30,000 and 120,000 kilobits per second. And 5G promises 100 million-plus kbps (hundreds of gigabits) (that is, if they don’t destroy all the masts before then). But don’t let prehistoric internet speeds fool you: the protection provided couldn’t be better. Indeed, many an effective manager could learn a thing or two from us about optimization without loss of quality.

Now, a few words about the protective functions themselves…

In addition to all the existing functions in KESS, here are the newly added ones. KESS is able to block:

  • Ports that are often used by the cyber-scum in their attacks: they scan for virtual entry points on the ATM to find the most vulnerable;
  • Brute forcing. This is one of the simplest but also most popular ways of finding out a password. The attackers test all possible combinations and, alas, often get the right one.
  • DoS attacks and exploits. If the bad guys do connect up to an ATM, they start to throw so much data at it that the poor old ATM’s hardware simply can’t cope with it all and just gives up and stops working. And that’s why they’re called DoS attacks – Denial of Service – they just stop providing the service they normally provide.

Now for a bit of showing off… KESS is used by large banks on thousands of ATMs all around the world. It’s also used by a great many transportation companies and retail giants. Accordingly, you can expect a reduction in the number of news items about hacked ATMs very soon – no matter where you are in the world. Still got questions? Head on over to the KESS product page.

PS: I really do hope that the issue of searching frantically for an ATM while away on vacation will soon become a pertinent one again. Eek: after two months of lockdown-isolation, you start to miss even unpleasant experiences such as that :).

Leave a note