Attacks against ATMs across Europe using ATM malware and ATM jackpotting techniques have failed miserably in the first half of the year, with criminal gangs making less than €1,000 from a single successful robbery.
In total, banks reported 35 incidents involving ATM malware and ATM jackpotting (aka black box or logical) attacks across Europe, according to a report published this week by the European Association for Secure Transactions (EAST), a non-profit organization that tracks criminal fraud in the EU financial sector.
“Malware was used for 3 of the attack attempts, and the remainder were ‘black box’ attacks,” the report said.
“Related losses were down 100% (from €0.25 million to €0.00 million), although a small loss (less than €1,000) was reported in one case.”
This now marks two consecutive years during which criminal groups have failed to steal any money using ATM malware.
ATM malware was never successful in Europe
ATM malware was first spotted in Europe in 2017. Attacks have always been rare and unsuccessful. While the use of ATM malware has been widespread in other parts of the globe, Europe’s higher standards for the banking industry have paid dividends.
To install ATM malware on an ATM, criminals need access to an open USB port, CD/DVD slot, or networking sockets. However, many banks across Europe have taken precautions against such attacks, either through the use of physically-secured ATMs, or ATMs running security software to detect malware.
This has made cases of classic ATM malware very rare compared to other parts of the globe that still run older ATM systems.
In the table below, readers will see that ATM malware is grouped together with “logical attacks.” This is because logical attacks, also known as ATM jackpotting or black box attacks, are an evolution of ATM malware.
Because connection ports have been secured on most modern ATMs, during a black box attack, criminal gangs drill holes in an ATM’s case to connect a laptop to the ATM. They use the laptop to install the ATM malware on the ATM’s internal computer, and then they instruct it to release bills stored on the ATM.
But just like ATM malware, ATM jackpotting attacks have been going down. The main reason is that jackpotting (black box) attacks permanently destroy ATMs, require expensive tools, and take a long time to execute.
“This fall in logical and malware attacks is very good news and reflects the work that has been put into preventing such attacks by the industry and law enforcement,” said EAST Executive Director Lachlan Gunn.
But these improvements have also pushed criminal groups towards other forms of ATM fraud.
One of those forms has been “physical attacks,” during which crooks use physical force to break the ATM and steal its cash store. Criminal gangs have been seen ramming ATMs with vehicles, blowing up the ATM using explosives, or downright stealing the entire ATM to crack it open later, at another location.
Physical attacks have been quite popular, but they haven’t been the top form of ATM fraud because they, too, permanently destroy ATMs, and crooks can only steal money in small quantities — usually somewhere between €9,000 and €15,000.
As a result, criminal groups have turned their gaze to techniques that can be reused countless times.
TRF — criminal groups’ new favorite ATM fraud method
The banking industry has been tracking these types of attacks under the name of ATM terminal-related fraud. This category includes the use of ATM skimming and techniques like transaction reversal fraud, both silent techniques that can be re-used on the same ATM many times over.
Both techniques have been very successful across the years in Europe, causing between €250 million and €350 million in losses per year.
But according to EAST’s latest report, there’s been a paradigm shift in the first half of 2019, with the use of ATM skimming devices reaching an all-time low and going down in favor of the lesser-known technique of transaction reversal fraud.
Transaction reversal fraud, or TRF, involves using glitches in the normal mode of operation of an ATM.
In a TRF attack, crooks enter a valid card in the ATM, enter a correct PIN, and request a valid cash withdrawal. However, when the ATM ejects the payment card, the criminal leaves the card in the ATM slot.
The idea is to leave the card in the slot until the ATM thinks the card jammed and it needs to cancel and reverse the previous bank transaction, effectively re-adding the money to the crook’s account.
At this point, the criminal uses a tool like a screwdriver to force open the ATM dispenser shutter and take the cash bills that had been previously prepared to be dispensed for the now-canceled transaction.
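The sequence above leaves a recognizable trace for a defender: a reversal triggered by a card timeout where the staged notes are never retracted. The following is an added example, not part of the original article or any vendor's software, that flags this pattern in an ATM event journal; the event names, record layout, and sample journal are hypothetical and constructed for illustration.

```python
from collections import defaultdict

# Constructed sample journal: (atm_id, txn_id, event). The event names are
# hypothetical and do not come from any real ATM vendor's log format.
JOURNAL = [
    # Normal withdrawal: card and cash both collected.
    ("ATM-01", "T100", "WITHDRAWAL_AUTHORISED"),
    ("ATM-01", "T100", "CARD_EJECTED"),
    ("ATM-01", "T100", "CARD_TAKEN"),
    ("ATM-01", "T100", "CASH_TAKEN"),
    # Customer walked away: notes retracted, so the reversal is legitimate.
    ("ATM-01", "T101", "WITHDRAWAL_AUTHORISED"),
    ("ATM-01", "T101", "CARD_EJECTED"),
    ("ATM-01", "T101", "CARD_TIMEOUT"),
    ("ATM-01", "T101", "CASH_RETRACTED"),
    ("ATM-01", "T101", "REVERSAL_SENT"),
    # TRF pattern: reversal sent, notes never retracted, shutter fault follows.
    ("ATM-02", "T200", "WITHDRAWAL_AUTHORISED"),
    ("ATM-02", "T200", "CARD_EJECTED"),
    ("ATM-02", "T200", "CARD_TIMEOUT"),
    ("ATM-02", "T200", "REVERSAL_SENT"),
    ("ATM-02", "T200", "SHUTTER_FAULT"),
]


def find_suspect_reversals(journal):
    """Return (atm, txn, reasons) for reversals whose cash is unaccounted for."""
    seen = defaultdict(dict)  # (atm, txn) -> {event: first position in journal}
    for pos, (atm, txn, event) in enumerate(journal):
        seen[(atm, txn)].setdefault(event, pos)

    findings = []
    for (atm, txn), ev in sorted(seen.items()):
        # Only reversals caused by an uncollected card are of interest here.
        if "REVERSAL_SENT" not in ev or "CARD_TIMEOUT" not in ev:
            continue
        reasons = []
        if "CASH_RETRACTED" not in ev:
            reasons.append("notes_not_retracted")
        if ev.get("SHUTTER_FAULT", -1) > ev["REVERSAL_SENT"]:
            reasons.append("shutter_fault_after_reversal")
        if reasons:
            findings.append((atm, txn, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_reversals(JOURNAL):
        print(finding)
```
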
EAST said that such attacks have become the predominant form of ATM fraud in Europe, accounting for 5,649 incidents in the first half of 2019, up from 2,292 last year, and accounting for 45% of all ATM fraud.
For the foreseeable future, EAST said this trend is expected to continue, with ATM malware, jackpotting, and card skimmers going down, and TRF attacks going up.
However, just as the banking sector reacted to card skimmers and ATM malware, protections in the form of software updates will eventually make TRF inefficient in the coming years, and force crooks towards the third category of physical attacks.