ATM heist highlights need for newer secure technologies
09.26.16

News of card networks being hacked is become frighteningly common. Hacks, such as those that hit Target, Home Depot, and other big names, have prompted companies to add security features like chip readers into their POS devices. But that’s not the extent of the mischief, as this news story out of Taiwan illustrates.

On Sunday, July 10, 2016, hackers managed to infiltrate a network of bank ATMs belonging to Taiwan’s First Bank. According to reports, several people wearing masks accessed dozens of ATMs, spending just a few minutes with each machine and making off with the equivalent of $2 million in cash.

Investigators claimed that the machines were infected with three different malware files that instructed them to, in essence, “spit out cash” before deleting themselves from the software. This event has sent alarm bells through ATM manufacturers and owners, who now worry that their machines might also be at risk. Indeed, the number of ATMs compromised by criminals in the U.S. last year jumped 546%, according to FICO Card Alert Service.

What makes for better security?

All ATMs run software specific to their brand. Just like any other networked computer, these machines can be targeted by hackers or infected with malware—although doing so is often much more difficult than with the average desktop.

Heists like the Taiwan ATM event have prompted ATM owners to scan their machines for malware and decommission older machines that might be more susceptible to hacking. But, as with most things, an ounce of prevention is worth a pound of cure.

That’s why security procedures like tokenization are become more widespread. With tokenization, secure “tokens” are stored in the secure element of a user’s phone or in a cloud-based HCE software vault. Only the two machines involved in the transaction can read these tokens, signaling that the data are being transferred to a legitimate machine (and so, hopefully, a legitimate customer.)

Other security features include pseudo-random cryptographically secure algorithms, time and location limits, and single-use codes.

What the Taiwan heist shows is that, once a new technology gains widespread adoption, criminals will try to exploit it for gain—but technology can also be the answer to such threats. With experience, app developers and financial institutions are learning to pay closer attention to security features to prevent criminals from exploiting technology loopholes.