Australian banks are failing to take an international ATM hack warning seriously, a leading cybercrime analyst has warned, with depositors likely to bear the brunt of any breach.
The US-based Federal Bureau of Investigation issued a worldwide warning to banks in early August about the emergence of a new "ATM cash-out" hack.
The new method involves criminals hacking the internal systems of the automated teller and getting it to spit out cash for them to collect, compromising critical bank and consumer information in the process.
But a month on from the initial warning, the chief executive of the International Cyber Resilience Institute, Andrew Bycroft, has seen little in the way of action from Australian banks and has questioned how seriously they've taken the alert.
"So far the FBI has seen some activity and been highly suspicious of that area - they are putting out a warning - but I don't know how seriously that warning has been taken at this point in time," Bycroft told AB+F.
He pointed to the outdated systems present on many ATMs. Bycroft claimed many were still running technology as old as Windows XP - first released in 2001 and no longer supported with security updates from Microsoft for up to 10 years.
"A lot of [ATMs are] using out of date software and sometimes not even supported by the operating system vendor anymore so that means they can be quite vulnerable," Bycroft said. "[Criminals] can actually take control of them."
Spokespeople for National Australia Bank and Commonwealth Bank told AB+F that they take security seriously and were looking to evolve their processes. However, due to security concerns, they would not reveal the software their ATMs run or how old it is.
Westpac and ANZ were contacted for comment. Although they did not provide a formal reply, their respective media teams said they would also be reluctant to reveal the details of the ATM software.
Bycroft, though, remained unconvinced. "It's probably because - if you look at Australian banks for example - it falls back to the Australian mentality overall. We tend to be very optimistic, we tend to think 'well it probably won't happen to us' but in reality Australia has been victim to many cyber crimes over the years."
"Usually we're not the first to be victims - it does usually turn out to be other entities in other countries - but obviously we should take it very seriously because there is a risk," he said.
According to Bycroft, the cost of inaction would be passed on to the consumer.
"If banks lose money, it's more likely to mean fees go up to cover for those losses."
However, he remained sympathetic to the banks because of the huge undertaking required to update their ATMs across the country.
"I think it's quite difficult because of the fact they have to distribute it all over the country and sometimes, Australian banks for example, have operations offshore. So to actually go and roll out new releases and code to those is quite a daunting challenge," he said.
ANZ and CBA push back
The full ANZ and CBA responses are below:
NAB spokesperson - “We continually look at how we evolve and invest in security across the business. For example, in recent months we have moved all security-related operations under one division as we continue to strengthen and evolve the way we protect customers, our people and our shareholders. The move sees all elements of NAB’s security – from a physical, fraud and cyber perspective – come together in an integrated security model under new Chief Security Officer David Fairman, who has come to NAB from Royal Bank of Canada. As the world constantly evolves, unfortunately, so too does the sophistication of the way criminals act and we must constantly look for ways to improve, to deepen our perspective on security, to protect our people and our customers.”
CBA spokesperson - “As a bank we take security matters seriously. That’s why we employ high quality fraud prevention and detection technology, across all our channels including our ATM network. We invest heavily in ensuring this technology is kept up-to-date. We also have a dedicated team that regularly monitors unusual or suspicious activity so we can respond quickly if a security incident occurs. We work closely with law enforcement agencies and other banks to share information and understand potential threats. Any security warnings issued by these institutions are taken seriously and we act swiftly according to each individual circumstance to maintain the level of security our customers have come to expect from us.”