The now infamous Wannacry ransomware attack has affected thousands of computers and numerous organizations around the world, but U.S. credit union ATMs are relatively low on the threat list, pros say.
The ransomware, also known as WCry or Wanna Decryptor, has spread to more than 150 countries, including the United States, according to an alert from the Department of Homeland Security’s Computer Emergency Readiness Team. It appears to get in through holes in the Windows operating system and then holds user data hostage until they pay a ransom of roughly $300. In a statement issued May 12, Microsoft said it released a security update back in March that addressed the vulnerability Wannacry exploits. Many organizations hadn’t applied the security update, however.
FedEx, Spanish telecom giant Telefónica, French automaker Renault, German railway company Deutsche Bahn and Russia’s interior ministry have all reportedly been hit by Wannacry. Ambiguous reports of shut-down ATMs in India have also surfaced, though two experts told CU Times that American credit union ATM operators shouldn’t panic.
“Even for those ATMs that haven’t been updated or patched, or ATMs that are still running Windows XP, the ATM itself — even though it’s a Windows-based operating system — isn’t running through the internet, or it doesn’t even have internet access,” said Gary Walston, EVP and co-founder of ATM management company Dolphin Debit. “In order for that ransomware to get into the ATM, it would either have to take a physical breach at the ATM level itself or some other type of network line breach. That really isn’t plausible, because any of these ATMs that are communicating are running through, in most cases, a virtual private network, or a VPN.”
Also, ransomware like Wannacry typically isn’t a ploy to get into a credit union’s other operating systems via ATMs either, said Al Pascual, who is senior vice president, research director and head of fraud and security at digital financial advisor firm Javelin Strategy & Research.
“It’s kind of the other way around,” he explained.
At this point, credit unions should be cautious and keep their ATMs updated and compliant in regard to Windows XP and Windows 7, but they shouldn’t panic, Walston said.
“They just need to check their protocols and make sure that their ATMs are secure and can’t be breached in a physical sense. That’s the other reason why they really don’t need to panic: because this kind of ransomware, or any kind of a large-scale breach, most of those hackers are looking for systems that are so widespread and so large that small ATM networks, or individual ATMs, just aren’t a big enough target for them to worry themselves with,” he said.
Pascual said that although there have been some recent examples of criminals taking advantage of remote ATM access, skimming is still the biggest threat to ATMs.
“The goal isn’t just to encrypt all the data on the ATM,” he said. “A lot of the malware that ends up on ATMs is skimming malware, designed to jackpot the ATM and get it to dispense all its money. In those cases, I would be concerned. Imagine a malware that is as prolific as Wannacry with more than a single functionality.”
“That’s just a matter of time,” he added.
