ATM hack attacks caught on video

The recent Capital One breach of more than 100 million customer records has left consumers worrying about banking safety. But the threats extend far beyond customer records, as hackers are increasingly finding ways to attack ATMs.

“We know for a fact that ATM crime and fraud does cost the banking industry and financial services industry billions of dollars per year,” said David Tente the executive director for the U.S. and Americas for the ATM Industry Association, ATMIA. The trade group includes financial institutions as well as ATM manufacturers.

The U.S. Secret Service gave CNBC surveillance video from two incidents that showed people attacking ATMs in broad daylight.

“I’ve seen surveillance footage of technicians dressed up as actual technicians come up to a department store where the ATM was located right by the front door. And there was pedestrian traffic,” said Greg Naranjo, a Secret Service special agent in charge from the Miami field office.

“And they’re working on this ATM for approximately 30 minutes when they finally install their device and depart and then have the cashing crew come in and cash out the machine,”

These attacks and others cost $3.5 million between late 2017 and early 2018, according to the Secret Service, which protects Americans from financial crimes.

For these physical attacks, one criminal plants a device on the back of the ATM, which is one reason why . Depending on how it’s programmed, the machine could just spit out cash. But most of the time, criminal accomplices walk up and insert a card and enter a PIN to make it look like they’re real customers.

To learn how to pull the attacks off, Naranjo says, criminal gangs have set up training facilities in South and Central America.

“They have stolen machines from banks. They have training rooms with different types of ATMs,” he said.

Physical attacks like these are on the rise. In a recent survey of ATM operators that the ATMIA shared with CNBC, 57 percent of respondents said physical attacks are increasing.

The survey also found that stand-alone ATMs not connected to a bank were the most common for fraud. Stores and shopping malls were other common locations for fraud.

Physical attacks are not the only threat ATMs need to watch out for. Hackers can remotely access a bank’s servers to get it to allow ATM transactions, according to IBM Security’s X-Force Red, a team that does penetration testing.

“We intercept the traffic, the response from the bank and change the ‘deny’ response to an approval,” said David Byrne, the global head of methodology for X-Force Red.

CNBC visited IBM’s ATM testing lab outside Toronto where the team demonstrated how this attack worked.

Byrne demonstrated how a CNBC reporter could take out money using a grocery loyalty card and an old student ID. Any card with a magnetic stripe would work.

“The street thug that the hacker mastermind sends out could conceivably sit here and just collect money after money after money until the ATM is empty,” said Charles Henderson, the global managing partner of X-Force Red. “When that street thug walks away with the money from an ATM, they’re gone forever.”

IBM has seen a 500 percent increase in ATM testing demand from banks.

“They’re seeing the attacks in the wild, and they’re trying to get ahead of the criminals,” Henderson said. “The thing about these machines is they’re very often connected to the internet…That’s a very important vulnerability, and one that we exploit in a lot of our ATM testing.”

CNBC asked the Secret Service about the attack IBM demonstrated.

“That’s more of a remote attack which is obviously possible and has occurred,” Naranjo said. “We’ve heard about that happening in Europe.”

The losses financial institutions suffer from their ATMs may be passed on to consumers.

“Banks in some cases have been increasing their foreign ATM fees to recoup some of these losses,” the ATMIA’s Tente said.

Other fees could also be affected.

“So, you know all those fees you pay at the bank…Some of them are made to offset fraud. So, when you’re paying a fee, you’re actually paying for insecure ATMs,” IBM’s Henderson said.