No cyber attack on local ATMs, say police


SHAH ALAM: Cyber criminals are only able to remotely attack outdated and vulnerable cash machines, according to police.

Selangor Commercial Crime Investigation Department chief ACP Mohd Sakri Arifin, in response to a report by Reuters today, said it was a bank’s responsibility to ensure its ATMs were up to date, and equipped with the ability to detect as well as prevent hacking activities.

He also said there had been no reports of such an attack in Malaysia recently, repudiating a report today that overseas hackers had attacked ATMs in Malaysia.

“There are only certain types of ATMs that are vulnerable to this kind of attack,” Sakri told a press conference at the Selangor police headquarters here today.

He said such cases of hacking were last detected two years ago, and involved banks that also operated overseas.

“In one case, a Latino group called Albatross had hacked several ATM machines in Australia and Europe first before attacking Malaysia.

“When we checked, the same type of machines had been impacted in all those cases. So these banks should take precautionary measures, and either replace or purchase new machines without these vulnerabilities.”

The group of hackers had later been arrested overseas, and according to Sakri, no other similar incident had taken place in the country since.

This is contrary to a Reuters report, which quoted Russian cyber security firm Group IB as saying that Malaysia was among 14 countries that had experienced such attacks this year.

According to the report, the cyber criminals had used malicious software to force ATMs to spit out cash.

ATM makers Diebold Nixdorf and NCR Corp said they were aware of the attacks and were working with customers to mitigate the threat.

“No, we have not received any report of such attacks since the Albatross was taken down,” said Sakri.

Group IB claimed that it had detected victims in Malaysia, Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain and the United Kingdom.

Group IB said the attacks across Europe were made by a criminal group called Cobalt, named after the security tool Cobalt Strike, which was used to hack into bank computers and infect emails to take control of ATMs.

Hackers have moved from stealing payment card and online banking information to more lucrative hacks on bank networks, which gain them access not only to ATMs, but also to electronic payment networks, said the Reuters report.

Last February, Bangladesh’s central bank servers, which controlled access to the SWIFT messaging system, were compromised, resulting in the loss of more than US$81 million (RM357.7 million), one of the biggest digital heists on record.