Criminals continue to find ever more ways to steal from ATMs, both physically and digitally. But ATM vendors are redesigning their machines and advising community banks on other ways to keep their customers’ money safe.
Scott Anchin, ICBA senior vice president of strategic initiatives and policy, says criminal tactics are more involved and complex than ever. Banks, he continues, are experiencing more subtle and nuanced physical attacks and targeted digital attacks, which means the industry’s defenses have to be “just as smart.”
“For community banks, the challenge is enhancing security while staying mindful of budgetary constraints,” he says. “That’s where policy support and close vendor partnerships, with adequate due diligence, can really make a difference.”
Collaboration between banks and vendors
Sharing intelligence on attack patterns and vulnerabilities is just as important as physical upgrades. As such, strong coordination between banks, law enforcement and policymakers is paramount, Anchin says.
“ATM security is part of a broader conversation about consumer trust and financial access,” he says. “Customers’ sense of safety is so important.”
ATM vendors are finding ways to minimize physical attacks, such as when criminals hook a chain to an ATM’s security enclosure door and pull it off to gain easier access to the money in the machine, says Jason Kerby, business operations manager for banking at Everon in Dallas and Boca Raton, Florida.
“Fleet modernization is important, because newer-generation drive-up ATMs have doors that can withstand [a hook and chain] attack a lot better,” he says.
ATM vendors are adding hardening capabilities around the shutter doors on the machine, which are the holes in the face of the security enclosures where criminals hook the door and take it off, Kerby says. Kerby recommends that vendors add barrier gates in front of drive-up ATMs, too.
Logical attacks
Another kind of attack on ATMs that financial institutions are increasingly experiencing is an “offline logical attack” by malware, Kerby says. During this kind of attack, criminals pull out the drive-up ATM’s computer hard drive, also called a hard disk, and plug that into their own computer. They then inject malware onto the hard disk, put it back into the ATM’s computer and use the malware remotely to drain the ATM of cash.
“That’s really on the rise, and it’s got us concerned,” Kerby says. “We’re sending regular warnings to our customer base, trying to keep them informed and give them avenues to try to combat this.”
The best way to minimize offline and online logical attacks is to encrypt the ATM’s hard disk with endpoint protection software, with certificates only the parent computer can access, Kerby says. That way, criminals using their own computer won’t be able to access the disk’s operating system to inject malware or take any customer data from the disk.

Transaction reversal fraud
Transaction reversal fraud is also emerging, Kerby says. This is when criminals request to withdraw money from an ATM and the cash is pre-staged in the presenter, but then the criminals find some way to create a “fault,” like jamming something else into the card reader.
That causes the ATM’s computer to send a message to the host to reverse the charge to the account. However, at the same time, the criminal is forcing open the shutter and pulling the cash out of the machine.
“It’s important to make sure that you update Windows security patches, as well as vendor software updates, because NCR in particular has written a patch to tell the ATM not to pre-stage the cash,” Kerby says.
Another mitigation technique that community banks can use is to change presentation rules with the transaction host to “favor the bank,” he says. That way, as soon as the funds are approved to be dispensed, the account is debited and cannot be reversed for any reason, except if the customer files a dispute.
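The effect of that host rule, as an added illustration (not code from NCR, Everon or any transaction host): a toy ledger replays an approved withdrawal followed by a fault-triggered reversal, first with reversals honored and then with the "favor the bank" rule. The class, message names, account and reason code are hypothetical, and the sample sequence is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """Toy transaction host; favor_bank=True models the 'favor the bank' rule."""
    favor_bank: bool
    balances: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # txn_id -> (account, amount)
    review: list = field(default_factory=list)   # ATM reversals held, not credited

    def authorize(self, txn_id, account, amount):
        if self.balances.get(account, 0) < amount:
            return "DECLINED"
        self.balances[account] -= amount         # debit once dispensing is approved
        self.pending[txn_id] = (account, amount)
        return "APPROVED"

    def reversal(self, txn_id, reason):
        """Reversal sent by the ATM after it reports a fault."""
        if txn_id not in self.pending:
            return "UNKNOWN_TXN"
        if self.favor_bank:
            # Keep the debit; record the fault so staff can reconcile the cassette.
            self.review.append((txn_id, reason))
            return "HELD"
        account, amount = self.pending.pop(txn_id)
        self.balances[account] += amount         # weak setting: automatic credit
        return "REVERSED"

    def dispute(self, txn_id, upheld):
        """Customer-filed dispute: the only path that credits under favor_bank."""
        if txn_id not in self.pending:
            return "UNKNOWN_TXN"
        if not upheld:
            return "DENIED"
        account, amount = self.pending.pop(txn_id)
        self.balances[account] += amount
        return "CREDITED"

def replay(favor_bank):
    """Constructed sequence: approval, then a fault-triggered reversal."""
    host = Host(favor_bank, balances={"acct-1": 500})
    results = [host.authorize("t1", "acct-1", 200),
               host.reversal("t1", "CARD_READER_FAULT")]
    return results, host.balances["acct-1"], host.review
```

With reversals honored the account returns to its starting balance even though the cash has left the machine; with the rule on, the debit stands and the fault is queued for review until a dispute is decided.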
Take a layered approach to ATM security
Physical:
- Reinforcing ATM structures
- ATM alarms
- Video surveillance
- Daily fascia inspections
Digital:
- Skimming protection
- Encrypted hard drives
- Whitelisting
- Secure network communications
- Firewalls
- Password management
- Endpoint protection with encryption
- Malware detection
A layered approach to ATM security
To protect ATMs and ITMs, Kerby suggests community banks take a layered approach. “Each layer you put in place helps defend against things that we’ve seen and things that are yet to be invented, because they’re always out there trying to figure out new ways to attack the machines,” Kerby says.
It’s also smart to periodically invest in next-generation ATMs, he adds, as older machines are easier to attack.
ATM crime has grown more sophisticated and now includes high-tech attacks like skimming, shimming, jackpotting, malware and black box tactics, says Jodi Neiding, vice president of Americas banking portfolio for Diebold Nixdorf, a financial and retail technology company in North Canton, Ohio.
“This changing threat landscape demands a more proactive security strategy,” she says.
Diebold Nixdorf also recommends a multilayered approach to meet this challenge, integrating physical security enhancements with software and security protocols. Neiding says, “Physical reinforcements are still critical, but today’s defense is increasingly digital and intelligent.”