ATM security without compromise

Today’s ATMs operate more like mini-branches than ever before. This means that financial institutions must ensure their devices are protected against criminals targeting them for purposes of theft, intrusion and compromise.

Establishing effective defense mechanisms, however, is just the first step. Hardened ATM security requires an institution to be aware and vigilant of new criminal schemes every day to protect its cardholders, as well as its brand.

Protecting ATMs from fraud attacks requires a blend of physical and cybersecurity measures. ATM feature functionality and operating designs continue to expand—and so does the battlefield where ATM security managers and ATM-focused criminals meet. Each new ATM feature or system brings a potential new way for criminals to learn and reverse-engineer how those mechanisms work.

Sign up for the free BAI Banking Strategies newsletter and get industry insights delivered to your inbox.

A physical attack on an ATM often includes attacking the device’s surrounding environment in addition to the ATM itself. Some of the ways criminals compromise the physical security of an ATM include card skimmers, crowbar smash-and-grabs and other brute-force attempts to open the machine on-site or remove it to another location to open it. Cyberattacks on ATMs are those that target computer systems, applications, network, and data. These include malware introduction, endoscopic attack (used in “jackpotting” schemes), BIOS manipulation, ransomware installation and wiretapping.

These types of attacks are often the work of sophisticated criminal enterprises that use reconnaissance to gather information about the network, device software and monitor capabilities of the ATM management system prior to launching the attack based on their findings.

Maintaining ATM security vigilance requires regular intelligence gathering and sharing, as well as a clear but flexible strategy for protecting both the fleet and sensitive cardholder data. First and foremost, ATM managers should think about where data resides or is transmitted and ensure its security. In addition, ATM use behaviors are generally similar, making it relatively easy to detect potential fraud using analysis tools.

Physical security checklist

  • Review the ATM’s perimeter for potential vulnerabilities and consider how a criminal might physically compromise a machine. Establish a perimeter security plan before installing a device.
  • Educate in-store and on-site personnel to validate all ATM service personnel, establish a reporting protocol for reporting suspicious behavior and periodically check machines for compromised components.
  • Give cardholders an avenue to report a potentially compromised machine or suspicious activity.
  • Check cameras and other security devices regularly to ensure they are in good working order.
  • Install GPS tracking devices within both the cash and the device itself.

Cybersecurity checklist

  • Harden the ATM by encrypting all hard drives, securing communications with the ATM’s dispenser, and installing the latest patches for the ATM model.
  • Enable multifactor authentication for all ATM software/system/network administrators.
  • Segregate the ATM channel from the environment as much as possible.
  • Undertake periodic vulnerability tests and modify software/hardware configurations as required.

Based on our deep knowledge of ATM security and our experiences with customers around the world, we recommend all financial institutions consider incorporating some or all of these best practices into their ATM security protocols:

  • Share information: Gather and share information freely, which will help make the ATM fleet and the larger market a safer environment for all stakeholders. Participate in security-focused peer and trade groups, as well as monitor warnings and updates from organizations like the Secret Service, the FBI and card networks.
  • Risk analysis: Regularly analyze physical and cyber concerns, and based on the findings, along with intelligence gathered from various sources, appropriately set up the device fleet to defend against them.
  • Physical controls: Defined controls placed on the device’s physical security and monitored along with a consistent, standardized control approach and protocols. Incorporating static controls, or “set-and-forget,” strategies don’t work because criminals innovate.
  • Staff education: Whether it is the staff in-store, in the branch or in the back office, ensure the team maintains an increased awareness because criminals may well be looking to gain access to the ATM fleet, its network, software and cardholder data.

ATM fraud is preventable with vigilance and consistent best practices. It’s not unlike the way new parents are instructed to baby-proof their house: get down on their hands and knees and look at the world from an infant’s point of view. Assessing ATM fraud and security risks should be done in a similar manner.

Jordan Riek is senior vice president, information security, at Cardtronics.