Home / Banking Strategies / Winning the ATM security arms race

Winning the ATM security arms race


Innovation not only takes place in product development shops: Criminals innovate, too. And when it comes to security, the arms race never ends. Illicit attempts to access money—whether via online or physical means—have only increased in prevalence.

How do financial institutions successfully combat such threats?

Today, ATMs resemble mini-branches more than ever before, and this new reality channel-wise means financial institutions must protect themselves against criminals who target them for theft, intrusion and compromise. Establishing effective defense mechanisms marks just the first step; the value of hardened ATM security demands that institutions remain vigilant of new criminal schemes every day. In this way, they stand the best chance to protect cardholders as well as the brand.

From jackpotting to skimming, four ATM security trends

Criminal activity with ATMs as the target occurs worldwide, and some trends migrate from country to country. These may be based on successful compromise and intrusion schemes—or security gaps that, closed up in one region, pop up in another that’s less protected. We’ve noted these trends across our global footprint:

1. Network compromise (“man in the middle”). A network feeds data to the financial institution. ATM security managers must ensure its safe passage to the authenticator by using a secure, robust connection to avoid any compromise. Attackers will place their own devices on the network connectivity of an ATM to siphon data and/or approve fraudulent transactions.

2. Skimmers. Since some ATM card issuers continue to accept magstripe transactions, skimmers still pose a major problem. Criminals stick these inconspicuous, removable devices atop a normal card slot to steal data, especially in segments such as gas stations. We’ve also found that warmer seasons tend to have more skimmer activity than colder seasons. News stories on skimmers have alerted consumers to look out for compromised machines.

3. Jackpotting. With this attack, criminals gain physical access and install malware, specialized electronics or both to manipulate and control the ATM. This is more prevalent outside the U.S., where thieves exploit the unique vulnerabilities of in-wall ATMs (a device type not widespread in the U.S.). Jackpotting began to pop up in the U.S. in early 2018.

4. Multi-factor cardholder authentication. Multi-factor comes into effect especially with increased usage of mobile wallets and cardless ATM transactions. This exploits the cardholder’s mobile device to interact with verification codes and permission notifications. Transfers from wallet to wallet also typify this trend.

Best practices, smart intelligence

One of the most important takeaways is to underscore the critical role intelligence gathering and sharing play in creating effective ATM security controls.

Organizations should utilize key internal and external intelligence sources, including frontline personnel and cardholders. For example, a financial institution can gather intelligence when it educates customers to look for suspicious activity and report it. Institutions can also talk to the FBI and link events across the wider market—thereby improving the ability to discover and stop distributed schemes. Collaboration remains key to building a strong, wide moat around your ATM device fleet.

Intelligence gathering also allows organizations to better plan for potential vulnerabilities. As a superior best practice, we encourage the regular use of business continuity and practice scenarios, which allow you to harden reaction and responses when a real event occurs.

Based on our deep insight of ATM security and experiences with customers around the world, we recommend you consider some or all of these best practices for your ATM security protocols:

1. ATM hardening. Don’t assume your ATM’s AV product will protect you; harden your ATM builds with OS whitelisting, keyboard lockdowns, network encryption and other items that prevent even the best attackers from executing fraudulent activity.

2. Physical controls. These are defined controls placed on the device’s physical security and monitored with a consistent, standardized approach and protocols. Incorporating static controls or “set it and forget it” strategies should be a thing of the past. As criminals innovate, organizations must keep up with flexible security controls employed via their risk analysis mechanism. 

3. Staff education. Staff in the store, branch or back office must be taught to maintain increased awareness and knowledge of themselves as criminal targets. Malefactors look relentlessly to gain access to your ATM fleet, its network, software and cardholder data.

Your ATM security arms race checklist

Taking the lead in the ATM security arms race requires a mix of channel management acumen, regular intelligence gathering and sharing, and a clear-but-flexible strategy for protecting your fleet and sensitive cardholder data. Here we’ve outlined the various ways organizations can more consistently defeat criminal activity in their ATM channel.

The summary checklist below will help you review our recommendations with your ATM channel managers, system administrators, site administrators and third-party partners.

Physical security:

» Review the physical device perimeter for potential vulnerabilities. Consider how a criminal might physically compromise a machine.

» Educate in-store and onsite personnel to validate all ATM service personnel, establish a reporting protocol for reporting suspicious behavior and periodically check machines for compromised components.

» Show cardholders how to identify a compromised machine and what to do if they spot something suspicious.

» Check cameras and other security devices regularly to ensure they remain in good working order.

» Install GPS tracking devices within cash and in the device.

» Establish a perimeter security plan before installing a device.

Logical security:

» Enable multi-factor authentication for all ATM software/system/network administrators; review audit logs regularly.

» Utilize a stand-alone computer or server for the ATM channel that isn’t connected to the organization’s email system.

» Encrypt all hard drives connected to your ATM devices or channel.

» Analyze encryption use for secure communications.

» Undertake periodic vulnerability tests and modify software/hardware configurations as required.

» If enabling digital access, review its impact on communication and data transport protocols.

Just because the ATM security arms race seems endless doesn’t mean you can’t put an end to the most dangerous attacks, at least for now. What’s more, nothing says victory quite like when the criminal who innovates is out of luck. Then you can give him his own ATM—as in “a total meltdown.”

Dan Antilley is the chief information security officer at Cardtronics.

Want more BAI Banking StrategiesSign up for our free newsletter!