Before you can understand how to best protect an ATM from physical attack, you need to be aware of the vulnerable points that are attacked by criminals. ATMs are seen as attractive targets by criminals as they are often in remote locations, containing banknotes that are untraceable and with an easy to claim value.
In concept, an ATM comprises of a ‘personal’ computer, with specialized peripherals, some of which are housed in an integrated safe.
ATM vulnerability varies according to the location – generally, ATMs installed in a bank branch lobby are less likely to be attacked when compared to a Through the Wall ATM at the same branch, even more so when compared to those in retail or drive up locations.
As will be seen criminals are well aware of the various weaknesses in ATM designs, and will exploit this knowledge to gain access to the cash in the vault.
This access can be achieved in a number of ways but the more common physical attacks involve using tools or gas/ solid explosives. The type of tools and the quantity of explosives required depends on the grade of safe.
There is a wide range of vaults from business hours found with the smaller ATMs used by retail merchants to the Bank’s with the top of the CEN range of safes, including those designed to be more secure against explosive attack..
ATMs are designed to deter physical attacks, unfortunately , some are not that well designed, for example the key peripherals such as the note dispenser are linked to the computer using neither armoured cable or with encrypted commands.
All this makes it easier for criminals to take over and instruct the dispenser to be active until all the cassettes are empty of banknotes, an attack known as black box. However, it must be said that most of the latest bank ATMs have very few if any of these weaknesses.
Microsoft have a version of Windows with extensions designed specifically for financial services – ‘XFS’ which is widely used for financial terminals not just ATMs, but all too often it is not at the latest version. A decreasing number of ATMs are still on XP, which is far more vulnerable to attack. There are some models of ATM that run on a Linux or UNIX platform; these are often seen in Brazil.
Windows XFS restricts access to the familiar Windows desktop interface, making it not visible to ATM users who only see the application software that adheres to disabled access regulations.
The ATMs most at risk as those with design security weaknesses coupled with those deployers who do not implement the available software protection, or leave them with manufacturer’s settings.
If criminals are able to gain access to a USB port such as by cutting a hole in the fascia, they can down load malware. There are a range of software protection products that will provide security against these and other cyber-attacks. It is possible to prevent the ATM operating if unauthorized software is found.
There are a variety of other security methods such as Automatic Key Distribution systems, features within XFS V4, or locking down the MS operating system etc.
With a wide range of security measures, it is therefore vitally important that the right level of protection is in place based on the perceived risk and that it is always kept up to date with the latest releases.
Criminals constantly evolve their attack methodologies to exploit known weaknesses in the ATM and their security measures so owners need to ensure that their ATMs are protected and all measures are kept up to date.
The OCP philosophy is that security measures should be implemented in layers so that the various attack methodologies are thwarted; the following are examples of the more common attack types.
ATM skimming is when the card details are captured along with the PIN so that copies can be made and used for fraudulent withdrawals of cash.
Introducing card readers designed to prevent the skimmer being installed are available and the use of EMV deters attack.
In addition, it is important that customers are vigilant and aware of the use of skimmers so that they are able to report to authorities when they see them installed. Also to take all steps to prevent their PIN’s being compromised or cards stolen by scammers loitering by the ATM.
Shimming is an enhanced version of skimming, the data stolen from the chips, or EMV cards, are made into magnetic stripes to make fake versions of the original card and used to withdraw funds as often with these and card skimmers cameras are mounted to record the customer’s PIN.
There is a trend for criminals to gain access to the components in the upper cabinet through the fascia and then use this aperture to mount an attack. This can be prevented using a fascia protection system that detects the drilling and closes down the ATM. OCP provide such security systems.
There are a range of attacks that fall under this category. These include attacks such as:
Evidence from around the world shows that physical attacks are increasing after they decreased during Covid, for example, explosive attacks are one of the fastest growing in a number of countries, in Europe there is a 2% increase in physical attacks...
Intelligent Banknote Neutralisation Systems IBNS, was introduced by Oberthur Cash Protection. This security system operates on the principle that by ensuring that all banknotes either in an ATM cassette or a CiT carry case are stained with an indelible ink thereby greatly reducing their value, criminals will move to other non IBNS protected cash.
In addition to eliminating the rewards of the crime by making the stolen banknotes worthless, it also increases the probability of criminals being caught, as the ink staining contains a unique marker that can link the stained note to a specific ATM or case so assisting law enforcement agencies in securing a criminal conviction.
Evidence from around the world, such as France and Malaysia, has shown that the introduction of IBNS deters attacks.
As more emphasis is placed on migrating counter services to self-service machines either in the bank branch or at remote locations, there is even greater opportunity for criminals to undertake physical attacks.
A layered approach to deter these attacks is important as is working with a partner who can help provide proven and effective deterants – Oberthur Cash Protection, as a world leader in Intelligent Banknote Neutralization systems is an ideal partner to help achieve this.
Paul Nicholls, Head of Sales, Oberthur Cash Protection