10 Tips to Improve ATM Security

Customer Education Rates High in Layered Approach
10 Tips to Improve ATM Security
Last weekend, two TD Canada Bank customers discovered skimming devices on ATMs at separate branches in Calgary, Alberta. Both skimmers were affixed to the ATMs' fascia.

TD Financial Group spokeswoman Jacqueline Burns could not confirm if the ATMs were through-the-wall or lobby terminals, but she did say both were located at bank branches. The discovery highlights the critical role customer and employee education play in the fight against fraud. "We have been working really hard to educate our customers and employees," Burns says.

Mike Gervaif, an investigator with the Calgary Police Service's Economic Crime Unit, focusing on POS and ATM skimming crimes, says consumer education has been a focus for financial institutions and law enforcement. "Skimming is prolific across Canada. The TD Bank incident is not isolated," Gervaif says. "But our PR efforts and getting the word out to consumers is making a difference."

The Human Element

Canada's move to the Europay, MasterCard, Visa, or EMV standard , expected to be completed by 2015, should curb the escalation in skimming, Gervaif says. EMV, a standard already in use throughout most of Western Europe, calls for replacing magnetic stripes with radio-frequency chips on debit and credit cards.

U.S. banking institutions and merchants also are taking hits from increases in skimming. While the United States has announced no plans to move to EMV or chip-and-PIN technology, more investments are being made in security solutions and approaches.

Multilayered security methods are the most effective, says Wes Wilhelm, a senior analyst at Aite Group LLC, where he covers fraud management, payments and retail banking technology and operations. "I think most institutions are considering all ATM security concerns, but the key is how many layers and how well those layers work together."

The critical role the human component plays cannot be overlooked, he adds. As the TD Canada Bank example proves, consumer and employee education have to be part of ATM security best practices. "Service technicians and third parties who come out the ATM to replenish cash should be inspecting the reader for skimming devices," he says. "Employees also should conduct random checks."

Top 5 ATM Security Tips

Wilhelm's tips for improving ATM security include:

  1. Scheduled and random physical checks of ATMs by branch staff and technicians;
  2. A detection system that senses and sends an alert -- and/or takes the ATM offline -- when anything is attached to the card reader, keypad or fascia;
  3. Jitter technology, which uses a start-stop motion when a card is inserted;
  4. The use of software/behavioral analytics that recognize anomalous or out-of-character behavior for the cardholder or a terminal . "I call it 'collision' analytics -- when two things occur at once that don't make sense," Wilhelm says, such as a card being used at an ATM that the cardholder never or rarely visits, or withdrawal amounts and transaction times that are not consistent with the cardholder's patterns;
  5. Reliance on a jamming mechanism, which detects, via an electromagnetic field, when a skimmer is placed on an ATM and "jams" or disables the skimmer.

Wilhelm also recommends greater protection of ATM vestibules. As the security on ATMs increases, so too should the security for access readers on ATM vestibules. "They can skim card data from the access reader and then get the PIN with a camera at the ATM," he says. Banks and credit unions should also regularly check vestibule log files, to track who's accessing the ATM and when.

Skimming: Yesterday's News?

Nicholas Percoco, the senior vice president and head of SpiderLabs for Chicago-based Trustwave, an information security company, says skimming is no longer an ATM's greatest security threat -- rather, physical injection of malware is. SpiderLabs focuses on forensics, ethical hacking and security testing on ATM and other financial systems.

While Percoco says banks and credit unions cannot turn security efforts away from skimming, they should not ignore the ever-growing threat of malicious software invasions. "Criminals physically attack the ATM software and then obtain the data," he says. Basically, fraudsters physically approach the ATM and infect it with malware saved to a USB thumb drive. A similar vulnerability, most prevalent in the retail/off-premises market, was highlighted at the Black Hat security conference last month.

Percoco says enclosures that house ATM PCs are often easy to break into. Default stock locks provided by manufacturers may have unique access keys; regardless, the standard locks are rarely robust enough to prevent a skilled criminal from gaining access.

"Once open, it's basically a PC," Percoco says. "You open the ATM and insert the malware. If the system is not locked down, it will auto-run and execute that software over the entire network."

5 Additional Tips

  1. Make locks to ATM enclosures secure, and test locks before buying the fleet. If the locks are weak, have the manufacturer replace or upgrade them;
  2. Regularly download patches and software updates for Windows-based ATMs. "In a perfect world, they should push down patches once per week," Percoco says. "In reality, what we find is that some have not had patches downloaded in two years."
  3. Ensure that networks are secure, so if one ATM is hacked, fraudsters can't infect the entire ATM network -- or worse, the entire corporate network.
  4. Monitor systems for software changes that have not been approved or recorded. "Have controls in place that detect when the system itself has been manipulated or changed. Banks monitor their online systems closely; they should do the same thing for their ATM networks;
  5. Deploy layered security that protects the system and the ATM physically.

"ATMs are, by their nature, vulnerable," Percoco says. "They are often unattended, they have money, and criminals have figured out how to get in."

About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network