ATM Security: Customers and Machines are at Risk

Be Equally Wary of the Skimmer and the Fork Lift ATMs - they're a valuable extension of your financial institution, and they are viewed by customers as an essential part of consumer banking. Always available; always ready to provide a variety of transactions, including cash.

Yet with an estimated 1.5 million ATMs now in place globally at U.S. financial institutions and in other retail settings, the physical security of these machines is an ongoing challenge.

Criminal acts against ATMs -- and their customers -- have always been a top concern for institutions. Additional surveillance cameras, electronic locks and other physical controls have been added at many institutions to make the ATM a secure place for banking transactions.

Over the past few years, though, criminals' use of "skimming" devices has replaced the traditional, physical robbery of ATM customers. Rather than mug a customer, thieves prefer to set up a "skimmer" that captures the magnetic stripe and keypad information from ATM machines, gas pumps and retail and restaurant checkout devices.

"Right now we've seen more ATM skimming cases," says Doug Johnson, senior policy analyst for the American Bankers Association. "It goes back to a sign of the times: You've got easily accessible skimming technology available off the Internet, and [thieves can] download skimmers that fit into the palm of your hand..."

The technology tools included in skimming are sometimes hard to spot. "It's been shown it is pretty easy to slap a skimmer onto an ATM," Johnson notes. Cameras placed inside the ATM itself can catch a criminal placing a skimming device onto an ATM, but it's up to bank personnel and customers to be wary of anomalies.

"Make sure you keep surveillance on your locations, and most importantly make sure your customers are also aware of the issue," Johnson says. "Educating them is a good way to spot things at your locations that look out of the ordinary."

Other ATM Threats
The criminals don't always target the individual customers; instead, they commit armed robbery on the ATMs themselves, using torches, forklifts and even earth-moving vehicles, says Randy Benore, director of product development and planning for physical security at Diebold, a Canton, OH-based manufacturer of physical security technology for financial institutions.

These physical attacks, known as ram-raids or smash & grabs burglary, can be carried out in a number of ways. One of the most common is through physical attacks, which attempt to break into the safe or vault inside the ATM. Other attacks use saws to cut though the ATM's metal case to pull out the vault. Diebold's estimated losses due to these types of attacks in 2006 were $4.5 million in the U.S., and approximately 300 of the attacks (80% of total attacks) involved the entire removal of the ATM.

"We suggest institutions look at the ATM as a small branch," Benore says. He suggests using hardening products to better secure ATMs, add the physical products (both metal and concrete) and then the electronic layer, including electronic door access and cameras.

One disturbing trend Diebold's security experts see is a marked increase in hard physical attacks on ATMs in other countries. How a ram-raid occurs: Criminals steal a vehicle and drive it into an ATM, knock it off its foundation, and then load the ATM into a truck and move to a hideout to break into at their leisure. There is a marked increase of ram-raids in Australia and Thailand. In Sydney alone, in 2006, some 100 ATMs were stolen or destroyed, according to the ATM Industry Association (ATMIA).

"Ram-raids are so prevalent over in those countries, there is a report of at least one attack per week -- sometimes multiple attacks are reported," Benore says. "I anticipate that these attacks will become more prevalent here over time."

There have been many highly-publicized situations where criminals physically remove an ATM from its foundation with construction equipment, including trucks, front end loaders, backhoes or forklifts. These types of raids, not surprisingly, often take place in secluded retail locations, since most retail ATMs weigh less than 400 pounds. However, even drive-through ATMs that weigh in excess of 3,000 pounds and are anchored in a base of concrete have fallen victim to this type of attack.

Lock the ATMs in your institution from both the front and back ends," Benore advises. "Use biometrics for those employees who are loading and unloading the machine to know when and who is accessing the cash vault."

Because criminals sometimes employ a "hot shot" that can melt concrete or steel, Benore suggests adding technology such as heat thermo detectors that detect heat and will trigger an alarm. Also, newer metal alloys are available to harden the ATMs' case, which can prevent a cutting attack.

Tips for ATM Protection
As a result of ATM-related crimes, the ABA has renewed its awareness efforts. Advice for ATM consumers includes:

  • Try to use the same ATM consistently;
  • Always inspect the ATM & make sure it doesn't look different than before. If it does, don't use it - and alert your banking institution;
  • Be aware of people behind you trying to "shoulder surf" to see your PIN number;
  • Be wary of those trying to help you, especially when an ATM "eats" your card. They may be trying to steal your card number and PIN;
  • Do not give your PIN number to anyone over the phone. Thieves often steal cards and then call the victims for their PIN, claiming to be law enforcement or from the issuing bank.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.