New Industry Group Tackles ATM FraudInformation Sharing, Technical Standards Are Primary Goals
ATM manufacturers Diebold Inc. and Wincor Nixdorf AG are laying the groundwork for the formation of a new global industry group focused on thwarting ATM crime.
See Also: Role of Deception in the 'New Normal'
While experts say the time is right for a group like this, it will need industrywide buy-in to be successful.
ATM Crimes on Rise
ATM skimming attack sophistication, and recent global upticks in ATM cash-out schemes, have put a spotlight on ATM-related fraud, the two companies say. Banking institutions, in particular, have struggled to keep up with some of these emerging ATM fraud schemes.
The aim of this group is to establish industrywide technical standards for secure ATM terminals and ATM components and provide a platform for information sharing about attack scenarios and emerging threats, says Joerg Engelhardt, vice president of global product management for Diebold.
Members of the group will be provided with recommendations about how to prevent ATM attacks and mitigate their risk, he adds.
"The primary focus will be on both ATM hardware and software-related threats," he says. "Input regarding broader ATM security focus areas and priorities will be established by the association's membership."
Engelhardt says the new group, which is not yet formally named, is inviting other ATM manufacturers, as well as banking institutions, IT service providers and ATM suppliers, to join.
"Currently, we have documented interest from six ATM manufacturers, several financial institutions and several ATM security providers," Engelhardt says. "Additionally, ATM network providers have expressed interest in participating. Other security associations have also approached us for participation."
But David Tente, North American executive director of the ATM Industry Association, or ATMIA, says he suspects the new group will likely stay focused on ATM security products and solutions. "It is my understanding that this is more of a business/product relationship than it is an industry group," he says.
Both Diebold and Wincor currently sit on ATMIA's security committees, Tente adds.
ATMIA, which has a paid member base, also provides ATM crime information sharing through its Global ATM Security Alliance. But access to the alliance is only offered to paid members.
Whether membership in the soon-to-be-formed ATM security group that Diebold and Wincor are launching will be fee-based has not yet been revealed. The group is still in its formative stages, Engelhardt says.
For now, the focus is on ensuring industry engagement in the group, he says.
"As ATM networks have expanded worldwide; so has the sophistication of global crime," Engelhardt says. "The combination of these factors has led to intensified security concerns at the ATM. Combating this issue requires consistent focus and global defense throughout the ATM-provider chain. It is necessary to form an association focused on this issue to compile information about recognized and potential attack scenarios against ATMs, and share the right information with the right people within the industry to develop actionable plans to combat ATM crime on a global scale."
Al Pascual, practice leader of fraud and security at consultancy Javelin Strategy & Research, says getting the right amount of industry engagement from established ATM players will be key for this new security group's success.
"In order for this group to be truly successful, they will need to work hand-in-hand with financial institutions and other fin-tech providers," Pascual says. "This is a necessity, considering the growing complexity of the threats affecting the ATM channel, which include malware directed at the machines themselves, along with institutions and processors. As an often unattended channel, ATMs are likely to garner continued focus from criminals with feet on the ground, especially as EMV will effectively shut down counterfeit fraud at the POS [point-of-sale] over the next few years in the U.S."
One ATM crime-fighting challenge banks and credit unions face is that their ATM networks are often made up of terminals from multiple manufacturers, says financial fraud expert Shirley Inscoe, an industry analyst at the consultancy Aite. That's made anti-skimming hardware and software upgrades or other retrofitting on existing equipment difficult, she says.
"Even if a bank only bought from one vendor, they often inherited different ATM hardware from another vendor through acquisitions and mergers," Inscoe says. "Trying to set standards is difficult when each vendor is competing and not generally willing to set aside competitive issues to collaborate."
Thus, the formation of this group, which is informally being referred to as the ATM security industry association, will likely be welcomed by bankers, she says.
"It is definitely in the best interests of the industry, overall, for standards to be established, to protect customers and the institutions themselves against these international threats," Inscoe says. "Diebold and Wincor should be applauded for taking this step; hopefully, they will invite other competitors to engage as well. Many of the representatives in this group will probably be multinational financial institutions, although many ATMs are owned by non-FIs who should also be represented. Hopefully, the collaboration that has proven beneficial in so many areas of fighting fraud can be achieved in the ATM space as well."
ATM security expert Chuck Somers, formerly of Diebold, discusses the need for more information sharing about emerging ATM threats and crimes.
ATMs must comply with certain security standards, such as the Payment Card Industry Data Security Standard, and encryption mandates, such as Triple DES - the triple data encryption algorithm. But each manufacturer has historically addressed these mandates in different ways.
What's more, not all ATMs come factory-equipped with anti-skimming technologies and features, such as jitter, an older technology used to prevent skimming, or card readers that can accept chip cards, such as those that comply with the Europay, MasterCard, Visa, EMV, standard.
Jitter technology relies on a stop-start or jitter motion when a card is inserted in the ATM. The irregular motion distorts the magnetic-stripe details on the card, so if a skimming device has been placed on an ATM, the jitter feature, in theory, makes the copied information unusable. Sophisticated skimmers, however, have figured out how to defeat this technology.
"ATM fraud is a worldwide challenge, and with the anticipated expansion of both the ATM market and ATM-related crime, the time has come for those organizations whose business operations depend on ATMs to take concerted action at the global level," Wincor President and CEO Eckard Heidloff said in a recent statement. "They are best placed to establish a 'transmission forum' for secure ATMs, since no one else can respond as quickly or as directly when it comes to implementing the right countermeasures."
Pascual says timing of the group's launch is good because security standardization and threat intelligence in the ATM space are needed now more than ever. "This is the right move at the right time, especially as info-sharing is gaining a serious following in the financial industry and government," he says.