Guarding against ever-present ATM threats

Willie Sutton never actually uttered that famous line about robbing banks, “because that’s where the money was.” But had he still been around now, as the 50th anniversary of the ATM was marked, he might have said something about cash machines being even handier places to obtain money—no meddlesome bystanders, no employees ready to trigger a warning device, no security guards. Just cash in a box.

“ATMs represent a low-risk environment for criminals compared to robbing a bank, where you get a 25-year sentence—at least, in their mind it’s a less-risky environment,” says Tim Grabacki, director-product management, at Cummins Allison in an interview.

In December 2016 the ATM Industry Association reported that the percentage of survey respondents reporting a general increase in ATM crime fell to 42%, versus 51% in the 2015 survey. The survey found all kinds of crime involving cash machines still a concern, from ATM skimming, where data on users’ cards are stolen via hidden readers to card data malware and remote network compromises.

Cybercrime is the chief worry today, but physical ATM crime continues in multiple forms, from the already mentioned skimming and card trapping, where devices are used to grab users’ actual cards, to ultra-violent anti-machine violence.

Unscheduled withdrawals and worse

It’s no laughing matter, really, but when one encounters a headline such as this, from an Federal Bureau of Investigation bulletin of a bit over a year ago—“FBI, Albuquerque Police Search For Man Who Stole ATM,” one realizes that even in this age of major cyber attacks, physical financial crime still occurs.

In this case a criminal stole a rental truck to get the muscle to attempt to make an extreme withdrawal—an entire ATM ripped out of a wall of a local bank. The perpetrator didn’t have any success, however. While he obtained the cash machine, he was unable to extract any cash.

Of course, the ATM’s functionality has expanded beyond cash dispensing in recent years, but cash remains a key function. The Federal Reserve’s payments study, released in late 2016, found that cash withdrawals held virtually level at ATMs in 2015 compared to 2012, but that the average withdrawal has risen slightly, to $122 versus $118. In fact, the ATM Industry Association is promoting “Withdraw Cash Wednesday,” specifically the one prior to Black Friday, to highlight the potential use of cash for holiday shopping.

In the most recent biennial Accenture/ATM Industry Association ATM Benchmarking Study, issued a year ago, the makeup of the top 15 security measures illustrates how much money goes into types of physical protection for ATMs in various configurations. From the top down, the leaders were: building alarms; anti-cash-trapping physical prevention measures; anti-skimming jamming measures; remote monitoring for unusual ATM device behavior; anti-ram bollards; anti-skimming detectors; anti-card trapping detectors; closed circuit TV coverage; ATM mirrors to reveal “shoulder surfing”; PIN pad shields; anti-ram raid anchorage plinths; alarms on ATM fascia and cabinets; enhanced physical security for cash shutters; enhanced building and perimeter security; and enhanced ATM locking systems for the cabinet.

“There will always be physical attacks on ATMs, from the lowbrow smash-and-grab situations where they’ve physically stolen the whole ATM to the use of skimmers and other hardware that gets inserted into ATMs to compromise them,” says Grabacki.

“Stopping ATM crime can be like trying to stop water with your hands. It’s going to leak out somewhere else,” he adds.

ATM compromise rates

Skimming used to be more prevalent in metro areas, says Grabacki, but the crime has become more widespread. Grabacki explains that the ATM industry has been in a period of transition. From 2014 to 2015 the number of ATMs compromised by criminals rocketed by 546%.

“The primary factor contributing to the increase was the rush to exploit the vulnerabilities in U.S. magnetic stripe technology prior to adoption of the EMV chip technology in the U.S.,” says Grabacki. “A lot of cards issued in Europe were actually used to commit fraud here in the U.S.” The U.S. was one of the last developed markets to adopt the EMV standard.

In March, FICO reported an increase of 70% in all forms of physically compromised payment cards at U.S. ATMs and point of sale terminals in 2016. About 60% of that increase came at nonbank ATMs, while the rest were at bank ATMs or merchant point of sale devices.

“It’s really just criminals finding targets of opportunity,” says Grabacki. “On the cyber side, physical location makes no difference whatsoever.” Grabacki says he believes the rate of increase will further slow as U.S. EMV implementation moves along.

“That is consistent with what happened in Europe and Canada,” he explains.

ATM cybercrime

As the physical forms of ATM crime encounter more resistance, cybercrime becomes still more attractive.

“There has been some very sophisticated malware written,” Grabacki explains. “The biggest challenge for criminals is to figure out how to plant the malware in the bank’s environment. They need to get it onto the ATM network or onto an ATM itself.”

The weak point of choice, says Grabacki, is employees, with most attempts involving some variation on phishing. Fraudulent emails with bad links will expose the employee’s computer to malware.

“They’ll click on a link and the link won’t have anything to do with what’s actually happening on their computer,” explains Grabacki. “There are also websites that mimic legitimate websites, and other attempts to redirect web traffic to an illegitimate site with a suspect link that may differ by just one letter from the valid URL.”

The problem is that “anybody can be duped into getting the firmware downloaded,” says Grabacki. “The criminals are working in a very sophisticated environment.” Grabacki says many of the tools that they use come from the so-called “dark web,” sites on the internet where criminals buy, sell, and trade nasty software and purloined lists, among other electronic assets. Indeed, ATM security professionals refer to such tools as “CaaS”—Crimeware-as-a-Service.

Phishing attacks were up 20% in the first quarter of 2017 versus the fourth quarter of 2016, according to Phishlabs’ latest quarterly Phishing Trends And Intelligence Report. (The report noted that the attacks dipped uncharacteristically low in the fourth quarter, and noted that the first quarter 2017 figure was about 8% higher than 2016’s first quarter.) Financial institutions were among the top five phished industries, with those five accounting for 88% of attacks. So bank employees are plainly in the cross-hairs.

 “One of the advantages, where an ATM is concerned, is that they are typically in an isolated environment,” says Grabacki. “They’re not part of the general corporate network so they are in a more protected environment than, say, somebody’s desktop PC. They are usually on their own network segment.”

“Wetware” solution: Educate, educate, educate

It typically takes sophisticated malware to find its way to a bank’s ATMs, but that does not excuse lack of preparation.

The first line, actually, is education, Grabacki says. This follows from the board and CEO down to any employee who goes near hardware. Directors and top executives need to buy into the spending necessary to inform and train staff.

Staff must learn how to avoid succumbing to phishing attacks and risks in unsolicited emails to practicing good corporate computer security in order to avoid infection of the bank system via flashdrives and other hardware. “Bring Your Own Device” risks and related policies must be considered.

It can also be helpful to encourage employees to inspect the bank’s own ATMs whenever they use them, in order to have eyes—and hands, giving readers a yank to be sure they are legitimate—on the machines. Some banks present advisories about skimming, for example, right on idle ATM screens, to provide customer education.

Grabacki says it is important to work closely with the bank’s ATM vendor as well, to stay up to date. And building the bank’s security plan around its own ATM environment is important—security must be specific in advance, and also in the response phase should an event occur.

And then, there’s vigilance.

“ATM security issues are always evolving,” says Grabacki. “Criminals exploit one vulnerability. That gets addressed, and then they move to exploit another vulnerability. So it’s never one thing that banks are doing or not doing. People are aware of the environment and they’re out there actively defending ATMs across the board.”