The ABCs Of ATM Fraud


Remember the old adage about why bank robbers rob banks — cuz it’s where the money is? That’s precisely why cyberthieves are now targeting ATMs — that’s where the cash is. In the latest PYMNTS Topic TBD, George Zirkel, SVP and head of global payments strategy at TNS, tells Karen Webster how banks can keep ATMs from being vulnerable to the growing threat of cyberattacks.

Remember those skimmers? The ones at the ATMs in the back of the convenience stores that covertly took down your account numbers and PINs? The sketchy-looking wires and mirrors that tipped you off to possible financial shenanigans? You don’t really have to worry about those anymore.

Because when it comes to ATMs, ATM operators have a lot more to worry about.

News earlier this month that compromises at ATMs (read: fraud) reached their highest levels in years in 2015 (according to FICO) brings back some concerns over how strong security is, or isn’t, at the point of cash dispensing. And in the most recent episode of PYMNTS Topic TBD, George Zirkel, senior vice president and head of global payments strategy at TNS, shared his thoughts on what’s driving that nefarious traffic.

First off, why now?

Addressing the vulnerabilities and the fact that we are hearing so much about ATMs now, Zirkel noted that a number of reasons have converged to make ATMs “top of mind.”

“Fraud is moving almost as you would squeeze a balloon. As you close the vulnerability at one area,” such as the physical point of sale, where EMV cards have largely eliminated it, the accelerating adoption of chip cards in the U.S. has sped up movement toward what he called the “weaker links.”

“So fraudsters,” continued Zirkel, “do what they do, and they try to identify the easiest path to money.” Thus, ATMs have come to the forefront, offering what he said is a “high ROI if the fraudster is successful in reaching that ATM … unfortunately, that is where crime goes.”

To combat such fraud, Zirkel noted there is a lot of “blocking and tackling” that must happen across the payments ecosystem, but it is difficult to defend financial institutions consistently, since they’re getting bigger and bigger and ATMs are getting more widespread around the country and around the globe.

“For a fraudster, they just need to find a mechanism by which to breach an ATM once and pay for that once,” but for a firm that operates the ATM (and it’s never, really, singly), it needs to combat that fraudster’s mechanism “hundreds, if not thousands, of times. So, money is an issue,” he said, “but by and large, these threats are largely preventable” if key practices are embraced.

Best practices include keeping operating systems up to date, conducting inspections of the ATM portfolio and understanding which ATMs may be at relatively higher risk, said Zirkel. Among those ATMs, said the executive, branch ATMs are at lower risk, while freestanding ones are at higher risk. “Common update procedures would go a long way to harden the system and prevent fraud,” he said.

For the thieves themselves, there are a number of avenues available, and they are being pursued. One is an actual physical attack against the machine, in an effort to pry out the cash. And the attacks can be dramatic: for example, causing an explosion at the ATM to get access to the cash inside, or using brute force to dislodge an ATM from its physical location and steal the entire device.

Those types of physical attacks can be averted, at least in part, if firms are careful about where they place their ATMs, Zirkel told Webster, with a focus on making sure they are in highly trafficked areas where suspicious activity can be noticed.

There are also, of course, quieter but no less damaging attacks that take place via software and malware, which has been used in Eastern Europe and Taiwan.

Malicious code is inserted into the operating system itself or the network with which the ATMs are being managed. That malware tricks the ATM into believing that it is dealing with a trusted processor and then dispenses cash. The third vector that is increasing in terms of ATM attacks, said Zirkel, comes through skimming, “which has certainly gotten more sophisticated” and has moved beyond hardware placed externally on machines.

Miniaturization, he continued, has allowed skimmers to become “internal versus external … and are entirely unnoticeable to the bank or the ATM provider or the consumer.”

Zirkel said that his firm, TNS, operates as a network provider securing connections between banks, processors, data centers and ATMs. He offered that it’s important to make those networks as segmented as possible in order to prevent thieves from gaining access to devices across the network.

ATMs, in essence, can run on a subnetwork that is not available to the rest of the network, but such practices are not as widespread as they might be or should be. But when ATM fraud becomes such a pain point that financial firms must take heed and action, “you’ll see a swing toward ‘hardening’ the network and going back to make sure this segmentation works correctly.”
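One way to check that this kind of segmentation "works correctly" is to audit connection records against the intended policy. The sketch below is an added example, not something from the interview or from TNS; the subnet, the processor address and port, and the flow records are all constructed assumptions, and each record is assumed to list the connection's initiator first.

```python
import ipaddress

# Assumed layout (not from the article): every ATM sits in one subnet and may
# only open connections to a single processor gateway on one TCP port.
ATM_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_PEERS = {(ipaddress.ip_address("10.50.0.10"), 8583)}  # hypothetical

# Constructed flow records: (initiator, destination, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.11", "10.50.0.10", 8583),  # ATM -> processor gateway
    ("10.20.0.12", "10.20.0.13", 445),   # ATM -> another ATM
    ("10.30.4.7", "10.20.0.11", 3389),   # office workstation -> ATM
    ("10.20.0.14", "203.0.113.9", 443),  # ATM -> internet host
    ("10.30.4.7", "10.30.4.8", 443),     # office traffic, no ATM involved
]

def audit_flows(flows, atm_net=ATM_NET, allowed=ALLOWED_PEERS):
    """Return (flow, reason) for each flow that breaks the segment policy."""
    findings = []
    for flow in flows:
        src, dst, port = flow
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_atm, dst_atm = s in atm_net, d in atm_net
        if not (src_atm or dst_atm):
            continue  # does not touch the ATM segment
        if src_atm and dst_atm:
            # One compromised ATM should not be able to reach the others.
            findings.append((flow, "lateral ATM-to-ATM traffic"))
        elif src_atm:
            if (d, port) not in allowed:
                findings.append((flow, "ATM reached a non-approved peer"))
        else:
            # Under the assumed policy, ATMs initiate; nothing dials in.
            findings.append((flow, "connection initiated into the ATM segment"))
    return findings

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(flow, "->", reason)
```
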

Against the backdrop of expanded connectivity between devices globally (such as the Internet of Things), said Zirkel, it becomes increasingly important to make sure that you’ve “got your architecture, your hardware and your network topology really worked out. Everything is becoming a connected device. Many of them are becoming payment-aware, and for that, they are carrying some very sensitive information.”

The eventual goal, he said, even “as we can do a far better job of protecting ATM networks across the globe,” is to make it too expensive for fraudsters to hack and thieve, so that they go somewhere else to seek their gains.