What are the biggest ATM security issues?

This is a series looking at ATM security issues.

A quick Google search will reveal a slew of articles about thieves breaking into or stealing ATMs from locations ranging from exterior bank walls to shopping malls. Criminals use tools ranging from trucks to construction equipment to tear ATMs apart and then later access the cash within.

However, physical threats are not the only security concerns for ATMs. Outdated key standards and card skimming are also major issues in the ATM industry.

Let's take a closer look at some of these security issues and what causes them.

Physical attacks

In recent years, physical attacks on ATMs have increased, due to both difficult economic circumstances and access to technology to break into the machines.

"ATMs will always be a high-profile target due to the volume of cash and the fact that they are often unattended. The combination of challenging economic times, along with easy access to technologies, have increased the levels of criminal activity," Adam Crighton, SVP and general manager of digital first self-service banking at NCR Corp., said in an email interview. "Criminals are armed with powerful tools that can be used to attack ATMs, including new 3D printing capabilities that have led to new methods of card skimming. We are seeing more and more activities around pulling ATMs from their mountings, attempting to open the safes or taking the ATM to remote areas."

Crighton also argued that financial institutions are not laying down sufficient mitigation tools to handle these risks, especially in regard to jackpotting, where customers are able to drill into the top box of the ATM to gain access to the interior of the ATM and mess with the software.

Clair Shufflebothan, global marketing director at TMD Security identifies the top box key and lock as being primary areas of weakness for ATMs.

"The same standard top box key is typically used across all ATMs in the network. Physical keys can be lost or stolen," Shufflebothan said in an email interview. "The lock on the ATM top box is not secure. It is easy to force open the top box with a screwdriver."

Skimming/software attacks

On another level, criminals are continually finding ways to take advantage of ATMs through skimming and jack potting software attacks, as mentioned above.

With skimming in particular, a big issue simply comes from some financial institutions still not going fully EMV.

"One of the main attack vectors is associated with using old technology for starting an ATM transaction. The biggest risk in the transaction is the magnetic stripe that exists on most cards. Card skimming is still the most common and costly form of ATM attacks," Crighton said.

On the software level, criminals are also able to take advantage of ATMs that do not have up-to-date software.

"One area where financial institutions might be leaving the door wide open for criminals is out-of-date ATM software. It sounds simple for an FI to ensure their software stack on the ATM is always up to date, but it's not always happening. And while it's a problem that's not exclusive to the financial industry — around 55 percent of all software is outdated according to Avast — and the banking industry arguably has the most to lose," Crighton said. "The cost and complexity of managing an aging hardware estate put financial institutions and their customers at risk."

Lack of traceability

While it may be impossible to create an unhackable ATM, one major issue with security is that there is often no way to trace criminal activity when it happens.

Shufflebothan points out for example that there is often no way to detect if a criminal has opened the top box, and this extends to other areas as well.

"The cash in transit company who replenishes the cash inside the ATM typically use manual schedules and there is no real-timer audit trail. There is no way for the bank, deployer or CIT management to know for certain who was actually at the ATM and at what time," Shufflebothan said.

She also pointed out that it is impossible to trace physical keys, and there is no audit trail on whether a safe door has been closed and locked. And there is often no silent alarm if the CIT team is accosted by criminals.

In addition, the access codes to access the safe are often static and written down, which brings the risk of criminals stealing the information.

Obviously these are all serious issues, which often cause a great loss of cash due to criminal activity. In part two, we will look at the solutions to some of these security issues.