How to stop ATM attacks

ATM attacks are becoming increasingly common and the criminals that perpetrate them are becoming bolder, with incidents ranging from explosive attacks to software attacks. As a result, banks are investing more money intro protecting ATMs.

Kristen Williams, assistant VP of administrative services, financial operations department for One Nevada Credit Union, said her union is utilizing a variety of security measures to protect ATMs and third-party service workers.

"Aside from the extensive camera coverage and alarm systems with a duress code built into the alarm key pad, our servicing team is a third-party cash handler that is armed when at the machine for cash swaps and deposit pulls," Williams said in an email with ATM Marketplace.

But there are additional ways banks can prevent physical and digital ATM attacks. To get deeper insight, ATM Marketplace reached out to Simon Powley, head of advisory and consulting at Diebold Nixdorf.

Q. What are the latest trends in physical ATM attacks?

A. Two prominent types of physical ATM attacks include explosive attacks, which have been troubling FIs in Europe and Latin America for years, and hook and chain attacks, currently exceedingly popular among would-be criminals in the U.S.

In an explosive attack, criminals use gas or solid explosives and strong tools to gain access to the ATM safe. This can take time, depending on the terminal. Once the explosive is inserted, the safe is blown open and the criminals collect the cash, making their escape in a getaway vehicle.

In a hook and chain attack, criminals try to rip the ATM open with a hook and chain attached to a (usually stolen) vehicle like a pickup truck. Most often, this attack hits drive-up ATMs. They hook the chain into openings in the safe door after ripping off the beauty door and pull it off with the vehicle. Once the door is opened, they remove the cassettes and flee from the site of the crime.

Q. What about digital?

A. The most common type of data attack in the ATM channel is skimming, but keep in mind that the ATM is not the only point where skimming may occur. It can happen at any point of sale and recently a far more common point of attack is at the gas pump. During a skimming attack, a foreign device is installed on an ATM to capture data from the magnetic stripe of a customer card. While the location of the device can vary, the defining characteristic of a skimming device is the presence of at least one magnetic read head — meaning that as long as bank cards still have a magnetic stripe, they remain vulnerable.

There are also other types of data attacks like shimming and eavesdropping. In all cases attackers attempt to gain data from the card. Like skimming attacks, the most common way of trying to access this data is to tamper with the card reader: collecting data from the magnetic stripe, the EMV chip, or intercepting data that is transferred from the card reader to the PC.

Q. What are some tactics to handle security or strategies to mitigate or prevent attacks in the first place?

A. To protect the physical ATM against attacks, it's critical to secure not only the ATM itself, but also the entire ecosystem around it:

• Utilize sensors that can detect forceful openings of the chassis and shutters to detect the attack as early as possible. In combination with CCTV, sensor detection gives security and law enforcement more time to react.
• Delay the attack with a strengthened chassis and safe. The more time criminals are forced to spend trying to get into the ATM, the more likely they are to abandon the attack. When we designed our new DN Series ATMs, we made security considerations a key priority. That resulted in moving the note path to the top of the safe and positioning it in the middle of the ATM, removing direct access to the safe, so there is no place to hook a chain and no space to insert explosives.
• Neutralize the objective of the attack: the cash within the cassettes. If an attacker does manage to gain access, ink-staining solutions will render the banknotes useless to the criminals

Here are effective methods to mitigate or prevent skimming and other data attacks:

• EMV chip technology: In regions where this technology is already widely used, the number of reported skimming incidents has fortunately gone down. But there are regions where usage is still comparably low — and one of those regions is the U.S. Unsurprisingly, the risk of skimming attacks remains high when an alternative is missing.
• Diebold Nixdorf's ActivEdge card reader counteracts skimming by altering the way an ATM card is inserted and read. Current skimming technology relies on the ability to read an ATM card's entire magnetic strip as it is inserted in a short-edge orientation. ActivEdge requires card users to insert their cards long-edge first making it more difficult for skimmers to capture the card's information.
• Encrypting the communication between the card reader and PC (as well as other components within the ATM for that matter) protects against eavesdropping on USB communications and device substitution attacks, also known as Trusted Device Communication.
• With Internal Space Defense, the design of the card reader is essential to prevent the installation of skimmers and shimmers: by leaving limited physical space within the encrypted read head you can deter the installation of an additional read head.
• A physical barrier — also known as anti-tapping defense — in areas where sensitive information could be exposed can prevent eavesdropping attacks.
• Internal or external skimming recognition uses sensors to recognize both internal and external skimmers and set off an alarm or take the ATM out of operation until the issue can be fixed.
• Intelligent Anti-Phishing defense protects against trapping attacks by holding a trapped card with increased removal force inside the card reader — it can later be released with a software command.
• Jamming technology, used in multi-signal jamming and anti-tapping scrambling, protects against external skimming including more advanced stereo skimming attacks and certain types of eavesdropping.