Home Slider One Step Ahead: How Financial Institutions Should Prepare for the Next Wave of ATM Threats

One Step Ahead: How Financial Institutions Should Prepare for the Next Wave of ATM Threats

by internationalbanker

By Joe Myers, Executive Vice President, Global Banking, Diebold Nixdorf





It shouldn’t come as a surprise that the automated teller machine (ATM), one of the quickest ways to gain access to cash, remains a prime target for physical and cyber threats. In the United States, the number of fraudulent incidents involving credit cards and ATMs has grown by 60 percent over the past five years. It’s difficult to grasp the full extent of physical and digital crimes because while some of these events are reported, others are not. As technology matures, some of the most sophisticated breaches are much harder to pin down, and statistics show no sign of them slowing down. So, how can financial institutions worldwide ensure that their systems for serving cash to customers are safe?

An increasingly violent physical threat

Physical attacks on ATMs are the ones that often make headlines. From breaches such as torching through machines and grabbing cash cassettes to brute force attacks such as hook and chain, physical attacks are becoming more sophisticated and violent. Europe has experienced a wave of attacks, including explosive devices that pose significant threats to bystanders nearby.

The good news is that the technologies needed to defend against these attacks continue to evolve. However, the most crucial factor may be the type of research banks perform when risk-assessing threats. Having accurate internal data and reporting when suspicious activities or full-blown breaches occur can help scale risk mitigation, giving small and large banks complete pictures of specific areas and techniques to promote better decision-making.

Skimming continues to vex financial institutions.

While bank robberies are an incredibly high-risk and low-reward endeavor, skimming is on the other end of the spectrum. Thieves can often go undetected and gain tens of thousands of dollars without resorting to brute-force tactics. Skimming presents many challenges to brick-and-mortar locations, especially because it can be difficult to know when a skimmer compromised a machine until well after the crime was committed. Electronic Benefits Transfer (EBT) skimming scams are rampant, with criminals stealing tracked data from ATMs and point-of-sale (POS) terminals in low-income areas and monetizing it at their chosen branches. In all, debit-card skimming is growing at an alarming rate, up 368 percent from 2021 to 2022, signaling just how vital it is for financial institutions to address this issue.

The elephant in the room is how financial institutions can harness the correct hardware and software to prevent skimming and whether it can be stopped in the future. Many still use card-based magnetic-stripe (magstripe) technology, created in the 1960s, to authenticate and approve transactions—and people who conduct skimming attacks have perfected the art of creating replicas that look as if they came off the production line. While financial institutions monitor these transaction authorizations on the back end, they ultimately allow them to go through, fully aware that the transaction could be from a duplicated card. The United States has made good progress in embracing EMV (Europay, Mastercard, and Visa) technology that prevents skimming, but it remains a global problem. Until this technology is adopted globally, most card issuers will still be highly vulnerable to skimmers who are increasingly familiar with the kind of security they need to crack.

The race to stay ahead of evolving cyberattacks

 “Jackpotting” is a form of cybersecurity attack that has increasingly plagued financial institutions in recent years. Sometimes called a “cashout” attack, jackpotting is orchestrated by criminals who gain access to an ATM’s components, allowing them to input unauthorized commands that can cause an ATM to empty its cash. These types of attacks are notoriously difficult to prevent, given all the security features that need to be carefully protected—including limiting physical access to ATMs, implementing protection mechanisms for cash modules and setting up alarms and additional countermeasures that can detect these types of attacks. If even one layer of security is regarded as vulnerable, criminals may take it as an opportunity to attack.

Another type of preventable cyberattack is host spoofing, which occurs when the attacker inserts his or her own device into the transaction-authorization process. In this scenario, the device modifies communications between the ATM and the transaction host to change the messages. The attack involves the culprit’s device modifying a denial issued by the bank on a transaction request into a withdrawal authorization. Securing the network communication from the ATM to the transaction host using Transport Layer Security (TLS), an industry networking standard, can deter host-spoofing attacks. TLS encryption is designed to allow messages to be authenticated and restricted to a specific transaction host. It also allows verification of the message’s integrity to detect any modification attempts.

When addressing cybersecurity attacks on a bank’s ATMs, it’s critical to ensure the technology is as current, sophisticated and robust as possible while being supplemented on the back end with higher-quality cameras and longer retention times for videos and logs. Ultimately, the most important course of action is for financial institutions to rigorously stay on top of the latest software updates for their ATMs, which are continually being developed to combat evolving threats.

A path forward for financial institutions

It can be overwhelming for financial institutions seeking to build proactive strategies. One of the first steps they should take is to implement a plan to actively monitor the most relevant threats to their ATM fleets. Threats can vary dramatically from region to region, and what might make the most sense for a high-traffic metropolitan area may not be as relevant for a rural branch in the Midwest. Staying on top of regional threats with real-time data tracking can help financial institutions better predict to what types of attacks their ATMs might be most vulnerable at any given moment.

The reality is that physical and cybersecurity attacks aren’t going anywhere anytime soon. In Europe, financial institutions lost $232 million to criminal attacks in 2022, with the vast majority coming from international skimming incidents. As financial institutions reckon with both traditional and advanced forms of attack, ATM networks will need hardware and software strategies that enhance security-risk mitigation. It is paramount for their business and operational cores to serve both their customers’ financial and physical health. In a recent YouGov survey commissioned by Diebold Nixdorf, 75 percent of respondents indicated that upon learning about a security breach at their bank, they would take an action that would negatively impact the bank, such as telling friends and family about the breach, reducing engagement with the institution or switching banks altogether. It’s clear that customers care about the efforts banks take to safeguard their money.

Communication will be critical in these efforts. The same YouGov survey found that less than 50 percent of respondents felt that their banks sufficiently informed them on how to best protect themselves when using ATMs. Additionally, accurately and actively reporting these security breaches, whether physical or digital, will continue to drive adoptions of the technologies that can outrun scammers. While there may never be a perfect solution that makes the ATM 100 percent invulnerable to physical and cyberattacks, an active and holistic strategy can help financial institutions stay one step ahead of bad actors and put themselves in a better position to adapt to evolving threats.

Related Articles

Leave a Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.