Why physical ATM security is no longer an option

By Owen Wild, Security Marketing Director

In the digital era, financial institutions are faced with a greater range of threats than ever before as criminals target previously unknown vulnerabilities.

Banks are involved in a constant battle to protect ATMs from thieves, with logical attacks – those that use malware to trick an ATM into dispensing cash – on the rise in recent months. Whether guarding against logical attacks or brute force attacks by criminals, it’s clear that the physical security of ATMs should be a priority for the financial services sector.

Black box attacks – where a physical device it connected to an ATM to install malware – are becoming increasingly common. In fact, in the first half of 2017, there were 114 black box attacks reported in Europe, according to the European ATM Security Team (EAST). This represents a massive 307 percent increase from the same period in 2016.

For attacks of this nature, criminals need to gain access to the dispenser cable inside the ATM in order to connect it to an external USB device. A comprehensive and layered approach is needed to guard against such attacks. This includes logical defences that prevent criminals from carrying out further actions even if they manage to connect a device. However, boosting the physical security of the ATM to make it more difficult for criminals to gain initial access is also key.

Physical attacks using brute force also represent a major challenge for banks. In the first half of 2017, there were almost 1,700 reported cases across the 11 countries covered by EAST, representing a year-on-year increase of six percent.

Physical threats include explosive gas attacks, the use of cutting tools to gain access to the ATM, and ram raid attacks that aim to steal the entire ATM. To defend against these attacks, banks must employ a combination of careful placement, stronger safes and deterrents designed to prevent criminals from attempting an attack.

For example, cash degradation options, including ink staining and glue, can make cash unusable if the safe is breached. What’s more, gas detection and neutralisation methods can detect the presence of gas used in an explosive attack. These can also be used to trigger alarms, smoke, sirens and other notifications to alert banks and authorities that an attack is taking place.

A layered approach to security is essential and NCR’s Fraud and Security solutions can help by assisting with authentication, securing transactions and protecting ATMs, as well as POS endpoints. Consumer trust in their financial institution is only as strong as the security they provide. A comprehensive security strategy helps a financial institution protect its customers across all interaction points and maintain their trust,as well as supporting the financial institution’s reputation and protection against financial loss.

In the past, financial institutions have relied on insurance to cover losses rather than making ATM security protection a priority. However, security can no longer be optional. The growing diversity of attacks means that deploying sufficient security protection is a major challenge – the risk and type of attack varies greatly depending on a number of factors including the placement of the machine, and the model of ATM being used. But while skimming attacks still make up the majority of ATM losses, the number of physical attacks is on the rise. That’s why banks can no longer ignore physical ATM security.

Related Articles