The evolving security landscape of ATMs

https://ncratleos.com/insights/security-landscape-atms

Safety and security are the hallmarks of our banking industry. Financial institutions (FIs) must continually and significantly invest in security to protect their assets and reputation and to maintain customers’ trust. As their branches and delivery channels evolve, security processes and protocols must also evolve. As customers begin to select these channels for a wide range of services, FIs must consider what security investments they’ll need to make.

Of these channels, the ATM is complex when it comes to security. ATMs have a physical and a logical component that require tight alignment with security measures yet must simultaneously be flexible enough to reduce friction in the customer experience. In addition, many ATMs are available outside normal business hours and even outside the branch, making access by bad actors easier and less risky. Locking this channel down safely is costly and challenging.

ATM security threats emerge quickly  

As the leading worldwide provider of ATMs and ATM management services, we continuously monitor ATM threat trends around the world.  What we see is a world in which technologies and threats are evolving constantly. Criminals have responded to new banking services and security systems by developing more coordinated and sophisticated attacks. They attack software services to inject malware into processing systems and use 3D printing to create skimming devices. Miniaturization technology helps them place tiny cameras to capture a customer’s Personal Identification Number (PIN) input.  

Data from the FBI suggests thefts from ATMs surged by 149% between 2019 and 2020, with a further 10% rise in 2021. Data from FICO, meanwhile, found that ATM skimming increased by more than 100% in 2022. Crime is rising at a frenetic rate, but NCR Atleos’ position as a leading ATM manufacturer, and now as the leading ATM operator, makes us better placed than most to understand these trends first-hand. Those insights help us respond rapidly to emerging criminal activities through our dedicated ATM security teams.

FIs that manage their own ATM networks must be prepared to monitor and react to these threats quickly, or risk losing customer trust. That means an FI must allocate management and front-line staff to its ATM channel, including specialized technicians and software engineers. In addition, regular intrusion testing, software upgrades, and investments in encryption technologies are expenses that can’t be avoided.

Compromised ATMs are hard to hide

When it comes to ATMs, one of the more visible security problems FIs deal with is physical attacks. These are very public displays of security issues because strong-arming an ATM requires significant brute force. No FI wants customers to see police tape around an empty concrete pad or a breached branch wall where the ATM once stood. This kind of attack involves high recovery costs, as FIs must secure the physical environment and replace the ATM with another expensive device. Criminals will also tend to repeat attacks as long as the same vulnerabilities persist. FIs will therefore need to up their game quickly to avoid being targeted again.

Physical threats can be countered with stronger security measures at the site. Bollards or security perimeters, for example, can hinder vehicle access, making smash and grab raids more difficult. Improved video surveillance, alarms, ink staining and good lighting can also deter raids while GPS tracking systems help to trace the thieves.  

However, criminals are also using more subtle and less direct approaches by enlisting and exploiting current or former employees. These people have inside knowledge of a bank’s systems and can guide attackers past even the best defenses. Such attacks are often digital in nature and present an especially complex problem for institutions to solve.

One of the most common logical attacks involves phishing in which criminals try to trick employees into handing over their personal details. According to a report by CNBC, 2022 saw a 61% increase in phishing attacks over the previous year.  

Criminals have also been shifting their attacks to mobile devices and personal communication channels to directly target individuals more effectively. These attacks try to persuade people to download malware onto their systems which can then be used to exploit ATM vulnerabilities.  

With ATMs having more sophisticated technology and interconnected services, electronic breaches can potentially be the gateway to a serious system-wide cyber-attack.

To protect themselves from this type of sophisticated criminal activity, FIs need to keep up-to-date on malware trends, network weaknesses, internal security protocols, and emerging threat vectors. Most of all, they have to develop a proactive and sophisticated response that matches the growing complexity of attacks. In response to this, NCR Atleos has published an extensive set of best practice recommendations to reduce an FI’s risk from logical attacks.

Creating a security perimeter around your entire ATM environment

The key to a successful strategy against cyber-attacks is to be comprehensive, proactive, and continually responsive to emerging attack vectors. Attack vectors are any means by which a criminal gains access to a physical ATM, computer, or network server to deliver a malevolent outcome. In a recently published white paper, we define a highly effective multi-layer security approach used to create a 360° border around critical ATM infrastructure, both physical and logical.

Such an environment is the most effective way to protect FIs from ATM-focused criminal activity. It consists of two main layers:

  1. The ATM Operating System layer that contains components such as device monitoring, software management, and network and dispenser communications; and
  2. The Back Office layer, comprising customer security reporting, staff training and monitoring, and security validation testing.

There are no optional security investments

To maintain a secure ATM environment and to protect itself from the reputational and financial risk of ATM fraud attacks, a financial institution cannot pick and choose which security processes it will invest in. All are important. Which is why, in today’s complex operating environment, an ATM as a Service (ATMaaS) option bears serious consideration. With this type of service, the cost and operational complexity of establishing and maintaining a secure ATM environment becomes the burden of the service provider. The cost becomes an operating expense rather than capital expenditure, and the ATM program benefits from the experience of a specialist organization focused on ATM security and ATM operations. This frees the FI to deploy resources into more profitable lines of business and protects it from lowering customers’ lifetime value through attrition due to loss of trust.

We recommend any FI considering outsourcing their ATM management keep these three key questions in mind when assessing potential vendor partners:

  1. What is the opportunity cost for my institution to maintain a continually upgraded security perimeter around my entire ATM environment and maintain staff able to track and respond to ongoing attack vectors? Can I keep my fleet up 24x7?
  2. Does my institution have access to the data streams and analysis software used by security experts to identify vulnerabilities, threat trends, and potential bad actors compromising my ATM network?
  3. Are we able to provide a safe and secure experience for our customers? Are we introducing security-related frictions that put us in a non-competitive position against other FIs?

A robust security eco-system is the best protection

All customers expect an ATM service that is fast, safe and convenient.  FIs that can’t deliver are at a competitive disadvantage. However, the complex mix of business priorities as well as operating and network environments that make up modern retail banking can result in under-investing in channels like ATMs where there are high operating costs and less revenue opportunity.    

That’s why ATMaaS solutions have a key role to play in a bank’s retail operating environment. The best solutions have developed a security eco-system that leverages many years of experience operating and maintaining ATM fleets and networks all over the world. The provider of these solutions becomes an FI’s investment partner in ATM security, instilling confidence in the institution’s ability to offer an ATM channel that is always on and always protected.