Organized Crime's Involvement In ATM Theft Is Raising Alarms

LAS VEGAS - Criminals target ATMs for one simple reason: they contain cash.

But there are a seemingly endless number of methods to try to steal this cash, according to Peter Kulik, VP of product management for Fifth Third Processing Solutions. He told attendees of NAFCU's Technology & Security Conference here that ATM security in 2011 can be broadly divided into three areas of focus: physical ATM security, logical security and telecom security.

Physical attacks include card skimming, PIN spying, PIN interception, card trapping, dispenser false fronts, ATM overlays or false ATMs, ram raids and robberies. Logical attacks involve the use of computer software to steal cardholder information and/or fraudulently dispense cash. In telecom crimes, thieves tap into phone lines either to steal cardholder information or to implant malware.

One alarming trend that pertains to all three, he said, is the increasing role of organized crime. Kulik said there are well-capitalized gangs that are highly mobile, technologically proficient, manufacturing literate and unafraid of getting caught.

"There has been a change in the method of attack because the half-life of stolen cards is very short," he said. "There are coordinated groups that obtain PINs and go to multiple ATMs to withdraw cash at the same time."

The theft of cards and/or PINs has become increasingly sophisticated over time, Kulik said. Criminals have become proficient at manufacturing false fronts that fit over portions of ATMs. Once in place, the thieves can capture the cardholder's PIN and then keep or counterfeit the card.

The improvement in pinhole camera technology has allowed thieves to place small units very near the keypad, through which they can see people typing in their PIN. Dispenser bill traps divert cash from cardholders making a legitimate withdrawal.

Software Attack On BofA ATMs
In April 2010, an insider at Bank of America installed malicious code that caused ATMs to dispense cash and not record the transactions. Kulik said the loss was estimated to be anywhere from $200,000 to as much as $400,000.

"Malware can be installed remotely or locally," he said. "Criminals can collect cardholder data or they can cause ATMs to dispense cash."

A close relative is telecom security. Kulik said PINs typically are encrypted from end-to-end during transactions, but there is no industry standard for encrypting other cardholder data. The "ultimate" end-to-end encryption would be from the ATM or point of sale to the card issuer, but he said that would require fundamental infrastructure changes.

Best Practices
ATM security starts with the physical location, Kulik said, including secure placement and making sure the machine cannot be easily moved, knocked over or dragged away. Also, a "defensible space" should be painted on the ground around the ATM to prevent fraudsters from getting close enough to spot a person's PIN entry.

"The branch manager should do a physical inspection of ATMs every day," he said. "Examine the machine closely for card trapping devices, skimmers or false fronts."

Credit unions can help themselves by advising their members to follow safety tips, starting with protecting their PINs at all times, reporting captured cards immediately and not accepting help from strangers at the ATM.

"The best way to prevent fraud is by making stolen data worthless," he advised. "But know technology is not a panacea and that an out-of-date security system is only marginally better than no security system at all."
