Most customers interface with their financial institutions using automated teller machines (ATMs), which have security issues. However, there are solutions available to combat all current security threats, and the cost of protection is coming down.
The ATM industry is therefore in a position to minimise losses, while ensuring consumers continue to get the vital cash they need to lead their daily lives. It is important for the ATM industry to constantly innovate to meet new security challenges. So what innovations are we going to see in the next five years?
Contactless technology
Contactless technology will be a great help against ATM skimming, in which criminals steal personal information at ATM machines. Contactless is already being used in some European countries, and the number is increasing. Not having to insert a card into the ATM removes the opportunity to trap cards and also gets around the problem of “foreign” devices installed to read cards. So contactless technology, which some saw as the end of cash, can help make ATMs and cash more secure.
Not having to insert a card into the ATM removes the opportunity to trap cards
Biometrics are certain to be used increasingly to bolster ATM security. Finger, palm, vein, iris and facial recognition all have potential in this respect. Any of these may in the future be used with or without cards, PINs and one-time codes. Speed of operation in relation to biometrics could ultimately govern their use at ATMs. There may also be privacy issues that need to be addressed.
The ATM vestibule environment must add security with proper security and surveillance equipment. ATM vestibules, or lobbies, are installed for many good reasons. For one, more convenient, 24/7 locations equals better customer retention for a bank, offering comfort and convenience. 24/7 access to ATMs, night drops, coin counters, online banking kiosks, and other self-service solutions are very much in demand. Second, ATM vestibules protect customers from inclement weather and provide a more comfortable banking environment (however, vagrancy can be an issue; therefore ATM vestibules should require card access). Security and surveillance solutions can’t just be for show.
ATMs and crime
A new crime wave is hitting automated teller machines (ATMs); the common banking appliances are being rigged to spit out their entire cash supplies into a criminal’s waiting hands.
The crime is called “ATM jackpotting” and has targeted banking machines located in grocery shops, pharmacies and other locations in Taiwan, Europe, Latin America and the United States. Rough estimates place the total amount of global losses at up to $60 million.
The protection of ATMs
ATMs in supermarkets and pharmacies tend to be targeted because they may not be as well-protected, and store personnel likely would not know who is authorised to work on the ATM. In contrast, anyone approaching an ATM at a bank location would be more likely to be challenged.
ATM jackpotting originated back in 2010 when Barnaby Jack, a New Zealand hacker and computer expert, demonstrated how he could exploit two ATMs and make them dispense cash on the stage at the Black Hat computer security conference in Las Vegas. Since then, malware has been created and made available on the “Dark Web” that can instruct an ATM to dispense all its cash on demand.
ATM jackpotting
ATM jackpotting is a combination of a physical crime and a cyberattack. Typically, a criminal with a fake ID enters a grocery shop or pharmacy posing as an ATM technician, then uses a crowbar to open the top of the ATM – the “top hat” – to gain access to the personal computer that operates the machine.
Once he or she has access to the PC, they remove the hard drive, disable any anti-virus software, install a malware program, replace the hard drive and then reboot the computer. The whole operation takes about 30 seconds. The malware then enables the thief to remotely control the ATM and direct it to dispense all its cash on command.
If a legitimate customer approaches the machine in the meantime, it can operate as usual until activated otherwise by the malware.
