One type of innovation never sleeps in banking: The tireless work of criminals and organizations to invent new ways of overcoming banking systems. Institutions now face many reinvented physical threats to their ATMs and a new form of ATM cyberthreat from ransomware.
Many attacks on ATMs don’t become news headlines, and that’s probably for the best. Beyond any funds stolen, the reputation risk can be far more damaging to relationships with account holders. Yet, staving off the onslaught of criminals who are constantly testing and refining with seemingly unlimited time and budgets can be challenging.
Up-to-date information on what bad actors are up to, how they are attacking ATMs, and what measures help prevent their success provides the best means for your institution to up its defenses. Here are the 2.0 physical threats for ATMs, and an introduction to new cyber threats, that your institution needs to know about this year and the best practices to mitigate risk for each.
ATM Physical Threats 2.0
Financial institutions have seen criminals use hooks and chains, and even explosives, in physical attacks against ATMs.
A “hook and chain” attack is exactly what it sounds like. It begins with the theft of a vehicle, typically a medium-duty truck, which is then used with a heavy chain or cable to remove the safe door forcibly. These attacks are still widely employed across the country, with an average loss per incident estimated at approximately $120,000.
What’s new in safe-cracking? You’ve likely seen the ‘jaws of life’ used by firefighters to save people from car crashes. Crooks are stealing this kind of hydraulically powered public safety equipment to crack open ATMs.
Hook and chain typically targeted older-generation island ATMs/ITMs outside of a building, especially ones installed at sites with room for a medium-duty truck to access. The jaws of life require much less space than hook and chain to execute, allowing criminals to crack safes inside buildings or even to bust CEN-I-rated vaults inside ATMs.
One institution, for example, had no alarms on its building, so bad guys opened the lock, walked inside, and had an hour and a half to work on the safe. The strength to meet these brute-force attacks comes from layers: alarms, lighting, and site design.
The Card Skimming Arms Race
Unfortunately, the banking industry isn’t beyond the card skimming threat. ATMs now have tamper-resistant card readers and deep insert protection kits as options to prevent bad guys from inserting devices that scan cards’ magnetic stripe information. But, yet again, bad guys went into research and development.
We’re seeing ultra-thin skimming devices placed deep inside machines. The devices are now half the thickness of a dime. That’s as thin as 0.5 millimeters. Skimming remains a lucrative way to steal money because it remains far too easy for a criminal to capture and reuse data from cards’ magnetic stripe, especially when they also get the PIN.
Crooks often install a camera alongside a skimmer to obtain both PIN and card information. Institutions can help protect themselves and their customers through adoption of contactless transactions. Eliminating card insertion entirely removes the opportunity for deep-insert skimming. Card data from contactless transactions cannot be reused by criminals.
Yet, if magnetic stripe is allowed as a fallback for EMV transactions, bad guys can still steal card data. In that case, institutions should inspect ATMs often, perhaps daily, as a defensive measure. Remember that it only takes a hole the size of a pinhead in the fascia or an overlay to capture PINs.
A New Cyberthreat to ATMs
In 2023, a ransomware group successfully exfiltrated about five terabytes of financial, client, and work-related data from about ten institutions by gaining access to the institutions’ ATM systems. The group claimed to have taken data from far more institutions.
How did the group access sensitive information through ATMs?
Bad actors using ransomware called “AlphaV” gained access to institutions’ systems through a single compromise. We don’t know exactly how it gained its foothold, but likely, someone clicked on a bad link in an email. It then spread to every connected computer and to other systems until it found access to sensitive information and systems—in this case, institutions’ ATMs and ITMs—which allowed the group to demand a ransom.
To address this risk, institutions must check which of their systems touch other systems and which vendors’ systems—such as remote ATM management services—touch the institution’s systems. There needs to be a “firestop” between these systems. That means the ATM systems are hosted separately by different data centers and are not in the cloud so that the institution knows one does not touch the other in a way that allows ransomware to spread.
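One way to run that check, shown as an added example that is not part of the original article: list every connection one system is allowed to open to another, then walk the list from the place a bad email link would land and report each route that crosses into the ATM systems. All system names and flows below are constructed for illustration.

```python
from collections import deque

# Constructed inventory: (source, destination) means the source system is
# allowed to open a connection to the destination. Names are hypothetical.
ALLOWED_FLOWS = [
    ("staff-workstations", "file-server"),
    ("staff-workstations", "core-banking-app"),
    ("staff-workstations", "vendor-portal"),
    ("file-server", "backup-server"),
    ("backup-server", "atm-management"),      # forgotten backup job
    ("vendor-remote-mgmt", "atm-management"),  # vendor's remote ATM service
    ("atm-management", "atm-fleet"),
]
ENTRY_POINTS = {"staff-workstations"}          # where a phishing click lands
ATM_ZONE = {"atm-management", "atm-fleet"}     # what the firestop protects


def reachable_from(flows, entry_points):
    """Breadth-first walk; maps each reachable system to its predecessor."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
    parent = {entry: None for entry in entry_points}
    queue = deque(sorted(entry_points))
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent


def firestop_gaps(flows, entry_points, zone):
    """Return one full route per flow that crosses from outside into the zone."""
    parent = reachable_from(flows, entry_points)
    gaps = []
    for src, dst in flows:
        if src in parent and src not in zone and dst in zone:
            path, node = [dst], src
            while node is not None:            # walk back to the entry point
                path.append(node)
                node = parent[node]
            gaps.append(path[::-1])
    return sorted(gaps)


if __name__ == "__main__":
    for route in firestop_gaps(ALLOWED_FLOWS, ENTRY_POINTS, ATM_ZONE):
        print(" -> ".join(route))
```

Adding the vendor's system to the entry points shows which routes open up if the vendor, rather than the institution, is the one compromised.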
Ransomware, however, is not the only malware threat banks and credit unions face. A timely example is the reinvented “FiXS” malware attack, which begins with criminals gaining physical access to a machine. They open the ‘top box,’ take out the hard drive, and load malware using a second computer. The newly compromised hard drive allows the criminals to effectively ‘cash out’ the ATM. Institutions can counter this attack through effective encryption of the ATM/ITM hard drive. This prevents the bad actor from using a second computer to load malware, as the encrypted drive cannot be mounted outside the ATM system.
A multi-layered approach to protection is required in today’s environment. DBE offers a service called Encompass Secure, which provides crucial coverage like hard disk encryption, whitelisting, and threat monitoring. Manufacturers do what they can to address known threats when manufacturing a machine and developing the software. Criminals, however, carry on a perpetual cycle of invention. No single line of defense prevents a breach on its own. Technology, alarm systems, proper lighting practices, branch design, and well-trained customers and staff can layer together to create the most robust defense.
Paul Cowley is Vice President of Technical Support and Logistics at DBE, headquartered in Des Moines, Iowa. Since joining the company in 2015, Paul has used his experience from NCR and connections at major core processors to keep DBE customers’ ATM fleets up and running. As a regular speaker for the ATM Industry Association, Paul specializes in ATM security. He participates in the ATMIA/ASA Criminal Activity Forum, ATMIA Physical Security Committee, and ATMIA Fraud and Cybersecurity Committee. Reach out to Paul through DBE’s website with questions.