Posts

ATM Security and Fraud Prevention: How to Secure Your ATM

There was a time when ATM machines were targeted by criminals only for the cash inside. However, modern ATMs house something else that’s just as valuable as the cash: consumer data.

An ATM doesn’t store any customer information. But, it does collect it and transmit consumer data. This presents a challenge for ATM owners, because they now must secure their machines against multiple types of attacks.

The good news is that ATM machine manufacturers have developed technology to protect against modern ATM attacks and fraud. And, it’s relatively simple to secure your ATM machines, if you know what to do.

Solid ATM security protects you, your ATM customers, and the banks.

Obviously, protecting your equipment and cash is a big deal. But, a secure ATM machine also protects your customer credit or debit card information. And, it helps shield the bank against fraudulent charges and reputation damage, since many consumers will blame their bank for security breaches, rather than the independent ATM owner.

There are a lot of benefits to properly securing your ATMs. So, here’s what you need to know to keep your ATMs safe.

ATM attacks

ATM attacks are separated into two broad categories: physical attacks and logical attacks.

Physical attacks are a simple attempt to smash the ATM machine and break open the cash vault. The term “simple” is accurate here, since most criminals try something like ramming a truck into the ATM or the wall that the ATM machine sits against inside a building.

Logical attacks are more sophisticated and rely on electronic devices to breach the software or hardware of the machine. Logical attacks extract cash by taking control of the machine or causing it to malfunction.

Even though they extract money differently, most logical attacks still require some physical breach of the case to gain access to the circuitry. So, defending against logical attacks is still mostly a matter of physically securing your machine.

Let’s talk about how you do that.

ATM security: How to protect your ATM machines

The best way to keep your ATM machines safe is to use a layered approach. If one security measure fails, a second security measure should be there to back it up.

Here’s how to layer your ATM security.

Security Cameras for Your ATM Machine

ATM location

The first security measure should be the ATM location. Often, just the placement of your ATM is enough to deter an attacker.

Clearly, you need to avoid isolated or poorly lit areas. But, also consider other aspects of your ATM location.

  • Gas stations, convenience stores, and pawn shops are great for getting lots of transactions. But, these locations also experience higher crime rates than many establishments. 

    If you put an ATM in one of these businesses, work with the owner to get your ATM placed inside, away from large windows, and against a wall with limited exposed surface area on the outside. Also, make sure that your ATM is covered by security cameras.

  • Place your ATM machines so that physical access to the case is limited. 

    Logical attacks require a breach through a seam in the case or the cash dispenser. If your ATM is in a corner or alcove that limits access to the sides of your machine, it’s much more difficult to establish the necessary breach for a logical attack.

  • Place your ATM where users can be easily observed. 

    It takes much longer to breach an ATM machine than it does to make a standard transaction. So, it’s best if the business staff can see people using the ATM. That way they can intervene if someone seems to be tinkering with your machine.

  • Scout the area before you install your ATM.

    It’s not that you can’t place an ATM in areas with a higher crime risk. But, you need to know what the area is like, so you can take appropriate security measures. Take some time to check out the surrounding neighborhoods before you get your ATM up and running.

Choosing a location might be the easiest part of securing your ATM. It’s not difficult. You just need to consider all the security risks.

Bolt your ATM down

Bolt ATM in Floor

This one is super obvious. And, bolting your machine down is easy.

However, business owners may have some concerns about you drilling into their floor. Getting permission to bolt your ATM machine down can be much trickier than the process of installing the bolts.

The key is to help the business owner understand that bolting the ATM machine down benefits them, too. They certainly don’t want people committing crimes in their establishment. That’s bad publicity. The establishment could lose business from customers who need to get cash for their purchase while the ATM is being replaced or is out of service.

Also explain that the bolts do very little damage to their floor. Typically, you’ll secure your machine with four half-inch bolts. And, you can hammer the bolts into the floor and cover them with epoxy once the ATM is removed. If the floor is tile, you can replace the tile that you drilled through to completely cover the marks.

Bolting down your ATM is all upside for both you and the business owner. You just need to help the business owner understand that.

ATM Enclosure via TPI TexasHarden your ATM case

Logical attacks require access to the mainboard or other internal electronics. Most criminals will breach the top of the case to access the mainboard, or a seam on the side of the case to access cabling between the mainboard and the dispenser.

So, fill the seams if they’re not reinforced already. Or, place an internal barrier between the case and the critical electrical components. That way, even if they’re able to open a small crack in the case, a secondary barrier will help prevent the criminal from accessing anything vital.

Finally, if you use an ATM vaulting service or have an employee who restocks your machines, limit the number of people who have keys, and change the keys periodically, if you can. 

Digital security

Many logical attacks rely on outdated software. There are plenty of technologies that didn’t exist when some older ATM machines were manufactured. Older software often has no safeguards against modern logical attacks. So, criminals will target machines with software security holes.

The simplest way to digitally secure your ATM machines is to keep the software updated. The upcoming Windows 10 update will force an update of many older ATM machines. But, establish a schedule to keep your software current.

ATM insurance

ATM insurance must be your last resort. Even though it will help you recoup any losses from an ATM theft, losing your ATM machine or the cash inside is not ideal.

However, carrying insurance to protect your investment is smart. It’s difficult to make your ATMs impervious to attacks. Your ATM insurance protects you in the unlikely event that all your other security layers fail.

But, if you take the proper steps to secure your ATM machines, you’ll greatly reduce your risk of an ATM attack or ATM fraud. And, your ATMs will safely rake in money without any issues.

ATM Security Update: How To Enable TLS 1.2 Protocol

The Announcement

The PCI Security Standards Council has mandated that the use of SSL and Early TLS (i.e. TLS 1.0 or 1.1) protocols be discontinued effective June 30, 2019. All network providers and processors are making preparations to ensure they are compliant by the June 30, 2019 deadline. To prevent any downtime, make sure your ATM terminals have been updated with the latest software and security certificates.

After this date, ALL ATMs using SSL or Early TLS (i.e. TLS 1.0 or 1.1) communications protocol will stop communicating to the Host and fail to process any transactions.

What Does This Mean?

    • Network providers are already handling the TLS 1.2 communications protocol. Therefore, as soon as possible, set the communication protocol on your ATMs to use TLS 1.2 communication protocol.

  • Anytime you visit a direct connect TCP/IP communicating ATM verify that it is set to TLS 1.2.

In order to continue processing transactions …

  • TLS 1.2 Protocol MUST be enabled on your ATM Machine

Do I Need to Enable TLS 1.2?

You NEED to Enable TLS 1.2 if …

  • Your ATM is communicating via Hardwired Internet connection (TCP/IP)

You DO NOT need to Enable TLS 1.2 if …

  • Your ATM uses a phone line or wireless modem. Your machine will not be impacted if it is communicating via a phone line or cellular wireless device box already on TLS 1.2.
    • How do I know if my wireless box is TLS 1.2?
      • The chances of you having a wireless box that is not already on TLS 1.2 are low. If you are having trouble with your wireless device please call ATMDepot.com at 888.959.2269, or your Wireless Provider, with your device’s serial number. Remember, It is best to make the request while at the location where the device is in service. Our wireless department can update your device remotely.

How to Enable TLS 1.2 Protocol

Hyosung

Customer Setup > Select Processor > TCP/IP Type

  1. SLS/TLS = Enable
  2. SLS/TLS Version = Up to TLS v1.2

Genmega/Hantle/Tranax

Customer Setup > Change Processor > SSL Pass Through > SSL > SSL Version = TLS 1.2


If you do not see these options, please check that you have the required software version that supports TLS 1.2 protocol for each manufacturer.

Recommendations

  • Keep Your Software Up-to-Date

    Keep your ATMs updated with the latest software to be compliant. Listed below are the latest software versions:

    Hyosung

    – WinCE 5.0:  V01.01.34
    – WinCE 6.0:  V06.01.34

    Genmega/Hantle/Tranax

    – V05.00.34

  • Confirm EMV Enabled

    While you are updating the software on your terminal, it is important to also check that EMV is Enabled.

    The MasterCard EMV Liability Shift occurred on Friday, October 21, 2016. ATM owners are liable for fraudulent MasterCard transactions if machines are not EMV compliant.

    Hyosung

    Operator Functions > Customer Setup > Optional Function 1 > EMV > Enable

    Genmega/Hantle/Tranax

    Operator Functions > Customer Setup > Option Function > EMV – Enable

How to Enable TLS 1.2 – Infographic

[VIDEO] Explosives Used to Break into Machine during ATM Robbery, Thieves Caught on HD Camera

On August 11, 2017, two criminals drove their SUV up to a Gas Station ATM Kiosk with a plan. They planned to execute an ATM robbery by blowing up the ATM with some sort of liquid explosive. It is clear from this video, it’s not the first time they are attempting this. They are wanted by the FBI. The authorities were very excited to see the quality of our security footage.

Authorities_On_Scene

Authorities at the Crime Scene of the ATM Robbery in San Diego, CA

When you start using explosives on an ATM, you attract a lot of attention. You get the local police, sheriffs, SWAT, the Bomb Squad, ATF, and the FBI involved. That’s a lot of manpower hunting you down.

These guys are wanted by the FBI. It’s not just a local crime.  Is a few grand worth having to hide and run for the rest of your life? I don’t think so.

The suspects think they got away with it. However, as time will tell, and with the help of this HD video, and the enhancement tools Federal Law Enforcement agencies have available, they will most likely do time behind bars for this ATM robbery.  Maybe they will save all the money they stole to pay for their lawyer. They will need it.

I’ve been in the ATM business since 1994. Since then, I’ve helped hundreds of Independent ATM Deployers (IAD’s) start, run, and maintain successful ATM businesses. I’ve personally sold or installed hundreds and hundreds of ATM machines. I currently manage thousands of machines and hundreds of thousands of ATM transactions nationwide and I’ve never, ever seen anything like this.

This location has been a customer of ours for over a decade. We’ve never had any issue until we installed a new kiosk.  While this small kiosk does not appear to be bomb proof, the old kiosk building we used previously onsite was. Unfortunately for us the gas station – car wash is undergoing a remodel and needed to demolish the building, so we had to move the ATM to the other side of the parking lot.

In order not to inhibit the authority’s investigation, we won’t go into the details of what the authorities knew in this article.

However, now that we know all the details we can help others.

So, if you plan to install a kiosk and you are one of our customers (or want to be), please contact our office for some additional help.

We learned an expensive lesson, so we hope to use it to educate our customers.

ATM Depot can certainly help you avoid the same fate. We thought we prepared for every security scenario but they proved us wrong on this one. The key is that we learned an awful lot from this and can now assist our customers even better when dealing with outdoor ATMs.

**** UPDATE ****

September 28, 2017

After many calls between the account manager, Jeremy, and the FBI and ATF, on this situation, we learned that the authorities were able to issue a subpoena at the home of Scott Michael Petri. We are not sure how all this went down but we speculate that the FBI was able to leverage the information obtained in the video of the ATM robbery. According to law enforcement, one of the suspects bragged to a confidential informant about the crime. Upon serving a subpoena at the suspects home, the Law enforcement authorities say they found a drill, a gas cylinder, clothing and other incriminating evidence in his home that matched the items in the surveillance video during the crime.

Court documents allege (and video shows) Petri used a cordless drill to make two holes in the ATM machine’s housing. A second unidentified suspect (now in custody) approached the ATM with an open flame (see video, looks like a cigarette) and lit a fuse.  The suspects drove to the other side of the gas station and the ATM exploded. See the entire ATM robbery (edited for time) in the video above.

Suspect_Searching

The suspect (circled) is searching for the cash box after the ATM robbery explosion

The August robbery was the second time this year an explosive device was used on an ATM in San Diego, according to the FBI.

**** UPDATE ****

October 5, 2017

Scott Michael Petri faces a charge of using an explosive to damage property relating to a robbery at the Chevron Station and Pit Stop Car Wash on Miramar Road just south of the 15 Freeway entrance. The suspect was picked up and booked on October 5th and transferred into Federal custody and is being held in the Federal Prison in Downtown San Diego by the ATF. Bail has been set at $250,000.

ATM_Suspect_Arrested

Public arrest records for Scott Michael Petri. One of the suspects in the ATM robbery.