Security Guide Security Assessment

Blog: The Five Most Common ATM Security Gaps

January 22, 2024  |  B. SCOTT HARROFF

How do you use Google? To find a nice restaurant? To learn something new? Bad guys use it too.

We are living in an era of technological advancement. A wealth of information previously unknown to mankind is always at our fingertips. And those of us in the financial industry must remember that hackers and thieves have access to way more information about devices, software, and internal processes than they’ve ever had before. Even before considering the dark net and what they might be able to pull from hacking a server. A simple Google search can reveal XFS specifications for a particular ATM cash dispenser, for example, along with instructions on how to manipulate XFS into operating the dispenser. If they’re feeling even lazier, would-be hackers can search for apps that conduct test dispenses online and access the actual software itself that interacts with XFS to make the machine dispense cash.

The bottom line is that new opportunities for theft are simply stacked on top of more traditional robbery methods: Today’s criminals can find, purchase and/or download the details they need to plan an attack of any kind, whether their modus operandi is physical, cyber or data related. That means financial institutions must be prepared to fight on every front, which can quickly become incredibly complex. I’ve compiled five of the most common security gaps I see across the financial industry. Do they apply to you?

book your complimentary security assessment

ATM Security Gap #1: A blanket approach to security.

How can a blanket have gaps? Just like every one of your children is different, so too is every ATM in your network. Some are nestled securely inside a bank branch, close by in the vestibule or under the awning of the drive-up area. Some are at far-flung outposts, inside retail locations, or in poorly lit areas without much oversight. Yet we see financial institutions (FIs) treat them all the same, implementing (or neglecting to implement) the same measures on every terminal, regardless of location, age, or usage.

Not only is this inefficient, but it’s also not cost-effective. Rather than spreading your security budget evenly across your network, conduct an analysis to determine which terminals are high-risk, and which are low-risk—then allocate your funds accordingly. This can be a great first step toward prioritizing updates and new software or hardware installations. This leads us to the second major gap …

ATM Security Gap #2: Skipping simple steps that maximize the security precautions you already have.

I can’t tell you the number of FIs I’ve talked to where every single one of their remote ATMs has exactly the same key that was shipped from the factory, they don’t have an alarm on the top hat, and there’s no one monitoring the ATM in real-time to see if it’s running or if it’s down.

There are many things you can do to tweak the settings, passwords, keys, etc., on your terminals to enhance their security. It’s been hammered into all of us that our own personal passwords need to be complex, and we need to change them frequently, yet we see ATMs that have been out in the field for years and they still have a factory-issued password in use. That is the lowest-hanging fruit that an attacker can find.

And here’s the other important takeaway on this topic: we work closely with the FBI, Secret Service, and other government security agencies to monitor emerging threats. We often issue warnings regarding potential threats, and when we issue those warnings, we also outline steps you can take to ensure your network is protected—when your organization receives those warnings, take them seriously. Go over your protocols, check your keys and passwords, do the due diligence beforehand so you’re not going in with the cleanup crew afterward.

ATM Security Gap #3: No documented instant response plan for potential attacks.

I think sometimes the issue of security is so complex, and security or IT teams are so far down in the weeds trying to address every threat under tight budgets and limited capacity, they never get around to putting down on paper exactly what the process should be if there is an attack on the network.

Many banks are relying on someone to protect them— ATM security specialists like our team at Diebold Nixdorf, or their own internal team—but when it comes down to critical details, they’re not sure how to respond in the immediate aftermath of an event. They don’t know how to turn off an account, for example (especially if it happens in the middle of the night), they’re not sure how quickly their support team will acknowledge and address the issue, etc. I encourage every bank to go through the exercise of a mock attack, so they can see how and where the triggers are happening—or not happening—to better understand exactly what they need to do in the case of a security issue.

ATM Security Gap #4: Lack of full commitment to security.

This one can be a tough pill to swallow because every bank wants to believe they’re doing everything in their power to prevent breaches that cost money, reveal consumer data, and erode trust.
But the reality is, we see FIs that hesitate on big decisions like upgrading to EMV—they have a “what’s the worst that could happen?” philosophy that is dangerous at best, and very costly at worst. 

Hackers certainly use and exploit the most advanced tools at their disposal. FIs must respond in kind. While a bank may be reluctant to spend money on a new security solution or a sweeping round of software updates, criminals have no such qualms. They will spend the money to make their money; so FIs simply can’t use budget constraints as an excuse anymore. Likewise, terminals must be kept up to date, with the latest firmware, the latest updates to the OS, signatures in place, whitelisting activated, encryption fully engaged, etc. If you’ve got the greatest security running on your hard drive, but you’re missing a key firmware update, you’re vulnerable.

ATM Security Gap #5: Attack vectors that are difficult to identify and thwart.

Transaction Reversal Fraud is low-tech and hard to spot. Is it any surprise it’s making a comeback? Social engineering is also becoming trickier to address. This can be a challenge for banks as criminals don’t have to find a way around their security. Instead, they take over the identity. The cardless transaction now is just a funnel for them—they don’t have to beat the ATM, they don’t have to beat the networks, they don’t have to beat the processor. They beat the human. And by doing so, they’re bypassing all security measures that were put into place.

The best thing an FI can do to eliminate every single one of these gaps is sit down with a security expert to walk through all the different attack vectors out there and put a plan together that identifies where they are today, where they want to get to, and outline the steps they need to put in place to get from here to there. 

Security Assessments can be a great first step to close the most common gaps, but if you want to find out what other areas you need to include in include in your ATM security strategy, get your copy of our security guide or continue reading the next blog in the series on physical security

Get the Security Guide

Let's Connect

I am interested in

Connect with Sales

  • Connect with Sales
  • Current Customer Support