Since their invention, people have been trying to get at the cash stored inside ATMs. Over the years, manufacturers and financial institutions (FIs) have developed more and more sophisticated ways to protect their self-service channel... and criminals have answered with new ways to get around them. Some attacks aim to access the card data of users, while others attempt to manipulate the terminal’s inner workings. And others take the most direct route: brute force.
While the number of physical attacks registered by EAST
1 in 2022 has gone down slightly compared to the previous year, the reported losses have increased by 10%. This doesn’t include the damage to FIs’ reputations and the risk an attempted physical attack can pose to innocent bystanders. Whether it’s through an explosion, ramming attack or ripping the ATM out of the ground, criminals who want the cash in an ATM do not seem to care how they access it, as long as they get the cash.
There are three physical attack types and counter measures that are truly effective in reducing the likelihood of a successful attempt:
Explosive attacks, which have been troubling FIs in Europe and Latin America for years
Hook & chain attacks, currently exceedingly popular among would-be criminals in the United States
Cash trapping, a less flashy type of physical attack
Explosive Attacks
In an explosive attack, criminals use gas or solid explosives and strong tools to gain access to the ATM safe. This can take time, depending on the terminal. Once the explosive is inserted, the safe is blown open and the criminals collect the cash, making their escape in a getaway vehicle. The result is the destruction of not only the ATM—which alone can cost between $200,000 to $350,0001 —but also the surrounding area. That collateral damage can add an additional $1 million. Also, explosive attacks can pose a risk to the people in surrounding buildings, and flying debris can be a danger to passersby. While this attack scenario is more common at ATMs that are deployed outside, even terminals within a branch are not safe.
Hook & Chain Attacks
In a hook & chain attack, criminals try to rip the ATM open with a hook and chain attached to a (usually stolen) vehicle like a pickup truck. Most often, this attack hits drive-up ATMs. They hook the chain into openings in the safe door after ripping off the beauty door and pull it off with the vehicle. Once the door is opened, they remove the cassettes and flee from the site of the crime. Usually, this type of attack takes less than two minutes and leads to losses of about $110,000 to $180,0001.
Reactive solutions that have been proposed in the past are so-called safe-opening kits, where the gaps in the safe door are minimized with a retrofit kit, or ATM gates, featuring a large bar that covers the front of the ATM. Both have some drawbacks: The former delays the attack, so additional security measures are still required, and the latter adds cost and complexity to service processes and is often not very visually appealing.
Cash Trapping
During a cash trapping attack, an unauthorized physical manipulation of the ATM is performed. What this looks like varies, but each of these cash traps has the goal of preventing the cash from being presented to the consumer after a legitimate cash-out transaction. Cash traps can be installed internally – meaning it sits within the cash dispensing device - or externally, for example on top of the shutter. The user doesn’t usually notice anything To them it seems like the transaction was unsuccessful due to an issue with the ATM.
Since the trap might be detected if a user alerts the bank and the criminal must stay nearby to remove any caught cash manually, these traps are often installed and removed quickly. This makes finding them harder. While the financial loss is smaller than in the other scenarios, it directly impacts the customers and can lead to a profound loss of trust.
What can be done?
Physical security works best when it’s included in the development process from the start instead of tacked on as an afterthought – that goes for both branches and devices. While there have been some quick fixes to protect the ATM from brutal physical attacks, they are not ideal. To reliably diminish the success rate of physical attacks, a multi-layer approach is essential:
1. Design your branch with security in mind to develop processes that are as secure as possible.
2. Detect attacks by utilizing sensors that can recognize fraudulent devices or manipulations on the ATM – consider equipping your ATMs with additional sensors on the cash exit for example to counter the installation of cash traps.
3. Delay the attack to increase the risk of capture. Consider using a stronger safe or equipping the ATM with additional locks.
4. If worse comes to worse, neutralize the cash within the cassettes by making it unusable.
These are general suggestions to improve the physical security of your fleet and branch network, but security is never one-size-fits-all. Sit down with a DN security expert who can walk you through the attack vectors relevant to your FI and put a plan together that identifies where you are today, where you want to get to, and then the security countermeasures you need to put in place to get you to where you want to be.
Physical Security is an effective first step to improve your fleet’s security, but if you want to find out what other areas you need to include in your ATM security strategy, get your copy of our security guide “Make your Self-Service Channel More Secure."
Download the Guide
1EAST (2023): EUROPEAN PAYMENT TERMINAL CRIME REPORT 2022 Period: January to December.
BANKING
