CONTINUE TO SITE »
or wait 15 seconds

Security

Examining biggest ATM security issues and 4 strategies to prevent them

Physical threats are not the only security concerns for ATMs. Let's take a closer look at some of these security issues and what causes them.

Photo: Adobe Stock

November 19, 2024 by Bradley Cooper — Editor, ATM Marketplace & Food Truck Operator

ATMs are regularly a target for criminal groups looking to make a quick buck by stealing the cash inside. As a result, banks and vendors have to constantly address ATM security and examine potential security issues and improve the overall safety of the devices.

This is not just to protect the devices themselves but also to ensure consumer safety and delivering a safe banking experience.

Here are a few of the major types of ATM security issues as well as tips to prevent them.

ATM Security Issue No 1: Physical attacks

Physical attacks take a number of forms, ranging from traditional hook and chain attacks to explosive attacks and more. In addition, in less secure environments, such as hotel lobbies or gas stations, it is much easier for criminals to break in and steal the ATM.

A quick look through the news section of ATM Marketplace will show story after story of thieves targeting ATMs in a variety of locations and environments, although the vast majority of such thefts take place at night.

Another form of physical attack is jackpotting, drilling into the top box of the ATM to gain access to the software and manipulate it.

Techtarget defines some of the tactics of jackpotting as using, "a portable device to physically connect to the ATM. This 'rogue' device can be a laptop, a smartphone or a tablet PC. They also use malware to target the machine's cash dispenser and force it to dispense cash. Furthermore, attackers will often use deception to limit risk, like dressing as service personnel to avoid scrutiny while selecting easier targets, such as ATMs in isolated locations or unprotected by human security guards."

"The same standard top box key is typically used across all ATMs in the network. Physical keys can be lost or stolen," Clair Shufflebothan, global marketing director at TMD Security, said in an email interview. "The lock on the ATM top box is not secure. It is easy to force open the top box with a screwdriver."

Physical attacks can include more than just the machine, it also extends to service workers. Criminal groups can track when service workers arrive on the scene, or mess with the ATM to lure out a service worker and from there rob them when they open up the ATM.

Individual customers can also be targeted, such as being held up at gunpoint while using the ATM.

ATM Security Issue No 2: Software attacks

Jackpotting of course is one form of an ATM software attack, but other forms also exist including skimming and malware attacks.

Card skimmers and PIN readers are a big issue, especially with older outdated machines.

Northwest Community Credit Union defines skimmers this way: "A skimmer is a card reader that can be disguised to look like part of an ATM. The skimmer attachment collects card numbers and PIN codes, which are then replicated into counterfeit cards. Skimming is the type of fraud that occurs when an ATM is compromised by a skimmer.

"When you slide your card into an ATM that has a skimmer attached, you're unwittingly sliding it through the counterfeit reader, which scans and stores all your information from the magnetic strip as well as capturing your PIN from the keypad. This makes skimmers particularly dangerous compared to other forms of card compromise because the collected card data can be used to make ATM cash withdrawals."

In addition to skimmers, Malware tools are especially useful for criminals looking to exploit ATM software. One such malware tool is the FASTCash malware, which is placed on a payment switch server, an intermediary between the ATM and bank's central systems. This malware changes transaction messaging to say that the system declines withdrawals due to insufficient funds to enable the withdrawal.

In many cases, outdated software is the culprit for these vulnerabilities.

"One area where financial institutions might be leaving the door wide open for criminals is out-of-date ATM software. It sounds simple for an FI to ensure their software stack on the ATM is always up to date, but it's not always happening. And while it's a problem that's not exclusive to the financial industry — around 55 percent of all software is outdated according to Avast — and the banking industry arguably has the most to lose," Adam Crighton, VP of H/W Engineering at NCR Atleos said in an email interview.. "The cost and complexity of managing an aging hardware estate put financial institutions and their customers at risk."

With these in mind, let's take a look at how to combat these ATM security issues.

ATM Security Strategy No: 1 Detection

Detection is key component in ATM security strategy. This can take both external and internal forms. Surveillance cameras and alarms outside of the ATM can be helpful, but they are mainly useful after the fact to track down the assailants.

With interior detection tools, operators can stop criminals while they are in the process of breaking in or inform police once the ATM is stolen.

A few examples of detection tools include:

  • Interior alarms which go off when the machine detects tampering. This can take the form of a bull horn, a strobe alarm or some other feature.
  • Security smoke.
  • GPS tracking for the ATM and cash cassettes.
  • Gas detection.

ATM Security Strategy No 2: Cash neutralization

Another great tool to prevent ATM attacks is to simply make the cash unusable through an Intelligent Cash Neutralization System, which stains the currency with ink.

The systems vary in what they do, as some simply deploy an ink solution, which criminals may attempt to wash off, while others use glue to bond the cash together into a single block, making it impossible for criminals to get the individual notes apart without ripping them to pieces.

ATM Security Strategy No 3: Software updates, checks

International criminal groups are continually developing malware to trick ATMs into dispensing cash, as mentioned above, but others also target the XFS API directly.

To combat against this trend, ATM operators should regularly check their ATM's software security protocols.

Joe Myers, EVP of global banking at Diebold Nixdorf said "Ensure your software is up to date with the latest upgrades and patches and follow the maintenance plan. This is one of the most effective software security practices to thwart common attacks and avoid vulnerabilities associated with old or out-of-date software. This helps secure the software as well as the ATM."

ATM operators can also adopt tools such as Zero Trust security models to cut off potential avenues of attack, such as only allowing changes to the ATM's software and hardware to take place during authorized time periods.

ATM Security Strategy No 4: Delay, delay, delay

Operators and financial institutions will not be able to prevent every attack, but they can make it more difficult for criminals to access the ATMs.

For example, by selecting an ATM without accessible openings in the safe, this can frustrate criminals long enough to give time for law enforcement to arrive on the scene. These safes are more difficult to insert explosives into as well.

Other tools such as physical barriers and gates can delay criminals long enough that they will leave without stealing from the device. Criminals are on a race against time to steal the machines, so any minutes wasted are useful.

Conclusion

ATM security is a multifaceted issue that takes buy-in from all parties involved. It also requires constant vigilance and upgrades. Criminal groups are continually innovating and working together, so too must everyone in the ATM security ecosystem.

About Bradley Cooper

Bradley Cooper is the editor of ATM Marketplace and Food Truck Operator. He was previously the editor of Digital Signage Today. His background is in information technology, advertising, and writing.

Connect with Bradley:

Included In This Story

NCR Atleos

NCR Atleos expands self-service financial access for retailers and financial institutions who leverage our expertise, operational scale, always-on global services and constant innovation to deliver convenient self-service banking.

Request Info
Learn More
Diebold Nixdorf

As a global technology leader and innovative services provider, Diebold Nixdorf delivers the solutions that enable financial institutions to improve efficiencies, protect assets and better serve consumers.

Request Info
Learn More

Related Media

Article
ATM Security: 5 ways to prevent attacks
Blog
How to combat ATM fraud
Article
Protecting ATMs from cyberattacks
Article
Learn the 7 shields of ATM security
Podcast
Combating criminal innovation with ATM software security
Blog
Is biometrics the answer to ATM security issues?

Security
Examining biggest ATM security issues and 4 strategies to prevent them
Security
Banking privacy: 5 benefits for banks, customers
Security
Protecting an ATM's hardware, software by slowing down criminals
On-Demand Webinar
A Masterclass in ATM Security: Global Best Practices and Trends
Presented by Diebold Nixdorf
Recent Posts
Eurasian Bank selects Diebold Nixdorf's self-service software
First National Bank to open 30 branches
Replacing the ATM: Pros and cons of new vs. remanufactured
Romanian man arrested for alleged cash trapping ATM scheme
U.S. Bank resumes crypto custody services


©2025 Networld Media Group, LLC. All rights reserved.
b'S2-NEW'