News

ATM security: Safety in numbers

ATM International Director Mike Lee says that the industry can set a shining example by strengthening its security arm throughout the ATM lifecycle. A long-term international commitment to do that could constitute the very best way of remembering September 11, he says.

September 12, 2002

"Security" and "convenience" remain watchwords for the ATM industry as we remember September 11 one year after the devastating terrorist attacks.

Inevitably, this first anniversary brought back painful memories and fears. In the long run, what is more important than this natural, human response is the continuous assessment of the security levels of products and services that underpin society.

That is because there is now an international threat to society from organized crime as well as from terrorist groups, including the new breed of cyber-terrorists. Organized crime represents a universal security risk. The ATM industry is not exempt from that risk.

ATM International Director Mike Lee

The ATM industry is a major part of modern consumer society, with ATM technology helping to create 24/7 consumer societies in countries around the world, particularly in Western societies.

Our industry therefore cannot shirk its responsibility to ensure that the most rigorous security standards and best practices are comprehensively applied. In a post-September 11 world, that is surely part of the Rules of the Game for all businesses, within and beyond the financial services sector, which can be targeted by organized crime.

The problem of trans-national crime and terrorism has become a central focus of U.S. foreign policy in the post-Cold War era, intensified since the destruction of the World Trade Center.

The criminal element

The rise of trans-national organized crime is an unfortunate byproduct of globalization. Technological advances and lower barriers to trade have created a seamless electronic environment. Criminal organizations act as networks, pursuing the same types of joint ventures and strategic alliances as legitimate global businesses. Drug trafficking, links between drug traffickers and terrorists, smuggling of illegal aliens, financial and bank fraud, arms smuggling, potential involvement in the theft and sale of nuclear material, political intimidation and corruption all constitute a poisonous brew -- a mixture potentially as deadly as the threat of destruction faced during the Cold War.

Today, organized crime has all the features of a vast, illegal business. Dirty money is invested or legalized through money laundering. Criminal business interests are both globalized and diversified, with sophisticated technologies and international communication networks. Organized crime is distinguished from legitimate big business by (a) its military structure; (b) its illegal businesses like extortion, blackmail, drug trafficking, and trading in prostitutes, illegal immigrants and weapons (c) its inherent ruthlessness and immorality. 

The high-profile accounting scandals in the recent news play into the hands of organized crime by creating a climate of corruption.

Security experts argue that the best way to fight back is by resisting corruption and by confiscating profits gained from financial crimes. It is believed that a threat of losing such profits may be a more effective deterrent even than a threat of loss of freedom.

It is important for all legitimate industries and all governments to make the evil operations of organized criminal groups as difficult and as risky and as unprofitable as possible to operate. The aim must be to drive these organized criminals out of business.

Working together

Like other industries, the ATM industry must fight off the attentions of organized crime. Our industry can set a shining example by strengthening its security arm throughout the ATM lifecycle.

A long-term international commitment to do that could constitute the very best way of remembering September 11.
 
The best way to shield the ATM industry from the attentions of organized crime is for the whole industry to stand together, with law enforcement assistance, to strengthen any weak or insecure links in the ATM business lifecycle, from the design phase of ATM product development through cash replenishment right down to the customer's habits when using ATMs.

That is why the ATM Industry Association is promoting a recent White Paper for "Security Best Practice throughout the ATM lifecycle," posted on each of its four new-look Web sites, ATMIA North America, ATMIA Europe, ATMIA Australasia and ATMIA Africa. The paper is found under ATM Security within the Industry Issues Web pages.

The paper was prepared by ATMIA member and security consultant Lachlan Gunn. Please read this important White Paper, which is all about identifying and reinforcing weak links in the ATM lifecycle, and pass your comments on to Lachlan.

The potential weaknesses of any business lifecycle arise not only from a failure to implement best practice, but also from lack of communication between companies involved in different phases of the lifecycle -- for example, between those involved in physical security versus those providing solutions for card, electronic, Internet or network security.

Security and convenience

Two things happened to me this week that made me think anew of security and convenience in the ATM industry and how inter-related they are, as we remember September 11.

The first was a demonstration at a ballistic testing range in Kempston, England, of the firepower of such weapons as a Gloch 17 and .44 Magnum firing at reinforced glazing and other materials. I was visiting CSI Security Installations, a British company making ATM pods and other security devices. CSI performs ballistic testing to ensure British and European standards for bullet resistance of security glazing have been met.

Even when wearing a headset covering my ears to muffle the noise, the sound of these firearms being shot from close range was phenomenal. The "kick" of the weapons as they were fired was fierce.

These are the kind of weapons gangs and organized crime groups use. Watching these powerful firearms being fired was a sobering experience which filled me with renewed respect for companies and individuals involved in the struggle to beef up physical and electronic card and network security. This is the frontline of the battle against crime.

The second thing that happened was that I received in the post from my bank, a leading British financial institution, a Gold Card designed for secure Internet, ATM, credit and point-of-sale transactions. Here we move along the security lifecycle from physical security to card security.

Multi-functional cards are nothing new, but this card claims to have an extra layer of security for e-commerce so that it can function as POS, ATM, credit and e-commerce card. In seeking to reinforce the security of the ATM industry throughout its lifecycle, the security of dominant future payment devices, and multifunctional cards, should not be ignored.

The impact of chip and PIN technology being rolled out in various countries of the European Union and in the UK could be decisive in this field of security. Who knows, it may be a look into the future to imagine chip readers on PCs, allowing secure e-commerce. Then multi-functional smart cards would be used for secure Internet shopping, ATM usage and POS transactions. No doubt the U.S. will be eyeing the results of the switch from magnetic stripe technology to chip and PIN in Europe very closely.

My new Gold Card was marketed as providing a package of shopping benefits which "protect purchases you make on the high street and online." The added protection for online purchases has several aspects: insurance covering any damage during delivery of goods purchased online with the card; a three-digit Card Security Code on the signature strip on the card, in addition to a four-digit PIN for ATM use; and a guarantee against liability for fraud on unauthorized transactions, both online and offline.

Succeeding with security

Products that combine security and convenience in equal measure for customers and clients are sure to win huge market share. ATMs have won the trust of millions of consumers around the world. The success of the ATM as the principal delivery vehicle of cash for consumers lies in its perceived convenience and security. Both buyer benefits are paramount for achieving critical mass in the distribution of products, whether pods for ATMs or new multi-purpose bank cards, in today's uncertain post-September 11 world.

Security has become a highly valued buyer benefit, a pre-condition for doing business in the consumer society. To my mind, security should not just be the remit of security specialists in each company in the industry, but should form part of everyone's job description -- to increase awareness and communication about making products and services and working environments more secure.

A vision of a safer world shared by all -- business leaders, governments and the general public -- would be a satisfying long-term response to last year's terrorist tragedy. For those of us in the ATM industry, the place to start to create that safer world is right here in our own businesses, linking up to peers in the rest of the ATM lifecycle.

A coordinated worldwide initiative is required to ensure that the unwelcome attentions of both organized crime groups and criminal gangs do not undermine that hard-earned and priceless reputation for security.

Sharing knowledge

It is encouraging to see some successes in the UK in the fight against ATM crime, such as the creation of what appears to be the world's first national ATM Crime Directory. The directory is being shared with the U.S. ATM Integrity Task Force, which includes the Secret Service, EFTA and ATMIA. It includes detailed information on crime attacks against ATMs themselves, ATM security systems, individuals using ATMs and card security.

The ATM Integrity Task Force met for the first time in July in Washington, DC, to find ways of stamping out ATM skimming. Kurt Helwig, the EFTA's executive director, indicated that the prime motivating factors for forming the Task Force were the recent fraud attack on New York ATMs and the realization of the need for industry-wide action. This effort dovetails into the post-September 11 emphasis on protection of the nation's vital infrastructure. 

Mike Hudson, EVP of Tidel Engineering, and chair of the Task Force, articulated the preliminary mission statement of the Task Force: "To enlist all segments of the ATM industry to review and recommend proactive policies and procedures to protect the nation's critical ATM infrastructure from criminal activity and fraud." 

It became clear during the Task Force meeting that ATM fraud is no longer carried out by petty criminals, but by more sophisticated international crime rings which have a good understanding of the workings of the payments system. An increasingly popular attack is to modify ATMs to be able to capture card and PIN data. The need for consumer education to better inform the consumer of what to look out for when using an ATM and for cross-industry cooperation was emphasized several times at the meeting.

Ways of preventing ATM ram raids will be shared by the Flying Squad's Crime Prevention Co-ordinator, Alan Townsend, chairman of the ATM Security Working Group in the UK, at ATMIA's autumn conference in Budapest, "Optimising European ATMs 02."

Alan's ATM Security Working Group has produced best practice security guidelines for stand-alone convenience ATMs, a comprehensive safety alert list to be published this autumn. The group includes the eight main independent ATM deployers in the UK, Greater Manchester Police, carriers, financial institutions, the British Bankers Association, Building Societies Association, Association of Convenience Stores, Association of British Insurers and APACS.

There are between 350 and 400 attacks a year on all types of ATMs in the UK, which has a total of just under 38,000 ATMs. Forty-seven percent of these attacks are carried out by ram raiders, and the damage to property can be serious.

"It¹s not a major crime in terms of numbers, but it¹s the type of crime and the impact of it that caused the police the greatest concern," said Alan. "We have recognized that there is a problem that hasn¹t reached its full potential, and we have got together to do something before it does."

ATMIA will continue to offer three annual international ATM security awards and put the names of the holders on its online Honor Roll, all to encourage the pursuit of excellence in the field of security.

Honoring unsung heroes of ATM security seems somehow the right thing to do as the industry in big ATM markets like the USA and the UK draws closer together to fight crime and fraud together, an example for all countries to emulate.

Included In This Story

---

ATM Industry Association (ATMIA)

The ATM Industry Association, founded in 1997, is a global non-profit trade association with over 10,500 members in 65 countries. The membership base covers the full range of this worldwide industry comprising over 2.2 million installed ATMs.

Request Info

Learn More