The ATM Industry Association wants ATM deployers to exercise more caution when discarding decommissioned ATMs.
"With over 2.2 million ATMs already installed worldwide, a figure forecast to increase to 3 million by 2015, this presents the ATM industry with a challenge on a huge scale. What happens to the thousands of machines which become obsolete each year?" the international association asked in "Best Practices for Decommissioning ATMs," a white paper the association recently prepared on the topic.
Not only can the machines contain the same sorts of materials that make disposing of other electronic items hazardous for the environment, but they also contain technology that unscrupulous people want to use to learn to defeat existing ATMs, the association added. This security risk presents what might be the most serious ATM security threat left unaddressed, the association argued.
"How does the industry prevent machines from falling into the wrong hands where they could potentially be used for criminal forms of reverse engineering?" it asked.
The association noted recent media reports about organized criminals trying to obtain discarded ATMs from junkyards in the U.S. Criminals seek the information these machines hold both to improve their efforts to skim card data from unsuspecting consumers through operations that modify ATMs and to aid efforts to simply hack the machines.
"In many ways this problem has been building for some time, but always under the surface or off the radar," said one government security analyst who declined to give his name because his agency did not allow him to speak for the record. "Both as ATMs began to be able to do more and as they became more hooked into the overall financial system, their profile as possible targets has risen."
The ATMIA said there were four circumstances under which it was most important for ATM deployers to guard their machines carefully: when ATMs are moved from one site to another; when they are removed for storage; when they are removed for destruction; and when an ATM is decommissioned but left in place.
The most important things to safeguard about ATMs in these situations are the secure technologies each machine has and any user data that a machine might have stored, the association said.
The latter has become less of a concern as ATM hardware and software manufacturers have gradually eliminated ways user data could wind up stored in an ATM longer than regulations or security practices permit. The former has become more of a concern since each ATM was mandated to include an encrypting PIN pad (EPP), which encrypts users' PINs before they are sent through the transaction. These EPPs have become a significant target for thieves who would love to be able to hack one and better understand how it works.
In order to make sure the EPPs and other secure elements of the machine are safe, deployers must "use secure transportation and ensure the ATM is either sanitized or never allowed to be left unattended by staff. Again, it is important to stress the need for secure storage and that the time ATMs are left in storage awaiting disposal is kept to a minimum," the association said.
The association recommends that deployers like credit unions either completely disable an EPP or destroy it outright, and that they not do this on their own but instead outsource the task to a certified firm. This is important, the association said, in order to protect the chain of custody of each EPP: in other words, to guarantee that each EPP has been accounted for from the time it was manufactured, through when it was installed in the ATM, to when it is finally destroyed. A certified ATM scrap firm will also make sure that environmental regulations are met, the association wrote.
"This secure data disposal process is essential to the proper decommissioning and disposal of ATMs at the end of their lifecycle," the association wrote. "ATM owners wishing to dispose of ATMs should first ensure that the scrapping company has followed the appropriate certification process and inquire as to how it supports green initiatives. A certified scrapping company will be sure to remove and destroy bank branding. It will also segregate plastics, ferrous metal and cables for the purpose of recycling."
It is difficult to know how much of a challenge this represents to credit unions. While there are likely some credit unions with old ATMs stored in various places and perhaps not secured, industry experts believe that number is very small. ATMs represent such a significant investment for most credit unions that they take pains to trade them in or otherwise use the old machines to mitigate the costs of their replacements.
In addition, when viewed in industry terms, the number of ATMs deployed directly by CUs remains extremely small. According to NCUA numbers, credit unions have historically deployed between 4,000 and 5,000 ATMs directly, a small percentage of the hundreds of thousands of ATMs financial institutions collectively deploy.
For its part, CO-OP Financial Services, parent to the largest credit union-owned surcharge-free ATM network, said it works to help CUs handle decommissioning their old machines and acquiring new ones.
"The cost of physically disposing of an ATM is expensive for credit unions. We recommend that credit unions hold on to them and use them as a trade-in when they need to purchase a new ATM," said Kimberly Hester, executive vice president for network services for CO-OP. "If there is no trade-in opportunity, we recommend that as part of the negotiating process with a vendor, credit unions build into the agreement that the supplier will take the old ATMs off their hands at no charge. A third option is that some third parties will purchase your old ATMs if they are within three to five years of age, as they can be fairly easily upgraded," she added, before urging CUs to "make sure that the hard drive and PIN pad are destroyed" no matter what approach they use.