The $41 million Kentucky Employees Credit Union in Frankfort, Ky., found out the hard way that ATMs continue to attract criminals. And thefts can go way beyond simple attachment of skimmers.
Skimmers, in fact, are fairly easy to look for.
But how do you safeguard against a stolen backhoe?
Ask the folks at KECU. Last June, a KECU ATM that had been on Reilly Road was ripped from its pad by a backhoe that had been stolen from a construction site. The next day the backhoe and the ATM showed up in a parking lot in Monterey, Ky., about 20 miles away.
The police did not say how much cash had been taken from the ATM (ATMs usually contain $10,000 to $30,000, according to industry experts), although they did put a value of $30,000 on the ATM, and they said the backhoe was worth another $90,000.
Right there is the problem. Criminals are using ever more diverse ways to attempt to separate ATMs from the cash they hold, and that is raising red flags at financial institutions across the country. “Fraudsters migrate to the weakest link and, right now, in many cases that is the ATM,” said Claire Shufflebotham, an executive with NCR.
“Crooks are getting very, very advanced,” said Alan Walsh, an executive with ATM manufacturer Wincor Nixdorf in Austin, Texas. The lure is cash, of course. According to the American Bankers Association, a criminal in a typical ATM heist clears 10 times more money than does a traditional bank robber coming into the lobby.
Sometimes ATM crooks use high levels of intellect. Other times they use brute force. Either way, ATMs are vulnerable.
Most eyes may be on skimmers, but physical assaults on ATMs, usually involving tearing the machine free of whatever secured it, are on the rise, said Mike Urban, director of financial crime risk management at Fiserv, the financial technology company. Such ATM thefts are called “ram raids” in the United Kingdom, where a truck is often used to ram into a small store and the ATM is then put in the truck and driven away to be looted at leisure. But these kinds of thefts do occur in the United States. “There are active gangs doing this, especially in the New York area,” said Urban.
That threat alone has forced ATM manufacturers to attempt to physically toughen the devices, but in many cases what they also do is provide input on where it is safer to install a device and where it is less so. A dimly lighted parking lot, for instance, is a prime temptation for ATM thieves.
Then there are thefts such as the one that occurred in Upper Darby, Pa., a few years ago. A pair of thieves brazenly walked into Delaware County Memorial Hospital, put an ATM owned by Broomall, Pa.-based, $565 million Franklin Mint FCU on a dolly, rolled it out to a truck and drove away. The police, who found the ATM and the truck, both of which had been burned, said the 780-pound ATM had held around $96,000 in cash.
It’s not all physical, however. At the 2010 Black Hat Hackers conference in Las Vegas, security researcher Barnaby Jack demonstrated that a key easily bought on the Internet for $10 would open many Triton brand ATMs and, once opened, the machines were easily infected with malware. That way, a thief can effectively take control of the ATM.
Jones also has demonstrated how to hack into Tranax ATMs and install malware that literally prompts the machine to spit out money.
Security experts indicate that it is fairly easy and inexpensive to upgrade locks on most ATMs and, in many situations, that is a good security move. As for Tranax, after that demonstration, it urged customers to turn off the remote monitoring that Jones had used as his entry into the ATM.
Those techniques for blocking the Black Hat gambits are just the beginning of increasingly sophisticated attempts to secure ATMs. Machine makers have responded with smarter, tougher machines that are intent on thwarting crooks.
Wincor Nixdorf, for example, said that it is equipping more ATMs with cameras to help identify when an ATM has been tampered with, and then it will shut itself off. “We have a technology whereby we have multiple cameras on the ATM. We are able to recognize if the ATM has been tampered with. It can notice changes on the device. It can automatically take the machine out of service,” said Walsh.
That, fundamentally, is the Holy Grail of security. Developing a self-monitoring ATM that is smart enough to shut down when tampered with. When will we get there? According to Walsh, we actually are there, the technology exists and it works. Just about every ATM manufacturer has some kind of advanced self-monitoring technology. The only obstacle is the willingness, or lack thereof, of financial institutions to invest the cash to upgrade.
ATM makers also have debuted cutting-edge technologies that put an end to skimming by, for instance, using biometrics, fingerprints or palm prints, instead of PINs. That technology, too, appears to work, said the experts.
Costs of upgrades are the only barrier to implementation, but there are also costs of delay, said Jack Koziol, a director of InfoSec Institute in Elmwood Park, Ill. “Every breech has its own costs, and they go beyond the money lost. There are reputation issues, too.”
That is not an easy calculus but, suggested the experts, in an environment where more criminal eyes appear to be focused on ATMs, more institutions will have to make exactly the decision to invest in greater ATM security or defer spending and hope to not become a victim.