Tag Archive for: ATM security

Protect Your ATM Machine with These 5 ATM Security Tips

by

These 5 ATM security tips will help you protect your one and only business asset: your ATM machine. Aside from the machine itself, which cost you a few thousand dollars, that machine houses hundreds of dollars in cash as well as access to consumer data. 

To protect yourself, your customers, and the banks, follow these 5 security tips. They’re simple and cost much less than the consequences of an attack.

Potential ATM Machine Security Risks

There are two types of risks you face operating an ATM machine: physical attacks and logical attacks.

Physical attacks involve tampering with the machine itself whether it be vandalism or an attempt to break into the safe, uproot the machine, and access the cash inside. 

Logical attacks involve accessing the mainboard and other internal electronics to breach the software or hardware. If successful, logical attackers are able to control the machine or cause it to malfunction therefore giving them access to cash without having to break into the safe.

There are a number of ways fraudsters and scammers can tamper with an ATM machine in order to access users’ card and PIN information. As an ATM owner, check your machine carefully every time you visit it to protect your machine and your customers.

Pinhole Cameras

Pinhole cameras can be inserted into ATM machines in order to record users’ PIN numbers. This is why it’s wise to cover the PIN pad with the other hand when using it because, as the name suggests, the camera is not obviously visible. However, loose parts around the card slot or keypad can indicate the presence of a pinhole camera.

Fake Fronts

Fake fronts are card or cash capture and PIN capture devices. They provide fraudsters with quick access to cash. By attaching an entirely fake front to an ATM machine, fraudsters are able to capture PINs and money.

Skimmers and Shimmers

Skimmers are tools that attach to an ATM’s card slot and secretly capture card details when withdrawals are made. A shimmer is smaller than a skimmer and is used to collect data from a card’s chip. 

An unusually bulky card slot indicates that a skimmer is being used. Misaligned or misprinted stickers are another red flag. These indicate an attempt to cover up where a device has been installed.

Lebanese Loop

A Lebanese loop is a device that traps a card inside the machine. When this happens, the ATM will keep asking for a PIN since it can’t read the card. This leads users to believe that the card has been swallowed by the machine, which sometimes happens. 

However, in the case of a Lebanese loop, once you abandon the machine, the fraudster then has the opportunity to collect your card. Therefore, if you lose your card inside of an ATM machine, call a technician to retrieve it or immediately cancel the card with your bank and get a replacement with a new card number.

Counterfeit PIN Pad

Counterfeit PIN pads will feel loose, thick, or sponge-like. This is because there is a device on top of the legitimate PIN pad that is capturing the PIN while recording it correctly on the ATM to complete the transaction. This way, users remain unsuspecting because the transaction takes place as usual. Numbers are typically transferred instantly via WiFi to the fraudster to use later.

To protect yourself and your customers from these attacks, follow the following 5 ATM security tips:

5 ATM Security Tips

1. Place Carefully

First, place your ATM machine carefully. Not only should you consider the location of the establishment itself, but also the location within the establishment.

Plan ahead for locations with high crime rates like gas stations, convenience stores, pawn shops, etc. Make sure there are security cameras in the area or provide your own. Cameras not only deter criminals, they also provide a real-time feed of your ATM machine and its activity.

Place your ATM in an open, well-lit area. Position the machine to have as many eyes on it as possible, whether it be in a busy aisle or in view of cashiers and other employees.

Finally, limit physical access to the case to prevent logical attacks and tampering. If the machine is against the wall or blocked by shelves or other furniture, it will be difficult for scammers to access points of ingress.

2. Bolt Down the Machine

Bolting down the ATM machine prevents strangers from moving and manipulating it. You will want to get permission from the location owner first as you will have to bolt the machine to the location’s floor, but damage is minimal and residual blemishes can be covered up easily. It will be worth it in the end to prevent any physical attacks.

Your machine should come with 4 pre-drilled holes, one in each corner of the base. Then, with a hammer drill and ½” concrete bits, you will drill about 4” deep. You can also finish with red heads, special concrete anchors (½” x 4.25”) that are hammered through the hole in the base plate and then into the concrete. You can also instruct the ATM installer to bolt the machine down for you.

3. Restrict Access to the ATM Case

Logical attacks require access to the mainboard or other internal electronics, so you will want to secure the top of the case and the seam on the side. If there are gaps, criminals can access cabling between the mainboard and dispenser and gain control of the machine or cause it to malfunction. 

You can either fill the seams or place an internal barrier between the case and the critical electrical components. This creates a second barrier which can deter a criminal even if he or she succeeds in breaching the seam.

Finally, limit the number of people who have access to the ATM. Provide keys to only a few trusted individuals as needed and change them periodically if possible.

4. Regularly Update Software

Logical attacks require access to software. The older the software, the easier it is to breach because it will lack modern safeguards. This is why it’s important to keep software updated. Criminals will target machines with software security holes, so establish a schedule to ensure you don’t forget or neglect to update your software with the latest security upgrades.

5. ATM Insurance

If all else fails, hopefully you will have an insurance policy. ATM insurance won’t prevent an attack, but it can protect you after the fact. In the worst case scenario, you will want to be able to recoup any losses. Fortunately, ATM insurance is relatively inexpensive.

If you own your own store or business where your machine is located, see if you can add the ATM machine to your existing business insurance policy. If not, or if your machine is located in a standalone location, shop around for an ATM insurance policy.

Like any other insurance policy, ATM insurance can be customized to meet your specific wants, needs, and budget. You will want a policy that covers your machine and cash. The premium rate is based on the amount of coverage, the company providing it, and your budget—your policy can be customized to cover any potential risks you want to mitigate.

Consider coverage for any of these scenarios:

  • Stolen cash
  • Removal of the machine
  • Repairs or replacement due to physical damage
  • Robbery while cash is loaded or unloaded

General liability coverage can range from about $400-$700 a year. For many people, it’s well worth it for peace of mind.

Protect Yourself and Your Customers with These Security Tips

Preventing attacks—whether physical or logical—protects your ATM machine, yourself, your customers, and the banks that have to deal with fraudulent transactions and replacement cards. Use these 5 ATM security tips to safeguard your machine, but also be on the lookout for any signs of tampering.

Purchasing a camera is the best way to prevent any kind of attack. Not only will it deter criminals, but with your own camera you can also always keep an eye on your machine and make sure no one tampers with or lingers around it.

The better prepared you are, the less likely you are to experience an attack. And remember to always check for signs of tampering.

ATM Security and Fraud Prevention: How to Secure Your ATM

by

There was a time when ATM machines were targeted by criminals only for the cash inside. However, modern ATMs house something else that’s just as valuable as the cash: consumer data.

An ATM doesn’t store any customer information. But, it does collect it and transmit consumer data. This presents a challenge for ATM owners, because they now must secure their machines against multiple types of attacks.

The good news is that ATM machine manufacturers have developed technology to protect against modern ATM attacks and fraud. And, it’s relatively simple to secure your ATM machines, if you know what to do.

Solid ATM security protects you, your ATM customers, and the banks.

Obviously, protecting your equipment and cash is a big deal. But, a secure ATM machine also protects your customer credit or debit card information. And, it helps shield the bank against fraudulent charges and reputation damage, since many consumers will blame their bank for security breaches, rather than the independent ATM owner.

There are a lot of benefits to properly securing your ATMs. So, here’s what you need to know to keep your ATMs safe.

ATM attacks

ATM attacks are separated into two broad categories: physical attacks and logical attacks.

Physical attacks are a simple attempt to smash the ATM machine and break open the cash vault. The term “simple” is accurate here, since most criminals try something like ramming a truck into the ATM or the wall that the ATM machine sits against inside a building.

Logical attacks are more sophisticated and rely on electronic devices to breach the software or hardware of the machine. Logical attacks extract cash by taking control of the machine or causing it to malfunction.

Even though they extract money differently, most logical attacks still require some physical breach of the case to gain access to the circuitry. So, defending against logical attacks is still mostly a matter of physically securing your machine.

Let’s talk about how you do that.

ATM security: How to protect your ATM machines

The best way to keep your ATM machines safe is to use a layered approach. If one security measure fails, a second security measure should be there to back it up.

Here’s how to layer your ATM security.

Security Cameras for Your ATM Machine

ATM location

The first security measure should be the ATM location. Often, just the placement of your ATM is enough to deter an attacker.

Clearly, you need to avoid isolated or poorly lit areas. But, also consider other aspects of your ATM location.

  • Gas stations, convenience stores, and pawn shops are great for getting lots of transactions. But, these locations also experience higher crime rates than many establishments. 

    If you put an ATM in one of these businesses, work with the owner to get your ATM placed inside, away from large windows, and against a wall with limited exposed surface area on the outside. Also, make sure that your ATM is covered by security cameras.

  • Place your ATM machines so that physical access to the case is limited. 

    Logical attacks require a breach through a seam in the case or the cash dispenser. If your ATM is in a corner or alcove that limits access to the sides of your machine, it’s much more difficult to establish the necessary breach for a logical attack.

  • Place your ATM where users can be easily observed. 

    It takes much longer to breach an ATM machine than it does to make a standard transaction. So, it’s best if the business staff can see people using the ATM. That way they can intervene if someone seems to be tinkering with your machine.

  • Scout the area before you install your ATM.

    It’s not that you can’t place an ATM in areas with a higher crime risk. But, you need to know what the area is like, so you can take appropriate security measures. Take some time to check out the surrounding neighborhoods before you get your ATM up and running.

Choosing a location might be the easiest part of securing your ATM. It’s not difficult. You just need to consider all the security risks.

Bolt your ATM down

Bolt ATM in Floor

This one is super obvious. And, bolting your machine down is easy.

However, business owners may have some concerns about you drilling into their floor. Getting permission to bolt your ATM machine down can be much trickier than the process of installing the bolts.

The key is to help the business owner understand that bolting the ATM machine down benefits them, too. They certainly don’t want people committing crimes in their establishment. That’s bad publicity. The establishment could lose business from customers who need to get cash for their purchase while the ATM is being replaced or is out of service.

Also explain that the bolts do very little damage to their floor. Typically, you’ll secure your machine with four half-inch bolts. And, you can hammer the bolts into the floor and cover them with epoxy once the ATM is removed. If the floor is tile, you can replace the tile that you drilled through to completely cover the marks.

Bolting down your ATM is all upside for both you and the business owner. You just need to help the business owner understand that.

ATM Enclosure via TPI TexasHarden your ATM case

Logical attacks require access to the mainboard or other internal electronics. Most criminals will breach the top of the case to access the mainboard, or a seam on the side of the case to access cabling between the mainboard and the dispenser.

So, fill the seams if they’re not reinforced already. Or, place an internal barrier between the case and the critical electrical components. That way, even if they’re able to open a small crack in the case, a secondary barrier will help prevent the criminal from accessing anything vital.

Finally, if you use an ATM vaulting service or have an employee who restocks your machines, limit the number of people who have keys, and change the keys periodically, if you can. 

Digital security

Many logical attacks rely on outdated software. There are plenty of technologies that didn’t exist when some older ATM machines were manufactured. Older software often has no safeguards against modern logical attacks. So, criminals will target machines with software security holes.

The simplest way to digitally secure your ATM machines is to keep the software updated. The upcoming Windows 10 update will force an update of many older ATM machines. But, establish a schedule to keep your software current.

ATM insurance

ATM insurance must be your last resort. Even though it will help you recoup any losses from an ATM theft, losing your ATM machine or the cash inside is not ideal.

However, carrying insurance to protect your investment is smart. It’s difficult to make your ATMs impervious to attacks. Your ATM insurance protects you in the unlikely event that all your other security layers fail.

But, if you take the proper steps to secure your ATM machines, you’ll greatly reduce your risk of an ATM attack or ATM fraud. And, your ATMs will safely rake in money without any issues.

ATM Security Update: How To Enable TLS 1.2 Protocol

by

The Announcement

The PCI Security Standards Council has mandated that the use of SSL and Early TLS (i.e. TLS 1.0 or 1.1) protocols be discontinued effective June 30, 2019. All network providers and processors are making preparations to ensure they are compliant by the June 30, 2019 deadline. To prevent any downtime, make sure your ATM terminals have been updated with the latest software and security certificates.

After this date, ALL ATMs using SSL or Early TLS (i.e. TLS 1.0 or 1.1) communications protocol will stop communicating to the Host and fail to process any transactions.

What Does This Mean?

    • Network providers are already handling the TLS 1.2 communications protocol. Therefore, as soon as possible, set the communication protocol on your ATMs to use TLS 1.2 communication protocol.

  • Anytime you visit a direct connect TCP/IP communicating ATM verify that it is set to TLS 1.2.

In order to continue processing transactions …

  • TLS 1.2 Protocol MUST be enabled on your ATM Machine

Do I Need to Enable TLS 1.2?

You NEED to Enable TLS 1.2 if …

  • Your ATM is communicating via Hardwired Internet connection (TCP/IP)

You DO NOT need to Enable TLS 1.2 if …

  • Your ATM uses a phone line or wireless ATM modem. Your machine will not be impacted if it is communicating via a phone line or cellular wireless device box already on TLS 1.2.
    • How do I know if my wireless box is TLS 1.2?
      • The chances of you having a wireless box that is not already on TLS 1.2 are low. If you are having trouble with your wireless ATM device please call ATMDepot.com at 888.959.2269, or your Wireless Provider, with your device’s serial number. Remember, It is best to make the request while at the location where the device is in service. Our wireless department can update your device remotely.

How to Enable TLS 1.2 Protocol

Hyosung

Customer Setup > Select Processor > TCP/IP Type

  1. SLS/TLS = Enable
  2. SLS/TLS Version = Up to TLS v1.2

Genmega/Hantle/Tranax

Customer Setup > Change Processor > SSL Pass Through > SSL > SSL Version = TLS 1.2


If you do not see these options, please check that you have the required software version that supports TLS 1.2 protocol for each manufacturer.

Recommendations

  • Keep Your Software Up-to-Date

    Keep your ATMs updated with the latest software to be compliant. Listed below are the latest software versions:

    Hyosung

    – WinCE 5.0:  V01.01.34
    – WinCE 6.0:  V06.01.34

    Genmega/Hantle/Tranax

    – V05.00.34

  • Confirm EMV Enabled

    While you are updating the software on your terminal, it is important to also check that EMV is Enabled.

    The MasterCard EMV Liability Shift occurred on Friday, October 21, 2016. ATM owners are liable for fraudulent MasterCard transactions if machines are not EMV compliant.

    Hyosung

    Operator Functions > Customer Setup > Optional Function 1 > EMV > Enable

    Genmega/Hantle/Tranax

    Operator Functions > Customer Setup > Option Function > EMV – Enable

How to Enable TLS 1.2 – Infographic

[VIDEO] Explosives Used to Break into Machine during ATM Robbery, Thieves Caught on HD Camera

by

On August 11, 2017, two criminals drove their SUV up to a Gas Station ATM Kiosk with a plan. They planned to execute an ATM robbery by blowing up the ATM with some sort of liquid explosive. It is clear from this video, it’s not the first time they are attempting this. They are wanted by the FBI. The authorities were very excited to see the quality of our security footage.

Authorities_On_Scene

Authorities at the Crime Scene of the ATM Robbery in San Diego, CA

When you start using explosives on an ATM, you attract a lot of attention. You get the local police, sheriffs, SWAT, the Bomb Squad, ATF, and the FBI involved. That’s a lot of manpower hunting you down.

These guys are wanted by the FBI. It’s not just a local crime.  Is a few grand worth having to hide and run for the rest of your life? I don’t think so.

The suspects think they got away with it. However, as time will tell, and with the help of this HD video, and the enhancement tools Federal Law Enforcement agencies have available, they will most likely do time behind bars for this ATM robbery.  Maybe they will save all the money they stole to pay for their lawyer. They will need it.

I’ve been in the ATM business since 1994. Since then, I’ve helped hundreds of Independent ATM Deployers (IAD’s) start, run, and maintain successful ATM businesses. I’ve personally sold or installed hundreds and hundreds of ATM machines. I currently manage thousands of machines and hundreds of thousands of ATM transactions nationwide and I’ve never, ever seen anything like this.

This location has been a customer of ours for over a decade. We’ve never had any issue until we installed a new kiosk.  While this small kiosk does not appear to be bomb proof, the old kiosk building we used previously onsite was. Unfortunately for us the gas station – car wash is undergoing a remodel and needed to demolish the building, so we had to move the ATM to the other side of the parking lot.

In order not to inhibit the authority’s investigation, we won’t go into the details of what the authorities knew in this article.

However, now that we know all the details we can help others.

So, if you plan to install a kiosk and you are one of our customers (or want to be), please contact our office for some additional help.

We learned an expensive lesson, so we hope to use it to educate our customers.

ATM Depot can certainly help you avoid the same fate. We thought we prepared for every security scenario but they proved us wrong on this one. The key is that we learned an awful lot from this and can now assist our customers even better when dealing with outdoor ATMs.

**** UPDATE ****

September 28, 2017

After many calls between the account manager, Jeremy, and the FBI and ATF, on this situation, we learned that the authorities were able to issue a subpoena at the home of Scott Michael Petri. We are not sure how all this went down but we speculate that the FBI was able to leverage the information obtained in the video of the ATM robbery. According to law enforcement, one of the suspects bragged to a confidential informant about the crime. Upon serving a subpoena at the suspects home, the Law enforcement authorities say they found a drill, a gas cylinder, clothing and other incriminating evidence in his home that matched the items in the surveillance video during the crime.

Court documents allege (and video shows) Petri used a cordless drill to make two holes in the ATM machine’s housing. A second unidentified suspect (now in custody) approached the ATM with an open flame (see video, looks like a cigarette) and lit a fuse.  The suspects drove to the other side of the gas station and the ATM exploded. See the entire ATM robbery (edited for time) in the video above.

Suspect_Searching

The suspect (circled) is searching for the cash box after the ATM robbery explosion

The August robbery was the second time this year an explosive device was used on an ATM in San Diego, according to the FBI.

**** UPDATE ****

October 5, 2017

Scott Michael Petri faces a charge of using an explosive to damage property relating to a robbery at the Chevron Station and Pit Stop Car Wash on Miramar Road just south of the 15 Freeway entrance. The suspect was picked up and booked on October 5th and transferred into Federal custody and is being held in the Federal Prison in Downtown San Diego by the ATF. Bail has been set at $250,000.

ATM_Suspect_Arrested

Public arrest records for Scott Michael Petri. One of the suspects in the ATM robbery.