According to data held by the research company Retail Banking Research on crime associated with ATMs, in the first half of 2010 banks experienced losses of 144 million euros, which was 8 percent less than for the same period in 2009. Theft of information from cards grew during the same period by 24 percent, and that type of offence accounted for 86 percent.

As information technology improves, so do not only security systems, but, unfortunately, also the skill of criminals. In these days of competitiveness, every attack on an ATM necessitates an interruption in the functioning of the ATM, with the clients waiting for the malfunction to be rectified. This reduces clients’ confidence in the bank and affects the bank’s results.  

The only way to combat crimes of this sort is to attack them on many fronts: with the installation of protective systems, ATM user information campaigns and adherence to the recommendations and standards of international organisations. It is worth attending conferences of ATMIA, a specialised ATM industry association, where the latest developments are discussed in detail. In addition, both users of ATMs and ATM service providers should follow the constant flow of news on this issue.  

Experienced specialists from BS/2 Company, who have spent quite a few years supplying self-serve equipment and creating software solutions for them, have identified these types of criminal attacks:

1. Unlawful acts with PIN codes;
2. Crimes associated with bank cards;
3. Crimes that take place on the basis of the client’s own fault, or more precisely, because of his irresponsibility;
4. Crimes involving the use of blackmail or coercion;
5. Burglary (grabbing the whole ATM or part of it, most often – the safe).

Most often the crimes are associated with theft of PIN codes. Predators can find out a PIN code by simply standing behind a client and looking over their shoulder (this is called shoulder surfing) or by using binoculars. Without a doubt, ATM clients need to be very careful – having a look around, covering the keypad with the other hand when pressing the PIN code and making sure that the keypad looks normal. These actions need to become habitual, like looking to the left and right before crossing a road and only crossing when you are sure that there is no danger.

The most popular type of crime with credit cards is skimming – scanning of the magnetic strip, or theft of credit card details.  This is mostly done by attaching difficult-to-see gadgets to the self-serve equipment, such as a camera, a scanning device, or a sound recording device. Experts from EAST (European ATM Security Team) have emphasised that in 2010 there were incidents recorded where criminals managed to alter devices that were meant to help combat data theft to the extent that the devices then helped the criminals to copy credit card details. There have even been cases recorded where the criminals were clever enough to install a phony ATM. Such crimes are particularly common in Eastern Europe.

What methods of protection are available? First of all, you should use only ATMs of your own bank that are known to you and have already been tested. (Bank websites usually have lists of all their ATMs, with addresses). If you want to withdraw cash, choose a well lit place, where there are many people. When doing the operation, make sure that the ATM looks normal and does not have any extra devices on it.

Experts advise banks to use devices that help fight against data copying, as well as the video monitoring solution ATMeye^.iQ. This equipment reacts to the presence of ‘foreign’ attachments, reporting them to a central operations monitoring room and/or blocks the operation of the ATM. 

On the basis of the latest statistical data, criminal groups engaged in data copying are still operating in Romania, Bulgaria, Moldova, Montenegro, Serbia, Slovakia and other Eastern European countries. EAST reports that last year 96 card data thieves were arrested in six EU countries.

The list of criminal offences relating to bank cards should also include instances where the ATM is rigged to ‘swallow’ the card or the card is made to stick to the reader (trapping, swapping), the denomination of banknotes or the authorisation slip is changed (jamming) and personal details are obtained through sending out letters or getting people to fill out suspicious surveys (phishing).

The way to prevent these criminal acts is by using the ATMeye^.iQ solution, which captures the configuration of the ATM’s control panel; if there is any change to its physical parameters (which is what happens when someone tampers with the control panel and adds a device), its indicators react accordingly to various events and reset the original parameters.

There are less common instances of specific cyber-attacks, when card information is captured through the system’s communication channels. To do this the criminals need to hack into the system or somehow get hold of information (frequently this is done through the collaboration of a bank employee). This is where the professionalism of the security service (external security) is essential, along with the use of ISO 27000, PCI DSS certification (internal security). BS/2 Company already has 5 years of experience in consulting and preparing companies to achieve certification in the above-mentioned standard. You can find about consultations from any BS/2 representatives, who are established in various locations throughout the world.

The Wincor Nixdorf Company has solutions such as Intrusion Protection and Access Protection for blocking intruders’ software.

However, even the most advanced protection system will not be of much use if the bearer of the card is acting carelessly with personal data, e.g. if he keeps the PIN code in the same wallet together with the card, lets other individuals use the card, does not request monetary transaction receipts at the point of transaction, does not block the code after an incident of theft and openly transmits the PIN code by e-mail or SMS messaging.

There are also some instances of forced withdrawаl crimes, where the card or its data are stolen from the owner using a weapon or brute force. At present such crimes have mainly taken place in less developed countries.

Recently in Lithuania there have been news reports of theft of whole ATM machines. This type of crime is also popular in other Eastern European countries. The criminals blow up the installation with the intention of stealing the cash or the safe, and they break into the ATM using special tools, or else they take the ATM away with them.

Internal and external video monitoring cameras play an important role here: their importance can be compared to the ‘black box’ used in aviation. Also important are the various meters and sensors (electricity and gas consumption, physical activity). Suitable authorisation of access is essential, and the cash cassettes need to include capsules containing special ink to stain the banknotes in case of robbery, etc. If any of the instruments reacts, a danger signal is transmitted to the central system and appropriate precautions are taken. It is worth noting the new regulations on exchange of and compensation for banknotes no longer suitable for circulation issued in 2009 by the Central Bank of Lithuania, which provide that ink-stained banknotes may only be exchanged by banks and companies that use these safety precautions in their operations. Previously all natural persons and legal entities were able to use this possibility, but that did not guarantee the profitability of this safety mechanism, since banknotes that were no longer suitable for circulation were still able to get back into circulation. 

ATMeye^.iQ solution is also recommended for the prevention of such attacks, especially in conjunction with video monitoring cameras and sensors, which creates the possibility of getting early awareness of illegal activity taking place in the vicinity of the ATM or within it and taking preventive action.

The duty of banks and companies that provide security solutions to them is ensure the protection of the bank’s installations and the data of the clients that use them. Effective counter-action has to be many-facetted: consisting not just of software and hardware solutions, but also consumer education and information.

On the subject of smart video surveillance and monitoring, an exceptional video monitoring product is ATMeye^.iQ, which was created by Lithuanian BS/2 Company and has been licensed about 40,000 times world-wide. It belongs to the .iQ family of products, which are designed for management and monitoring of business processes.

ATMeye^.iQ, which can be managed from just one decision-making centre, is designed to record the actions of clients, bank staff and potential criminals and to make it possible to react appropriately to suspicious and unplanned operations. The system is designed to recognise ATM users by their faces, to automatically detect card reading mechanisms and to be controlled remotely by tablet computer. It is worth noting that ATMeye^.iQ is totally compatible with Wincor Nixdorf’s monitoring solution ProView Video Surveillance and it can be used alone or in conjunction with ProView 4.0.

As well as video security systems, banks use special banknote-staining ink, cypher codes and other systems that you can learn more about here.

New publications about protecting user data, bank cards and self-service equipment can be found on the website www.bs2.eu.