
26 September 2023 / RQ SPEAK

Why is an ATM Ecosystem Security Review Important for a Bank?

Application Controls Audit

In this blog, get an understanding of the importance of conducting a "Security Review of ATMs" for banks. Discover why such reviews are essential, the actions that strengthen your ATM security, and the role Risk Quotient can play in safeguarding your ATM ecosystem.




Recent ATM Heists and losses incurred by Banks:

Times of India dated 19 July 2023:  An article on Page 3 about ATM fraud in a bank.  Cloned debit cards were used to withdraw money from the Bank’s ATM in Mumbai and Delhi.  

Hindustan Times dated 29 July 2023: An FIR was registered by the Managing Director of a bank stating that unknown persons used cloned ATM cards of other banks' account holders to withdraw cash from the bank's ATMs across the country. While the other banks refunded money to their customers, they did not refund the money to the bank from whose ATMs the money was withdrawn. The loss to the bank which owned the ATMs was in excess of 1 crore rupees.

Times of India dated 13 June 2023:  A payment solutions provider lodged a police complaint over 2.5 crore rupees being fraudulently withdrawn by unknown scamsters from ATMs across the country in just three days.  The modus operandi was simple.  Two or three people used to enter the ATM cabin.   One of them initiated a withdrawal transaction.  When the currency landed in the cash dispensing machine, the second person would either switch off the power supply or pull out the power cable.  As a result, the currency notes would stay behind the dispensation shutter instead of popping out for collection. The second person would pull out the notes from the ATM cash machine dispenser and pocket them. When the power was restored the Electronic Journal (EJ) would show a power interruption code.  This meant the ATM (EJ) did not show any debit transaction.  Thus, the amount withdrawn was reversed to the user’s bank account whereas in reality the money was pocketed by the fraudsters.
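
The pattern in this report, a withdrawal that is reversed because the EJ logged a power interruption, can be looked for by correlating switch reversals with EJ power events per terminal. The following is an added example, not part of the original article; the record layouts, the `POWER_INTERRUPT` code, the window and the threshold are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; field names and the "POWER_INTERRUPT" code are
# hypothetical, not taken from any real EJ or switch format.
EJ_EVENTS = [  # (terminal, timestamp, EJ event code)
    ("ATM001", "2023-06-10T10:00:40", "POWER_INTERRUPT"),
    ("ATM001", "2023-06-10T10:07:15", "POWER_INTERRUPT"),
    ("ATM001", "2023-06-10T10:15:05", "POWER_INTERRUPT"),
    ("ATM002", "2023-06-10T11:30:00", "POWER_INTERRUPT"),
    ("ATM003", "2023-06-10T12:00:20", "CASH_TAKEN"),
]
SWITCH_TXNS = [  # (terminal, card token, authorised at, amount, final status)
    ("ATM001", "card-A", "2023-06-10T10:00:10", 10000, "REVERSED"),
    ("ATM001", "card-A", "2023-06-10T10:06:50", 10000, "REVERSED"),
    ("ATM001", "card-B", "2023-06-10T10:14:40", 10000, "REVERSED"),
    ("ATM002", "card-C", "2023-06-10T09:00:00", 5000, "REVERSED"),
    ("ATM003", "card-D", "2023-06-10T12:00:00", 2000, "COMPLETED"),
]

def suspicious_reversals(ej_events, switch_txns, window_s=60):
    """Reversed withdrawals followed by a power interruption within window_s."""
    power = defaultdict(list)
    for term, ts, code in ej_events:
        if code == "POWER_INTERRUPT":
            power[term].append(datetime.fromisoformat(ts))
    hits = []
    for term, card, ts, amount, status in switch_txns:
        if status != "REVERSED":
            continue
        t0 = datetime.fromisoformat(ts)
        # Power loss shortly after authorisation is the pattern of interest.
        if any(timedelta(0) <= p - t0 <= timedelta(seconds=window_s)
               for p in power[term]):
            hits.append((term, card, ts, amount))
    return hits

def terminals_to_review(hits, min_hits=2):
    """Terminals with repeated matches: {terminal: (count, total amount)}."""
    per_term = defaultdict(lambda: [0, 0])
    for term, _card, _ts, amount in hits:
        per_term[term][0] += 1
        per_term[term][1] += amount
    return {t: tuple(v) for t, v in per_term.items() if v[0] >= min_hits}
```

A flagged terminal is a candidate for physical cash reconciliation and CCTV review before the reversals are treated as genuine.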

What is the need for an ATM Ecosystem Security Review?

Newspaper reports of ATM fraud like these are common; you come across one perhaps once or twice a month. ATMs are an attractive target for fraudsters and cyber criminals because they contain cash. Such reports are enough to cause sleepless nights for a bank's management and customers alike. An ATM fraud means customers lose confidence in the bank. This is particularly true of smaller banks.

The National Crime Records Bureau (NCRB) data shows that the number of incidents of ATM related frauds has decreased from 2019 to 2021.  But can Banks afford to be complacent?  The regulator imposed a penalty on two well-known public sector banks in June 2023 as they had failed to implement end-to-end encryption of communication between the ATM terminal and the ATM Switch, within the prescribed timeline.

The ATM ecosystem comprises ATM machines, POS terminals, the ATM Switch, the Terminal Server, the Core Banking Infrastructure, the network and other associated infrastructure. Typically, ATMs use Windows operating systems (OS). An obsolete OS, coupled with the absence of hard disk encryption, can lead to the introduction of malware through portable devices. Many ATMs have weak firewall protection and are susceptible to network attacks.

Typical ATM frauds

  1. Card shimming – A shimmer is different from a skimmer. A shimmer is invisible: it is a thin board, inserted into a card reader with a card carrier, that can read data from the magnetic stripe without interfering with normal operations.

  2. Card skimming – A skimmer is a device attached to the card slot and reads all information during a card transaction. A card duplicate can be created which can be used to make payments or withdraw cash.

  3. Card trapping – A device is placed in the card reader which prevents the card holder from receiving his card after the transaction is complete.  The card can be used to withdraw cash.

  4. Jamming of keyboard – Certain keys essential to complete the transaction are blocked to prevent the transaction from completing.  When the customer leaves, the necessary data is entered to complete the transaction to withdraw cash.

  5. Phishing – Social engineering methods are used to steal PINs, card numbers and other sensitive information which can be used to access accounts.

  6. SMS fraud – Suspicious messages are received; by responding to them, the recipient sends card details to fraudsters.

Source: https://atmeye.com/blog/what-is-atm-fraud/

Cash being legal tender, its usage in the economy will not diminish.  Banks will need to provide cash dispensing and collecting services through ATMs to keep the wheels of economy rolling. While technology is trying to keep pace with evolving threats, fraudsters and scamsters are also getting smarter. They are forever on the prowl to identify ways and means to defraud customers and banks by exploiting vulnerabilities in the ATM security. 

What do banks need to do?

Banks will need to put comprehensive security measures in place and perform a review of security at regular intervals.

The security measures that Banks need to implement include both preventive and detective measures.

  1. Preventive

    1. ATM Network – adequate protection of the network

    2. ATM Software Check – password controls, USB, BIOS, Whitelisting

    3. Encryption – Encryption for data at rest and data in motion

    4. Decommission – Secure decommission of discarded or obsolete ATMs

    5. Physical Security – Physical security


  2. Detective

    1. CCTV Camera and Recording – monitoring through CCTV. 

    2. Functions of the ATM Department – security measures adopted by the Bank.

    3. Operations – measures around cash refill operations.

    4. Documentation and SOPs – documentations and standard operating procedures of ATM processes.

    5. Vendors – Controls over vendors and ATM engineers.

The above is an indicative list and needs to be fine-tuned keeping in mind the actual scenario.

Banks will need to implement not only the controls around ATMs but also implement a comprehensive security review program for ATMs on a periodic basis. 

How can Risk Quotient help?

Risk Quotient has developed a comprehensive program to identify the risks and exposures in the ATM ecosystem. This program was recently used successfully for a bank with more than 100 ATMs spread across multiple states.

Methodology: Risk Quotient will obtain a detailed understanding of the ecosystem.  RQ will develop a customised and comprehensive program for Cybersecurity Review of the ATM Ecosystem based upon:

  1. Bank’s policies and procedures

  2. RBI Circular - Control measures for ATMs – Timeline for compliance dated June 21, 2018

  3. RBI Circular - Cyber Security controls for Third party ATM Switch Application Service Providers dated December 31, 2019

  4. RBI Circular - Security Measures for ATMs dated June 14, 2019

  5. RBI Circular - Interoperable Card-less Cash Withdrawal (ICCW) at ATMs dated May 19, 2022

  6. Any other applicable circular issued by the regulator

  7. Applicable frameworks

A detailed report will be issued highlighting the gaps observed, the risks and the recommendations.

This is the first of a two-part series on ATM Security. In the next article, we will throw light on the “Effective Security Program of The ATM Ecosystem - Journey from Operate And Maintain to Monitor And Evaluate”. Follow us for more on this.

To know more about our ATM security services, please get in touch with us.