My recent business trip to San Francisco netted a startling discovery when I spotted a flame-kissed ATM in the city during my morning walk to work. I photographed the ATM and took particular note that the card acceptor was seriously melted and burned by some sort of accelerant-soaked fabric or paper that had been laid against it. The accelerant alone rendered a decent amount of damage.
This incident is an example of increasing threats to ATMs in both the United States and abroad, as criminals attempt to blow up ATMs in a quest for speedy cash.
"We cannot prevent every attack. But we can be savvier and more prepared with our defense battle plans."
I discovered the damaged ATM shortly after I had finished reading BankInfoSecurity's article, Attackers 'Hack' ATM Security with Explosives, which outlined the destruction reported by the European ATM Security Team - 492 explosive attacks have been reported in Europe since the beginning of 2016.
All of these attacks involved solid explosives and/or explosive gases. You simply can't make this stuff up unless you are a professional script writer pitching your next big action adventure drama to a studio.
Explosives are scary, and I am concerned from a security and safety perspective. Situational awareness is key here. Cardholders, vendors and employees could easily be at risk if exposed to an explosive attack, but I take comfort in the fact that the majority of these vandals do their work during non-peak hours, so the risk of harming an employee or customer would be rare.
I recently had the pleasure of speaking with a credit union colleague in North Carolina who immediately shared my concern over the dangerous and dramatic methods that criminals are using today to gain entry into our ATMs. She pointed out that the industry has seen a shift from physical ATM security threats, such as ram raids and card skimming, to more serious criminal destruction from explosives. Her exact comment was: "The days of only worrying about someone wrapping a chain around your ATM and dragging it off are over."
Criminals today are bold, technologically savvy and, in some cases, armed with explosives. I don't think that we will ever see all of our physical risks shift entirely to the threat of accelerants and explosives. But clearly we have to add this to our threat matrix and prepare to at least properly identify the trend as it emerges in the marketplace. Let's not forget other risks:
ATM Ram Raids
These attacks are still incredibly popular in Europe and Australia, but they show up regularly in the U.S. as well. The ATM Industry Association has often pointed out that ram raids are the one the leading threats to ATMs worldwide, second only to card skimming.
Criminals have been quietly testing their ability to physically manipulate and re-program ATMs in Europe, Mexico and the U.S. in recent years. This is how a "jackpotting" attack is waged. Once reprogrammed, ATMs can be controlled by hackers and instructed to spit out cash on-demand or at specific times of day.
Chip Skimming Prototypes
The emergence of periscope skimmers, which are undetectable on the surface, is another concerning trend. These skimmers are installed inside the ATM, usually by accessing the device's enclosure with a universal or stolen key, to capture card numbers after cards are inserted into the ATM's reader. And card-reading "shimmers," which have been found to defeat EMV chip technology designed to prevent skimming, prove criminals are progressively experimenting with technology as a weapon.
In a shimming attack, a shimmer is placed inside the ATM's card reader to intercept communications between the chip card and the chip reader. Information that can be intercepted includes personal account number and expiration date. ATM security experts have pointed out, however, that card information compromised via a shimming attack only pays off for fraudsters if issuing banks fail to appropriately authorize their card transactions. Because EMV chip cards can't be skimmed, if a fraudster tries to duplicate a card with an EMV chip and use it for purchases, the bank should catch it.
My advice to banks is to be observant, educate your employees and, by all means, report unusual instances of extreme ATM damage and attempted robbery to the appropriate authorities in your area. We cannot prevent every attack. But we can be savvier and more prepared with our defense battle plans.