How to Protect Your ATM Fleet from the Most Common ATM Crimes

Back in April, our team attended the ATMIA Canada Conference 2022, which focused on what is next for the industry, current trends in cash use, and ATM security. At one of the sessions, the ATM Security Association (ASA) presented its new Crisis & Crime Management Intelligence System – the industry’s first global-scale ATM crime database and intelligence management system for analysis of crime trends.

As of mid-April 2022, the system recorded over 10,000 global ATM crime incidents from nearly 2,000 reports. Incidents occurred across all methods of attack in both the fraud and physical security categories. Of these recorded incidents, approximately 70% were fraud attacks and the rest represented physical attacks on ATMs.

Even though digital and contactless payments continue to grow, ATM attack methods continue to evolve. ATM crime in the US alone has increased by 165% in 2022.

Some of the ATM crime events strain credulity, like the true story of the rapper who robbed an ATM and then released a video about it on YouTube, or the instance a few years ago in which a hundred people withdrew $19M from 1400 ATMs in one city in under 3 hours.

Three of the most common ATM crimes that keep financial institutions and independent ATM operators on their toes are Black Box Attacks, Transaction Reversal Fraud (TRF) and Man-in-the-Middle (MiTM) Attacks.

1. Black Box Attacks

In a black box attack, the criminals connect an unauthorized device to the top part of the ATM. The device sends commands directly to the ATM cash dispenser for later cash-out or jackpotting attacks. ATMs with poor physical barriers or those located at retail stores are more vulnerable to such attacks as criminals can easily access their hardware.

A 2020 European Payment Terminal Crime Report revealed that due to the COVID-19 pandemic, the crime and fraud patterns changed. While some types of ATM fraud attacks across Europe were down, ATM malware and logical attacks against ATMs were up 44% and all the reported attacks were black box attacks. The losses related to this type of crime were up 14% and reached €1.24 million.

Black box attacks can be devastating to independent ATM owners as they have to bear full responsibility for the loss. The owner might not be aware of the attack until the terminal transmits the message that it is out of cash.

2. Transaction Reversal Fraud

Transaction reversal fraud (TRF) involves sophisticated techniques. Criminals get the ATM to dispense cash, but reverse the transaction so the account is not debited. They achieve this by either reversing the host application software logic or by causing a transaction fault such as jamming the dispenser. Bad actors typically use stolen or skimmed cards for this type of fraud.

To detect and block this type of fraud, it’s essential to have a combination of real-time transaction data, custom rules-based alerts, and multi-link correlation. If your system can immediately notify you of the suspicious activity happening at your terminal, you can block the crime in real-time.

3. Man in the Middle (MiTM) attacks on ATMs

While man-in-the-middle attacks are not new, they are hard to detect. Criminals install malware to alter the communication between two parties, for example, the ATM and the bank server. The transaction switch starts to approve fraudulent transactions that are not authorized.

Some fraud detection systems might be blindsided if there is no real-time multi-link analysis, as transactions never go to the back-end to be authorized and the limits on accounts are not enforced.

In the above-mentioned case of the $19M ATM fraud, one of the largest financial institutions in Africa found itself the target of a sophisticated, highly coordinated ATM fraud attack. At the time, the institution lacked end-to-end visibility into its payments applications and the millions of transactions it processed every month. ATM transactions originating from foreign terminals were being approved within the financial institution’s payments environment – without actually making it to the back-end host for authorization. Malware sitting on their payments switch prevented the transactions from reaching the authorization host.

How to reduce your risks and protect your ATM fleets

When selecting a fraud detection and prevention solution for your ATM fleet, it’s essential to ensure you have real-time access to the right data, so that you can immediately spot fraud and block it, or even shut down ATMs, in seconds. To get that data, the software should be able to capture a wealth of data for every payment transaction and combine it with hardware events and errors in real time.

The solution should be able to detect anomalous transaction activities in milliseconds and automatically send you custom alerts, so that you can either investigate suspect terminals or block attacks. You should also be able to set up instant alerts if cybercriminals physically install malware on an ATM.

If you have a real-time ATM monitoring solution, you can configure real-time alerts around unusual foreign usage patterns, high withdrawal velocity, reversals, and response code errors. Continuous monitoring with machine learning and behavioral analytics will also help perform real-time risk scoring with precision and block fraudsters without blocking legitimate transactions.
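The multi-link correlation and reversal alerting described above can be sketched as follows. This is an added example, not code from the original article or from any monitoring product; the record layout, field names and sample data are constructed assumptions. It flags approvals the authorization host never saw (the MiTM pattern) and reversals for withdrawals where the dispenser reported the cash as taken (the TRF pattern).

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a real switch format.
SWITCH_LOG = [  # responses the payments switch sent back to the terminals
    {"txn": "T1", "atm": "ATM-01", "type": "withdrawal", "resp": "approved"},
    {"txn": "T2", "atm": "ATM-02", "type": "withdrawal", "resp": "approved"},
    {"txn": "T3", "atm": "ATM-02", "type": "withdrawal", "resp": "approved"},
    {"txn": "T4", "atm": "ATM-03", "type": "withdrawal", "resp": "approved"},
    {"txn": "T4", "atm": "ATM-03", "type": "reversal", "resp": "approved"},
    {"txn": "T5", "atm": "ATM-01", "type": "withdrawal", "resp": "approved"},
    {"txn": "T5", "atm": "ATM-01", "type": "reversal", "resp": "approved"},
]
HOST_LOG = {"T1", "T4", "T5"}   # transaction ids the authorization host decided
DISPENSER_EVENTS = [            # hardware events reported by the terminals
    {"txn": "T1", "event": "cash_taken"},
    {"txn": "T4", "event": "cash_taken"},
    {"txn": "T5", "event": "dispense_failed"},
]

def correlate(switch_log, host_seen, dispenser_events):
    """Cross-check three independent links; return (alerts, per-ATM counts)."""
    taken = {e["txn"] for e in dispenser_events if e["event"] == "cash_taken"}
    alerts, per_atm = [], defaultdict(int)
    for rec in switch_log:
        if rec["resp"] != "approved":
            continue
        if rec["type"] == "withdrawal" and rec["txn"] not in host_seen:
            # Switch approved it, but the back-end host never authorized it.
            reason = "approved_without_host_authorization"
        elif rec["type"] == "reversal" and rec["txn"] in taken:
            # Account is being re-credited although the cash left the ATM.
            reason = "reversal_after_cash_taken"
        else:
            continue  # includes legitimate reversals after a failed dispense
        alerts.append((rec["txn"], rec["atm"], reason))
        per_atm[rec["atm"]] += 1
    return alerts, dict(per_atm)

if __name__ == "__main__":
    for alert in correlate(SWITCH_LOG, HOST_LOG, DISPENSER_EVENTS)[0]:
        print(alert)
```

The per-ATM counts are what a velocity or shutdown rule would act on; the reversal for T5 is not flagged because the dispenser reported a failed dispense.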
