Notorious outlaw Willie Sutton was once asked why he robbed banks. As the legend goes, he had a simple answer: “That’s where the money is.”
The banking industry became an early adopter of video surveillance technology as soon as it was practical for business. Due to the philosophy espoused by Sutton (and who would know better than a bank robber?) the move to upgrade security certainly makes a lot of sense.
For banks insured by the Federal Deposit Insurance Corporation (FDIC), it is a requirement. And some states, including New York, have detailed regulations governing how and where locations must be monitored by video.
While some bank robberies do still occur, reality is typically no match for the spectacular scenes found in heist movies. It simply isn’t as lucrative or easy as it was in the days of Butch Cassidy and the Sundance Kid. With fewer actual bank branches being built, most enterprising criminals are realizing that digital defenses are easier to breach.
ATMs, however, are one type of physical location that is still being hit hard. Whether by brute-force assaults on the actual machine, technology tools that seek to steal data or good old-fashioned social engineering tricks, culprits continue to go where the money is.
The following reports represent just some of the ATM fraud incidents and scares that have made news of late. There seems to be no sign of attacks slowing down any time soon, so it remains vital for operators and security officials to stay on high alert.
The FBI stunned security experts this summer when it emerged that the agency had issued a warning to banks that an “unlimited ATM cash-out” was being plotted across the world. The note to financial institutions, which was obtained and reported by security expert Brian Krebs, stated that criminals may soon mount a coordinated withdrawal from a massive number of machines using illegally obtained card information.
By then, it was too late to stop the thieves from getting the banking info necessary to commit the crime. But banks were warned to be on watch and told that this could become more commonplace going forward.
“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” stated the FBI’s alert, according to Krebs. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”
For consumers, protecting yourself from such a large-scale, coordinated attack is naturally difficult. But if you have been a victim in the past or have reason to believe that your card data may be compromised, it would be wise to request that a new card be issued. Or, at the least, change your security PIN and digital access passwords.
Shimming: The New Illicit Card-Reading Technique
A few years ago, “skimming” (a crime that involved modifying physical ATMs) was all the rage. Criminals would attach a false card-reading device within the slot where the card is placed. During a transaction, a small piece of technology was stealing the information contained within the card’s magnetic strip, allowing it to be cloned and used elsewhere in the future. Users would then withdraw their money and card, completely unaware of what had just occurred.
When issuers moved to chip-based cards, the effectiveness of this method decreased substantially. But now a similar, new variation—called “shimming”—has begun to pop up. Because these homemade readers are smaller than their predecessors, they can be installed beyond ATMs. These devices have even been found in “point of sale” payment terminals within stores.
Fortunately, they remain quite rare, and a cloned chip card should not work with any merchant that has followed proper modern payment protocols, a group that includes the bulk of retailers in the United States.
Still, there have been U.S. victims of this easy-to-install and hard-to-detect scheme. One thief reportedly managed to steal some $25,000 from a federal credit union near Los Angeles this year, and international locations may be even more vulnerable.
Financial executives and security officials have tried to dismiss the shimming concern as overhyped. But operators cannot afford to ignore this type of threat. It still is possible to execute, and everyone should be aware of the risk.
Social Engineering Schemes
ATM crime is far from solely a U.S. problem. Throughout the developing world, many people have only recently joined the formal banking sector and received debit and credit cards. Cash machines in these areas remain a hotbed for theft.
Recently in Colombia, for example, videos went viral online showing how an old trick long used by con artists can still catch people off guard. The method involves two perpetrators, one of whom casually looks on as an unaware banking client types their PIN code. Next, an accomplice distracts the ATM user to make them look away from the machine. Generally, this is done by acting as a “good samaritan”—making the victim think they have dropped something. The PIN watcher quickly takes the opportunity to grab the card from the slot in the ATM. The nefarious duo then sneak away, with both the plastic and the security code to withdraw funds.
At this point, it becomes a race against time. Their goal is to hit another cash machine and extract as much as possible before the person cancels the card. And given the often-slow response times by local banks or the need for a tourist to make an international phone call—perhaps with only limited mobile data on their phone while on vacation—it can be an effective way to dupe someone out of as much cash as their bank will allow the assailants to withdraw.
ATM Security: Staying Ahead of the Crooks
Society is rapidly moving more and more to digital payments. But for now, physical cash and cards are still the norm. And as long as they are, crooks will be on the prowl to devise new ways to defraud people out of their hard-earned income.
This is why all banks and ATM operators must have proper security strategies in place. These should include physical protections, video monitoring and other best-practice deterrents. Many of today’s most successful organizations have gone beyond the use of traditional camera systems. They recognize that comprehensive video surveillance technology should also include a secure, end-to-end, encrypted hybrid cloud system architecture with an intelligent, centralized, remote-access software platform.
Criminals will always be working to find a way around even the strongest safeguards. But staying out in front and utilizing modern technology in this ongoing battle will help ensure that clients can access their money without becoming the next victim.
For a real-world look at how one of Pennsylvania’s top financial institutions is using hybrid cloud security technology to fight ATM fraud and other threats, check out the Susquehanna Community Bank customer story.