• Conor Bracken , Fraud Analyst at The ai Corporation (ai)


• 19.10.2021 10:45 am
ATM

As the need to keep cash in our pockets and wallets disappears, banks have had to be creative in the way they continue to offer cashless services. ATM pooling is one such tactic, which sees two or more banks agree to handover the ownership and operation of their ATM fleets to a separate business entity. Pooling ATM resources offers banks a way of providing their customers access to cash, while reducing the operational costs of doing so. It is a concept that has been in use in the Nordics (Finland and Sweden) for some time. With banks in other countries, such as Australia, Japan, and Belgium, making moves towards ATM pooling more recently.  

In recent years, ATMs have been seen by some to lack basic cybersecurity measures and precautions, with outdated operating systems leaving many susceptible to different types of cyberattacks.  Attacks vary, but the most common include:

• Skimming attacks are when a physical device is planted at an ATM to gather card information. There are repercussions for the customer and the bank – impacting customer satisfaction, as well as the bank financially.
• Shimming attacks are seen as an upgraded form of skimming, targets debit and credit cards equipped with EMV chip technology. Shimming devices work in much the same way as traditional card skimmers, where a device is inserted into a card reader to copy its data. A skimming device usually works by taking data from the magnetic stripe as it is inserted into the card reader, copying the data, and either storing it within the device, or transmitting the data, via a Bluetooth relay, to be stored locally.
• Another, less subtle, threat to ATM’s is ‘Jackpotting’ (also known as a ‘black box attack’), which involves direct access to the ATM’s operating system. The fraudster/thief gains access and full control of the ATM and is free to dispense as much cash as possible. Both the setup of a skimming device and jackpotting an ATM can be done in minutes. Europol published information of a recent case of Jackpotting in which two Belarusian men were arrested in Poland on July 17, 2021. A total of €230,000 was stolen from 13 ATMs across seven countries in Europe. A black box device was used to commit these attacks, and the thieves gained access to the ATM by drilling a hole into the ATM, ordering it to dispense as much cash as possible. A specific ATM model was targeted by these criminals for all 13 attacks, it is likely this model was outdated and was particularly susceptible to physical attacks.

In theory, a wider move towards ATM pooling is a step in the right direction for banks. Offering improved security for their customers and boosting the accountability of their machines. It is likely that any new ATMs will be placed in more accessible locations, therefore offering greater convenience and improved security for users. As a result. ATM pooling should increase fraud detection rates and prevent attacks. With improved physical security at many new sites, as well as updated malware protection, also helping to prevent fraudulent activity.  

The main issue with ATM pooling will be ensuring that all partners share best practices and threat intelligence with their partners. Many 3^rd party ATM providers and operators will take over responsibility for fraud prevention at the new ATMs from their partner banks unless they are operating the ATMs as a service. This may be become a challenge because the banking industry is notorious for not sharing fraud information quickly, if at all, with their competitors. So, any new ATM pooling infrastructure will require better collaboration and information sharing between all partners. Providing the 3^rd party ATM provider with the necessary information to help them to prevent and monitor potentially fraudulent activity.

Conversely, any uncertainty around who will be responsible for fraud will cause problems for all parties, so it is advisable that ownership for fraud monitoring is held by the 3^rd party ATM provider. Which will help them to gain a complete picture of the fraud landscape across multiple banks, rather than relying on their partners sharing information in real time, which is likely to lead to significant fraud losses.