- Chip-Only Transactions. FIs can make policy changes to their cards to only allow chip-based transactions at ATMs. This means that no fallback is allowed, protecting their customers from the counterfeiting that inevitably follows skimming.
- Active Monitoring. Recently developed sensors placed inside cash machines can detect the presence of skimmers,[1] and advanced analytics capabilities focused on ATM activity can help detect, and subsequently halt, a swath of suspicious transactions.
- Enabling Cardless ATM Features. FIs that allow bank customers to withdraw cash through the use of a smartphone app at the cash machine increase the likelihood that those transactions are authentic, assuming strong authentication is in place.
- Bolstering the ATM’s Logical Security. This boils down to protecting ATMs against malware. Patching software. Updating operating systems. These tactics safeguard devices from crimes like jackpotting, in which crooks gain physical access to ATM innards with tools meant to crack the machine open like a safe. Such measures are also intended to stop criminals from distributing malware remotely through a bank’s software distribution mechanism[v]. To be clear, newer ATMs can have updates deployed automatically. Older machines – many of which are still deployed across American bankers’ fleets and other financial services companies’ networks – must be visited in person by an FI’s IT people[vi].
- Securing the network. Better security should also extend to the bank’s internal network. By putting stronger controls in place around any systems that control changes to ATM cash-out parameters – both at the network and account level – criminals who compromise employees, through phishing, perhaps, won’t be successful in upending the security of ATMs. In short, stronger authentication and internal alerts.
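
The fallback, analytics and internal-alert controls listed above, sketched as detection logic over ATM withdrawal records. This is an added example, not code from the original article; the record fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real transactions; all field names are assumptions.
LIMIT_CHANGES = [  # audit trail of the system that sets withdrawal limits
    {"account": "A-1001", "time": "2018-08-11T01:55:00", "new_limit": 50000},
]
WITHDRAWALS = [  # (account, atm, time, card entry mode, card has chip)
    ("A-1001", "T-17", "2018-08-11T02:05:00", "magstripe", True),
    ("A-1001", "T-42", "2018-08-11T02:20:00", "magstripe", True),
    ("A-1001", "T-63", "2018-08-11T02:40:00", "magstripe", True),
    ("A-1001", "T-88", "2018-08-11T03:10:00", "magstripe", True),
    ("A-2002", "T-17", "2018-08-11T09:00:00", "chip", True),
    ("A-3003", "T-05", "2018-08-11T10:30:00", "magstripe", True),
]
WINDOW = timedelta(hours=2)  # look-back window (assumed threshold)
MAX_ATMS = 3                 # distinct ATMs tolerated per window (assumed)

def flag_withdrawals(withdrawals, limit_changes):
    """Return {account: set of reasons} for withdrawals that merit an alert."""
    changed = defaultdict(list)
    for c in limit_changes:
        changed[c["account"]].append(datetime.fromisoformat(c["time"]))
    flags, seen = defaultdict(set), defaultdict(list)
    for acct, atm, ts, entry, has_chip in sorted(withdrawals, key=lambda w: w[2]):
        t = datetime.fromisoformat(ts)
        # Chip-only policy: a chip card read by magstripe is a fallback.
        if has_chip and entry == "magstripe":
            flags[acct].add("magstripe_fallback")
        # Cash-out parameter changed shortly before the withdrawal.
        if any(timedelta(0) <= t - c <= WINDOW for c in changed[acct]):
            flags[acct].add("withdrawal_after_limit_change")
        # One account used at many machines inside the window.
        seen[acct].append((t, atm))
        if len({a for when, a in seen[acct] if t - when <= WINDOW}) > MAX_ATMS:
            flags[acct].add("many_atms_in_window")
    return dict(flags)

if __name__ == "__main__":
    for account, reasons in flag_withdrawals(WITHDRAWALS, LIMIT_CHANGES).items():
        print(account, sorted(reasons))
```

Under a chip-only policy the `magstripe_fallback` case would be declined outright at authorization; the other two reasons are the kind of signal that would feed an internal alert.
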
- “Do ATMs running Windows XP pose a security risk? You can bank on it!” (https://hackernoon.com/do-atms-running-windows-xp-pose-a-security-risk-you-can-bank-on-it-1b7817902d61)
- “7 reasons why it’s oh so easy for bad guys to hack an ATM” (https://www.kaspersky.com/blog/atm-jackpotting-explained/11323/)
[1] https://www.cise.ufl.edu/~traynor/reaper/, accessed August 24, 2018.
[i] https://krebsonsecurity.com/2018/08/indian-bank-hit-in-13-5m-cyberheist-after-fbi-atm-cashout-warning/ accessed August 20, 2018
[ii] Around the same time, Cofense released a report outlining how the Necurs botnet had begun targeting banks with malicious Microsoft Publisher and Adobe files containing a new Remote Access Trojan, or RAT. https://www.darkreading.com/vulnerabilities---threats/necurs-botnet-goes-phishing-for-banks/d/d-id/1332574, accessed August 20, 2018
[iii] https://www.questia.com/magazine/1G1-329310982/a-few-simple-controls-could-have-prevented-45m-bank accessed August 20, 2018
[iv] 2017 Identity Fraud Study, Javelin Strategy & Research
[vi] Earlier this year, crooks took to jackpotting schemes involving American ATMs reliant on unpatched software. At the time, both NCR and the Secret Service told bankers that organized criminal gangs were attacking stand-alone ATMs using a roughly five-year-old strain of malware, according to KrebsOnSecurity.