Safeguarding the Vault: A Deep Dive into ATM Security, Fraud, and Global Reliability

An automated teller machine (ATM) is an automatic electronic telecommunications device that allows customers of financial institutions to carry out financial transactions such as cash withdrawals, deposits, and funds transfers and to check their accounts or obtain account information at any time and without having to interact with any bank staff directly.

ATMs are known by a variety of other names, such as automatic teller machine in the United States (sometimes redundantly as “ATM machine”). In Canada, automated banking machine (ABM) is also used, although ATM is also very commonly used, with many Canadian organizations using ATM rather than ABM. In British English, the names cashpoint, cash machine and hole in the wall are also used. ATMs that are not operated by a financial institution are called “white-label” ATMs.

Using an ATM, customers can access their bank deposit or credit accounts in order to make a variety of financial transactions, most notably cash withdrawals and account checks, as well as transferring credit to and from mobile phones. ATMs can also be used to withdraw cash in a foreign country. If the currency withdrawn from the ATM is not the currency that the bank account is denominated in, the money will be converted at the financial institution’s exchange rate. Customers are usually identified by inserting a plastic ATM card (or some other acceptable payment card) into the ATM, and authentication comes from the customer entering a personal identification number (PIN), which must match the PIN stored in the chip on the card (if the card is so equipped) or in the issuing financial institution’s database.

According to the ATM Industry Association (ATMIA), in 2015, there were nearly 3.5 million ATMs in place in the world. However, the use of ATMs is gradually decreasing with the rise of cashless payment.

History

The idea of out-of-hours cash distribution was first put into practice in Japan, the United Kingdom, and Sweden.

Early Concepts and Prototypes

  • In 1960, an automated deposit machine (accepting coins, cash and cheques) was invented by Armenian-American inventor Luther Simjian, but it did not have cash dispensing features. His US patent was first filed on 30 June 1960 and was granted on 26 February 1963. The roll-out of this machine, called Bankograph, was delayed by a couple of years, due in part to the fact that Simjian’s Reflectone Electronics Inc. was acquired by Universal Match Corporation. An experimental Bankograph was installed in New York City in 1961 by the City Bank of New York, but it was removed after six months because of a lack of customer acceptance.
  • In 1962 Adrian Ashfield came up with the idea of a card system to identify a user securely and to control and track the dispensing of goods or services. This was granted UK Patent 959,713 in June 1964 and was transferred to Kins Developments Limited.

Invention

In 1966, a Japanese device called the “Computer Loan Machine” gave cash as a short-term three-month loan at an annual interest rate of 5% when a credit card was inserted. However, little is known about the device.

Actor Reg Varney using the world’s first cash machine at Barclays Bank, Enfield north London on 27 June 1967.

A cash machine was installed at Barclays Bank in Enfield, North London, in the United Kingdom, on 27 June 1967. This is generally considered to be the world’s first ATM. The machine was inaugurated by the English actor Reg Varney during the launch publicity. The invention is attributed to the team of engineers led by John Shepherd-Barron of printing firm De La Rue, who was awarded an OBE in the 2005 New Year Honours. Transactions were triggered by inserting paper cheques issued by a teller or cashier, which were marked with carbon-14 for machine readability and identification, and which in a later version were combined with a four-digit personal identification number (PIN). Shepherd-Barron stated:

It hit me that there must be some way I could get my own money, anywhere in the world or the UK. I struck upon the idea of a chocolate bar dispenser, but instead of the chocolate, having cash.

Blue Plaque on the Drayton Villa in Enfield Barclays celebrating the World’s First Cash Machine.

The Barclays – De La Rue machine (called De La Rue Automatic Cash System or DACS) beat the machine of the Swedish savings banks and a company named Metior (a device called Bankomat) by a mere nine days, and British Westminster Bank’s Smith Industries Chubb system (called Chubb MD2) by a month. The online version of the Swedish machine is listed as having been in operation on 6 May 1968, with the claim that it was the first online ATM in the world, ahead of the similar claims of IBM and Lloyds Bank in 1971, and Oki in 1970. The collaboration of a small start-up known as Speytec with Midland Bank developed a fourth machine, which was marketed after 1969 in Europe and the US by the Burroughs Corporation. The patent for this device, GB1329964, was filed in September 1969 (and granted in 1973) by John David Edwards, Leonard Perkins, John Henry Donald, Peter Lee Chappell, Sean Benjamin Newcombe and Malcom David Roe. Both the DACS and MD2 accepted only single-use tokens or vouchers, which were retained by the machine, while the Speytec worked with a card that had a magnetic stripe on the back. They used principles such as carbon-14 and low-coercivity magnetism to make fraud more difficult.

The idea of a PIN stored on the card was developed by a group of engineers working at Smiths Group on the Chubb MD2 in 1965, and has been credited to James Goodfellow (patent GB1197183, filed on 2 May 1966 with Anthony Davies). The essence of this system was that it allowed the customer to be verified against the debited account without the intervention of any human agent. This patent is also the first example in the patent record of a full “currency dispenser system.” It was filed in the US on 5 March 1968 (US 3543904) and granted on 1 December 1970. It had a significant effect on the industry as a whole. Not only did future entrants into the cash dispenser market such as NCR Corporation and IBM licence Goodfellow’s PIN system, but a number of later patents reference this patent as “Prior Art Device”.

Propagation

Devices designed by British (i.e. Chubb, De La Rue) and Swedish (i.e. Asea Metior) manufacturers soon spread.

  • For instance, based on its relationship with Barclays, Bank of Scotland rolled out a DACS in 1968 under the ‘Scotcash’ brand. Customers were issued with personal code numbers to activate the machines, the equivalent of the modern-day PIN. They were also provided with GBP 10 vouchers. These were fed into the machine and the corresponding amount was debited from the customer’s account.
  • A Chubb-made ATM was installed in Sydney in 1969. It was the first ATM installed in Australia. The machine only gave out $25 at a time, and the bank card itself would be mailed to the user after the bank had processed the withdrawal.
    • ABC news report on the introduction of ATMs in Sydney, Australia in 1969. People could only get AUS $25 at a time and the bank card was sent back to the user at some later date. This was a Chubb machine.
  • Asea Metior’s Bancomat was the first ATM installed in Spain, on 9 January 1969, in central Madrid by Banesto. This device dispensed 1,000 peseta bills (1 to 5 max). Each user needed to introduce a security personal key using a combination using the ten. In March of the same year an ad containing instructions on how to use the Bancomat was published in the same newspaper.
  • In West Germany, the first ATM was installed in the university city of Tübingen (population 50,000) on May 27, 1968 by Kreissparkasse Tübingen. It was built by Ostertag AG, an Aalen-based safe builder, in cooperation with AEG-Telefunken. Each of the 1,000 selected users was given a double-bit key to open the safe with “Geldausgabe” written on it, a plastic identification card and ten punched cards. One punched card served as a withdrawal slip for a 100 DM bill, with a maximum of 400 DM per day.

Docutel in the United States

A NCR Personas 75-Series, interior, multi-function ATM in the USA.

After seeing first hand the experiences in Europe, in 1968 the ATM was pioneered in the U.S. by Donald Wetzel, a department head at a company called Docutel. Docutel was a subsidiary of Recognition Equipment Inc. of Dallas, Texas, which manufactured optical scanning equipment and had asked Docutel to investigate automated baggage handling and automated gasoline pumps.

On 2 September 1969, the first prototype ATM in the US was installed by Chemical Bank at its branch in Rockville Centre, New York. The first ATMs were designed to dispense a fixed amount of cash when the user inserted a specially coded card. A Chemical Bank advertisement boasted “On Sept. 2 our bank will open at 9:00 and never close again.” Chemical’s ATM, originally called a Docuteller, was designed by Donald Wetzel and his firm Docutel. Chemical executives were at first reluctant about the move to electronic banking in view of the high cost of the early machines. Additionally, executives were worried that customers would object to machines handling their money. In 1995, the Smithsonian National Museum of American History recognised Docutel and Wetzel as inventors of the networked ATM. To demonstrate confidence in Docutel, Chemical installed the first four production machines in a marketing test that showed that they operated reliably and that customers would use them and even pay a fee to do so. Based on this, banks all over the nation started experimenting with ATM installations.

By 1974, Docutel had taken 70 percent of the market in the United States; but then, due to the economic recession of the early 1970s and the company’s concentration on just one product line, Docutel lost its independence and had no choice but to merge with the U.S. subsidiary of Olivetti.

In 1973, Wetzel received U.S. Patent # 3,761,682; the patent application was filed in October 1971. However, the U.S. patent record shows at least three previous applications from Docutel, all relevant to ATM development and none naming Wetzel, including US Patent # 3,662,343, U.S. Patent 3651976 and U.S. Patent 3,68,569. These patents were all attributed to Kenneth S Goldstein, MR Karecki, TR Barnes, GR Chastien and John D White.

A Chase Bank ATM in 2008.

Further Advances

  • In April 1971 Busicom began to make ATMs based on the first commercial microprocessor (Intel 4004). Busicom was producing these microprocessor-based automated teller machines for a number of buyers with the primary customer being NCR Corporation.
  • Mohamed Atalla invented the first hardware security module (HSM), which he named the “Atalla Box”, a security system which encrypted PIN and ATM messages and protected offline devices with an unguessable PIN-generating key. In March 1972, Atalla filed for patent 3,938,091 on his PIN verification system, which included an encoded card reader and described a system that used encryption techniques to provide telephone link security while entering personal ID information, which was transmitted to a remote location for verification.
    • He established Atalla Corporation (now Utimaco Atalla) in 1972, and released the “Atalla Box” commercially in 1973. The product was released as the Identikey. It was a card reader and customer identification system that gave a terminal plastic card and PIN capabilities. The Identikey system consisted of a card reader console, two customer PIN pads, an intelligent controller and a built-in electronic interface package. The device had two keypads, one for the customer and one for the teller. It allowed the customer to type in a secret code, which the device transformed, using a microprocessor, into another code for the teller. During a transaction, the customer’s account number was read by the card reader. This process replaced manual entry and avoided possible keystroke errors. It allowed users to replace conventional customer verification methods such as signature verification and test questions with a secure PIN system. The success of the “Atalla Box” brought hardware security modules into widespread use in ATMs. Its PIN verification process was similar to the subsequent IBM 3624. Atalla’s HSM products protected 250 million card transactions a day as of 2013, and secured the majority of the world’s ATM transactions as of 2014.
  • The IBM 2984 was a modern ATM and came into use at Lloyds Bank, High Street, Brentwood, Essex, United Kingdom in December 1972. The IBM 2984 was designed at the request of Lloyds Bank. The 2984 Cash Issuing Terminal was a true ATM, similar in function to today’s machines, and was named Cashpoint by Lloyds Bank. Cashpoint is still a registered trademark of Lloyds Bank plc in the UK but is often used as a generic trademark to refer to ATMs of all UK banks. These machines were all online and issued a variable amount which was immediately deducted from the account. A few 2984s were supplied to a US bank. A couple of well known historical models of ATMs are the Atalla Box, IBM 3614, IBM 3624 and 473x series, Diebold 10xx and TABS 9000 series, NCR 1780 and earlier NCR 770 series.
  • The first switching system that enabled sharing of automated teller machines between banks went into production operation on 3 February 1979, in Denver, Colorado, in an effort by Colorado National Bank of Denver and Kranzley and Company of Cherry Hill, New Jersey.
  • In 2012, a new ATM at Royal Bank of Scotland enabled customers to withdraw up to GBP 130 in cash without a card by entering a six-digit code requested via their smartphones.

Location

The world’s highest ATM at the Khunjerab Pass in Gilgit Baltistan in Pakistan by NBP which is located at the height of 4,693 metres (15,397 ft) above sea level.

Mobile ATM after Hurricane Sandy, in New Jersey.

ATMs can be placed anywhere, but are mostly found at or near banks, shopping centers, airports, railway stations, metro stations, grocery stores, gas stations, restaurants and other places. ATMs are also provided on cruise ships and some US Naval ships, where sailors can draw their pay.

  • On-premises and Off-premises:
    • On-premises ATMs are often more sophisticated multi-purpose machines that complement the capabilities of a branch of the bank, and therefore more costly.
    • Off-premises machines are deployed by financial institutions where there is a simple need for cash, so they tend to be cheaper single-function devices.
    • Independent ATM deployers that are not associated with a bank install and service white-label ATMs.
  • In the US, Canada and in some Gulf countries, the banks may have drive-thru lanes to allow access to the ATM using an automobile.
  • In recent times, countries like India and some countries in Africa have been installing solar-powered ATMs in rural areas.
  • The world’s highest ATM is at the Khunjerab Pass in Pakistan. Installed at an altitude of 4,693 metres (15,397 ft) by the National Bank of Pakistan, it was designed to operate in temperatures as low as -40 degrees Celsius.

Financial Networks

Most ATMs are linked to interbank networks, allowing people to withdraw and deposit money from ATMs not belonging to the bank where they hold their accounts or in countries where their accounts are held (for withdrawing cash in local currency). Examples of interbank networks include NYCE, PULSE, PLUS, Cirrus, AFFN, Interac, Interswitch, STAR, LINK, MegaLink and BancNet.

ATMs depend on the authorization of a financial transaction by the card issuer or other authorizing institution on a communications network. This is often done by way of an ISO 8583 messaging system.
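
What such an authorization request looks like on the wire, as an added example that is not part of the original page: a small decoder for the message type indicator (MTI), bitmaps and a handful of data elements of an ISO 8583 message. It assumes an all-ASCII encoding with hex-text bitmaps (networks also use binary and BCD variants), and the sample message, terminal ID and MAC value are constructed.

```python
"""Decode the header and a few data elements of an ISO 8583 request.

Assumption: an all-ASCII wire encoding (MTI as 4 digits, bitmaps as 16 hex
characters). Real networks also use binary bitmaps and BCD fields.
"""

# Data elements handled here: number -> (name, kind, length).
# "fixed" fields have a set length; "llvar" has a 2-digit length prefix.
FIELDS = {
    2: ("pan", "llvar", 19),
    3: ("processing_code", "fixed", 6),
    4: ("amount", "fixed", 12),        # minor units, zero padded
    11: ("stan", "fixed", 6),          # system trace audit number
    41: ("terminal_id", "fixed", 8),
    64: ("mac", "fixed", 16),          # 8-byte MAC as hex (assumed encoding)
}


def bitmap_fields(hex_bitmap, offset=0):
    """Return the data element numbers whose bits are set in one 64-bit bitmap."""
    if len(hex_bitmap) != 16:
        raise ValueError("bitmap must be 16 hex characters")
    bits = int(hex_bitmap, 16)  # raises ValueError on non-hex input
    # Bit 1 is the most significant bit of the first byte.
    return [offset + i for i in range(1, 65) if (bits >> (64 - i)) & 1]


def mask_pan(pan):
    """Show only the first six and last four digits, as logs should."""
    return pan[:6] + "*" * max(len(pan) - 10, 0) + pan[-4:]


def take(message, pos, count):
    """Slice exactly `count` characters or fail, so truncation is never silent."""
    chunk = message[pos:pos + count]
    if len(chunk) != count:
        raise ValueError(f"message truncated at offset {pos}")
    return chunk, pos + count


def parse(message):
    """Return the MTI, the list of present data elements and their values."""
    mti, pos = take(message, 0, 4)
    if not mti.isdigit():
        raise ValueError("MTI must be four digits")
    bitmap, pos = take(message, pos, 16)
    present = bitmap_fields(bitmap)
    if 1 in present:  # bit 1 announces a secondary bitmap for fields 65-128
        bitmap, pos = take(message, pos, 16)
        present = present[1:] + bitmap_fields(bitmap, offset=64)
    parsed = {"mti": mti, "present": present}
    for number in present:
        if number not in FIELDS:
            # Without the field's length the rest of the message is unparseable.
            raise ValueError(f"data element {number} is not in the field table")
        name, kind, length = FIELDS[number]
        if kind == "llvar":
            prefix, pos = take(message, pos, 2)
            if not prefix.isdigit() or int(prefix) > length:
                raise ValueError(f"bad length prefix for data element {number}")
            length = int(prefix)
        value, pos = take(message, pos, length)
        parsed[name] = mask_pan(value) if name == "pan" else value
    if pos != len(message):
        raise ValueError("unexpected trailing data")
    return parsed


# Constructed sample: MTI 0200 (financial request), processing code 01xxxx
# (cash withdrawal), amount 100.00, well-known test PAN, placeholder MAC.
SAMPLE = (
    "0200" "7020000000800001"
    "16" "4111111111111111"
    "010000" "000000010000" "000123" "ATM00042" "0123456789ABCDEF"
)

if __name__ == "__main__":
    for key, value in parse(SAMPLE).items():
        print(f"{key}: {value}")
```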

Many banks charge ATM usage fees. In some cases, these fees are charged only to users who are not customers of the bank operating the ATM; in other cases, they apply to all users.

In order to allow a more diverse range of devices to attach to their networks, some interbank networks have passed rules expanding the definition of an ATM to be a terminal that either has the vault within its footprint, or utilises the vault or cash drawer within the merchant establishment, which allows for the use of a scrip cash dispenser.

A Diebold 1063ix with a dial-up modem that is visible at the base.

Connectivity

ATMs usually connect directly to their host or ATM Controller via either ADSL or a dial-up modem over a telephone line, or directly via a leased line. Leased lines are preferable to plain old telephone service (POTS) lines because they require less time to establish a connection. Less-trafficked machines will typically use a dial-up modem over a POTS line rather than a leased line, since a leased line may be comparatively more expensive to operate. That dilemma may be eliminated as high-speed Internet VPN connections proliferate. Common lower-level communication protocols used by ATMs to communicate back to the bank include SNA over SDLC, a multidrop protocol over Async, X.25, and TCP/IP over Ethernet.

In addition to the methods used for transaction security and secrecy, all communications traffic between the ATM and the Transaction Processor may also be encrypted using methods such as SSL.

Global Use

Number of automated teller machines (ATMs) per 100,000 adults, 2017.

HSBC Express Banking ATM In Shatin Hong Kong.

Selection of ATMs, Siam Paragon shopping centre, Bangkok, Thailand.

There are no hard international or government-compiled figures totalling the number of ATMs in use around the world. Estimates developed by ATMIA as of 2015 put the number of ATMs in use at 3 million units, or just 1 ATM for every 3,000 people in the world.

To simplify the analysis of ATM usage around the world, financial institutions generally divide the world into seven regions, based on the penetration rates, usage and features deployed. Four regions (USA, Canada, Europe and Japan) have high numbers of ATMs per million people. Despite the large number of ATMs, there is additional demand for machines in the Asia/Pacific region as well as in Latin America. Macau may have the highest density of ATMs, at 254 ATMs per 100,000 adults.

With the adoption of cashless payment solutions in the late 2010s, ATM numbers and usage began declining. This occurred first in developed countries, at a time when ATM numbers were still increasing in Asia and Africa. As of 2021, there has been a worldwide decrease in the number of ATMs in use, with the average going down to 39 per 100,000 adults after peaking at 41 per 100,000 adults in 2020.

Hardware

A block diagram of an ATM.

An ATM is normally made up of the following devices:

  • CPU (to control user interface, transaction devices)
  • Magnetic card/card reader (to recognize the customer)
  • PIN pad for accepting and encrypting personal identification number EPP4 (similar in layout to touch tone or calculator keypad) manufactured as part of a secure enclosure
  • Secure cryptoprocessor which is typically in a secure enclosure
  • Display (used by the customer for the completion of transaction)
  • Function key buttons (usually close to the display) or Touchscreen (used to select the various aspects of the transaction)
  • Record printer (to give the customer a record of transaction)
  • Vault (to store the parts of the machinery requiring restricted access)
  • Housing (for aesthetics and to attach signage to)
  • Sensors and indicators

Due to heavier computing requirements and the declining price of personal computer-like architectures, ATMs have moved away from custom hardware architectures using microcontrollers or application-specific integrated circuits and have adopted the hardware architecture of a personal computer, such as USB connections for peripherals, Ethernet and IP communications, and personal computer operating systems.

Business owners often lease ATMs from service providers. However, based on economies of scale, the cost of equipment has dropped to the point where many business owners simply pay for ATMs using a credit card.

New ADA voice and text-to-speech guidelines, which took effect in 2010 but had to be in place by March 2012, have forced the owners of many ATMs to either upgrade non-compliant machines or remove them if they are not upgradable, and purchase new compliant equipment. This has opened a way for hackers and thieves to obtain ATM hardware from junkyards, from improperly disposed decommissioned machines.

Two Loomis employees refilling an ATM at Downtown Seattle REI.

The Vault

The vault of an ATM is within the footprint of the device itself, and is the container within which items of value are kept. Scrip cash dispensers, which print a receipt or scrip instead of dispensing cash, do not incorporate a vault.

Mechanisms that are found inside the vault may include:

  • Dispensing mechanism (in order to provide cash or other items of value)
  • Deposit mechanism including a cheque processing mechanism and bulk note acceptor (to allow the customer to make deposits)
  • Security sensors (magnetic, thermal, seismic, gas)
  • Locks (to control access to the contents of the vault)
  • Journaling systems; many are electronic (a sealed flash memory device based on in-house standards) or a solid-state device (an actual printer) which accrues all records of activity, including access timestamps, number of notes dispensed, etc. This is considered sensitive data and is secured in a similar fashion to the cash, as it is a similar liability.

ATM vaults are supplied by manufacturers in a variety of grades. Factors affecting vault grade selection include cost, weight, regulatory requirements, ATM type, operator risk avoidance practices and internal volume requirements. Industry standard vault configurations are: Underwriters Laboratories UL-291 “Business Hours” and Level 1 Safes, RAL TL-30 derivatives, and CEN EN 1143-1 – CEN III and CEN IV.

ATM manufacturers recommend that the vault be attached to the floor to prevent theft, although there is one recorded theft carried out by tunnelling into an ATM floor.

Software

Although Microsoft ended support for the operating system in 2014, a significant number of ATMs as of 2020 still use versions of Windows XP, as seen in this machine at a branch of the supermarket chain Tesco Express, in Slough, Berkshire.

With the migration to commodity personal computer hardware, standard commercial “off-the-shelf” operating systems and programming environments can be used inside ATMs. Typical platforms previously used in ATM development include RMX and OS/2.

Today, Microsoft Windows is used for the vast majority of ATMs worldwide. In early 2014, 95% of ATMs were running Windows XP. A small number of deployments may still be running an older version of the Windows OS such as Windows NT, Windows CE, or Windows 2000, despite the fact that Microsoft only supports Windows 10 and Windows 11.

There is a computer industry security view that general public desktop operating systems carry greater risks as operating systems for cash dispensing machines than other types of operating systems such as (secure) real-time operating systems (RTOS). RISKS Digest has numerous articles about ATM operating system vulnerabilities.

Linux is also finding some reception in the ATM marketplace. For example, Banrisul, the biggest bank in the south of Brazil, has replaced the MS-DOS operating systems in its ATMs with Linux. Banco do Brasil is also migrating ATMs to Linux. Indian-based Vortex Engineering is manufacturing ATMs which use Linux only. Common application layer transaction protocols include Diebold 91x (911 or 912) and NCR NDC or NDC+. These typically emulate older generations of hardware on newer platforms, with incremental extensions made over time to address new capabilities, and companies like NCR continue to improve these protocols by issuing newer versions (e.g. NCR’s AANDC v3.x.y, where x.y are subversions). Most large ATM manufacturers offer software packages which implement these protocols. Newer protocols such as IFX have not yet gained wide acceptance by transaction processors.

With the introduction of a more standardised software base, financial institutions have been increasingly interested in the ability to pick and choose the application programmes which drive their equipment. WOSA/XFS, now called CEN XFS (or simply XFS), offers a common API for accessing and manipulating the various devices of an ATM. J/XFS is a Java implementation of the CEN XFS API.

While the perceived benefit of XFS is similar to Java’s “write once, run anywhere” mantra, different ATM hardware vendors often have different interpretations of the XFS standard. As a result of these differences in interpretation, ATM applications usually use middleware to even out the differences between platforms.

With the arrival of Windows operating systems and XFS on ATMs, software applications can become more intelligent. This has led to a new breed of ATM applications, usually called programmable applications. These applications allow an entirely new range of uses in which the ATM terminal can do more than just communicate with the ATM switch. It can now connect to other content servers and video banking systems.

Notable ATM software that operates on XFS platforms includes Triton PRISM, Diebold Agilis EmPower, NCR APTRA Edge, Absolute Systems AbsoluteINTERACT, KAL Kalignite Software Platform, Phoenix Interactive VISTAatm, Wincor Nixdorf ProTopas, Euronet EFTS and inter-ATM from Intertech.

With the migration of ATMs to industry standard computing environments, concern has risen over the integrity of the ATM’s software stack.

Impact on Labor

The number of tellers in the United States increased from about 300,000 in 1970 to about 600,000 in 2010. One reason might have been the introduction of automated teller machines. ATMs let a branch operate with fewer tellers, which makes it more economical for banks to open more branches, and banks must then employ additional tellers to work in those branches. Further automation and online banking, however, may reverse this increase, resulting in a trend toward fewer bank teller positions.

Security

ATM security has many dimensions. ATMs also offer a practical demonstration of a number of security systems and concepts operating together, and of how various security concerns are addressed.

Physical Security

An opened Wincor Nixdorf Procash 2100xe Frontload that was opened with an angle grinder.

Early ATM security was concerned with making the terminals secure against physical attack; they were effectively safes with dispenser mechanisms. A number of attacks resulted, with thieves attempting to steal entire machines by ram-raiding. Since the late 1990s, criminal organizations in Japan have improved on ram-raiding by stealing a truck loaded with heavy construction equipment and using it to destroy or uproot an entire ATM and any housing in order to steal the cash.

Another attack technique, plofkraak (a Dutch word), is to seal every opening of the ATM with silicone and fill the ATM’s vault with combustible gas, or to place an explosive inside, attached to, or near the machine. The gas or explosive is ignited and the vault is opened or distorted by the force of the resulting explosion, allowing the criminals to break in.

ATM bombings started in the Netherlands, but when the country reduced the number of machines from 20,000 to 5,000 and discouraged the use of cash, the mostly Moroccan-Dutch gangs expert in these attacks moved on to other locations. Such thefts have also taken place in Belgium, France, Denmark, Germany, Australia and the United Kingdom. When anti-gas explosion prevention devices and reinforced ATMs were installed, criminals started to use leaf blowers to remove the smoke, and more powerful solid explosives. Although German banks were spending more than 300 million euros on additional security, the Federal Criminal Police Office estimated that 60% of the attacks on automated teller machines in the country were successful as of 2024.

Several attacks in the UK (at least one of which was successful) have consisted of digging a hidden tunnel underneath the ATM, and coming up through the reinforced base to extract the money.

Modern ATM physical security, like other modern money-handling security, focuses on denying the use of the money inside the machine to a thief, using different types of Intelligent Banknote Neutralisation Systems.

A common method of attack is simply to rob the staff filling the machine with money. To prevent this, the schedule for filling machines is kept secret, varying and random. The money is often kept in cassettes, which will dye the money if opened incorrectly.

Standard of Secrecy and Integrity of Transaction

The security of ATM transactions is based largely on the integrity of the secure cryptoprocessor: the ATM more often than not makes use of general commodity components that sometimes are not considered to be “trusted systems”.

Encryption of personal information, which is required by law in many jurisdictions, is used to prevent fraud. Sensitive data in ATM transactions are usually encrypted with DES, but transaction processors now usually require the use of Triple DES. Remote Key Loading techniques may be used to ensure the secrecy of the initialisation of the encryption keys in the ATM. A Message Authentication Code (MAC) or Partial MAC may also be used to ensure that messages have not been tampered with while in transit between the ATM and the financial network.
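
The tamper check described above, as an added example that is not part of the original page: HMAC-SHA256 from the Python standard library stands in for the DES-based MACs used on ATM links, and “partial MAC” is taken to mean a MAC computed over a chosen subset of fields. The key, field names, field selection and message values are all constructed.

```python
import hashlib
import hmac

# Constructed demo key. In a deployment the MAC key stays inside the
# secure cryptoprocessor; it is a plain constant here only for illustration.
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Hypothetical field selection for the partial MAC.
PARTIAL_FIELDS = ("pan", "amount", "stan")

# Constructed withdrawal request (field names are assumptions).
MESSAGE = {
    "mti": "0200",
    "pan": "4111111111111111",
    "processing_code": "010000",
    "amount": "000000010000",
    "stan": "000123",
    "terminal_id": "ATM00042",
}


def canonical(message, fields=None):
    """Serialise the covered fields in sorted order with length prefixes,
    so two different messages can never produce the same byte string."""
    names = sorted(message if fields is None else fields)
    parts = []
    for name in names:
        value = str(message[name])  # KeyError if a covered field is absent
        parts.append(f"{len(name)}:{name}={len(value)}:{value};")
    return "".join(parts).encode("utf-8")


def compute_mac(message, key, fields=None):
    """MAC over every field (fields=None) or over the named subset."""
    return hmac.new(key, canonical(message, fields), hashlib.sha256).hexdigest()


def verify(message, tag, key, fields=None):
    """Recompute the MAC and compare in constant time."""
    try:
        expected = compute_mac(message, key, fields)
    except KeyError:
        return False  # a field the MAC must cover was stripped in transit
    return hmac.compare_digest(expected, tag)


def tamper_report(key=MAC_KEY):
    """Alter one field in transit and record which MAC still verifies.

    Each value is a pair: (full MAC verifies, partial MAC verifies).
    """
    full_tag = compute_mac(MESSAGE, key)
    partial_tag = compute_mac(MESSAGE, key, PARTIAL_FIELDS)
    changed = {
        "amount": dict(MESSAGE, amount="000000990000"),
        "terminal_id": dict(MESSAGE, terminal_id="ATM00099"),
    }
    report = {"untouched": (verify(MESSAGE, full_tag, key),
                            verify(MESSAGE, partial_tag, key, PARTIAL_FIELDS))}
    for field, altered in changed.items():
        report[field] = (verify(altered, full_tag, key),
                         verify(altered, partial_tag, key, PARTIAL_FIELDS))
    return report


if __name__ == "__main__":
    for case, (full_ok, partial_ok) in tamper_report().items():
        print(f"{case:12} full MAC ok={full_ok}  partial MAC ok={partial_ok}")
```

The terminal_id case is the one to read: the partial MAC still verifies because that field lies outside its coverage, so every field that influences the authorization decision belongs in the selection.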

Integrity of Customer Identity

BTMU ATM with Palm Scanner (to the right of the screen).

There have also been a number of instances of fraud involving man-in-the-middle attacks, whereby criminals have attached fake keypads or card readers to existing machines. These have then been used to record customers’ PINs and bank card details in order to gain unauthorised access to their accounts. Various ATM manufacturers have implemented countermeasures to protect the equipment they manufacture against these kinds of threats.

Alternative methods of verifying the identity of the cardholder have been tested and deployed in some countries, such as finger and palm vein patterns, iris recognition and facial recognition technologies. Cheaper mass-produced equipment has been developed and is being installed in machines globally to detect the presence of foreign objects on the front of ATMs; current tests have shown 99% detection success for all types of skimming devices.

Device Operation Integrity

ATMs which are exposed to the outside need to be vandal resistant and weather resistant.

Openings on the customer side of ATMs will often be covered by mechanical shutters in order to prevent tampering with the mechanisms when they aren’t in use. Alarm sensors are positioned inside ATMs and their servicing areas to alert operators when doors have been opened by unauthorised people.

To protect against hackers, ATMs have a built-in firewall. Once the firewall detects malicious attempts to break into the machine remotely, it locks down the machine.

Rules are generally set by the government or ATM operating body that determine what is to occur when integrity systems fail. Depending on the jurisdiction, a bank may or may not be liable when an attempt is made to dispense a customer’s money from an ATM and the money either gets outside of the ATM’s vault, or was exposed in a non-secure fashion, or the bank is unable to determine the state of the money after a failed transaction. Customers have often commented that it is difficult to recover money lost in this way, but this is often complicated by the policies regarding suspicious activities typical of the criminal element.

Customer Security

In some countries, various security cameras and security guards are a very common feature. The New York State Comptroller’s Office has recommended to the New York State Department of Banking that it hold more thorough safety inspections of ATMs in high-crime areas.

Consultants to ATM operators claim that the issue of customer security needs to be given more consideration by the banking industry; it has been suggested that efforts are now more focused on the preventive measure of deterrent legislation than on the problem of continued forced withdrawals.

Dunbar’s armored personnel keeping watch over ATMs that have been installed in a van.

At least as far back as 30 July 1986, industry consultants have argued in favor of an emergency PIN system for ATMs, by means of which the person at the ATM could send a silent alarm in response to a threat. Legislative efforts to require an emergency PIN system have emerged in Illinois, Kansas and Georgia, but none has succeeded yet. In January 2009, Senate Bill 1355 was proposed in the Illinois Senate to reconsider the issue of the reverse emergency PIN system. The bill is again backed by the police and opposed by the banking lobby.

In addition, in 1998, in response to a wave of ATM crime, three towns outside Cleveland, Ohio, passed legislation requiring emergency telephone number switches to be installed at all outdoor ATMs in their jurisdiction. In the wake of a homicide in Sharon Hill, Pennsylvania, the city council passed an ATM security bill as well.

In China and other areas, there have been many efforts to promote security. On-premises ATMs are often placed in the lobby of the bank, which may be open 24 hours per day. These lobbies have extensive security camera coverage, a courtesy telephone for consulting with the bank staff, and a security guard on the premises. Bank lobbies without a 24-hour guard may also have secure doors that can only be opened from outside by swiping the bank card against a scanner mounted on the wall, which allows the bank to identify which card enters the building. Most ATMs will also display on-screen safety warnings and may also be equipped with convex mirrors above the display, enabling the user to see what is going on behind them.

As of 2013, the only claim that can be made about the number of ATM-connected homicides is that they range from 500 to 1,000 per year in the US, and this covers only cases in which the suspected victim had an ATM card and the card was used by the killer after the known time of death.

Jackpotting

Jackpotting is the term for one technique criminals use to steal money from an ATM. The thieves gain physical access through a small hole drilled in the machine. Using an industrial endoscope, they disconnect the existing hard drive and connect an external drive. They then depress an internal button that reboots the device so that it is now under the control of the external drive. They can then make the ATM dispense all of its cash.

Encryption

In the last few years, some ATMs have also begun to encrypt the hard disk. This makes creating jackpotting software harder and improves the security of the ATM.

Uses

Two NCR Personas 84 ATMs at a bank in Jersey dispensing two types of pound sterling: Bank of England on the left, States of Jersey on the right.

Golden vending machine (ATM) in New York City.

ATMs were originally created to serve as cash dispensers, but they have since become capable of many other bank-related functions:

  • Paying routine bills, fees and taxes (utilities, phone bills, social security, legal fees, income taxes, etc.)
  • Printing or ordering bank statements
  • Updating passbooks
  • Cash advances
  • Cheque Processing Module
  • Making (full or partial) payments on the credit balance of a card connected to a particular current account
  • Transferring money between linked accounts (such as transferring between accounts)
  • Deposit Currency Recognition and Acceptance, and Recycling

In some countries, particularly those that have a fully integrated cross-bank network (e.g. Multibanco in Portugal), ATMs include many functions that are not directly related to the management of one’s own bank account, such as:

  • Loading of monetary value into stored value cards
  • Adding prepaid cell phone / mobile phone credit
  • Purchasing
    • Concert tickets
    • Gold
    • Lottery tickets
    • Movie tickets
    • Postage stamps
    • Train tickets
    • Shopping mall gift certificates
  • Donating to charities

Increasingly, banks are looking to use the ATM as a sales device to deliver pre-approved loans and targeted advertising using products such as ITM (the Intelligent Teller Machine) from Aptra Relate from NCR. ATMs can also serve as a means of advertising for other companies.

A South Korean ATM that has mobile bank port and bar code reader.

However, a number of different ATM technologies are yet to be accepted globally, such as:

  • Videoconferencing to human tellers, referred to as video tellers
  • Biometrics, where the authorization of transactions is on the basis of the scanning of a customer’s fingerprint, iris, face, etc.
  • Cheque/cash acceptance, where the machine accepts and recognises cheques and/or currency without envelopes; expected to grow in importance in the US through Check 21 legislation
  • Bar code scanning
  • On-demand Printing of “items of value” (e.g. Movie tickets, Traveler’s Cheques etc.)
  • Dispensing other media (such as phone cards)
  • ATM-mobile phones co-ordination
  • Integration with non banking equipment
  • Games and Promotional Features
  • CRM through the ATM

The videoconferencing teller machines are known today as Interactive Teller Machines. Benton Smith writes in the Idaho Business Review, “The software that makes interactive teller machines work was developed by a Salt Lake City-based company called uGenius, which is a producer of video banking software.” NCR, one of the largest companies that produce ATMs, bought uGenius in 2013 and combined its own ATM hardware with the uGenius video software.

Reliability

An ATM running Microsoft Windows that has crashed because of a peripheral component failure.

Before an ATM is placed in a public place, it has usually undergone extensive testing with both test money and the backend computer systems that enable it to perform transactions. Banking customers have also come to expect high levels of reliability from their ATMs, which gives ATM providers an incentive to minimise machine and network failures. The financial consequences of incorrect machine operation provide a further strong incentive to minimise malfunctions.

ATMs and the supporting electronic financial networks are generally very reliable, with industry benchmarks typically showing 98.25% customer availability for ATMs and up to 99.999% availability for the host systems that manage the networks of ATMs. In the worst case, if ATM networks do go out of service, customers could be left unable to make transactions until their bank next opens.

An NCR Interactive Teller Machine running uGenius software.

That said, not all errors are to the detriment of customers; there have been cases of machines giving out money without debiting the account, or dispensing higher-value notes because the wrong denomination of banknote was loaded in the money cassettes. The consequences of receiving too much money may depend on the cardholder agreement between the customer and the bank.

Errors that can occur may be: mechanical (card transport mechanisms; keypad; hard disk failure; envelope deposit mechanisms); software (operating system; device driver; application); communications; or down to operator error.

To aid reliability, some ATMs print each transaction to a roll-paper journal that is kept inside the ATM itself, which allows its users and the related financial institutions to settle matters based on the records in the journal in the event of a dispute. In some cases, transactions are posted to an electronic journal instead, which eliminates the cost of supplying journal paper to the ATM and makes the data more convenient to search.

Improper currency checking can leave a customer with a chance of receiving fake banknotes from an ATM. While bank personnel are usually better trained at spotting and removing counterfeit cash, the resulting ATM money supplies used by banks do not provide any guarantee of proper banknotes, as the Federal Criminal Police Office of Germany has confirmed that there are regularly incidents of false banknotes having been dispensed through ATMs. Some ATMs may be stocked and owned wholly by outside companies, which can complicate this problem still further. Bill validation technology can be used by ATM providers to help ensure the authenticity of the cash before it is stocked in the machine; those with cash recycling capabilities include such capabilities.

In India, whenever an ATM transaction fails due to network or technical issues and the amount is not dispensed even though the account has been debited, banks are supposed to return the debited amount to the customer within seven working days from the day of receipt of a complaint. Banks are also liable to pay late fees if the repayment of funds is delayed beyond seven days.

Fraud

ATM lineup

Some ATMs display warning messages telling people to be careful of possible tampering.

10 euro notes from an ATM robbery, made unusable with red dye.

As with any device that holds objects of value, ATMs and the systems that they rely upon to function are the targets of fraud. Fraud against ATMs and people’s attempts to use them takes a number of forms.

The very first known fake ATM was installed in a shopping mall in Manchester, Connecticut in 1993. By reprogramming the inner workings of a Fujitsu model 7020 ATM, a gang of criminals known as the Buckland’s Boys stole information from cards inserted into the machine by customers.

WAVY-TV reported an incident in Virginia Beach in September 2006 in which a hacker, who had presumably acquired a factory-set administrator password for a filling station’s white-label ATM, made the unit think it was loaded with US$5 bills instead of $20s, allowing himself, as well as many subsequent customers, to walk away with four times the money withdrawn from their accounts. This type of scam was featured on the TV series The Real Hustle.

ATM behaviour can change during what is called “stand-in” time, when the bank’s cash dispensing network cannot access the databases containing information about which accounts have which balances (possibly because of database maintenance). In order to provide customers with access to cash, customers may be allowed to withdraw cash up to a certain level, which may be less than their regular daily withdrawal level but may still exceed the amount of available money in their accounts. This can lead to fraud if customers withdraw more money than they have in their accounts on purpose.
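How an issuer can bound and then measure its stand-in exposure, as an added example that is not from the original page: withdrawals are approved against a cumulative per-card cap while balances are unavailable, then reconciled once the host is back. The class and function names, the cap of 100 and all sample cards and balances are assumptions.

```python
from collections import defaultdict

STAND_IN_LIMIT = 100  # assumed cap per card for the whole stand-in window


class StandInAuthorizer:
    """Approves withdrawals without balance data, up to a cumulative cap."""

    def __init__(self, limit=STAND_IN_LIMIT):
        self.limit = limit
        self.approved = defaultdict(int)  # card -> total approved so far
        self.queue = []                   # withdrawals to post once the host is back

    def authorize(self, card, amount):
        # The cap applies to the running total, not to each request, so
        # repeated small withdrawals cannot add up past the limit.
        if amount <= 0 or self.approved[card] + amount > self.limit:
            return False
        self.approved[card] += amount
        self.queue.append((card, amount))
        return True


def reconcile(queue, balances):
    """Post queued withdrawals; return {card: shortfall} for overdrawn accounts."""
    posted = dict(balances)
    for card, amount in queue:
        posted[card] = posted.get(card, 0) - amount
    touched = {card for card, _ in queue}
    return {card: -posted[card] for card in sorted(touched) if posted[card] < 0}


if __name__ == "__main__":
    auth = StandInAuthorizer()
    # Constructed requests: (card, amount)
    for card, amount in [("A", 60), ("A", 60), ("A", 40), ("B", 100)]:
        verdict = "approved" if auth.authorize(card, amount) else "declined"
        print(card, amount, verdict)
    # Constructed balances as they stood when the host went offline.
    print("overdrawn:", reconcile(auth.queue, {"A": 250, "B": 30}))
```

The shortfall reported at reconciliation can never exceed the cap per card, which is what makes the stand-in limit the issuer's maximum loss per account for the outage.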

Card Fraud

In an attempt to prevent criminals from shoulder surfing the customer’s personal identification number (PIN), some banks draw privacy areas on the floor.

For a low-tech form of fraud, the easiest is simply to steal a customer’s card along with the corresponding PIN. A later variation of this is to trap the card inside the ATM’s card reader, using a device commonly known as a Lebanese loop. When the customer becomes frustrated at not getting the card back and walks away from the machine, the criminal is able to remove the card and withdraw money from the customer’s account using the card and the PIN.

This sort of fraud has been prevalent throughout the world. Although it has been somewhat replaced in terms of volume by skimming incidents, a re-emergence of card trapping has been noticed in places like Europe, where the use of EMV chip and PIN cards has increased.

Another simple kind of fraud is to have the customer’s bank issue a new card and its PIN and then steal them from the customer’s mail.

There are several different methods of operating an ATM. By contrast, a newer, high-tech method of operating, which is sometimes called card skimming or card cloning, involves installing a magnetic card reader over the real ATM’s card slot and using a wireless surveillance camera, a modified digital camera or a false PIN keypad to observe the user’s PIN. Card data is then cloned onto a duplicate card and the criminal attempts a standard cash withdrawal. The ease of access to inexpensive commodity wireless cameras, keypads, card readers and card writers has made it a relatively easy form of fraud, with comparatively low levels of risk to the fraudsters.

In an attempt to stop these practices, the banking industry has developed countermeasures against card cloning, in particular the use of smart cards, which cannot easily be copied or spoofed by unauthenticated devices, and attempts to make the outside of ATMs tamper evident. Older chip card security systems include the French Carte Bleue, Visa Cash, Mondex, Blue from American Express and EMV ’96 or EMV 3.11. The most actively developed form of smart card security currently being used in industry is called EMV 2000 or EMV 4.x.

EMV is broadly used in the UK (Chip and PIN) and other areas of Europe, but when it is not available in a particular area, ATMs have to fall back to using the magnetic stripe, which is easy to copy, to carry out the transaction. This is a behaviour that can be exploited. However, the fallback option has now been removed on the ATMs of some UK banks, which means that if the chip fails to be read, the transaction will be declined.
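One way a terminal or host could enforce the no-fallback policy described above, as an added example rather than any bank’s own code: it parses ISO/IEC 7813 Track 2 data and declines a magnetic stripe read when the service code shows that the card carries a chip. The entry-mode labels, function names and sample tracks (built on a test PAN) are assumptions.

```python
import re

# ISO/IEC 7813 Track 2: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?$"
)

# A first service-code digit of 2 or 6 means the card has an integrated circuit.
CHIP_SERVICE_DIGITS = {"2", "6"}


def luhn_ok(pan):
    """Validate the PAN check digit with the Luhn algorithm."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw):
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("malformed Track 2 data")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return m.groupdict()


def decide(raw_track2, entry_mode, allow_fallback):
    """Return (decision, reason); "proceed" only means this gate was passed.

    entry_mode is "chip" or "magstripe" (hypothetical labels for how the
    terminal read the card).
    """
    if entry_mode == "chip":
        return ("proceed", "chip read")
    try:
        card = parse_track2(raw_track2)
    except ValueError as exc:
        return ("decline", str(exc))
    if card["service"][0] in CHIP_SERVICE_DIGITS:
        if allow_fallback:
            return ("proceed", "magstripe fallback on chip card; flag for monitoring")
        return ("decline", "chip card read as magstripe; fallback disabled")
    return ("proceed", "magstripe-only card")


if __name__ == "__main__":
    # Constructed tracks on a test PAN: service code 201 (chip) and 101 (no chip).
    chip_card = ";4111111111111111=30122011234567?"
    stripe_card = ";4111111111111111=3012101000000?"
    print(decide(chip_card, "magstripe", allow_fallback=False))
    print(decide(chip_card, "magstripe", allow_fallback=True))
    print(decide(stripe_card, "magstripe", allow_fallback=False))
```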

Card cloning and skimming can be detected by implementing magnetic card reader heads and firmware that can read a signature embedded in all magnetic stripes during the card production process. This signature, known as a “MagnePrint” or “BluPrint”, can be used in conjunction with common two-factor authentication schemes used in ATM, debit/retail point-of-sale and prepaid card applications.

The concept and various ways of copying the contents of an ATM card’s magnetic stripe onto a duplicate card to gain access to other people’s financial information were well known in the hacking communities by the late 1990s.

In 1996, Andrew Stone, a computer security consultant from Hampshire in the UK, was convicted of stealing more than hundred thousands of pounds by pointing high-definition video cameras at ATMs from a considerable distance and recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards, together with video footage of the PINs being entered. After obtaining all of this information from the videotapes, he was able to create clone cards which enabled him not only to withdraw the full daily limit for each account, but also to avoid the withdrawal limits by using a number of cloned cards. It was proven in court that using this method he was able to withdraw as much as £10,000 per hour. Stone was sentenced to five years and six months in prison.

Related Devices

  • A talking ATM is a type of ATM that provides audible instructions so that people who cannot read a screen can independently use the machine, therefore effectively eliminating the need for assistance from an external, potentially malevolent source. All audible information is delivered privately through a standard headphone jack on the face of the machine. Alternatively, some banks such as Nordea and Swedbank use a built-in external speaker which may be invoked by pressing the talk button on the keypad. Information is delivered to the customer either through pre-recorded sound files or via text-to-speech speech synthesis.
  • A postal interactive kiosk may share many components of an ATM (including a vault), but it only dispenses items related to postage.
  • A scrip cash dispenser or cashless ATM may have many components in common with an ATM, but it lacks the ability to dispense physical cash and consequently requires no vault. Instead, the customer requests a withdrawal transaction from the machine, which prints a receipt or scrip. The customer then takes this receipt to a nearby sales clerk, who then exchanges it for cash from the till.
  • A teller assist unit (TAU) is distinct in that it is designed to be operated solely by trained personnel and not by the general public, does integrate directly into interbank networks, and usually is controlled by a computer that is not directly integrated into the overall construction of the unit.
  • A Web ATM is an online interface for ATM card banking that uses a smart card reader. All the usual ATM functions are available, except for withdrawing cash. Most banks in Taiwan provide these online services.