Please enable JavaScript to view the comments powered by Disqus.

We use cookies on our website to give you the best online experience. Please know that if you continue to browse on our site, you agree to this use. You can always block or disable cookies using your browser settings. To find out more, please review our privacy policy.

COVID-19 RESOURCES AND INFORMATION: See the Atlanta Fed's list of publications, information, and resources; listen to our Pandemic Response webinar series.

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Comment Standards:
Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

September 7, 2021

Happy 50th Birthday, ATM

I am an old ATM (automated teller machine) guy, having managed a small network early in my banking career in the 1970s. That was when ATMs first began making their appearance on the walls of banking offices as a way to extend banking convenience to customers. During my years as a management consultant, I was fortunate to have been involved in the formation of several statewide ATM networks that evolved into regional, national, and international debit (ATM and debit POS) networks. Now that the ATM in the United States has passed its 50th birthday, what has it become and what does the future hold for it?

While the ATM has always been primarily a cash dispenser, there were efforts over the early years to introduce new functionality to generate additional revenue. Several banks unsuccessfully attempted to use it to sell postage stamps or transit fare cards. They realized that these types of alternative products required frequent resupply visits, which drove up servicing costs. Another marketing effort included selling advertisements on the back of transaction receipts, but since most receipts ended up in the ATM’s trash can, this, too was short-lived.

The introduction of a Windows operating system with its graphical capability opened a new range of functionality, with on-screen advertising now being played during previous "Please Wait" static instruction screens. Some ATM operators experimented with selling concert and other local event tickets. Such efforts were quickly abandoned when customers wanting quick access to their cash were forced to wait for minutes behind someone deciding on the best seat selection.

A major change in the ATM landscape took place in 1996, when Congress expressly excluded ATMs from being considered branches and eliminated geographical restrictions. Not only did this change create a major expansion of bank-owned, off-premise ATMs, but it also created the opportunity for independent ATM deployers to place ATMs in retail locations. Today, ATMs/cash dispensers owned and operated by nonfinancial institutions represent more than 60 percent of the machines in the United States.

ATMs have played a vital role during the COVID-19 pandemic in maintaining banking services for consumers while banking offices were closed or operating with reduced hours or staffing levels. Many ATMs use imaging for check and cash deposits. Reported usage has increased significantly. With all the successes and failures throughout the ATM’s history, one thing has been consistent for 50 years: the cash dispensers. They are and have always been an excellent tool to handle that functionality 50 years after their introduction. Talk about standing up to the test of time!

So, what is next for the ATM? The Consortium for Next Gen ATMsOff-site link, representing more than 400 companies in 55 countries, has been working for the last five years to develop a globally interoperative software platform for APIs (for application programming interface) for the ATM to support additional functionality such as interactive teller sessions and cardless and contactless transaction support. Our readers have seen previous posts documenting the reduced usage of cash, especially by millennials. The ATM industry is looking to explore new avenues of service and revenue to offset reduced transaction volume.

Are there any additional functions you would like to see at your ATM? We would enjoy hearing your perspective on the ATM’s future.

  

September 7, 2021

Happy 50th Birthday, ATM

I am an old ATM (automated teller machine) guy, having managed a small network early in my banking career in the 1970s. That was when ATMs first began making their appearance on the walls of banking offices as a way to extend banking convenience to customers. During my years as a management consultant, I was fortunate to have been involved in the formation of several statewide ATM networks that evolved into regional, national, and international debit (ATM and debit POS) networks. Now that the ATM in the United States has passed its 50th birthday, what has it become and what does the future hold for it?

While the ATM has always been primarily a cash dispenser, there were efforts over the early years to introduce new functionality to generate additional revenue. Several banks unsuccessfully attempted to use it to sell postage stamps or transit fare cards. They realized that these types of alternative products required frequent resupply visits, which drove up servicing costs. Another marketing effort included selling advertisements on the back of transaction receipts, but since most receipts ended up in the ATM’s trash can, this, too was short-lived.

The introduction of a Windows operating system with its graphical capability opened a new range of functionality, with on-screen advertising now being played during previous "Please Wait" static instruction screens. Some ATM operators experimented with selling concert and other local event tickets. Such efforts were quickly abandoned when customers wanting quick access to their cash were forced to wait for minutes behind someone deciding on the best seat selection.

A major change in the ATM landscape took place in 1996, when Congress expressly excluded ATMs from being considered branches and eliminated geographical restrictions. Not only did this change create a major expansion of bank-owned, off-premise ATMs, but it also created the opportunity for independent ATM deployers to place ATMs in retail locations. Today, ATMs/cash dispensers owned and operated by nonfinancial institutions represent more than 60 percent of the machines in the United States.

ATMs have played a vital role during the COVID-19 pandemic in maintaining banking services for consumers while banking offices were closed or operating with reduced hours or staffing levels. Many ATMs use imaging for check and cash deposits. Reported usage has increased significantly. With all the successes and failures throughout the ATM’s history, one thing has been consistent for 50 years: the cash dispensers. They are and have always been an excellent tool to handle that functionality 50 years after their introduction. Talk about standing up to the test of time!

So, what is next for the ATM? The Consortium for Next Gen ATMsOff-site link, representing more than 400 companies in 55 countries, has been working for the last five years to develop a globally interoperative software platform for APIs (for application programming interface) for the ATM to support additional functionality such as interactive teller sessions and cardless and contactless transaction support. Our readers have seen previous posts documenting the reduced usage of cash, especially by millennials. The ATM industry is looking to explore new avenues of service and revenue to offset reduced transaction volume.

Are there any additional functions you would like to see at your ATM? We would enjoy hearing your perspective on the ATM’s future.

  

December 16, 2019

ATM Cash-Out Attacks Return

I first wrote about ATM cash-outs back in 2013 when these attacks were escalating. But the frequency of the attacks quickly declined when card issuers and their processors and networks hardened their defenses. So why am I writing about it again? There were some major attacks in mid-2018. A bank in India, for example, lost approximately US$13 million from more than 12,000 fraudulent transactions at ATMs located in Canada, India, and Hong Kong. The United States has seen isolated attacks in recent years, but law enforcement is concerned that these attacks will grow because perpetrators stand to obtain a large amount of money. It's critical that financial institutions and other transaction processors remain vigilant, so I'd like to bring some attention back to this especially costly crime.

These attacks require careful planning and a synchronized effort, but the payoff for the criminals can make it worth all the work. First, the criminal gains remote access to an issuer's card management system and transaction controls. Next, the criminal uses a money mule network to open new accounts with a chip card or distributes debit or prepaid cards with cloned magnetic stripes and compromised PINs to the money mules spread across the globe. In a carefully synchronized operation, the money mules begin making withdrawals at numerous ATMs. With access to the card management system, the criminal keeps resetting balances and transaction counters to get around amount and transaction limits, and withdrawals continue to be authorized. The mules continue to make withdrawals until the cash supply in the ATM is exhausted. This is how such attacks can result in a loss to issuers in the millions of dollars worldwide in just a couple of hours. Most networks have now implemented transaction monitoring capabilities that can detect abnormal transaction traffic both at the account and the financial institution levels. If the networks identify abnormalities, they contact the issuer or processor to examine the transactions more closely. Some networks, if they can't contact the financial institution or processor, are authorized to block the activity right away to prevent additional transactions until the situation can be evaluated. Some criminals have responded by increasing the number of targeted accounts so the activity is spread across more accounts and the detection thresholds are not crossed as quickly.

Here are some steps that issuers and processors can take to defend against cash-out attacks:

  • Follow standard cybersecurity protocols related to password strength and management of system access controls to prevent compromise of system access credentials.
  • Evaluate adding further layers of authentication/approval for remote changes to card management data fields such as account balances and transaction counters.
  • Discuss with processors and networks any additional monitoring capabilities they may have to mitigate such attacks.

As the ATM celebrates its golden anniversary, cash-out attacks remind us of the constant efforts by criminals to defraud financial institutions and other stakeholders in the payments industry. Cash-out attacks are not new, but they can still result in huge losses, so the industry needs to remain vigilant and continue to look for ways to defeat them.

February 26, 2018

Explosive News Regarding ATMs

You've probably seen at least one video of a criminal attaching a chain from a truck an ATM to try to pull the ATM out of its mounts. Or maybe you've seen one of someone using a sledgehammer to try to smash an ATM open. Although these types of attacks are destructive, they do not rise to the level of the explosive attacks that have been taking place in Europe, Australia, and South America—and, just recently, in the United States. First reported about 10 years ago in Europe, their frequency has increased dramatically over the last several years.

I learned a bit about these and other ATM dangers at a conference I recently attended in Las Vegas on emerging functionality for ATMs and cash dispensers. One of the most interesting sessions was a presentation on ATM crimes that a U.S. Secret Service agent gave. The agent talked about the two major categories of ATM terminal crimes: logical and physical attacks. Criminals carry out logical attacks using software, skimming devices, or cameras. With software, they aim to gain access to the ATM software or operating system so they can intercept data transmissions or issue commands to dispense currency. With skimming or shimming devices and cameras, they can capture card and PIN data. A recent logical attack "jackpotted" an ATM—that was the first time in the United States that a criminal forced an ATM to dispense all its currency.

Criminals trying to blow up ATMs in Europe have predominately used gas. They pump a combustible gas like oxyacetylene, used in welding, into the ATM enclosure through a drilled hole, currency slot, or other entry point, and then detonate it. This 2015 Bloomberg Businessweek article describes explosive attacks in England in great detail.

Unfortunately, reports indicate that solid explosives such as dynamite, explosive gel, and C4 are becoming more common in Europe and South America. In Brazil, dynamite is the predominant explosive, in part because a large supply of dynamite was stolen from a mining operation. As expected, these attacks are highly destructive, not only to the ATM but also to the surrounding building, which you can see in the photo below (this ATM attack recently took place in Atlanta). Normally these attacks are carried out at ATMs in isolated locations at off-hours. Fortunately, I have not heard of any loss of life or injuries to innocent people from these attacks.

From tweet
Source: WSB-TV

Because the frequency of these attacks is growing, ATM manufacturers and other third parties have developed countermeasures either to detect and thwart the attacks or to reduce the monetary value of a successful attack. For gas attacks, detection sensors installed in the ATM may do several things: trigger an audible—and monitored—alarm, release a gas-suppression system to prevent detonation, open a cover to prevent the gas pressure from building to a level that will detonate, or trigger a currency-staining mechanism that would put an ink stain on the currency in the machine, neutralizing its ability to be used. Additionally, penetration mats may be installed inside the ATM fascia that could detect drilling. Regrettably, attacks with solid explosives are more difficult to mitigate, but the industry has responded with harder enclosures and currency-inking neutralization systems.

We can hope that such attacks will not grow in frequency the United States, but security folks will probably tell us that we are being a bit Pollyannaish. Best be prepared.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed