Three-Part Series on Security - Part 1. Changing Risk, Risking Change: Security at the ATM
Tuesday, November 3, 2015 6:25 AM

ATM Security

How a simple question could have kept brute-force theft from becoming disaster.
B. Scott Harroff, Diebold

Note: This post is part of a series dedicated to helping financial institutions better understand how they can protect themselves in a constantly changing security environment.

Under cover of darkness, a large piece of construction equipment approaches your ATM. The ATM is violently ripped out of the ground and lowered into the back of a second vehicle, idling in wait. The second vehicle speeds away, leaving behind only a cloud of dust and a messy hole where a terminal once stood.

This is what “normal” ATM theft looks like, and it’s a relatively common type of attack. In this case, the physical theft would have been bad enough. Unfortunately, after the theft, it was discovered that full cardholder data was sitting on an unencrypted hard drive inside the machine. Now, in addition to cash, thieves won access to funds that would have been otherwise secure.

So how did a relatively common brute-force theft turn into a full-blown disaster?

Lack of awareness.

The customer had moved from one type of network processor (where cardholder data was masked before being sent to the ATM) to a processor that transmitted unmasked information. The processor change would have been a non-event, if one very important question had been asked: “How does this processor secure my consumers’ data?”

Breakdowns in awareness are particularly elevated during times of change—and we know the environment of FI security is one of constant change.

If you’re involved in the process of change at your FI, it’s crucial to understand the technology you’re working with. If you’re changing a process, or technology partner, or solutions provider, no matter how simple it may seem, a standard risk analysis exercise is critical to discovering how the changes could affect your vulnerabilities.

A risk analysis prior to the ugly theft I described above might have meant consequences only as severe as having to replace an ATM and the cash inside. Now there are legal issues, as well as an accelerated project to mitigate similar risks on remaining terminals.

Risk management is not a one-time process. Financial institutions, regardless of size or reach, must keep up to date with the evolving threat landscape.

The best way to stay on top of changes, whether they’re external or self-initiated, is to be vigilant using commonly available sources. Here are a few helpful links:

These resources should be examined on a regular basis, but that isn’t enough. Any time a financial institution faces any change in its physical or information security infrastructure, it’s important that those involved harness the change as an opportunity for a new risk analysis.

Asking questions in times of change may be the best way to make sure that if a bulldozer rips out your ATM, it isn’t also ripping off your consumers’ data, and with it, the hard-earned trust and reputation of your FI.

About Diebold
Diebold, an endorsed business partner of Credit Union Resources, is the leading provider of ATMs in the U.S. and a leading global supplier of self-service systems. In addition to manufacturing state-of-the-art equipment, Diebold addresses credit union needs through comprehensive service solutions surrounding ATM services, security services, deposit automation and branch transformation. To learn more about Diebold, please visit