ATM and Teller Security


Abstract

This report covers two different aspects of banking security - ATM security and teller security. The section on ATM security will cover a broad range of topics from the physical security of the ATM to protecting the customers who use the ATM. There are 7 sections on ATM security. The 7 topics are: 1) physical security, 2) secrecy, 3) accuracy, 4) availability, 5) authorized transactions, 6) maintenance procedures, and 7) safety when using ATMs. The section on teller security will cover possible scenarios that could take place and the measures in place to protect from them happening. Afterall, the tellers are the ones who have access to all the account information and access to the money. There are 2 sections on teller security, and they are security from the teller and security of the teller.

Introduction

Nowadays people don't even think twice about using ATMs. But how many people actually think about the security risks involved in using them? How many people think about the potentials for fraud and crime that ATMs introduce? The answer is probably not many, since these transactions are so common now. But as the use of ATMs is on the rise, so is the number of crimes involving ATMs.

According to a May 1987 ATM Security Survey conducted by California Bankers Association (Schreiber, 11), there were 176M transactions in 1984 and 372M transactions in 1986. In those 2 years, the number of transactions more than doubled. But it has to be noted that in the survey for 1986, there were 4 more banks that reported data than in 1984. Even so that's still a significant increase in the use of ATMs. During that time, the number of reported ATM crimes rose from 55 in 1984 to 195 in 1986. Comparing the number of reported ATM crimes with the number of transactions that were completed, it really isn't that bad. But a comparison of numbers can be deceiving. What if one ATM crime can net $35,000? According to the article "Security Chiefs Examine ATM Fraud Trends" (Tracey, 32), that's exactly how much money one person was able to steal before he was caught. This person was a former employee of an ATM manufacturer and he had access to a card encoder. He obtained the PINs and account numbers for accounts at a New York City Bank and was able to make counterfeit cards. Because the PINS are encrypted now, it's not possible to do this today. But the fact remains that it doesn't necessarily matter how many crimes are committed involving ATMs. The amount lost by the bank also has to be taken into consideration to fully understand the impact of the crimes.

More recently and even more to the point is another story that was written about in the Reno Gazette-Journal on November 6, 1990. The headline reads "Reno bank job nets $740,000". The criminals in this story involved one insider who worked for Wells Fargo Armored and ATM Repair Service and four other people. The insider was newly hired by Wells Fargo and was part of a team that delivered the $740,000 to the ATM for storage on October 24, 1990. Later that day, the alarm for the ATM was triggered. But when the police came, they didn't see any signs of entry and they left. The alarm was reset by the bank, and the next morning the money was discovered missing. A specific key and combination was needed to gain entry, so the investigation focused on Wells Fargo employees. In the end, the FBI was able to recover little less than half of the money, but there was still $350,000 missing. Since both a specific key and a combination was needed, how did one employee have access to both? What happened to dual access control? Did it fail in this instance? Or was it never in place? Or is dual access control a result of crimes like these?

Because ATMs are a part of our daily lives by allowing us access to cash and other financial information, it's important that we understand the security risks and the measures in place to protect our money. Along the same lines, it's important that we understand the security measures around tellers. Afterall, they are the ones who have access to all the account information in the database and access to a potentially large sum of paper money. They have financial histories at their fingertips. They enter in transactions for the customers. Is there some way fraudulent transactions could be entered? Is there any way that money could be skimmed? What measures are in place to protect us from the tellers who are behind the counters?

Not only do we have to consider security from the tellers, but security of the tellers. Precisely because they do have access to large sums of cash and financial information, what danger does that put them in? What measures are in place to protect the tellers from bank robbers? These are some of the questions that I would like to address in this paper.

ATM Security

There are so many aspects to ATM security. There's the physical security of the machine itself, the 3 aspects of computer security since it is a computer, the security of authorized transactions, and the security of maintenance procedures. These topics as well as the safety of people using ATMS are covered in this section.

Physical Security

If you wanted to break into an ATM, how would you do it? Would you try a blow torch? How about a crow bar? Would you try to break off the handles on the door, or break the combination lock? Or would you try everything just listed? That's exactly what someone had tried to do to an ATM in Norfolk, Virginia. The criminal came in through the ceiling of the ATM enclosure and tried all the methods that were just mentioned above. He was not able to get in and he was caught. On the ATM there were scorch marks from the blow torch, crow bar marks from him trying to pry open the door, the handle of the door was broken off, and the combination lock was destroyed.

So is an ATM absolutely secure from physical attacks? Just like no computer system is completely secure, an ATM is not completely secure. Surprisingly though, some ATMs can be broken into in 15 minutes given the proper tools and the ideal situation. This is indicated by ratings of ATMs as TL-15 or TR-30. The TL indicates the ability to resist break-in by tools. The TR indicates the ability to resist entry using torches. The number that follows these parameters indicate the time that it would take to break into an unalarmed ATM given the proper tools and ideal environment. Since it's only supposed to take 15 minutes to break into an ATM rated as TL-15, why then could the criminal in Norfolk not get to the money in the ATM? Most do not have the proper tools, ideal conditions, or knowledge of the weak areas.

To illustrate the importance of proper tools and knowledge, listen to this story about Travis Scott Loofbourrow. Loofbourrow "used his skills as a mechanical engineer to defeat ATM enclosure alarm systems, door locks, and eventually the ATM vaults themselves" (Schreiber, 7). He had the knowledge to do this. He was a mechanical engineer. Furthermore, he had the tools. He "used a burning bar on ATM vaults initially, and then moved to industrial magnetic drills in later ATM burglaries, and finally began manipulating the lock and combinations on the ATM chests themselves" (Schreiber, 7). Loofbourrow had the know how and the tools to commit the crimes. However, he was caught in 1987, the same year when the crimes were committed. Even though he had the proper tools and the knowledge, that didn't prevent him from getting caught. There were other measures in place.

As seen from the Loofbourrow story, proper tools and knowledge is not enough. The environment of the ATM plays a major role as well. So physical security not only involves the material construction of the ATM, but it also involves everything that makes it harder for a criminal to do damage without being caught. Keeping the area well lit and free from obstructions are physical security measures as well, since criminals don't want to be caught in the act. There are several documents that dictate ATM security standards - The Bank Protection Act of 1968, the California Legislature Assembly Bill #244 introduced on Jan. 10, 1989 and last amended in Senate, August 15, 1990, and the Federal Reserve Regulation P. These documents discuss everything from the materials that the ATMs are made of to the ATM's surroundings. The Assembly Bill #244 discusses the environment of the ATM, such as the landscaping of the surrounding area and the lighting around the ATM.

By controlling the environment of the ATM, the potential for ATM crimes can be minimized. By regulating the landscaping near the ATM, the number of hiding places for a criminal can be controlled. Big bushes that could hide criminals can be cut down and replaced with little bushes. This minimizes the ability of the criminal to hide, commit a crime, and get away with it. So with this measure alone, the criminal can be deterred. Also, by regulating the lighting around the ATM, the chances that a criminal can be caught is increased due to higher visibility. Furthermore, enhanced lighting produces better pictures for the cameras.

Video cameras used in the ATMS can protect both the consumer and the bank. It can protect the consumer and the bank by recording the criminals on tape, so that they can be caught and prosecuted later. Just the possibility of being caught on tape might be enough to deter criminal acts. How can one dispute a tape that clearly records the crime and the criminal? This shows the importance of good lighting and focusing the camera so that good pictures are taken.

Minimizing ideal conditions not only involves controlling the physical environment of the ATM but also the amount of time that the criminal has to commit the act and get away. Since time is a major factor in committing crimes, there are several simple deterrents. One of these is using time locks and relocking devices. If time locks are used, no criminal is going to wait around for the time to elapse. Similarly, relocking devices add another mechanism that has to be broken through in order to get to the money. Breaking through the relocking device may or may not be possible. But the time that it takes to do so will be taken into consideration and the criminal may deem it too risky to try.

Without ideal conditions, the time that it takes to break into the ATM increases as well as the chances of being caught. Therefore, ideal conditions are a major factor in the ATMs being broken into in 15 minutes by experts - so much so that the upper limits for cash is increased if the ATMs are alarmed. One financial institution increases the limits on the amount of money that it's allowed to contain depending on whether or not the ATM is alarmed and what the rating of the alarm is. For example, an IBM ATM is allowed to hold $100,000 without an alarm, $150,000 with an alarm that has a rating of "A", and $350,000 with an alarm that has a rating of "AA". With an NCR ATM, the amount of money that it's allowed to contain is the same as that for the IBM ATM except that without the alarm, the NCR ATM is allowed to hold $40,000 more, giving it a limit of $140,000 unalarmed.

As illustrated, the physical security of the ATM not only entails the strength of the material used to make the ATM, but also any measures that can be used to deter the individual from breaking into it.

Computer Security - Secrecy

As with any computer system, one of the measures of security is secrecy of the transactions. The ATM transactions are not encrypted when they are sent across the network. The PINs (Personal Identification Numbers) are encrypted but nothing else. The account number and the transaction data are not. The argument is that with a data stream, unless you know what you are looking for, there isn't a problem with secrecy. The account number would have to be known and searched out in a stream of numbers flowing across the line. But what if you do know the account number and you're out for revenge on someone? I would think this would be possible, but would the trouble of monitoring billions of numbers across a line be worth it? The answer is probably not, considering that there are billions of numbers that would have to be ciphered through. Surely there are other more efficient ways of finding out financial information, like stealing the bank statements that come through the mail (although this is a federal crime) or bribing a teller at a bank for the financial history (this too being a criminal offense). Furthermore, transactions are printed out on ATM receipts. If the customer is not careful to dispose of the receipt properly, the whole transaction is listed there, including the account number. This receipt endangers the secrecy of the transaction, since it's a written copy. But the advantage to the receipt outweighs the disadvantage. Although it may endanger the secrecy of the transaction, it can improve the accuracy of the ATM. It gives written evidence to aid in disputing ATM transactions as well as keeping track of authorized ones.

Computer Security - Accuracy

Another aspect to computer security is accuracy. This can be accuracy of the data regarding the transaction and accuracy of the money that's given out. If there are discrepancies with regard to ATM transactions, forms are filed regarding the problem and then investigated. The ATMs are balanced and the transaction logs for the ATM are looked at to determine exactly what happened and if there was an error. To ensure the accuracy of the money that's given out, the ATM closes if cash gets stuck and the ATM reports an error back to the bank. If the ATM is out of $10s, the ATM will automatically offer options in $20s and vice versa. Furthermore, cash from deposits are not available right away. If it were possible, one could theoretically deposit an empty envelope, tell the ATM that money was deposited, and try to withdraw money from the deposit. For this reason, only money that's available excluding the deposit can be withdrawn.

Another way to ensure accuracy it to use the video tape from the ATM and the transaction log to create a replay of the transaction. By recording who commits a certain transaction and synchronizing the clocks so that the ATM transaction log matches the time on the video, a detailed replay of events can be made. How can a video tape with a supporting transaction log be disputed? This is another way to ensure accuracy when there are disputes about unauthorized transactions or crimes.

Computer Security - Availability

The third aspect to computer security is availability. According to the ATM Coordinator for one financial institution, the availability rate is kept above 96%. This excludes the downtime due to external problems, such as the telephone lines being down or preventative maintenance. It's only the time that the ATM is down due to problems with the ATM itself. To keep the availability rate high, there are monthly reports about problems that ATMs are experiencing. The ATM Coordinator looks through this report monthly and if the ATM is experiencing many problems, she calls the vendor for servicing. Furthermore, the ATM gets serviced every 6 months as preventative maintenance.

Authorized Transactions

One main concern with ATM transactions is to validate that they are authorized. There are several dangers in this respect. How do you limit ATM transactions to valid users? What happens if an unauthorized person gains access to the card? Could the card be copied? Afterall, the card has a magnetic strip that can be duplicated given the right equipment. Is the method to generate PINs secure? Is the method of distributing the cards and the PINs secure enough? These are some of the issues that will be discussed next.

On the ATM card itself there are data stored in 3 tracks on the magnetic strip. On Track 1, the person's name and account is stored. The information on this track is not used for the ATM transaction but for the user interface. When your name shows up on the screen of the ATM, it is because the computer is reading the data on Track 1. On Track 2, the person's account number and expiration date is stored. There is also space for other information on Track 2 which the on-line application uses for processing. On Track 3, user data that can be updated by the ATM during off-line applications is stored. So in general, four pieces of information are available on the magnetic stripe. Those four items are the person's name, the expiration date of the card, the account number, and the encrypted PIN. I think Track 3 contains the encrypted PIN, but I'm not sure.

Since the card contains all the information needed to gain access to the account, how are ATM transactions limited to authorized users? This is done through the use of PINs. When a customer wants to use an ATM, the access control steps of identification, authentication, and authorization are used. The person identifies himself as a customer by inserting the ATM card into the machine. Then the ATM needs to verify that this is an authorized user. The customer has a card, which can sometimes be an access control in itself. But because of the vulnerabilities of the ATM card, merely having the card is not enough. The magnetic strips on the cards can be copied. So to minimize the risk of unauthorized people using the ATM card, both the ATM card and the PIN have to be entered into the ATM. So even if an unauthorized person gains access to the card or copies the data from the magnetic strip on the card, the person can't do any transactions without the PIN. When the ATM asks the customer for the PIN and it's entered incorrectly, it tells the system that the customer is supposed to be an authorized user. However, this is not completely secure. An unauthorized person could have both, but for transaction purposes, the person who has the PIN and the card is an authorized person to the ATM. That's why it's important that the PIN is safeguarded.

Where does the PIN come from? There are 2 methods in generating the PIN. The bank can generate the PIN or the customer can. The bank takes the account number, a key, and an algorithm to generate the PINs. By having an algorithm and a key, paper records of the PINs don't have to be kept - therefore limiting the risk of people finding out the PINs. The PINs can be regenerated given the account number, the algorithm, and the key. Therefore, only the key has to be safeguarded. This is a security measure as well as a risk. It's a security measure in that each individual PIN is not recorded somewhere for unauthorized users to access. Since there isn't a written record matching the PINs with the account numbers, the PINs are much safer. But on the other hand, if the key is not safeguarded and the algorithm is known, then the unauthorized person would have access to all the accounts that he had account numbers for.


          ACCOUNT NO.    +    KEY    +    ALGORITHM    =    PIN

			Method 1: Bank Generated PIN

If the bank generated the PINs, there's the problem of distributing them. The PINs and the cards have to be kept physically separate to ensure that no one could gain possession to both. If someone gets both, that person has the ability to make "authorized" transactions, even though he's not an authorized card holder. One way the banks do this is to send the card first through the mail. Then the PINs are sent around 10 days afterwards. Both items are sent in unidentified envelopes, meaning that the banks name is not printed on them. Also, the return address on the envelope for the card and the one containing the PIN are different. This keeps the card and the PIN physically separate if the mail gets returned. Not only does the mail have to keep the PINs and the card physically separate, but the bank also has to make sure that the same people do not have access to both the cards and the PINs. The reason for this is obvious. This limits access to both the card and the PIN to the authorized user.

The second method is if the customer generates the PIN. If only the customer generated PIN allowed access to the account, then logs corresponding to the account numbers and the PINs would have to be kept. This defeats the purpose of having PINs by opening up other security risks. But on the other hand, if the bank generated a PIN and had a correlation between the customer generated PIN and the bank's PIN through a secret offset number, then the procedure would still be secure. Another method that is used with customer generated PINs is to use that PIN as the key for the algorithm. Then the key, the algorithm, and the account number would produce a reference number to permit the transaction. There are advantages to having the customer select the PIN. The first one is that it's better for customer service. The customer can pick a number that he likes and use it as the PIN. Even though this is better for the bank's public relation, it's also a risk in the sense that the customer tends to pick numbers that are significant to him and are easily guessed. These numbers include birth dates and other significant dates. The same risk involved in letting the user pick a password versus a computer generated password are present here. Afterall, the PIN is essentially a password for the ATM. The second advantage is that it limits the bank's liability. If the PIN is customer generated, the bank doesn't have to have a separate key that it's responsible for. In this case, the customer is responsible for the PIN that was chosen and has the responsibility to protect it.


               CUSTOMER  ==>  PIN

               PIN = KEY

               KEY   +   ALGORITHM   +   ACCOUNT NO.   =   ACCESS

			Method 2: Customer Generated PIN

Other means to safeguard authorized transactions is to have the ATM confiscate the ATM card when the person's account is on the negative side and getting the ATM card back when a customer closes his account. This limits the possibility of the customer trying to withdraw money when the ATM is off-line. If the ATM is off-line, the ATM can't validate the transaction with the bank to ensure that there are funds in the account. This was one of the faults of offline transactions that people capitalized on. According to the article, "Legal Implications of ATMs" (Penn, 43), a man in Australia closed his account at the Savings Bank of South Australia and kept his ATM card. When the ATM was offline, he used the card to withdraw $200. He was convicted of larceny in this case, but it shows the vulnerability of offline transactions. Even though the amount was limited to only let cardholders withdraw $200, that's still a liability. That's why some institutions only allow online transactions to be authorized. If the ATM can't verify transactions real time, then the ATM closes or the transaction doesn't complete, depending on how long the ATM is down. Another method, besides limiting offline transaction withdrawals, is to read and write data on the magnetic strip to keep track of how much money was withdrawn. This prevents a person from going from one offline ATM to another offline ATM and withdrawing the maximum allowed amount from each ATM. But even so, this still incurs a liability.

Maintenance Procedures

As is evident from the story in the introduction about the Wells Fargo employee and the $740,000 that was missing, security measures must be in place to protect from insiders. One way to do this is to use dual access control. If the safe has 2 locks, which can be a key and a combination, 2 keys, or 2 combinations, don't let one person have single access. Don't let one person have the means to open both locks. This was the fault of allowing the newly hired Wells Fargo employee have access to the key and the combination. Maybe the procedures didn't give him access to both, but somehow he gained access to both. This shows the importance of keeping each one separate and making sure that there are measures in place to prevent one person from gaining single access.

Dual access control can be very effective if implemented properly. First of all, to commit the crime it takes 2 consenting people. With another person involved, it increases the risk of getting caught. First of all, how do you approach the other person to even construct a plan for a criminal act? That person might turn you in before you can even discuss it. Second, if that person is willing to be a partner in crime, how can you be sure that the other won't squeal when you're caught? You can't, especially if the DA is willing to plea bargain if evidence is given to convict the other person of the crime. Also since there's 2 people involved, it takes more planning and there's more of a possibility that someone will make a mistake and get caught.

Dual access control not only protects the bank from insiders but also protects from outside criminals. The criminal has to get information from 2 different people in order to gain access to the safe. If both people are not present at the time of the robbery, the safe can't be opened. This is both good and bad. It's good in the fact that one person does not have sole control over opening the safe. But on the other hand, it's bad because one key holder's life is dependent upon the other person giving up the key so that the safe can be opened.

Not only does the bank have to protect from insiders, but it also has to protect those who do maintenance on the ATM. Since the ATM has to be replenished with money and maintenanced, security measures have to be in place to protect the service teams from attack. They are especially vulnerable because the ATMs are out in the open. Measures such as using 2 member service teams can be employed or even hiring third party vendors who specialize in ATM servicing. Hiring the right people in the first place is the first step in reducing risks. Education and training of the personnel follow. Precautions such as keeping a low profile when commuting to service the ATM can be taken as well as having distress devices that the personnel can use to signal the police if a situation should arise. These distress devices can be in the form of panic buttons, radios in the ATM vehicle, hand radios, or hidden devices such as pendants that can trigger an alarm. Also the use of codes when entering and exiting the ATM site can signal that everything's OK or if there's a problem.

Safety when using ATMS

In order to ensure that ATM crimes are kept to a minimum, it requires the cooperation of both the bank and the customer. The customer has to exercise some responsibility in safeguarding the PIN and exercising caution when using the ATM. There are basic safety tips that are passed out on standard brochures to customers. These tips include:

     1)   keeping your PIN a secret, which includes not writing it down;
     2)   being aware of your surroundings;
     3)   parking in a well lit area;
     4)   looking around and if something seems suspicious, don't use that ATM;
     5)   not displaying cash.
Banks are required to provide education on the use of ATMs. This is done mainly through the distribution of ATM safety brochures. There have been cases where the bank was liable for ATM crimes. By educating the public and doing all that the bank sees possible to limit ATM crimes, it also reduces their liability.

Teller Security

Another area of potential risk are the tellers. What measures are in place to protect the bank from immoral tellers? Are there any open gaps through which crimes can be committed and not be caught? Since these transactions are all computerized, is there any way that a teller can falsify transactions and get away with it? Afterall, financial records are now just bytes of data in a database. Paper money is hardly used, now that electronic banking is taking over.

On the flip side, the bank has a responsibility to protect tellers from criminal acts. Because the tellers do have privilege access to financial records and money, what does the bank do to prevent crimes against the tellers?

Security from the Tellers

Just as dual access protects the ATMs during servicing, dual access to the safes provide security from the tellers. What about the possibility of skimming money off the top? At one financial institution, every teller has his own register for which he is responsible. Each teller counts the money after his shift and balances it with what the transaction log says it should be. The tellers at this one financial institution is allowed to be off by $1. If the teller tried skimming off the top, a pattern would result and the teller could be caught. The branch manager monitors teller activity. Furthermore, there are surprise audits every week by the supervisor, plus surprise audits by the auditing section.

Could a teller cipher money to his account since the financial record is just a bunch of bytes in a database? Even though this is electronic banking and there isn't any paper trail, there's still an electronic audit trail. Each teller has to sign on and off to the terminal using his login and password. Therefore, there is an audit trail that could be monitored. There was one story about a whole branch office that was suspected of criminal activity. There was missing money from accounts and it appeared that every teller at the branch office was involved. It started with one customer coming in and saying that the bank made a mistake and that x amount of dollars was missing from her account. The teller said that she would look into it, and the customer said that when it happened last time, Susie was the one who fixed her account. When the transactions for this account were looked at, there were unauthorized transactions listed using every tellers login. The financial institution never had this happen before. They were amazed that the whole branch was involved. What was going to be done? Would the whole branch be fired? When the problem was looked into further and each teller was questioned, they all had admitted to letting Susie use their login. Susie had made up one excuse after another and asked to use the login of another teller. Each teller allowed her to do so, and therefore the transaction had the other teller's login on the audit trail.

This story brings up 2 points. First it shows the importance of not allowing anyone access to a computer system using your login. Second it shows that audit trails from the logins provide a good mechanism to hold people accountable for their actions, as well as recreating a sequence of events.

Security of the Tellers:

Not only does the bank have to provide for security from the tellers, but it has to provide for security of the tellers. The tellers are the ones in jeopardy when a bank is robbed. They are the ones at risk since they are the ones who have access to the money. So what measures are in place to protect the tellers? There are procedures that are given to the tellers that describe what to do before, during, and after a bank robbery. For example, after a bank robbery, the person with the most contact with the bank robber is to talk to the police and no one is to talk about the events before writing a full detailed account of the robbery. This makes sense because third party stories tend to lose some of the accuracy and detail. Furthermore, if people talk about the events, each person's account might be skewed because of the conversation. This is almost like preserving the crime scene and keeping the stories as pure as possible. Everyone's perception of what happened might be different and if the views are shared, one view may persuade the other to change or confuse his perception.

Conclusion

There are many facets to ATM security. It has such a broad range of topics that there are thick handbooks that covers ATM security from everything to the machine itself and preventing crime to safeguarding the customer using the ATM. I have tried to give an overview and report on topics of interest in this report. I also touched upon teller security. Some of the security measures are as simple as procedures that have to be implemented correctly, such as dual access control, whereas others might be physical devices that have to be bought. However, one thing that is very clear, is that ATM security has evolved over the years and will continue to do so given the advances in technology.

Bibliography

ATM Crime & Fraud in the 1990's: The facts, the options and your security plan. (a seminar book)

Bank Administration Institute Task Force on ATM Crime. ATM Security Handbook. Rolling Meadows, IL: Bank Administration Institute, 1988.

Barber, Phil. "Reno bank job nets $740,000." Reno Gazette-Journal 6 November 1990: 1A.

Interviews of an ATM Coordinator and Head Security at a Financial Institution.

Penn, Graham. "Legal Implications of ATMs." Banking World January 1989:43.

Procedures from a Financial Institution.

Russell, Deborah and Gangemi, G.T. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.

Schreiber, F. Barry. ATM Security in the 1990s. Electronic Funds Transfer Association, 1990.

Tracey, Brian. "Security Chiefs Examine ATM Fraud Trends." Computers in Banking. June 1987: 28+.