According to a May 1987 ATM Security Survey conducted by California Bankers Association (Schreiber, 11), there were 176M transactions in 1984 and 372M transactions in 1986. In those 2 years, the number of transactions more than doubled. But it has to be noted that in the survey for 1986, there were 4 more banks that reported data than in 1984. Even so that's still a significant increase in the use of ATMs. During that time, the number of reported ATM crimes rose from 55 in 1984 to 195 in 1986. Comparing the number of reported ATM crimes with the number of transactions that were completed, it really isn't that bad. But a comparison of numbers can be deceiving. What if one ATM crime can net $35,000? According to the article "Security Chiefs Examine ATM Fraud Trends" (Tracey, 32), that's exactly how much money one person was able to steal before he was caught. This person was a former employee of an ATM manufacturer and he had access to a card encoder. He obtained the PINs and account numbers for accounts at a New York City Bank and was able to make counterfeit cards. Because the PINS are encrypted now, it's not possible to do this today. But the fact remains that it doesn't necessarily matter how many crimes are committed involving ATMs. The amount lost by the bank also has to be taken into consideration to fully understand the impact of the crimes.
More recently and even more to the point is another story that was written about in the Reno Gazette-Journal on November 6, 1990. The headline reads "Reno bank job nets $740,000". The criminals in this story involved one insider who worked for Wells Fargo Armored and ATM Repair Service and four other people. The insider was newly hired by Wells Fargo and was part of a team that delivered the $740,000 to the ATM for storage on October 24, 1990. Later that day, the alarm for the ATM was triggered. But when the police came, they didn't see any signs of entry and they left. The alarm was reset by the bank, and the next morning the money was discovered missing. A specific key and combination was needed to gain entry, so the investigation focused on Wells Fargo employees. In the end, the FBI was able to recover little less than half of the money, but there was still $350,000 missing. Since both a specific key and a combination was needed, how did one employee have access to both? What happened to dual access control? Did it fail in this instance? Or was it never in place? Or is dual access control a result of crimes like these?
Because ATMs are a part of our daily lives by allowing us access to cash and other financial information, it's important that we understand the security risks and the measures in place to protect our money. Along the same lines, it's important that we understand the security measures around tellers. Afterall, they are the ones who have access to all the account information in the database and access to a potentially large sum of paper money. They have financial histories at their fingertips. They enter in transactions for the customers. Is there some way fraudulent transactions could be entered? Is there any way that money could be skimmed? What measures are in place to protect us from the tellers who are behind the counters?
Not only do we have to consider security from the tellers, but security of the tellers. Precisely because they do have access to large sums of cash and financial information, what danger does that put them in? What measures are in place to protect the tellers from bank robbers? These are some of the questions that I would like to address in this paper.
So is an ATM absolutely secure from physical attacks? Just like no computer system is completely secure, an ATM is not completely secure. Surprisingly though, some ATMs can be broken into in 15 minutes given the proper tools and the ideal situation. This is indicated by ratings of ATMs as TL-15 or TR-30. The TL indicates the ability to resist break-in by tools. The TR indicates the ability to resist entry using torches. The number that follows these parameters indicate the time that it would take to break into an unalarmed ATM given the proper tools and ideal environment. Since it's only supposed to take 15 minutes to break into an ATM rated as TL-15, why then could the criminal in Norfolk not get to the money in the ATM? Most do not have the proper tools, ideal conditions, or knowledge of the weak areas.
To illustrate the importance of proper tools and knowledge, listen to this story about Travis Scott Loofbourrow. Loofbourrow "used his skills as a mechanical engineer to defeat ATM enclosure alarm systems, door locks, and eventually the ATM vaults themselves" (Schreiber, 7). He had the knowledge to do this. He was a mechanical engineer. Furthermore, he had the tools. He "used a burning bar on ATM vaults initially, and then moved to industrial magnetic drills in later ATM burglaries, and finally began manipulating the lock and combinations on the ATM chests themselves" (Schreiber, 7). Loofbourrow had the know how and the tools to commit the crimes. However, he was caught in 1987, the same year when the crimes were committed. Even though he had the proper tools and the knowledge, that didn't prevent him from getting caught. There were other measures in place.
As seen from the Loofbourrow story, proper tools and knowledge is not enough. The environment of the ATM plays a major role as well. So physical security not only involves the material construction of the ATM, but it also involves everything that makes it harder for a criminal to do damage without being caught. Keeping the area well lit and free from obstructions are physical security measures as well, since criminals don't want to be caught in the act. There are several documents that dictate ATM security standards - The Bank Protection Act of 1968, the California Legislature Assembly Bill #244 introduced on Jan. 10, 1989 and last amended in Senate, August 15, 1990, and the Federal Reserve Regulation P. These documents discuss everything from the materials that the ATMs are made of to the ATM's surroundings. The Assembly Bill #244 discusses the environment of the ATM, such as the landscaping of the surrounding area and the lighting around the ATM.
By controlling the environment of the ATM, the potential for ATM crimes can be minimized. By regulating the landscaping near the ATM, the number of hiding places for a criminal can be controlled. Big bushes that could hide criminals can be cut down and replaced with little bushes. This minimizes the ability of the criminal to hide, commit a crime, and get away with it. So with this measure alone, the criminal can be deterred. Also, by regulating the lighting around the ATM, the chances that a criminal can be caught is increased due to higher visibility. Furthermore, enhanced lighting produces better pictures for the cameras.
Video cameras used in the ATMS can protect both the consumer and the bank. It can protect the consumer and the bank by recording the criminals on tape, so that they can be caught and prosecuted later. Just the possibility of being caught on tape might be enough to deter criminal acts. How can one dispute a tape that clearly records the crime and the criminal? This shows the importance of good lighting and focusing the camera so that good pictures are taken.
Minimizing ideal conditions not only involves controlling the physical environment of the ATM but also the amount of time that the criminal has to commit the act and get away. Since time is a major factor in committing crimes, there are several simple deterrents. One of these is using time locks and relocking devices. If time locks are used, no criminal is going to wait around for the time to elapse. Similarly, relocking devices add another mechanism that has to be broken through in order to get to the money. Breaking through the relocking device may or may not be possible. But the time that it takes to do so will be taken into consideration and the criminal may deem it too risky to try.
Without ideal conditions, the time that it takes to break into the ATM increases as well as the chances of being caught. Therefore, ideal conditions are a major factor in the ATMs being broken into in 15 minutes by experts - so much so that the upper limits for cash is increased if the ATMs are alarmed. One financial institution increases the limits on the amount of money that it's allowed to contain depending on whether or not the ATM is alarmed and what the rating of the alarm is. For example, an IBM ATM is allowed to hold $100,000 without an alarm, $150,000 with an alarm that has a rating of "A", and $350,000 with an alarm that has a rating of "AA". With an NCR ATM, the amount of money that it's allowed to contain is the same as that for the IBM ATM except that without the alarm, the NCR ATM is allowed to hold $40,000 more, giving it a limit of $140,000 unalarmed.
As illustrated, the physical security of the ATM not only entails the strength of the material used to make the ATM, but also any measures that can be used to deter the individual from breaking into it.
Another way to ensure accuracy it to use the video tape from the ATM and the transaction log to create a replay of the transaction. By recording who commits a certain transaction and synchronizing the clocks so that the ATM transaction log matches the time on the video, a detailed replay of events can be made. How can a video tape with a supporting transaction log be disputed? This is another way to ensure accuracy when there are disputes about unauthorized transactions or crimes.
On the ATM card itself there are data stored in 3 tracks on the magnetic strip. On Track 1, the person's name and account is stored. The information on this track is not used for the ATM transaction but for the user interface. When your name shows up on the screen of the ATM, it is because the computer is reading the data on Track 1. On Track 2, the person's account number and expiration date is stored. There is also space for other information on Track 2 which the on-line application uses for processing. On Track 3, user data that can be updated by the ATM during off-line applications is stored. So in general, four pieces of information are available on the magnetic stripe. Those four items are the person's name, the expiration date of the card, the account number, and the encrypted PIN. I think Track 3 contains the encrypted PIN, but I'm not sure.
Since the card contains all the information needed to gain access to the account, how are ATM transactions limited to authorized users? This is done through the use of PINs. When a customer wants to use an ATM, the access control steps of identification, authentication, and authorization are used. The person identifies himself as a customer by inserting the ATM card into the machine. Then the ATM needs to verify that this is an authorized user. The customer has a card, which can sometimes be an access control in itself. But because of the vulnerabilities of the ATM card, merely having the card is not enough. The magnetic strips on the cards can be copied. So to minimize the risk of unauthorized people using the ATM card, both the ATM card and the PIN have to be entered into the ATM. So even if an unauthorized person gains access to the card or copies the data from the magnetic strip on the card, the person can't do any transactions without the PIN. When the ATM asks the customer for the PIN and it's entered incorrectly, it tells the system that the customer is supposed to be an authorized user. However, this is not completely secure. An unauthorized person could have both, but for transaction purposes, the person who has the PIN and the card is an authorized person to the ATM. That's why it's important that the PIN is safeguarded.
Where does the PIN come from? There are 2 methods in generating the PIN. The bank can generate the PIN or the customer can. The bank takes the account number, a key, and an algorithm to generate the PINs. By having an algorithm and a key, paper records of the PINs don't have to be kept - therefore limiting the risk of people finding out the PINs. The PINs can be regenerated given the account number, the algorithm, and the key. Therefore, only the key has to be safeguarded. This is a security measure as well as a risk. It's a security measure in that each individual PIN is not recorded somewhere for unauthorized users to access. Since there isn't a written record matching the PINs with the account numbers, the PINs are much safer. But on the other hand, if the key is not safeguarded and the algorithm is known, then the unauthorized person would have access to all the accounts that he had account numbers for.
ACCOUNT NO. + KEY + ALGORITHM = PIN Method 1: Bank Generated PINIf the bank generated the PINs, there's the problem of distributing them. The PINs and the cards have to be kept physically separate to ensure that no one could gain possession to both. If someone gets both, that person has the ability to make "authorized" transactions, even though he's not an authorized card holder. One way the banks do this is to send the card first through the mail. Then the PINs are sent around 10 days afterwards. Both items are sent in unidentified envelopes, meaning that the banks name is not printed on them. Also, the return address on the envelope for the card and the one containing the PIN are different. This keeps the card and the PIN physically separate if the mail gets returned. Not only does the mail have to keep the PINs and the card physically separate, but the bank also has to make sure that the same people do not have access to both the cards and the PINs. The reason for this is obvious. This limits access to both the card and the PIN to the authorized user.
The second method is if the customer generates the PIN. If only the customer generated PIN allowed access to the account, then logs corresponding to the account numbers and the PINs would have to be kept. This defeats the purpose of having PINs by opening up other security risks. But on the other hand, if the bank generated a PIN and had a correlation between the customer generated PIN and the bank's PIN through a secret offset number, then the procedure would still be secure. Another method that is used with customer generated PINs is to use that PIN as the key for the algorithm. Then the key, the algorithm, and the account number would produce a reference number to permit the transaction. There are advantages to having the customer select the PIN. The first one is that it's better for customer service. The customer can pick a number that he likes and use it as the PIN. Even though this is better for the bank's public relation, it's also a risk in the sense that the customer tends to pick numbers that are significant to him and are easily guessed. These numbers include birth dates and other significant dates. The same risk involved in letting the user pick a password versus a computer generated password are present here. Afterall, the PIN is essentially a password for the ATM. The second advantage is that it limits the bank's liability. If the PIN is customer generated, the bank doesn't have to have a separate key that it's responsible for. In this case, the customer is responsible for the PIN that was chosen and has the responsibility to protect it.
CUSTOMER ==> PIN PIN = KEY KEY + ALGORITHM + ACCOUNT NO. = ACCESS Method 2: Customer Generated PINOther means to safeguard authorized transactions is to have the ATM confiscate the ATM card when the person's account is on the negative side and getting the ATM card back when a customer closes his account. This limits the possibility of the customer trying to withdraw money when the ATM is off-line. If the ATM is off-line, the ATM can't validate the transaction with the bank to ensure that there are funds in the account. This was one of the faults of offline transactions that people capitalized on. According to the article, "Legal Implications of ATMs" (Penn, 43), a man in Australia closed his account at the Savings Bank of South Australia and kept his ATM card. When the ATM was offline, he used the card to withdraw $200. He was convicted of larceny in this case, but it shows the vulnerability of offline transactions. Even though the amount was limited to only let cardholders withdraw $200, that's still a liability. That's why some institutions only allow online transactions to be authorized. If the ATM can't verify transactions real time, then the ATM closes or the transaction doesn't complete, depending on how long the ATM is down. Another method, besides limiting offline transaction withdrawals, is to read and write data on the magnetic strip to keep track of how much money was withdrawn. This prevents a person from going from one offline ATM to another offline ATM and withdrawing the maximum allowed amount from each ATM. But even so, this still incurs a liability.
Dual access control can be very effective if implemented properly. First of all, to commit the crime it takes 2 consenting people. With another person involved, it increases the risk of getting caught. First of all, how do you approach the other person to even construct a plan for a criminal act? That person might turn you in before you can even discuss it. Second, if that person is willing to be a partner in crime, how can you be sure that the other won't squeal when you're caught? You can't, especially if the DA is willing to plea bargain if evidence is given to convict the other person of the crime. Also since there's 2 people involved, it takes more planning and there's more of a possibility that someone will make a mistake and get caught.
Dual access control not only protects the bank from insiders but also protects from outside criminals. The criminal has to get information from 2 different people in order to gain access to the safe. If both people are not present at the time of the robbery, the safe can't be opened. This is both good and bad. It's good in the fact that one person does not have sole control over opening the safe. But on the other hand, it's bad because one key holder's life is dependent upon the other person giving up the key so that the safe can be opened.
Not only does the bank have to protect from insiders, but it also has to protect those who do maintenance on the ATM. Since the ATM has to be replenished with money and maintenanced, security measures have to be in place to protect the service teams from attack. They are especially vulnerable because the ATMs are out in the open. Measures such as using 2 member service teams can be employed or even hiring third party vendors who specialize in ATM servicing. Hiring the right people in the first place is the first step in reducing risks. Education and training of the personnel follow. Precautions such as keeping a low profile when commuting to service the ATM can be taken as well as having distress devices that the personnel can use to signal the police if a situation should arise. These distress devices can be in the form of panic buttons, radios in the ATM vehicle, hand radios, or hidden devices such as pendants that can trigger an alarm. Also the use of codes when entering and exiting the ATM site can signal that everything's OK or if there's a problem.
1) keeping your PIN a secret, which includes not writing it down; 2) being aware of your surroundings; 3) parking in a well lit area; 4) looking around and if something seems suspicious, don't use that ATM; 5) not displaying cash.Banks are required to provide education on the use of ATMs. This is done mainly through the distribution of ATM safety brochures. There have been cases where the bank was liable for ATM crimes. By educating the public and doing all that the bank sees possible to limit ATM crimes, it also reduces their liability.
On the flip side, the bank has a responsibility to protect tellers from criminal acts. Because the tellers do have privilege access to financial records and money, what does the bank do to prevent crimes against the tellers?
Could a teller cipher money to his account since the financial record is just a bunch of bytes in a database? Even though this is electronic banking and there isn't any paper trail, there's still an electronic audit trail. Each teller has to sign on and off to the terminal using his login and password. Therefore, there is an audit trail that could be monitored. There was one story about a whole branch office that was suspected of criminal activity. There was missing money from accounts and it appeared that every teller at the branch office was involved. It started with one customer coming in and saying that the bank made a mistake and that x amount of dollars was missing from her account. The teller said that she would look into it, and the customer said that when it happened last time, Susie was the one who fixed her account. When the transactions for this account were looked at, there were unauthorized transactions listed using every tellers login. The financial institution never had this happen before. They were amazed that the whole branch was involved. What was going to be done? Would the whole branch be fired? When the problem was looked into further and each teller was questioned, they all had admitted to letting Susie use their login. Susie had made up one excuse after another and asked to use the login of another teller. Each teller allowed her to do so, and therefore the transaction had the other teller's login on the audit trail.
This story brings up 2 points. First it shows the importance of not allowing anyone access to a computer system using your login. Second it shows that audit trails from the logins provide a good mechanism to hold people accountable for their actions, as well as recreating a sequence of events.
Bank Administration Institute Task Force on ATM Crime. ATM Security Handbook. Rolling Meadows, IL: Bank Administration Institute, 1988.
Barber, Phil. "Reno bank job nets $740,000." Reno Gazette-Journal 6 November 1990: 1A.
Interviews of an ATM Coordinator and Head Security at a Financial Institution.
Penn, Graham. "Legal Implications of ATMs." Banking World January 1989:43.
Procedures from a Financial Institution.
Russell, Deborah and Gangemi, G.T. Computer Security Basics. Sebastopol, CA: O'Reilly & Associates, Inc., 1991.
Schreiber, F. Barry. ATM Security in the 1990s. Electronic Funds Transfer Association, 1990.
Tracey, Brian. "Security Chiefs Examine ATM Fraud Trends." Computers in Banking. June 1987: 28+.