The future of ATM transactions: Old school meets new school security

By David Beach | 25 October 2017

In 1967, the first ATM hit the UK’s high streets. 50 years on, David Beach, reporter at bobsguide, attended RBR's ATM & Cyber Security event in London, slightly sceptical as to where ATMs fitted into an oft-predicted cashless society. With the rise of biometrics and Big Data, surely that is the only layer of defence needed?


For all the articles that fintech journalists write predicting the demise of in-branch banking or the soon to be extinct cold, hard cash, we can never quite fully exorcise it. At least, we’re somewhat naively surprised that, in a world offering small payment contactless and a range of wearables, people continue to use cash. Despite cash surviving the many cashless prophecies, it too has seen an innovation from paper to polymer to combat counterfeit.

Where does that leave the future of transactions?

Just as video killed the radio star, much the same has been said for contactless payments and cash. Nominal cash amounts have certainly taken a hit since contactless was first introduced to the UK mainstream by Barclays in 2007, falling behind card payments for the first time for total transactions. Naturally, ‘wave and pay’ is far easier for the trendy urban dweller in a rush to grab a flat white on the way to the office rather than count out the coins. Or, more accurately as Dominic Hirsch, Managing Director of RBR, puts it: “More and more payments will happen on contactless and cards, but there is this segment that will stay relatively flat for the grey economy”. He also conitunues describing how contactless wasn’t necessarily replacing cash, but instead “insert card” situations.

Whilst the fintech sector s willing the public to embrace innovative payment options, it would be naive to assume the majority of society was equally optimistic. Cash still remains the lifeline of the unbanked population - some 1.5 million adults in the UK. It is fairer to suggest that contactless technology will cap the uses of cash but not eradicate it completely. Thus, it is premature to predict the demise of high street ATMs.

How to protect the ATM bridge between effectively offline and online worlds becomes the conundrum.

The ATM, as a physical terminal in a network worth billions, has attracted much interest from criminals; both the highly skilled and the less so. The advent of ATMs presented criminals with a smaller version of a bank safe which was far more accessible and far less risky a target. This inevitably led to a scaling up of hardware; stronger steel casing and more elaborate locking systems. But what good is all of that if the criminal already has the key?

Strengthening the backend: ATM network security

Just as cybersecurity has evolved, so too have cyber criminals adapted to gain a one-up on law enforcement. Where old-fashioned bank robbers would use crowbars to prize open the bank’s safe, sheer force has been the modus operandi for decades. Indeed, according to Carlos Moreira of SIBS, 83% of off-site external ATM breaches resulted from ram raids. The last decade has seen a great reduction in the risk, to the point where the only cost is repairing the damage and restoring the ATM.

Of more concern, with the rise of hacking, is the vulnerable network behind each ATM terminal. 2017 has seen its fair share of malware, with the Wannacry ransomware attack, and ATMs are no different. Whilst ram raiders pose a relatively small financial risk, malware criminals are a different kettle of fish. Criminals exploit the doorways to the entire network and control ATMs remotely using a black box attached internally with a single command: release cash. In 2016, the criminal Cobalt Group infected various ATMs across Europe, including the UK, with jackpotting malware that emptied the entire contents of the ATM on demand into the cash mule’s bag. Here the unpredictable nature of the ‘take’ and dormant infection make catching the criminals in the act all the more difficult.  

In response to the increased commercialisation of malware kits on the black market, ATM network security has scaled up, looking to Big Data analysis to pinpoint ATM attacks. Fabrizio Pinna, of Bradesco bank Brazil, outlined the geographical challenges of real time police response to ATM attacks. Big Data fills this vacuum, providing a holistic overview of the network and reducing the random nature of the attacks. Rafael Revert, of Cyttek, suggests it is an arms race between criminals and law enforcement, and malware attacks will continue with greater degrees of complexity as their threat rises into 2018.

Biometrics the way forward?

“Less than five years ago, even at an ATM security event, people were reluctant about using fingerprint technology”, Dominic Hirsch explains. It is something that advocates of biometric security have had to contend with; the public are a hard lot to convince. “We’re talking about the most personal of people’s data” Alan Goode, CEO of Goode Intelligence, outlined the cultural reticence towards the adoption of biometric authentication. He goes on to separate two important distinctions when it came to biometrics and payments. The first sees biometrics as an added layer of authentication rather than as fraud prevention.

The widespread use of biometric fingerprint authentication may be some time in picking up traction. Neil Thompson, COO of the South African ABSA bank’s retail payments division, spoke candidly about the practical difficulties of rolling out a bank card fitted with a fingerprint sensor. Whilst the test phase only saw a 79% authentication success rate, many of the issues they faced will be fixable and have not deterred their next card update in early 2018.

Were smartphones more widespread in South Africa, ABSA bank might have elected to use them over cards. Alan Goode explains how combining the greatly improved and widespread smartphone technology could be the most secure and cost effective way for banks to use biometric verification, weeks after Apple introduced its new facial recognition technology.

“The smartphone’s data storage capabilities can provide a 180 degree view - this is when the sensor takes a composite image of your finger which is far more complicated to replicate fraudulently”.

He goes on to add how it is possible to gain a subdermal view of the vein network, providing under-the-skin imagery which tests the finger for ‘liveness’. It can also distinguish a cold or wet finger. Gone are the days where sticky tape can lift fingerprints and the statistics certainly back up the fact that biometric authentication drastically reduces spoofing fraud. He also demonstrates how expensive issuing biometric cards would be from the perspective of card management and manufacture, and how CitiBank are trialling a no-button ATM operated by users’ smartphones.

Why if it ain’t broke still applies

It is here that Alan Goode, as well as the majority of speakers, pumps the brakes on using biometrics as a be-all and end-all solution to card security. “It’s all about security in depth. You can’t rely on one single technology. Biometrics will bypass spoofing and scraping but it’s more for convenience”. Returning to the initial conundrum, of protecting the ATM, it may be that the tried and tested ways are the best and biometrics will be a nice and easy replacement for One-time-passcodes, chip & pin and memorable data.

Intelligent banknote Neutralisation systems (IBNS) have been around since the early 80s. After several years in research and development, the technology has come a long way in providing a simple deterrent to criminals. The AI, open architecture computer detects when an attack is underway and releases an explosion of indelible dye, marking the notes within the ATM as stolen. A spokesperson for Smartstain, an intelligent IBNS solution employed in 25% of the multibanco network, explained how, for all physical attack scenarios, 100% of the notes were stained on at least 30% of their surface. This all but eliminates the potential reward for the robbery whilst the marked and traceable money maximise the risk, deterring criminals. This deterrant is not just applicable in ATMs, IBNS can be deployed throughout the physical cash delivery chain and provide protection against Cash-in-Transit (CiT) attacks; not only does this strengthen the most vulnerable link in the cash distribution cycle but it also prevents harm to personnel.

The future - old school security, new school authentication

It would seem that the consensus of the event sees a blend of old school ink staining backed up with quickly evolving Big Data analysis of networks, whilst biometrics provides a consumer-convenient and non spoofable form of payment authentication. For the UK at least, the task becomes normalising biometrics at ATMs with consumers, both allaying any negative connotations with personal data and educating consumers on best practice in fraud protection. However, Dominic Hirsch believes biometric technology and cybersecurity is evolving so quickly you cannot rely on any consumer education keeping up to date. As a line of defence, he anticipates continued growth in network and system security, whilst biometric authentication is more likely to integrate with online or mobile payments rather than ATMs.