Transaction Denied: How to Mitigate ATM Crime Risks
While out on a job fixing some vandalized automatic teller machines (ATMs) in Fargo, North Dakota, earlier this year, a Diebold Nixdorf technician noticed something peculiar. A vehicle appeared to be following him from ATM to ATM.
The technician called his contact at Gate City Bank—Robert Ross, vice president of office services and security—to raise the alarm on the suspicious vehicle.
Ross worked with the security team to pull up video footage of the vehicle, which matched the description of the car that the person suspected of vandalizing the ATMs had been using. He alerted the police, and the vehicle’s operator drove away before ultimately being arrested in Montana a week later.
Due to the technician’s vigilance, the security team was able to step in and prevent the suspicious activity from escalating into what has become an ongoing crime issue in the United States: criminals targeting ATMs to steal cash without setting foot inside a bank.
An Introduction to ATMs
The ATM made its debut on 27 June 1967 at a Barclays branch in London, England.
In simple terms, ATMs are computers with dispensers that distribute cash to customers.
ATMs are commonly placed outside at bank branches, either as a drive-through option—popular in the United States—or as an exterior walk-up option. To use the ATM, customers insert a bank card into the ATM’s card reader slot. They are then instructed to enter a PIN code and issue a prompt, such as “withdrawal $100” from their bank account.
The ATM’s mainboard will then send a unique Europay, Mastercard, and Visa (EMV) transaction code, the PIN, and the transaction through the modem that connects the ATM to a network associated with the customer’s card to determine whether the transaction is approved.
If authorized, the ATM will then dispense cash to the customer—a process that requires the cash dispenser to individually remove bills from cassettes inside the ATM’s safe.
“The dispenser is an ultra-sensitive piece of equipment that determines if each bill is of the right size and thickness to ensure that only one bill is dispensed at a time,” according to National ATM Systems.
The amount of cash in an ATM at any time can vary drastically depending on the size of the machine itself, the number of customers who have deposited into the machine, and the number of individuals who have made withdrawals.
When fully loaded, however, some ATMs can hold as much as $200,000, Ross says, making them a lucrative target for criminals if the machines are not hardened against both logical and physical attacks.
The American Banking Association (ABA) breaks ATM attacks into seven different categories:
Cash trapping. Criminals insert a device into the slot where cash is dispensed, stopping the ATM’s shutter so cash is not transferred to authorized customers upon request. After the customer leaves, the criminals then retrieve the collected money.
Explosive attacks. Criminals use force—including the use of explosives or gas—to open an ATM and access its cash.
Jackpotting. Using physical access to the ATM, criminals download malware onto the device’s hard drive—or attach a separate hard drive with malware on it—to control the ATM’s cash dispense ability.
Shimming. Criminals place a device into the ATM’s card reader that can manipulate or intercept data that passes between customers’ payment cards and the ATM’s chip interface.
Skimming. Criminals place a device on the ATM card reader slot that scans and records data from the magnetic strip of a customer’s card, which can be used to create a copy of the card.
Robberies of ATM service technicians. Criminals target service technicians while working on ATMs to gain access to the cassettes within the device’s safe, and ultimately the cash inside.
Unlimited cash-out operations. Criminals use malware to manipulate the ATM, remove daily transaction limits, and withdraw cash.
In a letter to U.S. lawmakers, the ABA said that “hook and chain” and “ram raid” attacks are methods that criminal groups have used to break into ATMs for years.
“Criminals often use stolen personal and commercial vehicles, including construction equipment, to physically remove ATMs from their base and access the safe,” according to the letter. “Regardless of whether the criminals are successful in accessing the cash, these often result in a loss of service to the community while the ATMs (and the surrounding areas) are repaired or replaced.”
The ABA also said that it had noted an uptick in criminals targeting ATMs as banks and financial institutions deploy “stronger internal and external defenses” to protect from attacks.
This is far from an America-specific problem. In Europe in 2023, for instance, physical attacks on ATMs were up 24 percent (from 3,728 to 4,637 incidents) and resulted in losses of €9 million ($10 million), according to the European Association for Secure Transactions Ltd (EAST).
“The rise in ATM physical attacks is mainly driven by an increase in non-specific attacks, primarily vandalism,” said EAST Executive Director Lachlan Gunn. “Vandalism attacks are often evidence of criminal research and development for other attack types.”
In the United States in 2022, the most recent year for which data is available, the FBI collected data on 138 instances of crime involving a financial institution’s ATM—slightly down from the 254 instances reported in 2021. Not all ATM crime, however, is a felony in the United States and may not be reported to the Bureau.
If the ATM belongs “to a bank that is federally insured or a credit union that is federally insured, the FBI does keep statistics on it and does work those [cases] in field offices that work bank robberies,” says Adam M. Hoogland, unit chief, Violent Crime Unit, FBI Criminal Investigative Division.
But assaults on ATMs and rising levels of violent attacks are a criminal tactic that has banking security practitioners concerned. In March 2024, for instance, U.S. authorities charged a New Jersey man with using an explosive to damage a Chase Bank ATM in Prospect Park.
Nicolas Torres, 41, allegedly created an explosive using materials from fireworks purchased in Pennsylvania. Authorities narrowed their investigation to Torres after reviewing video surveillance from the bank and comparing it with cell phone location data.
Upping ATM Security
There are measures that security practitioners can take to make their ATMs more secure. Anchoring the machines in place can make it more difficult for a criminal to physically remove them. Enhancing lighting for exterior ATM solutions, such as bank branch drive-throughs and walk-ups, can also deter unwanted criminal activity. Having a high-quality, noticeable video surveillance system can both deter criminal actors and provide footage to the authorities.
But it also helps for the ATMs to have robust security features themselves. Diebold Nixdorf is one of the largest manufacturers of ATMs in the world, and security is an integral part of its business, says Jodi Neiding, vice president of Americas, Banking Portfolio, Diebold Nixdorf.
Its engineering team uses a security-by-design methodology when creating new products, as well as conducting penetration testing and providing life cycle management for devices that typically remain in operation for seven to 10 years, Neiding explains.
To protect its ATMs from physical attacks, Diebold Nixdorf uses a “detect, delay, neutralize philosophy,” she adds. Its products are designed to include a variety of options that provide monitoring and alerts, sent to a designated entity, should an individual attempt to assault or move the machine.
Its latest designs—the DN Series—are marketed as Diebold Nixdorf’s most secure. One of the enhanced features, called secure safe and note transport, eliminates direct access to the ATM’s safe. This means that the DN Series ATMs are more resilient to physical attacks leveraging hooks, as well as explosives—a tactic Neiding says has become popular in Europe and Latin America for breaking into ATMs.
“We’re seeing higher ram rates of criminals trying to push the ATM off, so we have different layers of high security space to have a higher resistance time,” Neiding says. “You want to delay the attack as long as possible. The longer it takes to breach, the more likely criminals will give up on it.”
Additionally, Diebold Nixdorf offers premium security features that customers can add on. There are hardware reinforcement options, as well as reinforced steel plating for the ATMs and higher lock options.
“And, ultimately if a bad guy gets access to the safe, we want to neutralize or render it useless, so there’s ink staining solutions for the cash,” Neiding adds.
In Western Europe, Neiding shares that Diebold Nixdorf was tracking an uptick in criminals using explosives to steal ATM cassettes and cash. Clients began adopting an ink staining solution, which uses monitoring to sense if the ATM’s safe has been breached to then release the dye onto the cash inside.
“In our ATMs, we have bill validators that recognize it’s a stained note and won’t accept it,” Neiding explains. “If they go into a store or a bank, they won’t accept the cash either. What we saw was a big decline in these types of attacks, and even sometimes there’s a sticker saying there’s an inking solution on that ATM.”
Neiding adds that Diebold Nixdorf is tracking attacks on ATM field technicians and has flagged certain geographies where service technicians will be accompanied by security officers or law enforcement when they go out. Field technicians are also allowed to request that security meet them at a job site—even if that location is not in a flagged area.
At Gate City Bank, for instance, it is now the protocol for a security officer to meet ATM service technicians and escort them throughout their work, Ross says.
The manufacturer is taking a similar approach to mitigating logical attacks by implementing a standard feature called Trusted Device Communications, which encrypts the communication that is running on the ATM’s system processor core. It’s also utilizing what it calls security relevant models and dispensers, so Diebold Nixdorf can track and ensure that only DN modules and components are inserted into the ATM. If it detects that a foreign entity is inside the ATM, Diebold Nixdorf can take the ATM out of operation.
Neiding says they also work with customers to educate them about potential logical threats to their ATMs so they can ensure their software is updated to prevent attacks.
“Many times, it’s not the latest or most secure setting,” she says. “We help those customers make those changes, and we do send many security alerts to our customers.”
Gate City Bank, for instance, uses Diebold Nixdorf ATMs and Ross says secure network connection and encryption are priorities for preventing logical attacks.
Transport Layer Security (TLS) 1.2 “is the goal because then you have secure encryption from your data center to your ATMs, so somebody couldn’t unplug the network jack, plug into your ATM, and make it think that they’re the network,” Ross explains. “You have to have that encrypted.”
Encrypting the hard drive means that if a criminal attempted to replace the ATM’s hard drive with their own, it would be inoperable. Ross also adds that it’s a good idea to have image-specific certificates “so that even if somebody tries to wipe your current hard drive and re-flash it with a new image, it catches it.”
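The protection Ross describes for the ATM-to-data-center link depends on the ATM verifying the host's certificate, not only on the protocol version. The following is an added example, not Diebold Nixdorf or Gate City Bank code; the helper names and the `ca_file` parameter are hypothetical. It builds a weak and a hardened client configuration with Python's standard `ssl` module and audits both.

```python
import ssl

def hardened_atm_context(ca_file=None):
    """Hypothetical client context for the ATM-to-host link."""
    # PROTOCOL_TLS_CLIENT enables certificate and host name checks by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:  # assumption: the bank runs a private CA for its ATM hosts
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def weak_atm_context():
    """Encrypts traffic but accepts any peer: the impersonation risk in the text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def audit_atm_tls(ctx):
    """Return a list of findings for a client-side SSLContext."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("host certificate is not verified; "
                        "a device on the cable could pose as the network")
    if not ctx.check_hostname:
        findings.append("host name is not matched against the certificate")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_atm_context()),
                      ("hardened", hardened_atm_context())):
        issues = audit_atm_tls(ctx)
        print(name, "->", issues if issues else "no findings")
```
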
Additionally, Diebold Nixdorf provides a security portal that shares information based on feedback from customers about security incidents. Diebold also participates in information sharing with the authorities, such as the FBI, about criminal networks that might be targeting ATMs or new attack methods that manufacturers and clients should be aware of.
“We’ve become much more collaborative from an industry standpoint, and you’re seeing our customers even sharing attack information, as well as recommendations and actions taken to protect their fleet,” Neiding adds.
“The myth was [criminals] were only going to attack the big guys,” she continues. “The reality is, criminals are opportunistic. Small credit unions, regional banks, large national banks—they’re all getting attacked. We’re sharing information to make sure that doesn’t happen.”
New Standards
Adding some of these security features to ATMs can quickly become expensive, and not every financial institution will have the means to afford them and then monitor the solutions to ensure they are effective, Ross adds.
This means that security practitioners will need to do risk mitigation to figure out “what you’re comfortable with, and then do you have a plan for if something does happen that you’re able to be notified as soon as possible,” Ross says.
To help security practitioners with this process, the ASIS International Banking and Finance Steering Committee has begun creating standards for ATM security. Mary Gates, president at security consultancy GMR 410, is heading the effort, which came about after members of the committee began discussing the uptick in attacks on ATMs.
“With the increase of crime happening at ATMs, the threat of violence that can happen to our customers, as well as the threat of violence to people who are servicing ATMs, it becomes incumbent on operators from a duty of care perspective to look at developing those standards,” Gates says.
There are seven members on the committee working on this effort, including three representatives from financial institutions. All committee members have some financial institution experience and have been involved in ATM protection and corporate security management.
“Our intent, once we receive approval and start working on the standard, is to have consultation with the manufacturers to get their buy-in and support from a technical aspect, and also reach out to other stakeholders to get their support,” Gates says. “To get their buy-in, as well as any information to help ensure we create a truly robust document that will really help guide and inform the membership.”
While the standard process is underway, Gates recommends that banking security practitioners have conversations with their ATM teams to proactively conduct risk assessments. They can use these assessments to evaluate the environment their ATMs are operating in, the risks to the devices, and the threats they might face, as well as create a process to continuously assess risks and threats.
Second, she suggests assessing the lighting program in place at the bank.
“Lighting is one of the easiest things you can do from a safety and security standpoint,” Gates adds. “Having a well and properly lit location is a deterrent to criminal activity. And it fosters the ability to accurately help your cameras in the event that something does happen. It brings eyes from the street to your location.”
As of Security Management’s press time, the committee had submitted its proposal request to the ASIS Professional Standards Board for consideration.
Megan Gates is senior editor at Security Management.