Editor’s note: Automated teller machines, better known as ATMs, are turning 50 on June 27. Computer science professor Pradeep Atrey, from the University at Albany, State University of New York, explains the security features and concerns of modern cash machines.
How does an ATM work?
In the broadest sense, an ATM works by accepting a cash request from a user, verifying the user’s authority to access a particular bank account, ensuring that account has enough money to fulfill the request and dispensing the money – all without the assistance of a bank clerk or teller.
From the very beginning, all the way back to the first ATM placed in use in London in 1967, the user’s identity was the main problem banks needed to solve. Rather than today’s plastic card with a magnetic strip and embedded microchip, the first machine accepted a slip of paper with a mildly radioactive substance – carbon-14 – printed on it in a particular pattern. The machine matched the pattern to a number code entered by the user. If it matched, and if the funds were available, the machine dispensed up to £10 (an amount worth just over US$200 today).
When using modern ATMs, a customer inserts a plastic card into the machine’s reader, which registers either the data encoded on the card’s magnetic strip or its embedded chip. It prompts the customer for a personal identification number, usually called a PIN, often four or six digits long.
If the card and PIN match, then the customer can deposit money, check an account balance or, most commonly, request a cash withdrawal. When the customer specifies an amount of money, the machine uses an internet connection or a phone line to connect to the customer’s bank, verifying the funds are available and dispensing the cash.
What security issues do ATMs have?
Because ATMs contain large amounts of cash, they are attractive targets for criminals. The most brazen thefts have involved physically stealing the ATM as a whole, though muggers have also accosted ATM users, who, unsurprisingly, are likely to be carrying cash.
A more sophisticated theft involves covertly monitoring the device and its users. Thieves can install small cameras in different places on an ATM, sometimes hidden by plastic panels that look like normal parts of the machine. With those, they can capture the card number, its expiration date, the name on the card, and even the three-digit card verification value (CVV) number on the back. That’s more than enough information to use the card to make unauthorized online purchases look legitimate. Fraudsters may also sell the data in online black markets.
By installing fake card slots, or even extra attachments (called “skimmers”) on top of the existing card slot, attackers can read the information on cards’ magnetic strips. That can help them make fake duplicate cards to use in other ATMs.
Hidden cameras also let thieves watch users enter their PINs. A recent study found that a thermal camera can also capture PINs, by identifying which number keys are slightly warmed, because they were pressed by the user. Specifically, the researchers found that PIN detection accuracy could be up to 78 percent when the heat traces on the key pad are captured within 30 seconds of authentication. A similar study reveals that it was possible to find all four digits of the PIN from a distance of 35 centimeters and if the thermal camera was placed at an angle between 30 and 45 degrees. However, it was much harder to identify the correct sequence of the digits.
Can ATMs be hacked?
Tech-savvy criminals have several options for hacking ATMs. The outer casings of ATMs often conceal hidden USB ports, used for software maintenance and update. If an attacker can locate the hidden port, he can insert a portable USB drive with a malicious program installed, taking control of the machine. That essentially allows the attacker to dispense cash without using a card.
A few years ago, a new attack became popular. Called a “black box” attack by police, the theft involves cutting holes in the ATM casing and physically disconnecting cables between the computer and the mechanism that actually dispenses the cash. Plugging another computer into the cash dispenser’s controls lets an attacker order it to release large amounts of cash.
The ATM’s telecommunications connection offers another means of attack. By intercepting communications between the machine and the bank, an attacker can collect useful card and account data. That may also offer a way to remotely install malicious software and take control of the machine itself: for instance, to issue commands to dispense cash.
What security measures are or can be deployed?
ATM-related fraud and theft can’t be completely prevented. Banks are working to develop additional security measures, such as the three-digit CVV on the back of cards. Individuals can also take preventive measures to protect themselves when using ATMs:
If your bank issues them, use a chip-enabled card. They provide improved security by verifying the physical card is genuine, and not a fake duplicate.
It is often safer to use an indoor ATM, rather than one directly on the street, which can be accessed more easily by criminals either before or after your transaction.
Check the ATM to see if it looks like it has been physically altered or damaged, if anything is attached to the built-in card reader (to read the magnetic strip) or if there are any small cameras around the keypad. Avoid using it if anything looks suspicious.
Be careful of your surroundings and the people in the ATM area. A person behind you in line may be trying to catch a glimpse of the PIN you enter on the keypad.
Cover the key pad when entering your PIN so no observer or spy camera can see it.
If you enter the correct PIN but the transaction fails, immediately contact the bank that issued the card to warn them that there might be a problem with the machine or your account.
How can new technology make ATMs more secure?
As the ever-escalating arms race between ATM security professionals and criminals continues, customers will find themselves urged to use increasingly advanced security methods to identify themselves at ATMs. One method is two-factor authentication, which adds an additional layer of security a user must pass before being allowed access to an account.
Often used when logging in to online services like social media and email systems, two-factor authentication has most commonly involved entering not only the PIN but also a numeric code received by text message on the user’s phone and valid for only a short period of time.
This method, no longer considered secure because it is so easy to falsely simulate cellphone numbers, is being phased out in favor of smartphone apps that generate new codes every few seconds – or even physical keys. Without this one-time code, an attacker can’t access the victim’s bank account.
Future methods of user authentication at ATMs are likely to involve biometrics, like fingerprints, which could augment – or even replace – the cards and PINs that have gotten banks and users through the past 50 years of automated banking.
Pradeep Atrey, Associate Professor of Computer Science, University at Albany, State University of New York