Attacks against ATMs may be classified as either ATM physical attacks or ATM fraud.
ATM Physical Attacks:
ATM physical attacks are normally perpetrated with the intention of gaining access to the cash or other valuable media within the ATM safe or ATM security enclosure. Some of the most common methods include Ram Raid, Explosive Attack (gas and non-gas) and Cutting (e.g. rotary saw, blow torch, thermal lance, diamond drill). The success of ATM physical attacks is often measured by what percentage of the cash is stolen and the speed by which the attack is completed.
There are many different categories of ATM fraud. In general ATM fraud can include any deliberate ‘criminal’ technique which involves the use of an ATM to obtain something of value to the perpetrator. The most common types of ATM fraud include Card Theft (e.g. Lebanese Loop) , PIN Compromise (e.g. Shoulder Surfing), Card Skimming, Cash Trapping, Transaction Reversal and Deposit Fraud.
ATM Fraud in more detail:
Card theft is where the perpetrator physically obtains the consumer’s card at or in the vicinity of an ATM. The most common method of card theft is Card Trapping. The most popular method of trapping a card at the ATM is known as Lebanese Loop. A Lebanese Loop is designed to be entered within the card entry slot of the ATM card reader in such a way as it does not prevent the consumer from entering their card, but it does prevent the ATM card reader from ejecting or returning the card to the consumer. The perpetrator can subsequently remove the trapped card once the consumer has departed from the ATM with the belief that the ATM has captured or swallowed their card. Another variant of card trapping is known as the Algerian V trap. Other methods of card theft include card swapping where the consumer’s card is exchanged for a card of similar appearance. This distraction method is often executed at the time that the consumer’s card is being returned or ejected to the consumer following a transaction at the ATM.
PIN compromise methods range from the very technically sophisticated to the relatively easy technique known as shoulder surfing. Shoulder surfing involves the perpetrator standing close enough to the consumer to observe the numbers entered on the key pad. A more sophisticated method of observation or surveillance involves the use of a miniature camera which can either transmit the image of the PIN being entered or store the recording within the device. With the increase in the number of mobile phones with video capture capabilities, such phones are adapted to compromise PINs. Keyboard overlays are devices which are designed to look very like the genuine ATM key pad and are fixed on top of the genuine key pad. The Keyboard Overlay will record the numbers entered on the key pad but also permit the genuine keyboard to accept the PIN being entered. Similarly to the use of cameras, the keyboard overlay may transmit the information to a remote receiver or store the information locally. Sophisticated ATM Infrastructure Hacking, Architecture Hacking, Network Hacking, Social Engineering, Phishing and various other methods are also used to compromise PIN codes.
Card skimming involves making a copy of the information encoded on the magnetic stripe of the card. There are various different types of skimming device designed to be used in different environments, from hand held devices through door access skimmers to miniature card entry slot skimmers. Hand held skimming devices are more commonly associated with card skimming in restaurants and other retail establishments. When used in the ATM environment the perpetrator will either use distraction techniques to temporarily obtain and copy the consumer’s card or sometimes pick the pocket of the consumer. Some ATMs are installed in a controlled environment whereby the consumer is required to swipe a card at the door of the ATM location to gain access. Skimming devices may be attached to or used as a replacement for a genuine door access device.ATM card entry slot skimmers have various shapes and sizes and also vary in sophistication. When installed correctly they allow normal operation of the ATM in that the consumer’s card is entered and returned correctly, however the magnetic stripe is copied by the skimming device. One of the most effective ATM skimming devices is known as the Sofia skimmer. The skills of the perpetrators in modifying the packaging of skimming devices makes them very difficult for the untrained observer to detect.
Cash trapping is the term used to describe attacks where the consumer’s cash is trapped and prevented from being presented or delivered to the consumer. The variety of trapping devices is significant, ranging from those which require insertion within the ATM’s cash dispenser through false fronts to well engineered electro-mechanical devices which simulate the removal of the cash by the consumer.
Transaction reversal techniques involve highly skilled manipulation of the ATM during a transaction with the result that the host computer believes that the consumer did not receive their cash and thus re-credits or reverses the transaction. Other variants of transaction reversal involve either collusion with someone within the ATM network or detailed knowledge of the rules governing transaction processing.
Deposit fraud covers a variety of criminal techniques from making false deposits, trapping deposits through skilful manipulation of the deposit accepting device. False Deposit fraud includes exploiting processing rules to draw on funds before they have been verified and officially cleared for crediting to an account. Similar to cash trapping, Deposit Trapping allows the perpetrator to obtain the valuable media prior to it being secured within the deposit terminals safe or security enclosure. Highly skilled perpetrators of deposit fraud may use techniques by which the deposit terminal believes it has received and successfully validated a deposit when in fact it has not.
The above article was written by Douglas Russell, DFR Risk Management Ltd.