By Alan Townsend
The Automated Teller Machine (ATM) has changed the financial lifestyle of millions of people in the United Kingdom with two-thirds of all cash withdrawals now being made at the many tens of thousands of ATMs located throughout the country and this proportion is forecast to rise to 80% over the next five years, for example, as post office branches are closed. Remarkably, the financial institution in-branch ATM estate has remained virtually unchanged over this period
of time with 19,067 installations in 2001 and 19,076 in 2007, while the remote financial institution ATM estate has substantially increased from 11,800 to 15,550 in the same time frame. The real-deal has been with the Independent ATM Deployers, known as IADs in the U.K. or ISOs in the U.S.A., who have increased their U.K. market share almost fivefold in eighty-four months from 5,900 ATMs in 2001 to 29,300 in 2007. This is great news for IADs, financial institutions, retailers with businesses near ATMs and the multi-various ATM industries involved in the ATM lifecycle, bringing as it does more jobs, more prosperity, more retail spending and more convenient access to cash for the public. However, this is an achievement that also carries a responsibility to ensure that those hosting ATMs, those who carry out replenishment/services and the public who use them can do so safely.
SECURITY ASPECTS
Although only a few short-years ago, perhaps surprisingly, the IAD sector had little understanding of the basic security aspects in deploying an ATM. Freestanding or
¡°stand-alone¡± machines were being installed in locations without any consideration for the security of the machine itself, the premises in which they were located or for the safety of those responsible for replenishment and servicing. Moreover, some IAD companies were inappropriately using ATMs fitted with daytime business safes for overnight use with the inevitable consequences that criminals soon learned which models could be easily and quickly forced opened compared to those made for the purpose. Additionally, IAD companies were working in total isolation, in order to protect their market share, without realizing the huge benefits obtainable through sharing security data, experiences and the knowledge of preventative measures available to protect people and assets.
PARTNERSHIP
Unsurprisingly, as the IAD and remote financial institution ATM market share rose, the industry experienced an exponential increase in ATM attacks, rising from 213 attacks in 2002 to 773 in 2005, with equally significant losses in terms of cash, damage to property and in some cases risk to individuals. In order to attempt to rectify this situation a number of organizations decided to work in partnership and collectively gather all the data, procedures and preventative measures available to find solutions to the escalating wave of ATM crime. The principal organizations involved were the ATM Security Working Group, British Bankers¡¯ Association, Building Societies Association, Association for Payment Clearing Services, British Security
Industry Association, LiNK Interchange and ATM Industry Association (www.atmia.com).
Joint Crime Database
One of the first tasks was to create a joint crime database in order to understand and analyze the scale, geography and methodology of the problem. Technically not a difficult
task, but trying to work around the ¡°politics¡± of getting individual ATM deployers to part with this sensitive data was a challenge. Nonetheless, the combined database was achieved and is now used as a first touchstone to consider the advisability of locating an ATM in any particular location and is extensively used by the U.K. police forces when investigating ATM-related crime.
Industry Security Guidelines
The next stage was to develop industry security guidelines that could be used as a reference point by all involved in the ATM installation, replenishment and servicing processes of these machines. There were already guidelines published for ¡°through-the-wall¡± ATMs, but
nothing was available for the ¡°stand-alone¡± and remote ¡°pod¡± or ¡°converted telephone¡± style of machines. These security guidelines were written and published and now form the basis for the security requirements for these types of installations.
Buy-in from Police
Another important job was to obtain buy-in from the U.K. police forces, particularly in those areas adversely affected by ATM crime. Within the U.K. there are fifty-two separate police forces, as well as a number of other forces with specific responsibility for railways, military establishments, royal parks, etc., so no easy task. The group collectively wrote to every force targeting three key areas of police activity -- prevention, intelligence and enforcement, offering a fast-track information service, access to the crime database and, crucially, financial support in relation to rewards and specialist equipment. This approach has successfully led to several police operations against professional gangs targeting ATMs, with support from the industry, leading to the arrest and conviction of numerous prolific criminals.
Ram-raid action (Photo by Alan Townsend)
TYPES OF ATTACKS
In order to tackle specific styles of attacks, individual ATM deployers now employ a range of preventative measures to deter criminals. Broadly speaking the method of attack can be divided into three main areas -- complete-removal of the ATM, brute force in-situ or professionally conducted attacks in-situ.
Complete Removal
The first method will frequently involve the theft of a truck or four-wheel-drive vehicle that is then used to ramraid the premises, demolishing all in its path, and the uplifting of the ATM onto the vehicle to be cut open at some later stage at the criminal¡¯s convenience. Ram-raids are a particular cause of concern to the insurance industry and community at large, as the criminals who commit these crimes have no regard to the extensive structural damage caused to the premises that will often require the business to close for weeks depriving rural communities of basic commodities.
Brute Force In-situ
The second method will involve the forcible entry to the premises or area where the ATM is located and attacking the machine with various tools easily purchased at the local DIY store. These attacks are often aimed at the smaller, less-secure ATMs of the type found in convenience stores, bars and leisure facilities.
Professional Attacks
Finally, the third type of attack is conducted by criminals with a working-knowledge of the security locking mechanisms employed in ATMs. These attacks will frequently involve drilling or oxyacetylene equipment and are known to take as little as three-minutes to get to the cash inside the safe.
PREVENTATIVE MEASURES
To combat all three methods of attack, various preventative measures have been developed and employed including enhanced anchoring systems, upgrading safe specifications, ceramic anti-drill/cut devices, oxyacetylene flame resistant parts/deflectors, individual cassettelocking equipment and much more.
WAS THE EFFORT WORTH IT?
Was the Effort Worth It? Of course! Over the past two years the ATM industry has experienced a sustained-reduction in attacks -- in 2006 attacks were down by 11% compared to 2005, with losses down by 13.5%, in 2007 attacks were further reduced by 16% compared to 2006, with losses down by 17%. It is right to say that the number of attacks has not returned to the 2002 level and, given the dramatic increase in the number of ATMs deployed in the U.K. since that time, it is highly unlikely that this will ever be achieved. However, the all important attack rate per thousand ATMs deployed has reduced significantly from the 2005 level and with a little more effort will undoubtedly return to or surpass the 2002 figure.
HOW ATM INDUSTRY DEALS WITH THE CRIME
More recent developments will help secure further reductions. In December 2007 the U.K. ATM industry reassessed how it dealt with the two main elements of ATM crime, namely fraud and physical attacks. In an effort to totally break down all partnership barriers the ATM Crime Group, previously reporting through the Association for Payment Clearing Services, will in future only deal with fraud issues and report through LiNK Interchange. The ATM Security Working Group, which is supported by the ATM Industry Association and whose membership contains many IADs, will now deal with all issues relating to ATM physical crime and has opened its membership to the financial institution sector of the industry. This strategic realignment and simplification of reporting structures will ensure that everyone involved in the ATM security lifecycle is up-to-speed with the latest attack data, security procedures and preventative solutions working in isolation is no longer an option!
Alan Townsend was responsible for founding the ATM Security Working Group (ATMSWG), which was formed to consider crime and security issues relating to the stand-alone or freestanding type of ATM operated by Independent ATM Deployers (IAD) in the U.K.
For more information, please send your e-mails to swm@infothe.com.
¨Ï2007 www.SecurityWorldMag.com. All rights reserved. |
