An insider’s guide to thwarting a growing ATM attack vector

In the security field, we’ve all heard some variation of the phrase ‘we build a 10-foot wall, they build an 11-foot ladder.’ But what often gets forgotten is that it’s not always a ‘taller ladder’—it’s a more ‘sophisticated ladder.’ So as the industry focuses on mitigating the risks of black box and malware-based cyber-attacks, criminals have reverted to lower-tech attack methods to access cash—the latest being Transaction Reversal Fraud (TRF).

How Does TRF work?

In a TRF attack, a fraudster initiates a cash withdrawal at the ATM and manipulates the cash-present sequence to trick the host into thinking the cash was not taken. In reality, the criminal has gained access to, and removed, the cash. The ATM nevertheless perceives that no cash was dispensed and passes a reversal message, and the host typically does not debit the account.

This type of attack usually does not involve accessing the funds of any legitimate card holders; rather, it attacks the bank’s funds directly. A cash-trapping attack, on the other hand, manipulates a cash withdrawal initiated by an actual card holder, trapping the cash inside the machine until the consumer leaves the terminal.

Although TRF is a global problem, we’ve seen it surge in popularity in Europe over the last couple of years as EMV and other anti-skimming defense mechanisms have taken hold. According to EAST, incidents of TRF across 11 countries increased by 147 percent from 2015 to 2016, and another 88 percent from the first half of 2016 to the first half of 2017.

Quick Fixes Can Thwart This Low-Tech Problem: A Closer Look at Processes

Tweaking your network’s host transaction business logic is a smart first defense against TRF. Especially in older terminals that may not have had every configuration and software update applied, many hosts will automatically refund an account when there is an error condition with the cash presentation. We recommend that banks validate their business logic for debiting and crediting accounts when unknown or errored states occur—if an invalid state is detected, then the transaction should not be automatically reversed.

A Closer Look at Your Technology

If your terminals have recycling capabilities, they can use “bank note validators” to detect the return bundle value and respond accordingly. Smarter systems that can detect and correlate the states of multiple components (such as the card reader, cash module and cash slot camera) should focus on error condition processing to increase a system’s ability to detect, prevent and alert on invalid or suspicious states. Certain error conditions are more indicative of fraud, and if those particular conditions are detected, the transaction code should not be reversed. Finally, monitoring and alarming are key to detecting potential fraud scenarios. Cash slot cameras, for example, can sense manipulation and respond with an alert.
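The host-side reversal rule from the two sections above can be sketched as follows. This is an added example, not code from Diebold Nixdorf or any host product; the message fields, state names and the hold-for-review policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Present(Enum):            # hypothetical cash-present outcomes
    NOT_PRESENTED = 1           # dispense failed before notes reached the slot
    RETRACTED = 2               # notes offered, then pulled back into the ATM
    TAKEN = 3                   # slot sensors saw the bundle removed
    UNKNOWN = 4                 # jam, sensor fault, or no status reported

@dataclass
class ReversalRequest:          # constructed message shape, not a real host format
    requested: int              # withdrawal amount in minor units
    present: Present
    validated_return: Optional[int] = None  # value counted by the note validator
    shutter_fault: bool = False
    camera_alert: bool = False  # cash slot camera sensed manipulation

def decide(req: ReversalRequest) -> tuple[str, str]:
    """Return (action, reason); action is 'reverse' or 'hold'."""
    # Correlate component states first: any tamper signal blocks auto-reversal.
    if req.camera_alert or req.shutter_fault:
        return "hold", "tamper signal at cash slot"
    if req.present is Present.UNKNOWN:
        return "hold", "cash-present state unknown"
    if req.present is Present.TAKEN:
        return "hold", "reversal contradicts cash-taken status"
    if req.present is Present.NOT_PRESENTED:
        return "reverse", "cash never reached the slot"
    # RETRACTED: reverse only when the returned bundle was counted in full.
    if req.validated_return is None:
        return "hold", "retract not verified by note validator"
    if req.validated_return != req.requested:
        return "hold", "returned bundle value differs from amount requested"
    return "reverse", "full bundle validated on return"

def triage(requests):
    """Split reversal requests into auto-reversed and held-for-review lists."""
    out = {"reverse": [], "hold": []}
    for r in requests:
        action, reason = decide(r)
        out[action].append((r, reason))
    return out

if __name__ == "__main__":      # constructed sample requests
    sample = [ReversalRequest(20000, Present.RETRACTED, validated_return=20000),
              ReversalRequest(20000, Present.RETRACTED, validated_return=6000),
              ReversalRequest(20000, Present.UNKNOWN)]
    for action, items in triage(sample).items():
        print(action, [reason for _, reason in items])
```

Held transactions stay debited until an operator reconciles them against the terminal's cash count and journal, which is the opposite of the refund-on-error default described above.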

The right software, monitoring tools and cash module innovations can help you drastically reduce the opportunity for fraudsters to execute TRF attacks on your network. Smart dispensing and recycling solutions, like those employed on many Diebold Nixdorf terminals, are designed to automatically protect against TRF through intelligent deposit technology that is standardized in the machines.

TRF is a low-tech problem, but if thieves have taught us anything over the past 50 years it’s that they’ll use any and every method available to access an ATM. Because where there’s money, there’s crime.


This article originally ran in RBR Banking Automation Bulletin.