ATM Security Management: Know Your Options

Protecting ATMs was never easy. Now it’s downright hard.

Since the inception of the self-service banking channel, ATMs have been at constant risk of attack. While we used to worry mostly about physical attacks intended to penetrate ATM safes, attacks have become more advanced—and subtler—in recent years.

Now, criminals do not even require physical access to an ATM safe to manipulate an ATM’s logical system into dispensing cash—they can use cyberattack methods to steal data from bank networks and cash out ATMs later, or they take advantage of transaction process flaws to repeatedly “cancel” transactions while actually withdrawing large sums of cash. Defenses against all these threats exist, but ensuring countermeasures are installed, up-to-date and monitored is increasingly a challenge.

In general, as risks have evolved at the self-service channel, managing its security has become more complex and more important. Beyond the emergence of new threat vectors, there are more interconnected channels to lock down (including the communications between them), as well as varying defensive considerations for self-service fleets composed of multiple generations of ATMs from multiple manufacturers.

There is constant pressure not only to avoid monetary or reputation loss, but also to comply with changing regulatory requirements and industry standards in the process. That doesn’t mean everyone is ready though.

We all see the problem, but resources to manage self-service security are scarce. Self-service security must be a priority, but it requires specialist capabilities and a strategic approach to risk management.

Financial institutions often don’t have the specialists in-house with both intimate knowledge of the self-service channel and advanced security training. Even if banks wanted to hire these people, it’s tough to find them—demand for security specialists across industries is creating considerable competition for talented professionals.

Attacks aren’t letting up, so what’s to be done? Proactive monitoring and event management, regular software updates and periodic hardware upgrades, and continuing education are a must for any financial institution that stands a chance of protecting its customers’ assets and maintaining their trust.

It’s simply not realistic for many financial institutions to self-manage all of this. As one VP of Operations in a North American retail bank recently said, “[ATM security] is getting bigger than we can handle.” The industry needs a better way forward.

Secure channels, minus the stress.

More and more retail banks and credit unions are finding that the best route to alleviating the stress of managing self-service security is to stop thinking about it altogether. In these cases, they’re not just hoping attacks don’t occur; they’re choosing to outsource responsibility for self-service security to experts that specialize in deterring, detecting and dealing with ATM attacks around the world.

Instead of hiring expensive, hard-to-find security professionals and dedicating resources and time to identifying and managing the necessary defensive upgrades to resist evolving attacks, financial institutions rely on industry professionals who do it every day. In the process, they benefit from:

  • Access to a 24×7 Secure Operations Center (SOC), monitoring, threat response, audit/reporting support and consultation
  • Services that can cover everything from maintenance to necessary updates that evolve with the needs of the market
  • Insights from specialists who are at the forefront of threat mitigation across the industry and know how to proactively minimize risk

How can Diebold Nixdorf help? We can help financial institutions secure their self-service channel through our Self-Service Fleet Management program, powered by Diebold Nixdorf AllConnect Services℠. As part of this agreement, designed to reduce the total cost of ATM fleet ownership, we offer a suite of services called Managed Security Services that ensures multi-layered protection is integrated and updated throughout an ATM fleet.

Diebold Nixdorf will provide protection across the ATM fleet in a sustainable, logical manner. Based on the protection needs of each individual ATM, customers are provided with Security Core Services (which provide baseline levels of protection needed to comply with industry requirements and standards) or Security Enhanced Services (which build upon that foundation, adding advanced protection for higher-risk environments). We also conduct monitoring of real-time information from the ATMs we protect, ensuring optimal uptime and quick responses to any suspicious events we detect.

An ATM security services agreement often makes sense not only for small- to medium-sized financial institutions that don’t have the expertise or resources in-house to protect their assets and maintain compliance, but for larger organizations that simply see how cost-efficient it is to have dedicated professionals manage their security. We currently manage security for around 26,000 devices globally, and our customer base is highly diverse.

What makes sense for you?

Every financial institution’s situation is different, but many share self-service security management as a pain point. Despite most banks having at least one primary supplier for ATM devices, 41 percent of banks feel they lack a trusted security partner[1]. Does that sound like you? If so, it may be time to change that paradigm.

If you are wondering whether internal or external management of your self-service security makes the most sense for your organization, reach out. We are happy to talk it through with you. Whatever you do, make sure someone is keeping a close eye on your fleet—the risks are just too high these days to simply hope nothing goes wrong.

[1] Forrester, 2016