ATM security in the battle against fraud and physical attacks
For today’s banks the monitoring and security of ATMs is a major priority. Not content with card skimming – where card details and a customer’s PIN are captured – or card trapping, we are now seeing, in the most extreme cases, gangs physically ripping out ATM units using heavy equipment or resorting to gas explosions. Thankfully, a new generation of CCTV cameras and compact DVRs/NVRs are offering users more ‘bang for their buck’ in the confined conditions in and around ATMs, and even, should the need arise, allowing images to be connected with transactional metadata. Video analytics is also starting to be employed to pick-up on suspicious activity.
Figuring out the threat
To put the fraud and physical security challenges associated with ATMs into some sort of perspective the European ATM Crime Report issued by EAST (the European ATM Security Team) last October – covering the first six months of 2015 – revealed that ATM related fraud incidents were up by 15 percent when compared to the same period in 2014. The report suggested that this was driven by increases in card trapping and transaction reversal fraud.
Offering his take on how things stand today, EAST Executive Director, Lachlan Gunn, says the biggest ATM associated damage – despite all the headlines about explosives or ram raids – is fraud: “That is where you see the multi-million losses.” According to Gunn, the big change that helped in Europe was the implementation of EMV ‘Chip and PIN’, however he contends that there is no room for complacency: “It is fairly difficult for criminals to clone a chip but, as you know, most chip cards still have a magnetic stripe on them. That is potentially the risk.” From 2011 to date, Gunn reveals that EAST has gradually seen skimming-related losses creeping up: “The difference is that a high 90 percent of these losses are outside Europe. In other words, if your card is skimmed at an ATM the fraud spend, if any, is unlikely to take place in the UK or even Europe.”
So what security measures are being rolled out to stem the tide of ATM crime and help to deal with customer queries? According to Jenny Månsson, Business Development Director – Industry Segments – at Axis Communications, the AXIS P12 Series, and now the AXIS F Series of network cameras have been gaining traction for ATMs thanks to their flexible, small footprint capabilities. The concept for both series of cameras is to remove the optics and image sensor [sensor unit] from the larger camera body and put it on the end of a ribbon cable: “The AXIS P12 Series is working very well, we have a few global banks that have already standardised on this and are placing them in all of their ATMs,” explains Månsson.
Månsson flags-up the enhanced capabilities found in the latest F Series: “It is a similar model to the AXIS P12 in terms of the fact that it is a flexible camera but there are some added features – including enhanced possibilities to manage varied lighting conditions, which is quite important for ATMs.” Månsson adds that the F Series has a four-camera version: “You actually have a body with four different lenses. There are areas in Asia where it is mandatory to have up to four camera so the F Series is very suitable for that.”
When it comes to tying in video footage with transactional data to shed light on customer disputes, and suspicious activity, Månsson explains that by using the Axis Camera Application Platform (ACAP) it is relatively straightforward to upload the appropriate software to the camera. Bringing the two together saves resources, reckons Månsson, as it removes the necessity to rush around pulling information from different areas of the bank.
From his perspective, Salim Idris, General Manager for Dedicated Micros in the Middle East, points out that regulatory requirements are certainly helping to shape ATM video surveillance solutions: “We have revamped our fourth-generation DV-IP ATM Advance [DVR/NVR] to accommodate such requirements from the Central Bank of the UAE, Kuwait, Qatar and Saudi Arabia.” Idris adds that the UAE recently launched a new mandate requiring banks to upgrade their ATMs with High Definition (HD) cameras and to go from analogue to IP. Idris says that despite the acceleration toward IP, the new DV-IP ATM Advance – which has features like transaction capture built-in – is intentionally a hybrid design: “It can still take analogue inputs for parts of the region like Saudi.”
With discussion regarding the vulnerability of IP end points, Idris feels that it is important that video surveillance architecture is as secure as possible. According to Idris, Dedicated Micros DV-IP ATM Advance – with a built-in layer 3 enhanced network switch – is what he terms a ‘Closed IPTV’ solution: “This provides an extra layer of protection to ensure that cameras aren’t the means of access to the corporate [bank] network,” he explains. The revamped solution has been well received in the GCC (Gulf Cooperation Council) and is currently being implemented by six major banks. Idris confirms that two of these have been completed and handed over in the UAE while the others are replacing their systems more gradually.
Remote head cameras
Peter Ainsworth, Director of EMEA Marketing at Tyco Security Products, is concerned, as technology moves from analogue to IP, about the potential for individuals to use end points like cameras to hack into a bank’s network: “If you ripped out an analogue camera on the front of an ATM you just ended up with a length of copper wire going into the back. With network cameras you have, potentially, direct access to the bank’s network.”
Ainsworth singles out one remedy in particular:
“A few manufacturers – Tyco included – are producing remote head cameras. The lens and the sensor is separate to the main body, and the electronics, so that takes away this issue of having the camera in the ATM.”
Catching-up with Dr Rustom Kanga, Co-Founder and CEO, of iOmniscient, a vendor which specialises in video analytics to handle complex and crowded scenes, when asked if this type of analysis is a new concept for the world of ATM protection. He responds that it is really only over the last five to six years that an analytics-based solution has been high on the agenda for banks: “We have now implemented this in several locations. One project involves a bank in Qatar,” confirms Kanga.
Regarding what sets iOmniscient’s approach apart from other vendors operating in this space, Kanga is keen to highlight the ‘uniqueness’ of its capability by virtue of the potential to deal with ‘difficult-to-spot skimming devices’ which can be inserted above the slot where a customer is meant to enter their card: “This is a core application because it is so important to find these devices. Our solution does two things. One is to cope with objects that are so well blended into the background that a human being wouldn’t normally see them. We talk about it as ‘seeing the invisible’. You could have something that is plastic and transparent, basically a little sliver of a device.”
Kanga goes on to say that the beauty of iOmniscient’s video analytics-based ATM protection system [iQ-Bank] is also how it copes with the issue of obscuration: “This ability to see such a device despite obscuration is a patented capability from iOmniscient.”
He gives a typical scenario to illustrate his point:
“A person might stand in front of the ATM or move their hand across the keyboard, hiding the [skimming] device. When they head-off however, if a device has been left behind, our system will quickly say ‘okay’ that shouldn’t be there and raise the alarm,” explains Kanga.
Drilling down to sensors which can detect the vibration signature of different types of attacks on ATMs, Honeywell Security has developed a seismic sensor, the SC100, with what it claims are enhanced filtering and detection algorithms. These algorithms, says Honeywell, can help to filter out false alarm sources. According to Honeywell the SC100 has also been designed with flexible installation in mind so, for instance, a simple dip switch can change the sensor’s setting to tie-in with the type of deployment whether that be for an ATM, or even a vault, and the potential attacks it is likely to encounter.
Taking biometrics in vein
Although not deployed yet on ATMs in the UK, Ravi Ahluwalia, Deputy General Manager for The Information Systems Group (EMEA) at Hitachi confirms that its finger vein technology is very strong in the Japanese ATM market: “This is where you use your card and place your finger which is then scanned and checked against a template stored on your card. There is no need for a PIN. Already 80 percent of ATMs in Japan use our technology and we have deployed the same proposition in ATMs in Poland and Turkey.”
It is clear that, despite the multitude of challenges banks are facing, from skimming devices to physical attacks, the bar continues to be raised around the solutions available to address such activity.
Source | SecurityNewsDesk