The costly crisis of ATM physical attacks: Understanding the problem
“I think attacks on ATMs, frankly, is the most serious thing facing the financial services industry — and the retail market — this year, and perhaps the next few years to come.”
Let that sink in for a few seconds. And keep in mind that this is not idle hyperbole. It’s the assessment of a former police lieutenant and now-retired security executive for financial services providers.
Today, P. Kevin Smith is managing editor for Bankers Hotline, and he was the first speaker of seven in a morning workshop at the ATMIA conference in Las Vegas today.
Attacks on the rise
Workshop attendees heard plenty of unsettling statistics and anecdotes during the three-hour session. They also heard about existing and forthcoming solutions that could help them avoid becoming just one more of those statistics and anecdotes.
Smith said that, too often, financial services providers in the U.S. place more emphasis on convenience and customer service than on security.
For instance, Smith mentioned an incident at a bank where he’d worked in which $80,000 was lost in a single ATM theft. The cassette capacity was $40,000, but employees had stored an additional $40,000 inside the ATM to make it more convenient to replenish the machine.
He warned that physical attacks on ATMs are on the rise, and that U.S. providers should pay attention to what’s happening in Europe and prepare to see it on this side of the pond. “Attacks on ATMs have been huge over there,” Smith said. “And it’s coming here.”
The US: Late to the security party
Randall Phillips, of the security firm Thompson Consulting Group, also comes from a law enforcement and financial security background.
He told the workshop group that one issue with ATM security in the U.S. is that, unlike some of their European counterparts, banks here tend to weigh the risk of attack against their tolerance for financial losses, and act only when the tolerance threshold is breached.
Phillips named three responses banks make to the problems of skimming, shimming and jackpotting:
1) “Ohhhh, that problem!” — This group understands the problem — in fact, might have experienced it — and is implementing preventative measures.
2) “What problem?” — This reaction typifies areas of the country where skimming isn’t a big problem yet, but will be, when a problem that started on a coast or border makes its way inland.
3) “What do we do now?!” — Eventually, group No. 2 becomes group No. 3. The skimming problem has hit them and now they’ve got to do something about it.
“Depending on what you’re seeing out there, if you’re not experiencing it, that doesn’t mean you can’t prepare for it,” Phillips said.
Should it stay or should it go?
Doug Hevner related his own experience with skimming attacks as group vice president of financial crimes investigations at Suntrust Bank.
“Skimming incidents have been horrible for Suntrust since 2000,” he said. That year, the bank’s ATMs in tourist-mecca Miami Beach were skimmed on six consecutive weekends, without the bank realizing it.
Skimming attacks haven’t let up since, Hevner said. “We had one yesterday in Orlando. We had one Friday in Richmond, Virginia.
“So, it’s out there, it’s continuous, and if you haven’t seen it you’re going to see it. And it’s just a question of how do you prepare for that.”
Hevner said that losses have declined for Suntrust as the bank has gotten better at finding skimmers early. But even this presents a dilemma:
“We have no loss, no cards have been compromised, we know where the skimmer is, and all we have to do is take it off. But if we call the police and they [stake out the ATM] and get an arrest, that’s great, right? But now it’s in the newspaper the next day. So that’s another issue that we have to deal with … It’s a PR nightmare.”