Automated teller machines, better known as ATMs, turn 50 on June 27. Computer science professor Pradeep Atrey, from the University at Albany, State University of New York, explains the security features and concerns of modern cash machines.

1. How does an ATM work?

The first ATM was put in service 50 years ago. Today's cash machines like this one are convenient. But they can be vulnerable to theft and fraud, an expert warns. Associated Press/Swayne B. Hall

In the broadest sense, an ATM works by accepting a cash request from a user, verifying the user’s authority to access a particular bank account, ensuring that account has enough money to fulfill the request and dispensing the money – all without the assistance of a bank clerk or teller.

From the very beginning, all the way back to the first ATM placed in use in London in 1967, the user’s identity was the main problem banks needed to solve. Rather than today’s plastic card with a magnetic strip and embedded microchip, the first machine accepted a slip of paper with a mildly radioactive substance – carbon-14 – printed on it in a particular pattern. The machine matched the pattern to a number code entered by the user. If it matched, and if the funds were available, the machine dispensed cash.

When using modern ATMs, a customer inserts a plastic card into the machine’s reader, which registers either the data encoded on the card’s magnetic strip or its embedded chip. It prompts the customer for a personal identification number, usually called a PIN, often four or six digits long.

If the card and PIN match, then the customer can deposit money, check an account balance or, most commonly, request a cash withdrawal. When the customer specifies an amount of money, the machine uses an internet connection or a phone line to connect to the customer’s bank, verifying the funds are available and dispensing the cash.

2. What security issues do ATMs have?

Because ATMs contain large amounts of cash, they are attractive targets for criminals. The most brazen thefts have involved physically stealing the ATM as a whole, though muggers have also accosted ATM users, who, unsurprisingly, are likely to be carrying cash.

As a result, most ATMs today have built-in cameras, to record evidence in case of a mugging or other crime, or to monitor people who might be tampering with the machine.

A more sophisticated theft involves covertly monitoring the device and its users. Thieves can install small cameras in different places on an ATM, sometimes hidden by plastic panels that look like normal parts of the machine. With those, they can capture the card number, its expiration date, the name on the card, and even the three-digit card verification value number on the back. That’s more than enough information to use the card to make unauthorized online purchases look legitimate. Fraudsters may also sell the data in online black markets.

By installing fake card slots, or even extra attachments (called “skimmers”) on top of the existing card slot, attackers can read the information on cards’ magnetic strips. That can help them make fake duplicate cards.

Hidden cameras also let thieves watch users enter their PINs. A recent study found that a thermal camera can also capture PINs, by identifying which number keys are slightly warmed, because they were pressed by the user.

3. Can ATMs be hacked?

Tech-savvy criminals have several options for hacking ATMs. The outer casings of ATMs often conceal hidden USB ports, used for software maintenance and update. If an attacker can locate the hidden port, he can insert a portable USB drive with a malicious program installed, taking control of the machine. That essentially allows the attacker to dispense cash without using a card.

A few years ago, a new attack became popular. Called by police a “black box” attack, the theft involves cutting holes in the ATM casing and disconnecting cables between the computer and the mechanism that actually dispenses the cash. Plugging another computer into the cash dispenser’s controls lets an attacker order it to release of cash.

The ATM’s telecommunications connection offers another means of attack. By intercepting communications between the machine and the bank, an attacker can collect useful card and account data. That may also offer a way to remotely install malicious software and take control of the machine itself: for instance, to issue commands to dispense cash.

4. WHAT CAN A CUSTOMER DO?

ATM-related fraud and theft can’t be completely prevented. Banks are working to develop additional security measures. Individuals can also take preventive measures to protect themselves when using ATMs:

n If your bank issues them, use a chip-enabled card. They provide improved security by verifying the physical card is genuine, and not a fake duplicate.

n It is often safer to use an indoor ATM, rather than one directly on the street. The latter can be accessed more easily by criminals before or after your transaction.

n Check the ATM to see if it looks like it has been physically altered or damaged, if anything is attached to the built-in card reader or if there are any small cameras around the keypad. Avoid using it if anything looks suspicious.

n Be careful of your surroundings and people in the ATM area.

n Cover the key pad when entering your PIN so no observer or spy camera can see it.

n If you enter the correct PIN but the transaction fails, immediately contact the bank that issued the card.

5. How can new technology make ATMs more secure?

As the ever-escalating arms race between security professionals and criminals continues, customers will find themselves urged to use increasingly advanced security methods to identify themselves at ATMs.

Related Stories