The Automated Teller Machine has changed the financial lifestyle of millions of people in the UK with eighty percent of all cash withdrawals now being made at the many tens of thousands of ATMs located throughout the United Kingdom. As in many countries around the world, the UK has experienced a significant growth in the number of ATM deployments over the past few years: 36,750 in 2001 compared to 63,900 in 2007, a 42% increase.

By Alan Townsend, London


Remarkably, the financial institution in-branch ATM estate has remained virtually unchanged over this period of time with 19,067 installations in 2001 and 19,076 in 2007, while the remote financial institution ATM estate has substantially increased from 11,800 to 15,550 in the same time frame.
The real deal has been with the independent ATM deployers, known as IADs in the UK or ISOs (Independent Service Operators) in the USA, who have increased their UK market share almost fivefold in eighty-four months from 5,900 ATMs in 2001 to 29,300 in 2007. This is great news for IADs, financial institutions, retailers with businesses near ATMs and the multi-various ATM industries involved in the ATM lifecycle, bringing as it does more jobs, more prosperity, more retail spending and more convenient access to cash for the public.
However, this is an achievement that also carries a responsibility to ensure that those hosting ATMs, those who carry out replenishment or services and the public who use them can do so safely.

Attacks increase

Unsurprisingly, as the IAD and remote financial institution ATM market share rose, the industry experienced an exponential increase in ATM attacks, rising from 213 attacks in 2002 to 773 in 2005, with equally significant losses in terms of cash, damage to property and in some cases risk to individuals.
Typically, the majority of ATM attacks take place at convenience stores (26.7% - 2007), followed by leisure facilities (16.5% - 2007) and social locations such as bars and clubs (11.8% - 2007) and are predominantly IAD sector installations, where the security of the premises and the machines are of a lower standard compared to a bank installation. Financial institutions suffer far less attacks; in branch (8.8% - 2007), supermarkets (7.3% - 2007) and petrol stations (6.8% - 2007), the latter two being where a large proportion of the financial institution remote ATM estate is located.
In order to attempt to rectify this situation a number of organisations decided to work in partnership and collectively gather all the data, procedures and preventative measures available to find solutions to the escalating wave of ATM crime. The principal organisations involved were the ATM Security Working Group, British Bankers' Association, Building Societies Association, Association for Payment Clearing Services, British Security Industry Association, LiNK Interchange and ATM Industry Association.
One of the first tasks was to create a joint crime database in order to understand and analyse the scale, geography and methodology of the problem. Technically not a difficult task, but trying to work around the "politics" of getting individual ATM deployers to part with this sensitive data was a challenge. Nonetheless, the combined database was achieved and is now used as a first touchstone to consider the advisability of locating an ATM in any particular location and is extensively used by UK police forces when investigating ATM related crime.
The next stage was to develop industry security guidelines that could be used as a reference point by all involved in the ATM installation, replenishment and servicing processes of these machines. There was already guidelines published for "through-the-wall" ATMs, but nothing was available for the "stand-alone" and remote "pod" or "converted telephone" style of machines. These security guidelines were written and published and now form the basis for the security requirements for these type of installations.
Another important job was to obtain buy-in from the UK police forces, particularly in those areas adversely affected by ATM crime. Within the UK there are fifty-two separate police forces, as well as a number of other forces with specific responsibility for railways, military establishments, royal parks, etc., so no easy task.
The group collectively wrote to every force targeting three key areas of police activity; prevention, intelligence and enforcement, offering a fast track information service, access to the crime database and, crucially, financial support in relation to rewards and specialist equipment. This approach has successfully led to several police operations against professional gangs targeting ATMs, with support from the industry, leading to the arrest and conviction of numerous prolific criminals.

Prevention

In order to tackle specific styles of attacks, individual ATM deployers now employ a range of preventative measures to deter criminals. Broadly speaking the method of attack can be divided into three main areas; complete removal of the ATM, brute force in-situ or professionally conducted attacks in-situ.
The first method will frequently involve the theft of a truck or four-wheel drive vehicle that is then used to ram-raid the premises, demolishing all in its path, and the uplifting of the ATM onto the vehicle to be cut open at some later stage at the criminal's convenience. Ram-raids are a particular cause of concern to the insurance industry and community at large, as the criminals who commit these crimes have no regard to the extensive structural damage caused to the premises that will often require the business to close for weeks depriving rural communities of basic commodities.
The second method will involve

This image illustrates the potential collateral damage from a ram raid. Photo: Townsend

the forcible entry to the premises or area where the ATM is located and attacking the machine with various tools easily purchased at the local DIY store. These attacks are often aimed at the smaller, less secure ATMs of the type found in convenience stores, bars and leisure facilities.
Finally, the third type of attack is conducted by criminals with a working knowledge of the security locking mechanisms employed in ATMs. These attacks will frequently involve drilling or oxyacetylene equipment and are known to take as little as three minutes to get to the cash inside the safe.
To combat all three methods of attack, various preventative measures have been developed and employed including enhanced anchoring systems, upgrading safe specifications, ceramic anti-drill / cut devices, oxyacetylene flame resistant parts / deflectors, individual cassette locking equipment and much more.
Was the effort worth it? Of course. Over the past two years the ATM industry has experienced a sustained reduction in attacks; in 2006 attacks were down by 11.1% compared to 2005, with losses down by 13.4%, in 2007 attacks were further reduced by 16% compared to 2006, with losses down by 17%.
It is right to say that the number of attacks has not returned to the 2002 level and, given the dramatic increase in the number of ATMs deployed in the UK since that time, it is highly unlikely that this will ever be achieved. However, the all important attack rate per thousand ATMs deployed has reduced significantly from the 2005 level and with a little more effort will undoubtedly return to or surpass the 2002 figure.
More recent developments will help secure further reductions. In December 2007 the UK ATM industry reassessed how it dealt with the two main elements of ATM crime, namely fraud and physical attacks. In an effort to totally break down all partnership barriers the ATM Crime Group, previously reporting through the Association for Payment Clearing Services, will in future only deal with fraud issues and report through LiNK Interchange. The ATM Security Working Group, which is supported by the ATM Industry Association and whose membership contains many IADs, will now deal with all issues relating to ATM physical crime and has opened its membership to the financial institution sector of the industry.
This strategic realignment and simplification of reporting structures will ensure that everyone involved in the ATM security lifecycle is up-to-speed with the latest attack data, security procedures and preventative solutions - working in isolation is no longer an option.

Some security guidelines Guidelines depend on the risk you are trying to reduce, so the most important advice is that all ATM installations need to be fully and independently risk assessed – you cannot put in place security measures if you don’t know what the risks are. Host premises: The security of the premises in which the ATM is located should be of a standard to resist / deter criminals entering illegally, therefore, good quality locking systems on doors and windows, overnight shutters, intruder alarms, CCTV, fogging systems and unique taggant sprays are all worth considering. Merchant-fill ATMs: The simple most important security measure for merchant-fill ATMs is never leave money in the machine overnight. This type of ATM should be loaded with only sufficient cash for the days trading before the premises are opened for business. Once the premises are securely closed, the cassettes and any excess cash should be removed and placed in a safe of an appropriate standard; the ATM facia and safe doors should be left open and the machine should be visible from outside the premises so any would-be criminal can see the ATM is empty. CviT (Cash & Valuables In Transit)-fill ATMs: The ATM safe should be of an appropriate standard commensurate to the amount of cash being held overnight. The ATM should be sited deep into the premises well away from preimeter glazing, preferably against a wall of solid construction and the ATM should be securely fixed through the safe by a minimum of four resin anchor bolts, minimum 12mm diameter to a depth of 150mm. Security collars or anti-lasso devices, cash degradation systems and bollards or anti-ram raid protection should be considered in higher risk deployments.

The autor:
Alan Townsend was responsible for founding the ATM Security Working Group (ATMSWG), which was formed to consider crime and security issues relating to the "stand-alone" or "freestanding" type of ATM operated by Independent ATM Deployers (IAD) in the UK. In 2006 Alan was engaged as the ATMIA Europe Security Advisor and since that time he has edited a number of ATMIA security guidelines, assisted in arranging the "SEC" series of ATMIA conferences and been available to members for general security advice. Contact: alan@atmia.com