September 17, 2019
Automated teller machines (ATMs) are everywhere (at the grocery store, outside the bank and in the mall), making it easy for us to stay connected with our cash. ATMs, however, also present plenty of opportunities to someone looking for an easy way to rob one (people really ask this question online!).
After all, a device filled with money will always be tempting, making ATM security imperative.
Fortunately, UL’s experts test and verify that ATM containers are built to deter theft. While UL’s testing process of breaking into an ATM container may look like a safecracking scene from a crime thriller, it’s more than just a good show. It’s security in action.
Crash and grab cash
Security and Life Safety Principal Engineer Lou Chavez and UL’s team of experts helped the banking industry secure its ATMs, meaning the entire ATM, against being stolen. Criminals generally attempt to break into an ATM only once it has been moved to a different location.
“Banks were having problems with ATMs being ripped off their islands by forklifts or pickup trucks,” Chavez said. “We worked with the banking industry and UL’s Standards Technical Panel to develop anchoring requirements to make it harder to rip ATMs off of their intended pads. Banks also take additional requirements including placing bollards, usually metal tubes filled with concrete, around ATMs to make it more difficult to get a forklift or truck next to the ATM.”
Breaking and entering
UL 291, the Standard for Automated Teller Systems, provides details for three levels of testing: Business Hour Service, 24-Hour Service Level 1 and Level 2. The level determines how extreme the testing of the ATM will be. For example, a Business Hour Service ATM will receive the lowest level of testing, limited to only 5 minutes of actual time “attacking” the container, since it will be emptied every night. A Level 1 test uses hand tools to attack the door of the security container for 15 minutes, and a Level 2 attack will be similar but with a more aggressive complement of tools and the ability to attack any portion of the container.
One such test conducted in UL’s Northbrook, Illinois, laboratory, started with two lab associates inspecting the inside of the ATM container and looking at all the moving pieces: the lock, the hinges and the door. As Staff Engineering Associate Cyndi Prosser explained, breaking into a safe or an ATM container is sometimes an inside job, so the person attempting to break in already has inner knowledge of the safe and its contents.
The real work began when the team members picked up the sledgehammers and electric drills. After multiple broken drill bits, some heavy application of WD-40 and countless horizontal swings of an 8-pound sledgehammer, the case was opened in under 11 minutes. The team dislodged the internal locking device by knocking some screws out of place.
While the open door may be cause for celebration from the people doing the work, it means the tested object will have to go back to the manufacturer for redesign to help ensure that others won’t be able to gain access to the container the same way.
More than a locked box
For banking equipment that doesn’t require security, UL has a different category of testing, TPEU, that looks at the equipment for fire and shock hazards, in addition to nondestructive entry attempts.
Chavez explained that using a sledgehammer isn’t the only way to gain access to a panel. Tests that involve using a wire to try and grab money from inside the machine are also performed to make sure people can’t pull money out of the machine.
The logical security of ATM devices is also very important.
Attacks on the software of ATMs, as well as on their communications protocols, are something that UL works on with the industry through contributions to the ATMIA Software Security Best Practices, evaluations against the PCI ATM Security Best Practice Requirements, and our own UL 2900-2-3 Standard.
“We understand that the security of these devices is a combination of both physical and logical controls,” said Andrew Jamieson, director of technology and security at UL. “We have services to look at everything from the cryptographic key management to how components are decommissioned to prevent unauthorized reuse.”
Chavez added, “ATMs have network connections. Anything with a network connection can be susceptible to a cyberattack. If you could gain access to an ATM, you might be able to have it spit out money.”
Breaking into an ATM isn’t the most sophisticated of crimes as most criminals don’t care about the cameras inside ATMs. Image quality, however, may make the difference in apprehending a suspect, which is where UL 2802, the Standard for Performance Testing of Camera Image Quality, plays a role. After all, do you want the police to have a fuzzy or clear picture to work with as they investigate the crime?
Whether it’s fire and shock hazard, theft deterrence or physical security, UL looks at all vulnerabilities to help determine the key points of attack.
For more information about UL’s work with security products and systems, visit https://www.ul.com/offerings/security-products-and-systems-compliance-testing.