Golden Rules For Fighting ATM Theft – Useful or Flop?

Earlier this month (September 2009), the European Network and Information Security Agency (ENISA) issued a report urging consumers to be more careful when withdrawing money from ATM machines. Its press release was enthusiastically reprinted or, in several cases, misreported by news agencies.

Using case studies and examples from around the world, this 35-page report showed how innovative criminals had become in using technology to obtain cash directly from ATMs, via bank card fraud, or through traditional methods such as physical attacks.

According to ENISA, annual cash machine losses in Europe alone had increased to over $800 million due to a rise of 149% in ATM attacks in 2008. Attack vectors ranged from ‘shoulder surfing’ to sophisticated uses of Bluetooth wireless technology, network attacks and web cameras.


The report, entitled ‘ATM Crime: Overview of the European situation and Golden Rules on How to Avoid it’, listed 14 best practices to ensure a consumer’s physical safety and prevent compromise of their bank card. Several of the ENISA Golden Rules are common sense, others require an awareness of technology and good personal organisation, whilst others reduce the flexibility and convenience of using ATM machines.

The full PDF file makes for interesting reading from the perspective of how naïve users still are and how sophisticated today’s attackers are.

But how useful is it as an awareness piece? Unless a company or government were to turn it into a security awareness programme to educate end users, its usefulness is quite doubtful. Even then, the awareness programme would at best be an interim measure. The only way forward would be for the industry to look at ENISA’s research and think about how to make ATM processes and systems more secure whilst maintaining the freedom of the user.

To read the full paper see

Very briefly the “Golden Rules” listed in the report were:

  1. Don’t use ATMs with excessive signage or warnings
  2. Use ATMs inside banks
  3. Don’t use free-standing ATMs
  4. Be aware of the surroundings
  5. Check that people in the queue are at a reasonable distance
  6. Protect your PIN by standing close to the ATM and shielding the
  7. Pay attention to the front of machines
  8. Pay close attention to the slot you slide in your card
  9. Pay close attention to the ATM’s PIN pad
  10. See if there are extra cameras
  11. Beware if the ATM does not dispense cash or charge fees
  12. Frequently review your account statements
  13. Report confiscated cards immediately
  14. Report any suspicious activity immediately

Ben Chai

About Ben Chai

Ben Chai is a founding director of Incoming Thought Limited, a company which specialises in whitepapers and education for corporations in the area of security. Incoming Thought has worked with several organisations such as the Forum of Incident Response and Security Teams, Security Vibes and The Corporate Executive Program. Ben has also been technically involved in several major deployments of Windows technologies (Active Directory, Microsoft SMS, Windows NT, Microsoft Exchange) to blue chip corporations such as Royal Bank of Scotland, Citibank and Total Oil, and has worked with several businesses in the capacity of a security consultant, helping them with hardening their systems and security processes. Further articles on security matters from Ben Chai can be found in Computer Weekly, ITproportal, Infosecurity from Elsevier and the Incoming Thought Twitter account.

