ATM Fraud Prevention Framework

Download the ATM Fraud Prevention Framework Here

There is a great deal of inconsistency in the ATM industry when it comes to specifying/testing/evaluating the security and anti-fraud measures that are applied to ATMs and other self-service terminals. Best practice is available and many types of fraud could be easily prevented simply by appropriate use of already well-understood and widely available countermeasures. To address this issue, and to make ATMs a less attractive target for criminals, FTR Solutions has developed the ATM Fraud Prevention Framework.

This document serves several purposes. Firstly, and most importantly, it provides a basis for institutions to develop a comprehensive anti-fraud specification for their ATMs. When an institution is planning the purchase of new ATMs, the requirements related to anti-fraud measures are often omitted, unclear, or left to the vendor(s) to specify. It is also common for groups of ATM operating institutions (or a banking association) to agree a voluntary code of practice defining a minimum ATM fraud standard to which they will all conform. This framework will help institutions to consider what anti-fraud controls to deploy in their ATMs.

Secondly, the framework provides a complete set of tests that can be used to compare an ATM configuration against anti-fraud requirements. This can be useful for validation as part of a new deployment or for confirming that an ATM deployment conforms to a defined code of practice or standard. It is also very useful to periodically confirm that the controls that are in production continue to provide adequate protection against all known types of fraud threats.

Finally, the framework provides a context within which the risk of adverse test findings can be meaningfully interpreted. It is common for institutions with ATM fleets to conduct penetration tests on their ATMs. It is also, unfortunately, all too common for organisations providing penetration testing services to present their findings without offering a meaningful interpretation of the risk presented by any adverse findings. For example, if a penetration tester identifies that a particular operating system control is not in place, the finding is often assigned a disproportionately high risk rating because the compensating controls that are in place have not been adequately accounted for.

Throughout the document, the content is presented in terms of ATMs, but it is equally applicable to other forms of self-service business machines (SSBMs), including lodgement/cash recycling machines. When reading this document the term “ATM” can be taken to mean ATM/SSBM as appropriate.

We are providing this material free of charge, under the Creative Commons Attribution-NoDerivatives 4.0 International license, as a contribution to the ATM security industry. If you have any comments or suggestions, or would like to provide feedback on the ATM Fraud Prevention Framework, please contact FTR Solutions by email.
