Explosive attacks on ATMs have been on the rise, forcing one bank to shut down hundreds of machines. With cash usage declining and security costs increasing, is it still worthwhile for retail banks to have ATMs? Jane Cooper reports

Physical attacks on ATMs have been on the rise in Europe, and an emerging trend of criminals using solid explosives is a serious concern for the industry. It’s not just the loss of cash or collateral damage to property that banks need to worry about, but also the threat to lives.

For this reason, ABN AMRO took swift action in December 2019 when a “certain type” of cash dispenser was being targeted by criminals. The Dutch bank closed 470 ATMs — more than half its network — and said in a statement that “the escalating violence used to explode them [is] a source of serious concern, leaving its traces throughout society. Neighbours and businesses must be able to feel safe.”

Mike Lee, CEO of the ATM Industry Association (ATMIA), explains that the most common way to physically attack ATMs is with explosives, which can be either gas or solid. And there is a huge difference between gas and solid explosives, says Claire Shufflebotham, Global Security Director at TMD Security. With gas attacks, the criminal is limited by the cannisters they have to carry, whereas 150g of solid explosive can fit in the palm of the hand, and is enough to cause serious damage.

ATM bombing

The shockwaves are also far greater: the velocity of solid explosives is 5.3 miles per second, compared to 1.2 miles per second for gas. “It is literally a bomb. In South Africa, they actually call it ATM bombing,” Shufflebotham says.

The European Association for Secure Transactions (EAST) estimates that the average cash loss per solid explosive attack is €27,065 and in one case the collateral damage was around €200,000. According to EAST’s November 2019 fraud update, six countries in Europe reported solid explosive attacks, with the use of Triacetone Triperoxide (TATP) — a highly unstable explosive dubbed the ‘Mother of Satan’ — also on the rise.

The same criminal gangs have reportedly been attacking ATMs in Europe, starting in the Netherlands and then crossing borders into Germany, Switzerland, Italy and elsewhere. ATMIA’s Lee points out that trends don’t just start in Europe: “New methods of attack can start anywhere, not just Europe… Criminals are becoming more sophisticated and organised and they share information, methods and software on the dark web.”

Industry in denial

In fact, as Shufflebotham notes, the explosive attacks on ATMs actually started in Latin America and South Africa, where the mining industry there gave criminals easy access to explosives.

The response in the industry has been somewhat reactionary, notes Shufflebotham, and observers have been in denial about types of potential attacks.

For example, “In the UK there were gas attacks and no one thought solid explosive attacks would happen, but now there is at least one a month in the UK. What they said would never happen has started to happen,” says TMD Security’s Shufflebotham.

A typical response to physical attacks has been to increase the physical security on the ATMs, which has precipitated a dangerous cycle of adding defences – resulting in more explosives being used. One way to break this cycle is to make the cash worthless, thus removing the incentive for the attack altogether.

“Ink staining invalidates the cash in the machines,” says Bernd Redecker, Director, Product and Solution Security at Diebold Nixdorf. However, he notes, there is a question of legislation and whether stained money is legal tender — in some countries it is, and some countries it is not. Shufflebotham adds more industry collaboration is needed and says, “Everybody needs to be aware that a stained note is a stolen note, not something that has fallen into an ink pot.”

Ink staining has proved to be an effective deterrent in South Africa and has dramatically reduced the number of explosive attacks.

The Dutch banks are also looking at a number of methods to invalidate cash, and in a statement said, “once a suitable method has been found, it will be installed in cashpoints as soon as possible.”

Given that cash usage is declining, and the physical risks to ATMs are increasing, is it still worthwhile for retail banks to provide ATMs?

In an environment where bank branches are closing, Lee of the ATMIA says, “the ATM becomes even more important as the most popular financial services touchpoint, providing access to cash a wide range of value-added services so it always remains worthwhile to keep ATMs.”

In the Netherlands, three of the major banks — ABN AMRO, ING and Rabobank — have joined forces to form Geldmaat, an organisation that operates the ATMs and makes sure the distribution of machines is more efficient, even in times of declining cash usage.

Bob Meara, Senior Analyst, Banking, at Celent says the Netherlands is the most digitally-driven economy in the Western world, and has the lowest cash utilisation as well as the highest rates of internet banking. “If ATMs go away in any kind of large measure, it is likely to start in somewhere like the Netherlands.”

The situation is similar in Sweden, which, according to a September 2019 report by Kearney, is predicted to be completely cashless in five years. Major banks, such as SEB, have also opted to not operate their own ATMs and have formed Bankomat, which is jointly owned by the larger banks.

Meara adds that even though cash usage is declining, its presence is still persistent, and the highest usage tends to be among the underbanked or lower-income segments. In some markets, “Regulators and governments are wary to disadvantage those constituents,” says Meara.

Cash becomes a political issue

This is evident in the UK, for example, where cash has become a political issue in the form of the Access to Cash review. In May 2019, the UK government announced the future of cash would be protected. Natalie Ceeney, the Chair of the review, said at the time: “Cash use is falling rapidly, but digital payments don’t yet work for everyone. We need to safeguard the use of cash for those who need it, and at the same time work hard to ensure that everyone can participate in the digital economy. If we sleepwalk into a cashless society, millions of people will be left behind.”

In the UK, unlike the Netherlands, the major banks are keen to own and operate their ATMs, says Graham Mott, Director of Strategy at Link, the network that connects ATMs in the UK. If the machine is owned by the bank and is being used by the banks’ own customers, he points out, it can be used for more individual services. He predicts in the future there will be fewer ATMs, but the aim is for them to cover the same areas in a thinner, yet still extensive ATM network. “There will still be ATMs in the right places; there will still be access to cash,” says Mott.

When asked if it is still worthwhile to operate ATMs, Meara at Celent comments, “I think so, although the strategic rationale might be challenged in the near term.” For ATMs that are physically tied to branches, “Their role may change materially but they will stick around for as long as we have branches.” In contrast, Meara expects standalone ATMs to become “fewer and far between”.

In this more challenging environment, and faced with increasing physical security risks, there are still actions that retail banks can take to protect themselves from losses. Redecker at Diebold Nixdorf notes, “It is good to take a risk-based approach — there are countermeasures you can add to the security of the machine. It is a good idea to assess the risk you are running on a regular basis.” If retail banks do that, he adds, they could take the decision not to do something right now, but in a few months’ time the risk position could change and they adapt accordingly. Also, he says, “the industry should not only consider solutions for a single point, security has to be considered holistically — you have to look at the process as well.”

Shufflebotham’s advice for retail banks is similar and says that ATM providers need to understand what countermeasures are at their disposal: “Deployers and service providers have got to look at the alternatives and not wait until an ATM on their estate has been hit… All deployers should be aware of the risks and have lab-proven countermeasures they can deploy if there is any risk on their network. Once they get hit it is too late. They need to be ready – and not put their head in the sand,” she says.