An automated teller machine, also known as an automatic teller machine (ATM, American, British, Australian, Malaysian, South African, Singaporean, Indian, Maldivian, Hiberno, Philippine and Sri Lankan English), automated banking machine (ABM, Canadian English), cash machine (British English), cashpoint, cashline, minibank, or bankomat is an electronic telecommunications device that enables the customers of a financial institution to perform financial transactions, particularly cash withdrawal, without the need for a human cashier, clerk or bank teller.
- Docutel in the United States 1969
- Continued improvements
- Financial networks
- Global use
- Transactional secrecy and integrity
- Customer identity integrity
- Device operation integrity
- Customer security
- Card fraud
- ATM looting
- Related devices
According to the ATM Industry Association (ATMIA), there are now close to 3 million ATMs installed worldwide.
On most modern ATMs, the customer is identified by inserting a plastic ATM card with a magnetic stripe or a plastic smart card with a chip that contains a unique card number and some security information such as an expiration date or CVVC (CVV). Authentication is provided by the customer entering a personal identification number (PIN) which must match the PIN stored in the chip on the card (if the card is so equipped) or in the issuing financial institution's database.
Using an ATM, customers can access their bank deposit or credit accounts in order to make a variety of transactions such as cash withdrawals, check balances, or credit mobile phones. If the currency being withdrawn from the ATM is different from that in which the bank account is denominated the money will be converted at an official exchange rate. Thus, ATMs often provide the best possible exchange rates for foreign travellers, and are widely used for this purpose.
The idea of out-of-hours cash distribution developed from bankers' needs in Asia (Japan), Europe (Sweden and the United Kingdom) and North America (the United States). Little is known of the Japanese device other than it was called "Computer Loan Machine" and supplied cash as a three-month loan at 5% p.a. after inserting a credit card. The device was operational in 1966.
In the US patent record, Luther George Simjian has been credited with developing a "prior art device". Specifically his 132nd patent (US3079603), which was first filed on 30 June 1960 (and granted 26 February 1963). The roll-out of this machine, called Bankograph, was delayed by a couple of years, due in part to Simjian's Reflectone Electronics Inc. being acquired by Universal Match Corporation. An experimental Bankograph was installed in New York City in 1961 by the City Bank of New York, but removed after six months due to the lack of customer acceptance. The Bankograph was an automated envelope deposit machine (accepting coins, cash and cheques) and did not have cash dispensing features.
It is widely accepted that the first ATM was put into use by Barclays Bank in its Enfield Town branch in north London, United Kingdom, on 27 June 1967. This machine was inaugurated by English comedy actor Reg Varney. This instance of the invention is credited to the engineering team led by John Shepherd-Barron of printing firm De La Rue, who was awarded an OBE in the 2005 New Year Honours. Transactions were initiated by inserting paper cheques issued by a teller or cashier, marked with carbon-14 for machine readability and security, which in a latter model were matched with a six digit personal identification number (PIN). Shepherd-Barron stated; "It struck me there must be a way I could get my own money, anywhere in the world or the UK. I hit upon the idea of a chocolate bar dispenser, but replacing chocolate with cash."
The Barclays-De La Rue machine (called De La Rue Automatic Cash System or DACS) beat the Swedish saving banks' and a company called Metior's machine (a device called Bankomat) by a mere nine days and Westminster Bank’s-Smith Industries-Chubb system (called Chubb MD2) by a month. The online version of the Swedish machine is listed to have been operational on 6 May 1968, while claiming to be the first online ATM in the world (ahead of a similar claim by IBM and Lloyds Bank in 1971). The collaboration of a small start-up called Speytec and Midland Bank developed a fourth machine which was marketed after 1969 in Europe and the US by the Burroughs Corporation. The patent for this device (GB1329964) was filed on September 1969 (and granted in 1973) by John David Edwards, Leonard Perkins, John Henry Donald, Peter Lee Chappell, Sean Benjamin Newcombe & Malcom David Roe.
Both the DACS and MD2 accepted only a single-use token or voucher which was retained by the machine while the Speytec worked with a card with a magnetic stripe at the back. They used principles including Carbon-14 and low-coercivity magnetism in order to make fraud more difficult.
The idea of a PIN stored on the card was developed by a British engineer working on the MD2 named James Goodfellow in 1965 (patent GB1197183 filed on 2 May 1966 with Anthony Davies). The essence of this system was that it enabled the verification of the customer with the debited account without human intervention. This patent is also the earliest instance of a complete "currency dispenser system" in the patent record. This patent was filed on 5 March 1968 in the US (US 3543904) and granted on 1 December 1970. It had a profound influence on the industry as a whole. Not only did future entrants into the cash dispenser market such as NCR Corporation and IBM licence Goodfellow’s PIN system, but a number of later patents reference this patent as "Prior Art Device".
Devices designed by British (i.e. Chubb, De La Rue) and Swedish (i.e. Asea Meteor) quickly spread out. For example, given its link with Barclays, Bank of Scotland deployed a DACS in 1968 under the 'Scotcash' brand. Customers were given personal code numbers to activate the machines, similar to the modern PIN. They were also supplied with £10 vouchers. These were fed into the machine, and the corresponding amount debited from the customer's account.
A Chubb-made ATM appeared in Sydney in 1969. This was the first ATM installed in Australia. The machine only dispensed $25 at a time and the bank card itself would be mailed to the user after the bank had processed the withdrawal.
Asea Metior's Bankomat was the first ATM installed in Spain on January 9, 1969 in downtown Madrid by Banesto. This device dispensed 1,000 peseta bills (1 to 5 max). Each user had to introduce a security personal key using a combination of the ten numeric buttons. In March of the same year an ad with the instructions to use the Bancomat was published in the same newspaper.
Docutel in the United States (1969)
After looking firsthand at the experiences in Europe, in 1968 the ATM was pioneered in the U.S. by Donald Wetzel, who was a department head at a company called Docutel. Docutel was a subsidiary of Recognition Equipment Inc of Dallas, Texas, which was producing optical scanning equipment and had instructed Docutel to explore automated baggage handling and automated gasoline pumps. In 1969 a venture capital consortium purchased Docutel with the aim of bringing its ATM to market without delay. By 1974, Docutel had acquired 70 percent of the U.S. market; but as a result of the early 1970s worldwide recession and its reliance on a single product line, Docutel lost its independence and was forced to merge with the U.S. subsidiary of Olivetti.
Witzel was recognised by the United States Patent Office as having invented the ATM in the form of U.S. Patent # 3,761,682; the application had been filed in October 1971 and the patent was granted in 1973. However, the U.S. patent record cites at least three previous applications from Docutel, all relevant to the development of the ATM and where Wetzel does not figure, namely US Patent # 3,662,343, U.S. Patent # 3651976 and U.S. Patent # 3,68,569. These patents are all credited to Kenneth S. Goldstein, MR Karecki, TR Barnes, GR Chastian and John D. White.
On September 2, 1969, Chemical Bank installed the first ATM in the U.S. at its branch in Rockville Centre, New York. The first ATMs were designed to dispense a fixed amount of cash when a user inserted a specially coded card. A Chemical Bank advertisement boasted "On Sept. 2 our bank will open at 9:00 and never close again." Chemical's ATM, initially known as a Docuteller was designed by Donald Wetzel and his company Docutel. Chemical executives were initially hesitant about the electronic banking transition given the high cost of the early machines. Additionally, executives were concerned that customers would resist having machines handling their money. In 1995, the Smithsonian National Museum of American History recognised Docutel and Wetzel as the inventors of the networked ATM.
The first modern ATM was an IBM 2984 and came into use at Lloyds Bank, Brentwood High Street, Essex, England in December 1972. The IBM 2984 was designed at the request of Lloyds Bank. The 2984 Cash Issuing Terminal was the first true ATM, similar in function to today's machines and named by Lloyds Bank: Cashpoint. Cashpoint is still a registered trademark of Lloyds Banking Group in the UK, but is often used as a generic trademark to refer to ATMs of all UK banks. All were online and issued a variable amount which was immediately deducted from the account. A small number of 2984s were supplied to a U.S. bank. A couple of well known historical models of ATMs include the IBM 3614, IBM 3624 and 473x series, Diebold 10xx and TABS 9000 series, NCR 1780 and earlier NCR 770 series.
The first switching system to enable shared automated teller machines between banks went into production operation on February 3, 1979 in Denver, Colorado, in an effort by Colorado National Bank of Denver and Kranzley and Company of Cherry Hill, New Jersey.
The newest ATM at Royal Bank of Scotland allows customers to withdraw cash up to £100 without a card by inputting a six-digit code requested through their smartphones.
ATMs are placed not only near or inside the premises of banks, but also in locations such as shopping centers/malls, airports, grocery stores, petrol/gas stations, restaurants, or anywhere frequented by large numbers of people. There are two types of ATM installations: on- and off-premises. On-premises ATMs are typically more advanced, multi-function machines that complement a bank branch's capabilities, and are thus more expensive. Off-premises machines are deployed by financial institutions and Independent Sales Organisations (ISOs) where there is a simple need for cash, so they are generally cheaper single function devices. In Canada, ATMs (also known there as ABMs) that are not operated by a financial institution are known as "white-label ABMs".
In the US, Canada and some Gulf countries, banks often have drive-thru lanes providing access to ATMs using an automobile.
Many ATMs have a sign above them, indicating the name of the bank or organisation owning the terminal and possibly including the list of networks to which it is connected.
ATMs can also be found in railway stations and metro stations. In recent times, countries like India and some countries in Africa are installing ATMs in rural areas, which are solar powered and do not require air conditioning.
Most ATMs are connected to interbank networks, enabling people to withdraw and deposit money from machines not belonging to the bank where they have their accounts or in the countries where their accounts are held (enabling cash withdrawals in local currency). Some examples of interbank networks include NYCE, PULSE, PLUS, Cirrus, AFFN, Interac, Interswitch, STAR, LINK, MegaLink and BancNet.
ATMs rely on authorisation of a financial transaction by the card issuer or other authorising institution on a communications network. This is often performed through an ISO 8583 messaging system.
Many banks charge ATM usage fees. In some cases, these fees are charged solely to users who are not customers of the bank where the ATM is installed; in other cases, they apply to all users.
In order to allow a more diverse range of devices to attach to their networks, some interbank networks have passed rules expanding the definition of an ATM to be a terminal that either has the vault within its footprint or utilises the vault or cash drawer within the merchant establishment, which allows for the use of a scrip cash dispenser.
ATMs typically connect directly to their host or ATM Controller on either ADSL or dial-up modem over a telephone line or directly on a leased line. Leased lines are preferable to plain old telephone service (POTS) lines because they require less time to establish a connection. Less-trafficked machines will usually rely on a dial-up modem on a POTS line rather than using a leased line, since a leased line may be comparatively more expensive to operate compared to a POTS line. That dilemma may be solved as high-speed Internet VPN connections become more ubiquitous. Common lower-level layer communication protocols used by ATMs to communicate back to the bank include SNA over SDLC, TC500 over Async, X.25, and TCP/IP over Ethernet.
In addition to methods employed for transaction security and secrecy, all communications traffic between the ATM and the Transaction Processor may also be encrypted using methods such as SSL.
There are no hard international or government-compiled numbers totaling the complete number of ATMs in use worldwide. Estimates developed by ATMIA place the number of ATMs in use currently at 3 million units, or approximately 1 ATM per 3000 people in the world.
To simplify the analysis of ATM usage around the world, financial institutions generally divide the world into seven regions, due to the penetration rates, usage statistics, and features deployed. Four regions (USA, Canada, Europe, and Japan) have high numbers of ATMs per million people. Despite the large number of ATMs, there is additional demand for machines in the Asia/Pacific area as well as in Latin America. ATMs have yet to reach high numbers in the Near East and Africa.
One of the world's most northerly installed ATMs is located at Longyearbyen, Svalbard, Norway.
The world's most southerly installed ATM is located at McMurdo Station, located in New Zealand's Ross Dependency, in Antarctica since 1997. There are two ATMs at McMurdo, but only one active at any time, that are owned by Wells Fargo and serviced once every two years by NCR.
ATMs are ubiquitous on modern cruise ships and also can be found on some US Navy ships.
An ATM is typically made up of the following devices:
Due to heavier computing demands and the falling price of personal computer–like architectures, ATMs have moved away from custom hardware architectures using microcontrollers or application-specific integrated circuits and have adopted the hardware architecture of a personal computer, such as USB connections for peripherals, Ethernet and IP communications, and use personal computer operating systems.
Business owners often lease ATMs from service providers. However, based on the economies of scale, the price of equipment has dropped to the point where many business owners are simply paying for ATMs using a credit card.
New ADA voice and text-to-speech guidelines imposed in 2010, but required by March 2012 have forced many ATM owners to either upgrade non-compliant machines or dispose them if they are not upgradable, and purchase new compliant equipment. This has created an avenue for hackers and thieves to obtain ATM hardware at junkyards from improperly disposed decommissioned machines.
The vault of an ATM is within the footprint of the device itself and is where items of value are kept. Scrip cash dispensers do not incorporate a vault.
Mechanisms found inside the vault may include:
ATM vaults are supplied by manufacturers in several grades. Factors influencing vault grade selection include cost, weight, regulatory requirements, ATM type, operator risk avoidance practices and internal volume requirements. Industry standard vault configurations include Underwriters Laboratories UL-291 "Business Hours" and Level 1 Safes, RAL TL-30 derivatives, and CEN EN 1143-1 - CEN III and CEN IV.
ATM manufacturers recommend that a vault be attached to the floor to prevent theft, though there is a record of a theft conducted by tunnelling into an ATM floor.
With the migration to commodity Personal Computer hardware, standard commercial "off-the-shelf" operating systems and programming environments can be used inside of ATMs. Typical platforms previously used in ATM development include RMX or OS/2.
Today, the vast majority of ATMs worldwide use a Microsoft Windows operating system, primarily Windows XP Professional or Windows XP Embedded. A small number of deployments may still be running older versions of the Windows OS, such as Windows NT, Windows CE, or Windows 2000.
There is a computer industry security view that general public desktop operating systems(os) have greater risks as operating systems for cash dispensing machines than other types of operating systems like (secure) real-time operating systems (RTOS). RISKS Digest has many articles about ATM operating system vulnerabilities.
Linux is also finding some reception in the ATM marketplace. An example of this is Banrisul, the largest bank in the south of Brazil, which has replaced the MS-DOS operating systems in its ATMs with Linux. Banco do Brasil is also migrating ATMs to Linux. Indian-based Vortex Engineering is manufacturing ATMs which operate only with Linux. Common application layer transaction protocols, such as Diebold 91x (911 or 912) and NCR NDC or NDC+ provide emulation of older generations of hardware on newer platforms with incremental extensions made over time to address new capabilities, although companies like NCR continuously improve these protocols issuing newer versions (e.g. NCR's AANDC v3.x.y, where x.y are subversions). Most major ATM manufacturers provide software packages that implement these protocols. Newer protocols such as IFX have yet to find wide acceptance by transaction processors.
With the move to a more standardised software base, financial institutions have been increasingly interested in the ability to pick and choose the application programs that drive their equipment. WOSA/XFS, now known as CEN XFS (or simply XFS), provides a common API for accessing and manipulating the various devices of an ATM. J/XFS is a Java implementation of the CEN XFS API.
While the perceived benefit of XFS is similar to the Java's "Write once, run anywhere" mantra, often different ATM hardware vendors have different interpretations of the XFS standard. The result of these differences in interpretation means that ATM applications typically use a middleware to even out the differences among various platforms.
With the onset of Windows operating systems and XFS on ATMs, the software applications have the ability to become more intelligent. This has created a new breed of ATM applications commonly referred to as programmable applications. These types of applications allows for an entirely new host of applications in which the ATM terminal can do more than only communicate with the ATM switch. It is now empowered to connected to other content servers and video banking systems.
Notable ATM software that operates on XFS platforms include Triton PRISM, Diebold Agilis EmPower, NCR APTRA Edge, Absolute Systems AbsoluteINTERACT, KAL Kalignite Software Platform, Phoenix Interactive VISTAatm, Wincor Nixdorf ProTopas, Euronet EFTS and Intertech inter-ATM.
With the move of ATMs to industry-standard computing environments, concern has risen about the integrity of the ATM's software stack.
Security, as it relates to ATMs, has several dimensions. ATMs also provide a practical demonstration of a number of security systems and concepts operating together and how various security concerns are addressed.
Early ATM security focused on making the terminals invulnerable to physical attack; they were effectively safes with dispenser mechanisms. A number of attacks resulted, with thieves attempting to steal entire machines by ram-raiding. Since late 1990s, criminal groups operating in Japan improved ram-raiding by stealing and using a truck loaded with heavy construction machinery to effectively demolish or uproot an entire ATM and any housing to steal its cash.
Another attack method, plofkraak, is to seal all openings of the ATM with silicone and fill the vault with a combustible gas or to place an explosive inside, attached, or near the machine. This gas or explosive is ignited and the vault is opened or distorted by the force of the resulting explosion and the criminals can break in. This type of theft has occurred in the Netherlands, Belgium, France, Denmark, Germany and Australia. These types of attacks can be prevented by a number of gas explosion prevention devices also known as gas suppression system. These systems use explosive gas detection sensor to detect explosive gas and to neutralise it by releasing a special explosion suppression chemical which changes the composition of the explosive gas and renders it ineffective.
Several attacks in the UK (at least one of which was successful) have involved digging a concealed tunnel under the ATM and cutting through the reinforced base to remove the money.
Modern ATM physical security, per other modern money-handling security, concentrates on denying the use of the money inside the machine to a thief, by using different types of Intelligent Banknote Neutralisation Systems.
A common method is to simply rob the staff filling the machine with money. To avoid this, the schedule for filling them is kept secret, varying and random. The money is often kept in cassettes, which will dye the money if incorrectly opened.
Transactional secrecy and integrity
The security of ATM transactions relies mostly on the integrity of the secure cryptoprocessor: the ATM often uses general commodity components that sometimes are not considered to be "trusted systems".
Encryption of personal information, required by law in many jurisdictions, is used to prevent fraud. Sensitive data in ATM transactions are usually encrypted with DES, but transaction processors now usually require the use of Triple DES. Remote Key Loading techniques may be used to ensure the secrecy of the initialisation of the encryption keys in the ATM. Message Authentication Code (MAC) or Partial MAC may also be used to ensure messages have not been tampered with while in transit between the ATM and the financial network.
Customer identity integrity
There have also been a number of incidents of fraud by Man-in-the-middle attacks, where criminals have attached fake keypads or card readers to existing machines. These have then been used to record customers' PINs and bank card information in order to gain unauthorised access to their accounts. Various ATM manufacturers have put in place countermeasures to protect the equipment they manufacture from these threats.
Alternative methods to verify cardholder identities have been tested and deployed in some countries, such as finger and palm vein patterns, iris, and facial recognition technologies. Cheaper mass-produced equipment has been developed and is being installed in machines globally that detect the presence of foreign objects on the front of ATMs, current tests have shown 99% detection success for all types of skimming devices.
Device operation integrity
Openings on the customer side of ATMs are often covered by mechanical shutters to prevent tampering with the mechanisms when they are not in use. Alarm sensors are placed inside ATMs and their servicing areas to alert their operators when doors have been opened by unauthorised personnel.
To protect against hackers, ATMs have a built-in firewall. Once the firewall has detected malicious attempts to break into the machine remotely, the firewall locks down the machine.
Rules are usually set by the government or ATM operating body that dictate what happens when integrity systems fail. Depending on the jurisdiction, a bank may or may not be liable when an attempt is made to dispense a customer's money from an ATM and the money either gets outside of the ATM's vault, or was exposed in a non-secure fashion, or they are unable to determine the state of the money after a failed transaction. Customers often commented that it is difficult to recover money lost in this way, but this is often complicated by the policies regarding suspicious activities typical of the criminal element.
In some countries, multiple security cameras and security guards are a common feature. In the United States, The New York State Comptroller's Office has advised the New York State Department of Banking to have more thorough safety inspections of ATMs in high crime areas.
Consultants of ATM operators assert that the issue of customer security should have more focus by the banking industry; it has been suggested that efforts are now more concentrated on the preventive measure of deterrent legislation than on the problem of ongoing forced withdrawals.
At least as far back as July 30, 1986, consultants of the industry have advised for the adoption of an emergency PIN system for ATMs, where the user is able to send a silent alarm in response to a threat. Legislative efforts to require an emergency PIN system have appeared in Illinois, Kansas and Georgia, but none have succeeded yet. In January 2009, Senate Bill 1355 was proposed in the Illinois Senate that revisits the issue of the reverse emergency PIN system. The bill is again supported by the police and denied by the banking lobby.
In 1998, three towns outside Cleveland, Ohio, in response to an ATM crime wave, adopted legislation requiring that an emergency telephone number switch be installed at all outdoor ATMs within their jurisdiction. In the wake of a homicide in Sharon Hill, Pennsylvania, the city council passed an ATM security bill as well.
In China and elsewhere, many efforts to promote security have been made. On-premises ATMs are often located inside the bank's lobby, which may be accessible 24 hours a day. These lobbies have extensive security camera coverage, a courtesy telephone for consulting with the bank staff, and a security guard on the premises. Bank lobbies that are not guarded 24 hours a day may also have secure doors that can only be opened from outside by swiping the bank card against a wall-mounted scanner, allowing the bank to identify which card enters the building. Most ATMs will also display on-screen safety warnings and may also be fitted with convex mirrors above the display allowing the user to see what is happening behind them.
As of 2013, the only claim available about the extent of ATM-connected homicides is that they range from 500 to 1,000 per year in the US, covering only cases where the victim had an ATM card and the card was used by the killer after the known time of death.
Originally developed as cash dispensers, ATMs have evolved to include many other bank-related functions:
In some countries, especially those which benefit from a fully integrated cross-bank network (e.g.: Multibanco in Portugal), ATMs include many functions that are not directly related to the management of one's own bank account, such as:
Increasingly, banks are seeking to use the ATM as a sales device to deliver pre approved loans and targeted advertising using products such as ITM (the Intelligent Teller Machine) from Aptra Relate from NCR. ATMs can also act as an advertising channel for other companies.*
However, several different ATM technologies have not yet reached worldwide acceptance, such as:
In Canada, ATMs are called guichets automatiques in French and sometimes "bank machines" in English. The Interac-shared cash network does not allow for the selling of goods from ATMs, due to specific security requirements for PIN entry when buying goods. CIBC machines in Canada, are able to top-up the minutes on certain pay as you go phones.
Before an ATM is placed in a public place, it typically has undergone extensive testing with both test money and the backend computer systems that allow it to perform transactions. Banking customers also have come to expect high reliability in their ATMs, which provides incentives to ATM providers to minimise machine and network failures. Financial consequences of incorrect machine operation also provide high degrees of incentive to minimise malfunctions.
ATMs and the supporting electronic financial networks are generally very reliable, with industry benchmarks typically producing 98.25% customer availability for ATMs and up to 99.999% availability for host systems that manage the networks of ATMs. If ATM networks do go out of service, customers could be left without the ability to make transactions until the beginning of their bank's next time of opening hours.
This said, not all errors are to the detriment of customers; there have been cases of machines giving out money without debiting the account, or giving out higher value notes as a result of incorrect denomination of banknote being loaded in the money cassettes. The result of receiving too much money may be influenced by the card holder agreement in place between the customer and the bank.
Errors that can occur may be mechanical (such as card transport mechanisms; keypads; hard disk failures; envelope deposit mechanisms); software (such as operating system; device driver; application); communications; or purely down to operator error.
To aid in reliability, some ATMs print each transaction to a roll-paper journal that is stored inside the ATM, which allows its users and the related financial institutions to settle things based on the records in the journal in case there is a dispute. In some cases, transactions are posted to an electronic journal to remove the cost of supplying journal paper to the ATM and for more convenient searching of data.
Improper money checking can cause the possibility of a customer receiving counterfeit banknotes from an ATM. While bank personnel are generally trained better at spotting and removing counterfeit cash, the resulting ATM money supplies used by banks provide no guarantee for proper banknotes, as the Federal Criminal Police Office of Germany has confirmed that there are regularly incidents of false banknotes having been dispensed through ATMs. Some ATMs may be stocked and wholly owned by outside companies, which can further complicate this problem. Bill validation technology can be used by ATM providers to help ensure the authenticity of the cash before it is stocked in the machine; those with cash recycling capabilities include this capability.
As with any device containing objects of value, ATMs and the systems they depend on to function are the targets of fraud. Fraud against ATMs and people's attempts to use them takes several forms.
The first known instance of a fake ATM was installed at a shopping mall in Manchester, Connecticut in 1993. By modifying the inner workings of a Fujitsu model 7020 ATM, a criminal gang known as the Bucklands Boys stole information from cards inserted into the machine by customers.
WAVY-TV reported an incident in Virginia Beach in September 2006 where a hacker who had probably obtained a factory-default administrator password for a filling station's white-label ATM caused the unit to assume it was loaded with US$5 bills instead of $20s, enabling himself—and many subsequent customers—to walk away with four times the money withdrawn from their accounts. This type of scam was featured on the TV series The Real Hustle.
ATM behaviour can change during what is called "stand-in" time, where the bank's cash dispensing network is unable to access databases that contain account information (possibly for database maintenance). In order to give customers access to cash, customers may be allowed to withdraw cash up to a certain amount that may be less than their usual daily withdrawal limit, but may still exceed the amount of available money in their accounts, which could result in fraud if the customers intentionally withdraw more money than what they had in their accounts.
In an attempt to prevent criminals from shoulder surfing the customer's personal identification number (PIN), some banks draw privacy areas on the floor.
For a low-tech form of fraud, the easiest is to simply steal a customer's card along with its PIN. A later variant of this approach is to trap the card inside of the ATM's card reader with a device often referred to as a Lebanese loop. When the customer gets frustrated by not getting the card back and walks away from the machine, the criminal is able to remove the card and withdraw cash from the customer's account, using the card and its PIN.
This type of fraud has spread globally. Although somewhat replaced in terms of volume by skimming incidents, a re-emergence of card trapping has been noticed in regions such as Europe, where EMV chip and PIN cards have increased in circulation.
Another simple form of fraud involves attempting to get the customer's bank to issue a new card and its PIN and stealing them from their mail.
By contrast, a newer high-tech method of operating, sometimes called card skimming or card cloning, involves the installation of a magnetic card reader over the real ATM's card slot and the use of a wireless surveillance camera or a modified digital camera or a false PIN keypad to observe the user's PIN. Card data is then cloned into a duplicate card and the criminal attempts a standard cash withdrawal. The availability of low-cost commodity wireless cameras, keypads, card readers, and card writers has made it a relatively simple form of fraud, with comparatively low risk to the fraudsters.
In an attempt to stop these practices, countermeasures against card cloning have been developed by the banking industry, in particular by the use of smart cards which cannot easily be copied or spoofed by unauthenticated devices, and by attempting to make the outside of their ATMs tamper evident. Older chip-card security systems include the French Carte Bleue, Visa Cash, Mondex, Blue from American Express and EMV '96 or EMV 3.11. The most actively developed form of smart card security in the industry today is known as EMV 2000 or EMV 4.x.
EMV is widely used in the UK (Chip and PIN) and other parts of Europe, but when it is not available in a specific area, ATMs must fall back to using the easy–to–copy magnetic stripe to perform transactions. This fallback behaviour can be exploited. However, the fallback option has been removed on the ATMs of some UK banks, meaning if the chip is not read, the transaction will be declined.
Card cloning and skimming can be detected by the implementation of magnetic card reader heads and firmware that can read a signature embedded in all magnetic stripes during the card production process. This signature, known as a "MagnePrint" or "BluPrint", can be used in conjunction with common two-factor authentication schemes used in ATM, debit/retail point-of-sale and prepaid card applications.
The concept and various methods of copying the contents of an ATM card's magnetic stripe onto a duplicate card to access other people's financial information was well known in the hacking communities by late 1990.
In 1996, Andrew Stone, a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million by pointing high-definition video cameras at ATMs from a considerable distance and recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered. After getting all the information from the videotapes, he was able to produce clone cards which not only allowed him to withdraw the full daily limit for each account, but also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to five years and six months in prison.
An ATM looting is a type of bank robbery in which a series of ATMs are robbed of cash. The thieves do the looting by using identity fraud to create debit cards containing other people's banking information, then they withdraw money from other peoples' bank accounts.
A talking ATM is a type of ATM that provides audible instructions so that people who cannot read a screen can independently use the machine, therefore effectively eliminating the need for assistance from an external, potentially malevolent source. All audible information is delivered privately through a standard headphone jack on the face of the machine. Alternatively, some banks such as the Nordea and Swedbank use a built-in external speaker which may be invoked by pressing the talk button on the keypad. Information is delivered to the customer either through pre-recorded sound files or via text-to-speech speech synthesis.
A postal interactive kiosk may share many components of an ATM (including a vault), but it only dispenses items related to postage.
A scrip cash dispenser may have many components in common with an ATM, but it lacks the ability to dispense physical cash and consequently requires no vault. Instead, the customer requests a withdrawal transaction from the machine, which prints a receipt. The customer then takes this receipt to a nearby sales clerk, who then exchanges it for cash from the till.
A teller assist unit (TAU) is distinct in that it is designed to be operated solely by trained personnel and not by the general public, does integrate directly into interbank networks, and usually is controlled by a computer that is not directly integrated into the overall construction of the unit.
A Web ATM is an online interface for ATM card banking that uses a smart card reader. All the usual ATM functions are available, except for withdrawing cash. Most banks in Taiwan provide these online services.