ATM ITM Threats & How to Prevent Them

Physical and cyber attacks on ATMs and ITMs are a growing threat for community financial institutions — and most institutions are less protected than they think. In this webinar, Cook Solutions Group's Steve Ryker (VP of Security, 34-year banking background) and Daniel Smallwood (VP of Product at the time of recording) walk through the specific attack types CSG's team is seeing in the field, why they're increasing, and the layered security approach that stops them.

This session was originally delivered to a group of Pacific Northwest financial institution security officers and covers both the physical and cyber threat landscape — drawing on real incidents CSG tracked through its Network Operations Center, particularly around the Puget Sound and Tacoma corridor where attack frequency has been highest.

What Types of ATM and ITM Attacks Are Financial Institutions Facing?

Most ATM and ITM attacks fall into two broad categories: physical attacks and cyber-based attacks. Physical attacks tend to occur between 2 and 3 AM — when staff is off duty, law enforcement presence is lowest, and traffic past the location is minimal. Both skilled and unskilled attackers are active, and the damage they cause often runs into the hundreds of thousands of dollars even when they walk away empty-handed.

The most common physical attack types covered in this session include:

  • Hook and chain attacks — Using a heavy stolen vehicle (often a moving truck or large pickup) to attach chains to the ATM or ITM and rip it off the concrete pad. The machine is then transported to a secondary location for cash extraction.
  • Heavy equipment attacks — Stolen front-end loaders or other heavy machinery used to ram or lift ATMs off their mounts and onto flatbed trucks.
  • Rooftop entry — A coordinated attack using ladders to access the roof, cut through, and disable alarms and cameras from inside the ATM service room — allowing extended time to work on the machine undetected.
  • Pry bar attacks — Unsophisticated attempts to force open ATM or ITM safes. Rarely successful at getting cash, but frequently cause total equipment loss.
  • Vandalism — Damage caused by frustrated customers or opportunistic actors, from liquid spills to hammer strikes on the exterior.

What Cyber Threats Target ATMs and ITMs?

While physical attacks get more attention, cyber-based threats are a persistent and evolving risk. ATMs and ITMs are Windows-based computers — and any attack that can compromise a workstation can, under the right network conditions, compromise an ATM.

  • Jackpotting — Attackers gain physical access to the top hat of an ATM (which is not protected by the UL-rated safe), connect directly to the computer inside, and load software that bypasses the host and triggers the cash dispenser to empty the cassette — often in under five minutes.
  • Network-based attacks via phishing — When ATMs are not properly segmented from the institution's production network, a phishing click on a staff workstation can expose the ATM fleet to the same malware. Isolating the ATM network from the general network is critical: a dedicated zone with firewall rules that allow only traffic to the transaction host and an approved administration path, and that deny everything else, including the ATM's own outbound traffic toward staff networks and the internet.
  • Ransomware and malicious software — While not always traditional ransomware, malicious software applied to ATMs and ITMs can lock machines, corrupt data, or extract sensitive information — including check images, account numbers, and electronic journal data stored on the machine's hard drive.
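The segmentation point above is easiest to reason about as a testable policy. The following is an added example, not code from the webinar or from Cook Solutions Group: a small first-match firewall evaluator with a weak ruleset (ATM VLAN routed but unfiltered) beside a segmented one, audited against the flows an ATM must and must not have. The addresses, the transaction host on TCP 443 and the jump host on TCP 3389 are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing for this example; the real fleet layout is not on the page.
ATM_NET = "10.50.0.0/24"      # ATM/ITM VLAN
STAFF_NET = "10.10.0.0/16"    # general staff workstations (where the phishing click lands)
TXN_HOST = "192.0.2.10/32"    # transaction host (RFC 5737 documentation address)
JUMP_HOST = "10.20.0.5/32"    # hardened jump host used for ATM administration
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"


# Weak policy: the ATM VLAN is routed but never filtered, so every staff workstation
# (and the internet) can reach it, and a compromised ATM can reach everything back.
WEAK_RULES: List[Rule] = [
    Rule(ANY, ANY, "any", None, "allow"),
]

# Segmented policy: only the flows an ATM needs, then an explicit default deny.
SEGMENTED_RULES: List[Rule] = [
    Rule(ATM_NET, TXN_HOST, "tcp", 443, "allow"),    # transaction traffic to the host
    Rule(JUMP_HOST, ATM_NET, "tcp", 3389, "allow"),  # administration only from the jump host
    Rule(ANY, ANY, "any", None, "deny"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First-match evaluation, as most firewalls do it. No match means deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in ipaddress.ip_network(r.src):
            continue
        if dst not in ipaddress.ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# What segmentation must guarantee: (description, src, dst, proto, dport, expected action).
REQUIRED_POLICY: List[Tuple[str, str, str, str, int, str]] = [
    ("ATM reaches transaction host",           "10.50.0.7",  "192.0.2.10",  "tcp", 443,  "allow"),
    ("jump host administers ATM",              "10.20.0.5",  "10.50.0.7",   "tcp", 3389, "allow"),
    ("staff workstation cannot reach ATM SMB", "10.10.4.22", "10.50.0.7",   "tcp", 445,  "deny"),
    ("staff workstation cannot RDP to ATM",    "10.10.4.22", "10.50.0.7",   "tcp", 3389, "deny"),
    ("compromised ATM cannot move laterally",  "10.50.0.7",  "10.10.4.22",  "tcp", 445,  "deny"),
    ("ATM cannot reach the internet",          "10.50.0.7",  "203.0.113.9", "tcp", 443,  "deny"),
]


def audit(rules: List[Rule]) -> List[str]:
    """Return a description of every required flow the ruleset gets wrong."""
    violations = []
    for desc, src, dst, proto, dport, expected in REQUIRED_POLICY:
        got = evaluate(rules, src, dst, proto, dport)
        if got != expected:
            violations.append(f"{desc}: expected {expected}, got {got}")
    return violations


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{name}: {audit(rules) or 'OK'}")
```

The useful habit is the REQUIRED_POLICY list: write down the flows the ATM must have and the ones it must never have, then re-run the audit whenever the firewall changes, rather than trusting that a VLAN alone is segmentation.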

The Five Essential Layers of ATM and ITM Protection

Daniel Smallwood outlines five protection layers that every institution should evaluate for their ATM and ITM fleet. No single measure is sufficient — the goal is to make your locations the ones bad actors choose to avoid.

  1. Alarm coverage — including the top hat. Most ATM alarms only protect the safe door. The computer inside the ATM lives in the top hat, which has no factory alarm contacts. Adding top hat door contacts closes a critical blind spot that skilled attackers actively exploit for jackpotting and cyber attacks.
  2. Overview cameras. The camera inside an ATM or ITM is mounted to the top hat — which means if the top hat is flipped open or spray-painted, you lose your video record. An exterior overview camera mounted to the building or overhang captures the full scene: approach, vehicle, license plate, and the sequence of events. This is what investigators and law enforcement actually need.
  3. Endpoint protection on the ATM computer. Antivirus, anti-malware, and application whitelisting software should be deployed on every ATM and ITM — treated the same as any other Windows endpoint in the institution's IT environment. Talk to your ATM vendor and your IT team about what's currently in place.
  4. Hard drive encryption. ATMs and ITMs store sensitive data: electronic journal records, partial and full account numbers, and check images on imaging-capable machines. Hard drive encryption ensures that data is unreadable if the computer is removed or the drive is extracted.
  5. Windows security patch management. ATMs run Windows and need to be patched on the same schedule as servers and workstations, coordinated with the ATM vendor so that updates do not break the application stack. Unpatched machines are exposed to known vulnerabilities: WannaCry, which spread through an unpatched SMB flaw (MS17-010), is the most cited example, but new CVEs continue to emerge. Patching should be treated as a routine maintenance requirement, not an afterthought.
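Layer 3 names application whitelisting as the control for the ATM computer. On a fixed-function device that is a natural fit: the set of executables is small and known, so anything not on the list is a finding. The following is an added example, not code from the webinar or from Cook Solutions Group, of a hash-based allowlist audit: a constructed gold image is baselined, then tampering is simulated (a dropped cash-out tool, a patched XFS layer, a removed endpoint agent) and the audit reports the three kinds of deviation. File names and contents are invented for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# File types the allowlist governs on the ATM's Windows image (assumption for the example).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_executables(root: Path) -> Dict[str, str]:
    """Map each executable under root (path relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def audit_image(root: Path, allowlist: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare what is on disk with the gold-image allowlist.

    unknown  : executables present that were never approved (e.g. a dropped jackpotting tool)
    modified : approved paths whose hash no longer matches (tampered or trojanised binary)
    missing  : approved binaries that are gone (a disabled agent or service)
    """
    present = hash_executables(root)
    return {
        "unknown": sorted(set(present) - set(allowlist)),
        "modified": sorted(p for p in present if p in allowlist and present[p] != allowlist[p]),
        "missing": sorted(set(allowlist) - set(present)),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Build a constructed gold image, audit it, simulate tampering, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed gold image: names are illustrative, not real ATM vendor files.
        _write(root, "app/atmapp.exe", b"MZ atm application v1")
        _write(root, "xfs/xfsmanager.dll", b"MZ xfs manager v1")
        _write(root, "av/agent.exe", b"MZ endpoint agent v1")
        _write(root, "app/config.ini", b"host=192.0.2.10")  # not executable, ignored
        allowlist = hash_executables(root)
        clean = audit_image(root, allowlist)

        # Simulated attacker with top-hat access: drops a dispenser tool, patches the
        # XFS layer the dispenser is driven through, and removes the endpoint agent.
        _write(root, "tools/dispense.exe", b"MZ cash-out tool")
        _write(root, "xfs/xfsmanager.dll", b"MZ xfs manager v1 + hook")
        (root / "av/agent.exe").unlink()
        compromised = audit_image(root, allowlist)
    return {"clean": clean, "compromised": compromised}


if __name__ == "__main__":
    for state, findings in demo().items():
        print(state, findings)
```

A real deployment enforces the list at execution time (the allowlisting product does that); the audit above is the complementary check that the image on each machine still matches the baseline you approved, which also catches an agent that was quietly uninstalled.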

Additional Deterrence and Detection Measures

Beyond the core five, the webinar covers several additional measures that are gaining traction with CSG's financial institution clients:

  • Sirens and strobes on alarm trigger. Counterintuitively, making a loud visible response to an alarm — rather than a silent alert — is highly effective at aborting attacks in progress. Attackers on-site are on high alert, and any unexpected stimulus tends to cause immediate retreat. Even a few minutes of deterrence can prevent total equipment loss.
  • Video analytics with action triggers. Modern camera systems can be configured to detect specific objects — chains, large vehicles, unusual activity in a drive-up lane at 3 AM — and trigger immediate notifications. This moves surveillance from a post-incident forensic tool to a real-time deterrence and response system.
  • GPS trackers in ATM cassettes. Chip-based tracking devices embedded in cash cassettes or inside ATM enclosures allow law enforcement to locate stolen machines and assets after an attack. The technology has improved significantly and is increasingly cost-effective for institutions that have experienced or are at high risk of hook and chain attacks.
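The top-hat contacts from layer 1, the siren-and-strobe response, and the video analytics triggers above only work together if something turns raw sensor events into the right response at the right time. The following is an added example, not code from the webinar or from Cook Solutions Group, of that correlation logic over constructed sample events: an unscheduled top-hat opening triggers the loud response, an after-hours vehicle in the drive-up lane raises a warning, and an impact/tilt event shortly after that vehicle is escalated as a hook-and-chain attempt in progress. The 01:00 to 04:00 window, the two-minute correlation interval, the service-window format and the action names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple

# Assumptions for this example: after-hours is 01:00-04:00 local (the webinar puts most
# physical attacks at 2-3 AM) and a vibration/tilt event within two minutes of a vehicle
# detection is treated as a hook-and-chain attempt in progress.
AFTER_HOURS = (time(1, 0), time(4, 0))
VEHICLE_CORRELATION = timedelta(minutes=2)

# An approved service window is (atm_id, start, end); anything opened inside it is routine.
ServiceWindow = Tuple[str, datetime, datetime]


@dataclass
class Alert:
    atm_id: str
    at: datetime
    severity: str          # "info", "warning" or "critical"
    reason: str
    actions: List[str] = field(default_factory=list)


def in_service_window(atm_id: str, t: datetime, windows: List[ServiceWindow]) -> bool:
    return any(a == atm_id and start <= t <= end for a, start, end in windows)


def after_hours(t: datetime) -> bool:
    return AFTER_HOURS[0] <= t.time() <= AFTER_HOURS[1]


def assess(events: List[dict], windows: List[ServiceWindow]) -> List[Alert]:
    """Turn raw sensor/analytics events into alerts carrying the response to trigger."""
    alerts: List[Alert] = []
    last_vehicle: Dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        atm, sensor = ev["atm_id"], ev["sensor"]
        scheduled = in_service_window(atm, t, windows)

        if sensor in ("top_hat", "safe_door") and ev.get("state") == "open":
            if scheduled:
                alerts.append(Alert(atm, t, "info", f"{sensor} opened during approved service", ["log"]))
            else:
                # The top hat has no factory contacts; an added contact opening unscheduled is
                # the jackpotting precursor, so respond loudly and immediately.
                alerts.append(Alert(atm, t, "critical", f"{sensor} opened outside service window",
                                    ["siren_strobe", "notify_noc", "snapshot_overview_camera"]))
        elif sensor == "vehicle_in_lane":
            # Daytime vehicles are customers; only after-hours presence is interesting.
            if after_hours(t):
                last_vehicle[atm] = t
                alerts.append(Alert(atm, t, "warning",
                                    f"{ev.get('object', 'vehicle')} in drive-up lane after hours",
                                    ["notify_noc", "record_overview_camera"]))
        elif sensor == "vibration":
            seen = last_vehicle.get(atm)
            if seen is not None and t - seen <= VEHICLE_CORRELATION:
                alerts.append(Alert(atm, t, "critical", "impact/tilt shortly after vehicle in lane",
                                    ["siren_strobe", "notify_noc", "notify_law_enforcement"]))
            elif not scheduled:
                alerts.append(Alert(atm, t, "warning", "impact/tilt with no service scheduled",
                                    ["notify_noc"]))
    return alerts


# Constructed sample events (local time); not data from the webinar.
SAMPLE_EVENTS = [
    {"time": "2024-03-12T14:05:00", "atm_id": "ATM-01", "sensor": "top_hat", "state": "open"},
    {"time": "2024-03-13T02:41:00", "atm_id": "ATM-02", "sensor": "top_hat", "state": "open"},
    {"time": "2024-03-13T02:55:00", "atm_id": "ATM-03", "sensor": "vehicle_in_lane", "object": "large truck"},
    {"time": "2024-03-13T02:56:10", "atm_id": "ATM-03", "sensor": "vibration"},
    {"time": "2024-03-13T10:30:00", "atm_id": "ATM-04", "sensor": "vehicle_in_lane", "object": "car"},
]
SERVICE_WINDOWS: List[ServiceWindow] = [
    ("ATM-01", datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 15, 0)),
]


def run_sample() -> List[Alert]:
    return assess(SAMPLE_EVENTS, SERVICE_WINDOWS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.at, a.atm_id, a.severity.upper(), a.reason, a.actions)
```

The service-window lookup is what keeps the siren from firing on every legitimate cash load, and the vehicle-plus-vibration correlation is what turns the overview camera from a forensic record into a trigger; both depend on the NOC keeping the schedule and the analytics feed current.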