Why a two-day conference about ATM security?
There are the sheer numbers – 60,000, Alan Townsend, the ATM Industry Association’s European security advisor, told Professional Security over lunch. And you can expect tens of thousands more. And use of cash keeps rising, though use of electronic cash is rising more. The cash in transit (CIT) sector moves billions of pounds around the UK each week. Most of the banknotes keep going into and coming out of cashpoint machines. The ATMs, and the cash in transit crews or whoever feeds money into the machines, are targets for thieves. Why should that bother you, if you are not in CIT or banking? Because, as one of the speakers, Adrian Hazard, group corporate security manager at Alliance and Leicester, put it, ATMs are on the high street, in universities, hospitals, train and other transport hubs, in convenience stores.
But first, the ATM Industry Association’s conference at the Radisson SAS Hotel in Portman Square, London W1 on October 23 and 24 was a European affair. Some visitors were from the Continent. During a coffee break a slim man walked towards me. I shook his hand warmly because I saw from his event badge that he was Audrius Sapola, head of security for SEB Vilniaus Bankas. He’s been Vilnius security man at that Swedish-owned bank for four months. Previously as security and safety manager for the Baltic oil firm Lietuva Statoil, he’s been in the magazine a few times, most recently July 2004 as a user of digital CCTV to combat forecourt crime. Now in a new sector, he was in London for both days of the conference. He’s taking a security and risk management distance learning course with the University of Leicester.
As Audrius said, things are changing very quickly. Think about it – imagine, 25 years ago, that a Lithuanian could work for a Nordic bank, and visit London?! And who would have predicted cash machines in pubs? The companies providing ATMs suggest tens of thousands more machines, still to come, offering more services, banking and others. The list of attenders too shows how wide ATMs are affecting business. Former loss prevention man Les Kynaston is ATM security manager for Tesco Personal Finance; ben Birtwistle is ATM fraud control manager, Royal Bank of Scotland Group; Charlie Woodhead is fraud detection services team leader, at LINK Interchange Network Ltd. That’s the company that operates the LINK cash machines, connecting 58,000 cash machines. It incidentally saw a record £16.5 billion withdrawn from its ATMs in December 2005. In a word, ATMs are good to have in-store – they draw customers. But criminals too. Audrius Sapola incidentally reported that ATM crime is not a big problem in Lithuania. Yet.
Adrian Hazard, a member of the British Bankers’ Association security liaison group (SLG) has a 20-year background in financial services. He described Alliance and Leicester’s ‘hybrid ATM estate’. For the last ten years the Leicester-based bank’s physical security manager, he is also in charge of internal investigations of fraud. In 2006, the bank had 2500 ATMs, compared with 500 in 1999. They are in the bank’s 254 high street branches; leisure centres; petrol stations; post offices. Largely replenished by CIT crews, some cashpoints are ‘self-fill’, by the retail host with cash from the retailer. The prospect is of more in-bank ATMs, as the Alliance and Leicester looks to make its branches more self-service and open-plan. Hence the bank has a dedicated ATM business unit, which works with the bank’s corporate security department; and security companies G4S, Reliance Security Services, Secure Options, and Initial Electronic Systems. Only from 2001 did the bank see ATM attacks. By 2005, robberies of banks fell to a handful, an all-time low. Since 2003, attacks on CIT have become a primary concern, Adrian Hazard added. He showed a photograph of a ram-raid by a JCB on a through-the-wall ATM, in a purpose-built room attached to a petrol station. Criminals have: used (half-heartedly) crowbars, or drills; tried to cut through adjoining walls; threatened bank staff replenishing branch ATMs; done an attack even where there was 24-hour guarding; in another case, man-handled a ATM down three flights or stairs. In sum, criminals are well-organised and violent. In one 2005 case, criminals ram-raided a convenience store while staff were carrying out a morning replenishment. Last but not least, customers have been attacked while using ATMs, although Adrian Hazard added, such crimes are few compared to the billions of transactions at the machines. He spoke of criminals staging diversions to minimise the risk of a police response to an ATM robbery. And – a point that cropped up with other speakers – just as the security guys learn; so do the criminals. On the banks’ side, besides the loss of cash, there is, Adrian Hazard detailed, collateral damage; insurance implications; and a negative press, in what is an increasingly competitive banking market-place.
As for counter-measures, since 2002 the Alliance and Leicester has required a basic security assessment of a third party ATM installation. If the location scores below a risk assessment threshold, it’s referred to Adrian Hazard’s team. It’s for them to consider lighting, signage, and other factors; and an installation can be rejected on security grounds. With Reliance and Initial Electronic, the bank has an alarm response service. In Northern Ireland, because of the fear of tiger kidnap – bank staff being forced to do as criminals say, because the employee’s family is held hostage – G4S replenishes the bank’s ATMs, not staff.
Among the bank’s security measures are signs (to tell criminals of time delays, or locking bars), ATM ‘pods’ or purpose-built rooms as a secure area for CIT to replenish ATMs. But, Adrian Hazard added, even these do not deter ‘duress attacks’ – robbers using or threatening violence against staff. Other measures are overt – footplates painted yellow, anti-drill bars painted red, so that an ATM unit is not damaged and can stay in service. He ended with a look into the future, welcoming a recent downturn in the volume of attacks. He praised some police force operations – such as Bandsaw (West Yorkshire) and Arctic (Norfolk, Suffolk and Cambridgeshire) – that did lead to a dip in attacks, he said. "However, I see our biggest risk as complacency," he said. "Th criminals clearly have not gone away. The ATM estate will grow into new and challenging sectors with the public’s need for access to cash remaining and the financial services sector looking for cost-effective ways of providing this." Industry and law enforcers need to co-ordinate, he stressed. Yet some police forces are not ‘switched on’ to ATM crime, he said; one force, he claimed, classifies well-organised ATM attacks simply as criminal damage. Or, police have failed to gather basic evidence from a scene, such as CCTV footage. Some banks still do not report attacks, nor share information. That is, despite the competition between banks, they have to share information, he argued, because ‘my problem today could be yours tomorrow’. As for the speed of innovation, security products to deal with specific criminal methods, Adrian Hazard spoke of time from design to manufacture being weeks. He summed up: "As an industry we have been playing catch-up over the last three to four years, and in some ways we always will be. However I feel we have come a long way in the last three or four years."
Earlier, David Anscombe, national security manager for Abbey, and chairman of the British Bankers’ Association’s (BBA) security liaison group (SLG). Abbey unlike most banks and building societies replenishes its ATMs between 6pm and 6am, because there is then no risk to staff or customers, and little or no disruption to day-time services. The downside, he admitted, is that such night visits are fairly regular. In Abbey’s case, by 2001 the bank realised it was becoming a target for ATM criminals: as David Anscombe put it: "Just to say we were losing a few bob." The bank moves £1.3 billion a month in ATM money. He described a physical security product that had cut losses for Abbey; locking bars, one barring each cassette that holds banknotes inside the machine. After a trial at seven sites, installation levelled out in 2006, at more than 1100. The bank has 1400 branches. While the number of attacks on its ATMs hasn’t really changed, Dave Anscombe reported, across the banking industry such attacks have gone up. He showed photographs of the mangled backs of ATMs – a success, he said, because the ATM held thanks to the bars. Criminals have used sledgehammers, even industrial cutters. Dave Anscombe, a former Met Police Flying Squad man, has been 11 years at Abbey, security manager there for four years, and recently has had a retail facilities role added. As he put it, it has made his work ‘varied’: "One day I am head of the hostage team for the Abbey in the UK and the following day I am dealing with toilet rolls; I am pleased to say I spend more time dealing with toilet rolls than hostages." The SLG dates from 1996, members coming from the major English and Scottish retail banks. Don Randall of JP Morgan is a link to City banks, Dave Anscombe reported, for schemes such as Project Griffin. On 7-7, as intended in Project Griffin, banks in London that have signed up to Griffin allowed some of their security staff to assist police. The Building Society Association runs its own SLG.
From 1999, the BBA’s SLG changed focus as work against fraud went to APACS, the Association for Payment Clearing Services. BBA SLG is now a forum covering emerging physical security threats and trends. It meets every couple of months; and topics include terrorism, ACPO, CIT, robberies; training; exchange of information; new equipment; and a reward scheme for criminal convictions. Dave Anscombe, like Adrian Hazard, spoke of Irish banking security ‘voluntary’ standards, that mean unless you invest in CCTV, banknote degradation (when stolen, the notes are stained and ruined) and other security products, you do not get insurance – in other words, the requirements are in fact mandatory. Police attenders are generally from the City of London force, or Ken Meanwell, ACPO’s intruder alarm man. In Dave Anscombe’s words: "He talks about three minutes then gets a barrage of questions." That is, bank security people take issue with ACPO alarm response requirements; Dave Anscombe spoke of changes to Abbey alarm panels costing the bank £3m. As for CIT, a separate working group is looking at banking hall attacks, particularly in London. He said: "We are looking towards best practice, things like: should there be an airlock; are the transfer hatches appropriate for the [cash] boxes being used?" Expect, he added, banking hall security guidelines by early next year.
In other words, the UK’s six or seven thousand bank branches have the same security problems ; and banks have invested in robbery reduction, and target hardnening. Training for branch staff is imperative, but Dave Anscombe spoke of a big turnover of staff, across the industry, adding: "We know more about our customers than we do about our staff; and that’s very true." Yet regional managers are looking after 30 to 40 branches, and training for their staff is not always high on those managers’ lists – because they are there to make money, like anybody else. The SLG is looking at renewing an old hostage training video, Benefit of Hindsight. As Dave Anscombe put it: "I am not saying it’s old, but there’s people wearing flared trousers [in the video]." As for exchanging information, he spoke of standardised reports to the BBA, for others such as the police to access.
Other speakers over the two days were Paul Fullicks, security director, Securitas Cash Handling Services Europe; Steve McGregor, of De La Rue Currency, on counterfeit notes; martin Lewis, manager of the fraud control unit at APACS, on the impact of Chip and PIN; and consultant Dave Easy, on co-ordinating crime data with law enforcers.
About the ATM Industry Association
A worldwide trade association, it has published security and other ATM manuals. It is drafting best practices for preventing insider fraud. Online, members can access a fraud reference library and crime database.
