Moving Money: the ATM makers’ view of the future
The received wisdom in some quarters is that cash is dying, hastened to its welcome grave by the rise of mobile banking and payments mechanisms.
It ought to follow, then, that the days of the hole in the wall cash dispenser are equally numbered. If that’s the case, the manufacturers of ATMs are all being remarkably sanguine.
Far from being displaced by mobile technology, all of the major makers are embracing mobile to their corporate bosom as a channel that integrates well with the ATM – and with the point-of-sale devices they all sell to retailers – and that consumers are embracing with equal enthusiasm.
“We are certainly seeing more transactions going through the mobile channel, but it is early days and there is still a need for the endpoint redemption of cash,” said Owen Wild, global marketing director for financial services security solutions at NCR. “It is still very early for the full mobile channel to fulfil the needs cash, whether it’s staging on a mobile or other forms of authentication at some point. There is a need to go to some centre and issue the cash.”
At Diebold, Jim Block, director of advanced technology development, is in broad agreement. “Where I think it starts to diverge between mobile and cashless is that mobile can be a channel to actually get cash,” he says. “A rise in digital payments does not necessarily equate to a decrease in cash payments – notes in circulation are up and value in circulation is up. Most experts say that [cash] is going to be at this level at least until the end of the decade, but you are also going to see this increase in digital payments and we’re sitting in an interesting place to help translate that move. I think the most important thing to be tuned into is that society wants these changes – to be mobile is clearly a mechanism that people want to use, you see that across many industries. What it boils down to is a transformation from physical to digital and digital to physical and the ATM can play a part in that alongside the mobile.”
Over at Wincor Nixdorf, Reinhard Rabenstein, senior vice president and chief technology officer (right), says the rise of mobile is a driver for greater channel integration at banks. “We are very much working on seamless integration of channels and process automation and have been for years,” he says. “If you go to a traditional bank today you will recognise that all of the channels are still organised as silos. They are more or less working independently. I strongly believe there is a chance to make it more efficient and, for a cost point of view, a much more attractive place.”For Wincor, he says, this means that the strategy is to “reduce the complexity of the channel infrastructure”. He points out that with the current generation of ATMs the full package of software is resident in the device. “We are taking it off the ATM, decentralising the logic and creating a net-centric paradigm,” he says. “There is only one key goal which is eliminating the software complexity.”Rabenstein goes further, suggesting that the ATM is actually the best place to start integrating channels. “The interoperability between a mobile phone and the other channels can only be organised if it It is integrated with those other channels and everything comes together at a central point,” he said, adding that Wincor is currently working with customers the UK and Europe to deploy this net-centric architecture, though he declines to name customers.
ATM Security: NCR’s approach
Given that they are essentially boxes full of money, it’s hardly surprising that ATMs have been subject to attack since the beginning – early thieves would drive up with a forklift truck and steal the whole caboodle before retiring to somewhere to open the box at their leisure.
Best known are the card cloning and skimming attacks, where devices are attached to the ATM to capture the security details of legitimate users’ cards that can then be used to remove money.
Such attacks have increased in sophistication over the years, as have the defences against them, with physical changes to the reading mechanism and the addition of jamming devices to interfere with the skimming equipment, but it is a constant arms race.
“Clearly all of the same type of threats and attacks are happening as in the past – the list has got longer, but the big ones are still the big ones,” says Owen Wild, global marketing director for financial services security solutions at NCR. “If anything, what we’re seeing is a continuing evolution of sophistication: we’re certainly seeing more logical, software-driven attacks starting to emerge. Unfortunately, we are seeing more explosive attacks, particularly in Europe.”
Explosive attacks – it’s not a euphemism or piece of jargon: the criminals blow the ATM up with explosives to get at the money – have been increasing over the past few years, with a concentration initially in African countries, and generally where the device is relatively exposed, such as away from bank premises in shopping malls.
“We continue to expand how we look at the threats – it can’t be one simple solution that mitigates everything,” says Owen.
His colleague Jack Mannion, director of solutions management at NCR Financial Solutions, outlines two situations. “There are straightforward ATM attacks and there are also the kinds of attacks where the bank network is compromised, in which the ATM is used as a vehicle to deliver the cash,” he says.
He adds that a problem for all of the manufacturers is that as the ATM estates of banks around the world ages – and many are well past their replacement date, to the point where there are products out there that they don’t technically support anymore – opportunities are being created for the criminals. “Yes, we are seeing more logical attacks but we are also seeing criminals targeting old technology,” he says. “We are seeing criminal gangs physically stealing the key parts of the ATM taking them away and reverse engineering them to understand how they work. Not all of our customers stay up-to-date with all the latest patches and if you don’t maintain that level you do leave yourself more vulnerable. At the layman level we could liken it to McAfee bringing out the latest version of their product every year, but the customer still has to implement it.”
NCR is responding by trying to shorten its response cycle, and becoming more proactive in implementing what it has learnt from criminal attacks in the past few years. For instance, Mannion points to the emergence of “stereo skimming” – where the device is capable of disabling the anti-skimming measures. “We’d thought it could happen, so we were ready when we started to see it,” he says.
NCR has developed a Skimming Protection System that is intended to shorten the response time to new attack vectors. “It’s a long game with SPS,” says Mannion. “If a new type of attack happens, traditionally what we do is do is design a new device, and certify it with customers. With SPS we’re aiming for a channel where we can add new devices without certification – we are not at that stage yet because there is so much that has to happen and there is a lot of software out there that we will need to support it, but it’s all part of staying ahead of the curve. It’s more of a philosophy for us right now we have released the base model, if you want to think of it like that, and we will we will continue to grow it.”
Such is the importance of the ATM in banking channels that vendors are no longer just the ATM guys, he argues. “Software is the key differentiator for the future – though the ATM is the heart of the business along with our retail point-of-sale – if you look at the business you can generate out of an ATM and the services you can offer,” says Rabenstein. “We are developing services that helps us in two ways. One is organising productivity in very different ways, and the second to reduce the total cost of ownership. Hardware is only around 18% of the cost of an ATM deployment over an average lifetime of eight years. We can look at that remaining 82% and improve services offerings, software deployments, customisation and other aspects of that. “We are developing software suites that allows the customer to save maybe 8-10% of the costs over the years. This can only be done if the banks are moving away from the silo-based proprietary software stack.”
At the same time, this will allow the vendors and the user banks to deploy innovation (and security modifications) more rapidly.
“The question is how we can integrate innovations into the ATM faster,” says Rabenstein. “For example, why was it so hard to introduce cash recycling? Because the acquirers had built-in protocols that were developed 30 years ago at a time when there was nothing known about cash recycling or mobile.”
Diebold’s Block agrees: “That’s another trend that will be faced in the industry – we have to change the way the ATMs are deployed and managed. Your iPhone or any other mobile device is constantly being updated. We have got to get to the point where ATM networks can react as quickly to consumer’s needs and desires as other devices are refreshed. That’s not an easy task especially in an industry as staid as banking.”
Like Wincor Nixdorf, Diebold also sees this as meaning the ATM devices will become less autonomous. “One of the things we will see is more functionality being moved back from the terminal,” says Block. “I think it will be a gradual process because there are economics involved, capital flow and all of the things of the banks has to worry about but eventually the value of the estates is going to be so diminished they have to consider upgrades.”
In doing so, the vendors will likely have to collaborate more than they already do, says Rabenstein. Microsoft’s Windows XFS – eXtensions for Financial Services – is already being used as a common platform, but he says it needs to go further. “We have to think about the flexibility and standardisation of the application platform with XFS,” he says. “I am 100% sure that we will see in the future app stores coming that are integrated into the ATM networks, so there is one engine that does acquiring and issuing in the old-style but on the other the ATM could be connected to a factory of services that provides interesting functions.”
He cites the example of instantly offering overdrafts or loans at the ATM using real-time interfaces to a credit scoring system, something that one of the company’s Australian customers is currently trialling.
“That’s just one value-added service that you can provide immediately and quickly to the channel. In a multichannel world that same functionality can be called by the internet banking service or by your mobile phone. So regarding the future of cash, yes, the mobile channel will take over more and more of the transactions: in 2014 the industry is expecting 158 billion transactions via the mobile channel – that’s seven times more than four years ago – but the ATM will have a role.”
Block says that it will also have a role in the bank’s relationships with account holders, which is another reason for keeping the estate up do date, “The ability to maintain current and fresh capabilities and functionalities in as friction-free a manner as the mobile does is key. The other thing is being integrated into the banking enterprise in general: you have to think of the ATM as a thread in your enterprise not as something that is a channel in its own right,” he says. “If you end up with the machine that is the most antiquated and degraded, then the customers are going to walk to the next block and use someone else’s.”