Protect Your ATMs From Top Hat Attacks

posted by Mike Burke on Thursday, December 14, 2023 in SHAZAM Blog

ATMs have become an attack vector for fraudsters who deploy a number of tactics to access the machines. Criminals compromise ATMs by installing skimming devices, executing hook and chain attacks and orchestrating “top hat” attacks.

Recently, we’ve seen an uptick in top hat attacks, where persistent fraudsters work to gain access to the upper enclosure (top hat) of machines.

Tips for Layered Top Hat Security

As fraudsters continue to hone their tactics and identify top hat weaknesses, here are some tips to protect your machines from top hat attacks:

Control ATM access. Have a policy and procedure in place to document the names of technicians who are approved to service your ATMs, along with their working hours. Including photos of approved technicians with your documentation may be helpful, as there have been instances of criminals using fake identification to gain access.

Additionally, set up a system to record where and when approved technicians access your ATMs. Once a system is in place, share the names of those who are allowed to access your ATMs with staff. This is especially critical for ATMs with exposed upper enclosures in remote locations, including convenience stores, malls and hotels.

Rekey the top hat lock. Make it a practice to replace top hat keys to prevent readily available universal keys from opening ATMs.

Alarm the top hat. Add an alarm system that notifies your financial institution and law enforcement any time an unauthorized person attempts to break into one of your machines.

Video surveillance. To catch a criminal, you need proof. Video security systems record and store video with time stamps. If a criminal attempts to attack one of your ATMs, having visual evidence of when and where the attack took place will assist law enforcement in arresting and prosecuting the individuals responsible.

There’s no single solution to protect your ATMs from criminals. We encourage you to take a multi-layered approach and routinely review your policies and procedures to account for emerging security risks.

SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney. 

