Editor’s Note: The following was written by Conrad Storz, owner of Storz Cash Services in Jeffersonville, Indiana, regarding his recent ATM troubles. We always encourage operators to write to us about any issues they’re facing – for publication or not.
Statement of Concern Regarding Security and Communication Practices in ATM Transaction Processing
As the operator of a fleet of ATMs, I feel compelled to raise serious concerns about how this industry responded to recent cyberattacks that targeted remote management systems (RMS).
These incidents appear to have exploited known vulnerabilities in backend systems managed entirely by the provider. Unfortunately, security updates that could have reduced the impact or prevented the breach – particularly a specific software version designed to block unauthorized remote configuration changes – were not made available as approved versions until after the attacks occurred. To the best of my knowledge, that software version, or iterations of it, had been available elsewhere for some time but had not been approved or distributed for operator use.
This delay in providing a critical update raises questions about the timeliness of communication and the effectiveness of preventative protocols. ATM operators depend on their providers not only for secure infrastructure but also for timely access to the tools necessary to protect their equipment and customers.
Compounding the issue, the messaging received during the breach advised operators to reconnect affected ATMs to the RMS and stated:
“The impacted ATMs had security and configuration items changed that can leave your ATM open to other attacks. Connecting to RMS allows you and or your provider to confirm that your machine has been corrected.”
This guidance left significant ambiguity. It was unclear whether the changes referenced were made by malicious actors or through provider-driven adjustments. Additionally, the suggestion to reconnect to a system that had recently been compromised raised concerns about whether such a step would meaningfully enhance security. Greater technical clarity would have helped operators make informed decisions during a critical window of risk.
Further, some of the recommended responses – such as password changes – represent general good practices but were not sufficient to address the specific threat vector at hand. These measures, while well-intentioned, did not reflect the nature of an attack that originated beyond the operator’s control.
As an independent operator, I rely on the security posture and responsiveness of the providers I work with. I respectfully urge all ATM transaction processing providers to consider the following steps for future incidents:
- Publish a detailed and timely account of vulnerabilities and how they were exploited.
- Ensure critical security updates are made available to operators as soon as they are validated.
- Provide clear, technically specific remediation guidance during and after security events.
- Avoid language that places undue burden on operators for systemic issues outside their control.
- Commit to greater transparency, accountability, and collaboration with field operators.
The trust between ATM providers and operators is built on shared responsibility and clear communication. I hope these suggestions will help improve how we respond to future threats – together.