
Preventing transaction reversal fraud at the ATM
While the industry has made tremendous strides against schemes like skimming and jackpotting, a sophisticated type of physical-digital attack known as transaction reversal fraud (TRF), or ATM remote reversal fraud, poses a rising threat. Unlike brute-force cash-out schemes, TRF exploits a fundamental security feature designed to protect customers and turns it against ATM owner/operators. The result is an almost invisible theft. For ATM owners/operators focused on protecting assets, understanding and proactively mitigating this vulnerability is critical to sustaining a secure and resilient ATM fleet.
How TRF works
Transaction reversal fraud is a manipulation scheme that exploits an ATM’s cash dispensing process to steal currency while tricking the host system into believing the transaction failed. The central component of this attack is the ATM’s built-in transaction reversal logic. This logic is a customer safeguard: if an ATM prepares to dispense cash but registers an error condition (such as a power failure or a sensor fault indicating that the cash was not taken), it instructs the host system to reverse the debit so the customer’s account is not charged for cash that was never received.
Message authentication codes (MACing) are an effective strategy for preventing TRF attacks.
In the classic TRF attack, there is one reversal per transaction, triggered by a physical fault (e.g., “cash not taken”). Here’s how the process typically unfolds:
- Transaction initiation. A criminal, often using a prepaid or compromised card, initiates a cash withdrawal.
- Cash presentation. After authorization, the ATM begins the dispense sequence, where the cash is pre-positioned behind the shutter, ready for the consumer to take.
- Physical manipulation. As the cash is presented, the fraudster physically interferes with the mechanism. This might involve using a thin metal strip or other obstruction to block the cash’s exit or disrupt the optical sensors that confirm the bills were removed.
- Error and reversal. The obstruction causes the ATM to register a fault (e.g., “cash not taken” or “dispenser jam”), so it executes its safeguard protocol and sends a message to the host to reverse the transaction and credit the withdrawal back to the customer’s account.
- Cash seizure. The criminal quickly removes the physical obstruction and seizes the cash before the machine can retract it into the reject bin. The result is a successful cash withdrawal for the fraudster with no corresponding debit to the account.
But recently, some attackers have been able to trigger multiple reversals with a single authorization by tampering with the ATM’s message flow or exploiting host logic and “replaying” multiple reversal messages, rather than relying on physical manipulation alone. This is where MACing is critical. The attacker still needs to be on site to initiate the first authorization and to switch cards if the burner card is blocked.
How TRFs are different from other types of attacks
TRF attacks on ATMs are a subset of a broader category called “remote reversal fraud” (RRF), where a payment is temporarily validated to acquire value (such as goods or services) before it is canceled or reversed (usually through a chargeback or payment system vulnerability).
While TRFs may sound like a man-in-the-middle (MITM) attack, they are different:
MITMs target data alone, intercepting the flow of data to steal credentials or alter transaction data.
TRFs target both hardware and software, tricking the ATM’s sensors into dispensing cash and triggering a false error that prompts a reversal. The core vulnerability here is the physical and logical sequencing of the cash dispense, not the interception or alteration of the network message itself.
Effective deterrents for TRF attacks
Because TRF exploits a logical security feature, mitigation requires strategic operational and security adjustments that shift the ATM’s logic and fortify its physical components. The following measures are essential to TRF prevention:
Logical and software countermeasures
The most impactful change is to correct the core vulnerability in the transaction flow:
Disable cash prepositioning. The ATM software should be updated to prevent the machine from pre-staging the cash behind the shutter until the transaction is approved and the account has been successfully debited. The cash should be held at the rear of the dispenser and only presented once success is confirmed. Where the hardware and software support it, this is the single most effective deterrent to TRF.
Enhanced fault condition mapping. The ATM’s error-handling software should be refined to isolate specific dispenser or sensor fault codes that have been historically linked to TRF and program the machine to enter a hard stop instead of starting an automatic reversal when those codes appear post-authorization.
Real-time fraud analytics. Monitoring system capabilities should be implemented or enhanced to spot patterns indicative of TRF—such as repeated, low-dollar withdrawals followed by consecutive reversal error codes at the same terminal—to trigger an immediate ATM shutdown or alert.
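As an added example of the analytics rule just described (this is not CDS code), the function below scans constructed terminal event records and flags any terminal where low-dollar withdrawals are repeatedly followed by a TRF-linked reversal code inside a short window. The log format, fault codes and thresholds are assumptions.

```python
# Added example, not CDS code: flag TRF-like activity from constructed ATM event logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: timestamp|terminal|event|amount|code
SAMPLE_LOG = """\
2024-05-01T10:00:05|ATM-0042|WITHDRAWAL|20.00|OK
2024-05-01T10:00:32|ATM-0042|REVERSAL|20.00|D-CASH-NOT-TAKEN
2024-05-01T10:02:10|ATM-0042|WITHDRAWAL|20.00|OK
2024-05-01T10:02:40|ATM-0042|REVERSAL|20.00|D-DISPENSER-JAM
2024-05-01T10:04:01|ATM-0042|WITHDRAWAL|40.00|OK
2024-05-01T10:04:33|ATM-0042|REVERSAL|40.00|D-CASH-NOT-TAKEN
2024-05-01T10:05:00|ATM-0107|WITHDRAWAL|200.00|OK
2024-05-01T10:06:00|ATM-0107|WITHDRAWAL|100.00|OK
2024-05-01T10:07:00|ATM-0107|REVERSAL|100.00|D-CASH-NOT-TAKEN
"""

# Assumed fault codes historically linked to TRF at this fleet (hypothetical values).
TRF_LINKED_CODES = {"D-CASH-NOT-TAKEN", "D-DISPENSER-JAM"}

def parse(log_text):
    rows = []
    for line in log_text.strip().splitlines():
        ts, term, event, amount, code = line.split("|")
        rows.append((datetime.fromisoformat(ts), term, event, float(amount), code))
    return rows

def flag_terminals(rows, low_dollar=50.0, min_reversals=2, window=timedelta(minutes=10)):
    """Return {terminal: hits} for terminals with at least min_reversals low-dollar
    withdrawals each followed by a TRF-linked reversal inside one time window."""
    by_term = defaultdict(list)
    for ts, term, event, amount, code in sorted(rows):
        by_term[term].append((ts, event, amount, code))
    flagged = {}
    for term, events in by_term.items():
        hits, pending = [], None  # pending = last low-dollar withdrawal awaiting outcome
        for ts, event, amount, code in events:
            if event == "WITHDRAWAL":
                pending = amount if amount <= low_dollar else None
            elif event == "REVERSAL" and pending == amount and code in TRF_LINKED_CODES:
                hits.append(ts)
                pending = None
        # count how many hits fall inside a window starting at each hit
        for i, start in enumerate(hits):
            n = sum(1 for t in hits[i:] if t - start <= window)
            if n >= min_reversals:
                flagged[term] = max(flagged.get(term, 0), n)
    return flagged
```

A terminal returned by flag_terminals is the one to shut down or alert on; tune low_dollar and window to the fleet's own transaction mix.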
Physical and communication security
These measures provide the layers of defense necessary to deter and prevent the physical component of the attack:
Dispenser fortifications. Installing anti-TRF hardware upgrades to the cash dispenser’s shutter and opening to physically impede a criminal’s ability to insert tools or manually obstruct the sensors.
Dedicated camera surveillance. Using internal cameras, or specific cash slot cameras, to record any physical manipulation or attempted seizure of cash from the dispenser opening.
Mandatory message authentication codes (MAC). Ensuring that all transaction messages, including reversal requests, between the ATM and the host processor are protected with a message authentication code (“MACing”) to cryptographically verify that the message has not been tampered with in transit and, crucially, that it originated from a verified, trusted ATM. This strengthens the integrity of the communication channel, making it virtually impossible for an external party to inject a fraudulent reversal message into the network flow.
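The following added example (not CDS code or any vendor's protocol) shows the host-side checks that MACing enables, and it also covers the multiple-reversal replay described under “How TRF works”: each message carries an HMAC under a per-terminal key, and the host additionally accepts at most one reversal per authorization. The wire format, field names, key storage and the one-reversal rule are assumptions.

```python
# Added example, not CDS code: host-side verification of MACed ATM messages.
import hashlib
import hmac
import json

# Constructed per-terminal MAC keys; in production these would be held in an HSM.
TERMINAL_KEYS = {"ATM-0042": b"constructed-terminal-key-0042"}

def mac_message(key, fields):
    """HMAC-SHA256 over a canonical serialization so both ends compute the same bytes."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_message(terminal, msg_type, auth_id, amount):
    """What the ATM sends: the fields plus their MAC (assumed message layout)."""
    fields = {"terminal": terminal, "type": msg_type, "auth_id": auth_id, "amount": amount}
    return {**fields, "mac": mac_message(TERMINAL_KEYS[terminal], fields)}

class Host:
    """Minimal host: verify the MAC first, then allow one reversal per authorization."""
    def __init__(self):
        self.authorized = {}   # auth_id -> amount debited
        self.reversed = set()  # auth_ids already credited back

    def receive(self, msg):
        key = TERMINAL_KEYS.get(msg.get("terminal"))
        if key is None:
            return "REJECT: unknown terminal"
        fields = {k: v for k, v in msg.items() if k != "mac"}
        if not hmac.compare_digest(mac_message(key, fields), msg.get("mac", "")):
            return "REJECT: bad MAC"   # altered in transit or not from this terminal
        if msg["type"] == "WITHDRAWAL":
            self.authorized[msg["auth_id"]] = msg["amount"]
            return "APPROVED"
        if msg["type"] == "REVERSAL":
            if self.authorized.get(msg["auth_id"]) != msg["amount"]:
                return "REJECT: no matching authorization"
            if msg["auth_id"] in self.reversed:
                return "REJECT: duplicate reversal"  # replayed reversal for the same auth
            self.reversed.add(msg["auth_id"])
            return "REVERSED"
        return "REJECT: unknown message type"
```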
By adopting this comprehensive strategy—shifting the dispensing logic, physically securing the dispenser and locking down the communication channel with solutions like MACing—we can together effectively combat transaction reversal fraud to protect the ATM as a trusted financial channel.
To learn more about CDS security protocols to protect against TRF and other attack vectors, watch for our periodic security alert and tips for improving security at your location.