"Financial Service Technology America, today's latest financial news now..."

Giving ATM fraud a run for its money

As recent high-profile cases have shown, security at ATMs isn’t necessarily something you can bank on. However, modern technology and crime prevention best practices are currently helping to give fraudsters a run for their money.

ATMs have become an essential and convenient aspect of modern life for many, with an estimated 1.5 million now available for use worldwide. Perhaps surprisingly considering the number of transactions globally, ATM crime is actually very low; in fact, the percentage of incidents of fraud relative to the total number of daily transactions at ATMs is less than one percent. Yet despite this, the ATM industry still has to deal with many associated instances of crime.

Indeed, the need for vigilance both from consumers and issuers cannot be underestimated. The financial services industry has reached a point where it must renew emphasis on the security of the ATM services infrastructure, both in the US and globally. The confluence of industry growth, technology advances, the increasing sophistication of criminal attacks and the new geopolitical landscape post-9/11 makes such security a necessity rather than a mere luxury.

Threats faced

In the early days of cash machine crime, ‘shoulder surfing’ and muggings were the main cause of concern. Times have changed, however, and although these crimes still occur they have been overtaken by more sophisticated tricks, carried out not simply by opportunists or small-time criminals but by highly organized criminals and criminal gangs.

One of the biggest menaces to the ATM industry is presented by skimming devices that are attached to machines by thieves and can then be used, if you are unlucky enough to fall victim to such a crime, to empty out your account. A skimming device is able to read all the account information stored electronically on the magnetic stripe of an ATM card, and may also be able to record your personal identification number, or PIN, as you punch it in on the ATM keypad. The popularity of ATMs in unattended places contributes to a rise in this kind of crime. “Card skimming is still the most frequently used method of ATM fraud being perpetrated across the globe,” warns Anna Istnick, Team leader of Diebold’s Global Security Task force. In other countries, smart cards are an effective method to minimize these kinds of attacks; however, the US is years away from implementing such technology.

An even more sinister threat faced by the industry is phishing, which has led to an estimated US$2.75 billion in losses related to ATM and debit cards over the past 12 months, according to Gartner. By stealing PINs and account numbers through scams such as phishing, criminals are able to produce fake ATM and debit cards. In many instances, this could be reduced if banks did not simply rely on PINs to authorize transactions, but also validated Track 2 Data – an additional security code found on the magnetic stripe of every ATM card.

“The industry and law enforcement are working hard to combat these threats,” says Michael Lee, CEO of the ATM Industry Association. “There are success stories of gangs and syndicates being busted – but there is still a long way to go before we have beaten this. Tougher sentences are required for convicted ATM and POS fraudsters.”

Technology to the rescue?

Fortunately, although criminals are constantly seeking to utilize new techniques in their efforts to undermine ATM security, new advancements in technology are making it harder for them to succeed.

Alarms and sensors can certainly act as a deterrent. Certain sensors are able to detect any unauthorized access to safes or any changes in temperature such as heat from explosives or a blowtorch. Others can also detect whether an ATM is being moved or pick up any unusual vibrations from drilling, cutting, hammering or from wedging tools.

Another weapon in the arsenal is ‘jitter’ technology, which can help combat skimming. The device makes it impossible for skimming technologies to read cards. A skimming device needs a nice, smooth card reader, but jitter varies the speed and reverses the direction of the card intermittently and in a random fashion when the card is entered.

Researchers in the UK have also developed a device to help prevent skimming. Engineers at the University of Warwick in Coventry have created a thick plastic ‘skin’ that covers machines and acts as a shield against unauthorized tampering. The skin is made of polycarbonate, thus any device stuck onto it is easily spotted as it sits upon this plastic cover. The good news is that the device is relatively inexpensive, costing between US$400-600, and could be attached to the 400,000 ATMs present in the US.

Another way of protecting against skimming is through the use of a technology called ‘intelligent fraud detection’, which uses sensors to detect the electrostatic signatures given off by surveillance equipment when they are capturing information and transmitting it. The ATM’s owner can immediately be alerted if anything suspicious is picked up.

Although audacious in nature, some criminals are so desperate that they will go to extreme lengths and actually steal an ATM machine from its home. For example, during a six-month period between October 2003 and February 2004, 27 ATMs were stolen from sites around west-central Illinois. To prevent cash machines being stolen from their locations, a tracking device can be used. “For merchant ATMs you could put in global positioning technology to track the ATM if it is ever moved,” explains Chris Gill, Senior Manager at Dove Consulting. “But this would be more applicable for the smaller cash dispensing units that would not take as much effort to try and move.”

Dye packs, which can be put in the currency cassette, are another practical method designed to deter would-be criminals. “If an ATM is stolen then it will activate the dye pack mechanism so any cash taken out of the machine would be stained/discolored and more identifiable,” continues Gill. “This is something banks do in their bank branches to make sure they track any cash stolen from tellers.”

Withdrawing cash at a machine can be made safer by ensuring that enough space is left between the customer withdrawing money and the next person in a queue. Markings on the floor indicate what this distance should be, and anyone encroaching on this space can act as a warning of suspicious activity. “The use of defensible space is a cheap solution that seems to prevent a lot of shoulder surfing and distraction-based crimes at ATMs,” recommends Lee.

Despite these new and effective technologies, however, one of the potential drawbacks is the difficulty of deploying them on older machines – making older machines more of a target for criminals. “With some of these technologies, the age of the machine can sometimes make technology upgrades problematic – particularly with regard to the sensors and alarms,” warns Gill.

However, there are other options. “One of the key points of compromise at the ATM is often the card reader, so it is possible to replace just the card reader module of the ATM with something that is more up-to-date,” he says. “Similarly, older PIN pads can be replaced with newer ones, which is part of the whole 3DES compliance mandate for encrypted PIN pads. So I think there are individual components of an ATM system that can be upgraded to provide a more secure environment, which often eliminates the need to replace the whole unit.” Lee questions whether criminals can even distinguish between a new and older machine anyway. “Do ATM criminals really know which machines are older?” he asks.

Best practice makes perfect

All in all, there are a number of best practices that need to be implemented to improve the overall security – and operational efficiency – of the ATM industry. Diebold’s Istnick believes there are a number of important best practices for ATM vendors, including the need for an awareness of, participation in and implementation of security-related industry standards; prompt and diligent attention to fraud trends and new attack methods as reported in the press, law enforcement and financial institutions, with appropriate design analysis and action if required; and the ability to anticipate future attack methods (physical as well as data-oriented) and develop corresponding new technologies to thwart them.

Adding to these recommendations, Gill also supports more vigilance in the industry, particularly when it comes to the siting and location of ATMs by banks. “They need to consider whether visibility is adequate for customers and also law enforcement officials driving by the ATM,” he highlights. “Is there adequate lighting? Is there ease-of-access? I know in the US, drive-ups provide a safer environment, particularly from robberies. Rather than just putting an ATM just where you think it is appropriate, I think security experts should be involved with the ATM siting process – which could result in more secure locations.”

Gill also believes that, along with ensuring the situation of the machine is appropriate (ideally gaining local police approval), there need to be regular reviews. “It is not enough to put an ATM out there and not have security personnel reviewing the environment to make sure it is appropriate,” he suggests. “This should be done quarterly, semi-annually or annually depending on the size of the ATM fleet. You might have a security expert checking the ATM annually, but also on a monthly basis there might be a checklist for the branch personnel – to have them review the safety of the ATM.”

Deployers need to be more proactive when it comes to monitoring ATMs, and effectively spotting any suspicious transactions taking place. Currently, he thinks much more could be done to identify suspicious patterns with respect to card jams, retained cards and changes in transaction patterns. “If something appears out of the ordinary, this can signal the fact that criminals are trying to perpetrate fraud on multiple fraudulent accounts at the same time.” Banks that have off-site machines in places such as supermarkets also need to work closely with their partners to make sure they are safe and secure to use.
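One way a deployer could screen terminal event logs for the patterns Gill describes, shown as an added example that is not part of the original article. The event names, the 30-minute window and both thresholds are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; a real fleet would derive these from its own baseline.
WINDOW = timedelta(minutes=30)  # look-back window per terminal
FAULT_LIMIT = 3                 # card jams + retained cards inside the window
CARD_LIMIT = 5                  # distinct cards withdrawing inside the window

# Constructed sample events: (ISO timestamp, terminal, card token, event type).
EVENTS = [
    ("2005-06-01T09:00:00", "ATM-001", "card-a", "withdrawal"),
    ("2005-06-01T11:30:00", "ATM-001", "card-b", "card_jam"),
    ("2005-06-01T15:10:00", "ATM-001", "card-c", "withdrawal"),
    ("2005-06-01T10:00:00", "ATM-002", "card-d", "card_jam"),
    ("2005-06-01T10:08:00", "ATM-002", "card-e", "card_retained"),
    ("2005-06-01T10:19:00", "ATM-002", "card-f", "card_jam"),
] + [
    # Five different cards withdrawing at one terminal within eight minutes.
    (f"2005-06-01T22:0{m}:00", "ATM-003", f"card-{c}", "withdrawal")
    for m, c in zip((0, 2, 4, 6, 8), "ghijk")
]


def find_suspicious(events, window=WINDOW, fault_limit=FAULT_LIMIT,
                    card_limit=CARD_LIMIT):
    """Return sorted (terminal, reason, first_alert_time) tuples."""
    recent = defaultdict(deque)  # terminal -> events still inside the window
    alerts = {}                  # (terminal, reason) -> first alert timestamp
    for ts, terminal, card, kind in sorted(events):
        now = datetime.fromisoformat(ts)
        queue = recent[terminal]
        queue.append((now, card, kind))
        # Drop events that have aged out of the sliding window.
        while now - queue[0][0] > window:
            queue.popleft()
        faults = sum(1 for _, _, k in queue
                     if k in ("card_jam", "card_retained"))
        cards = {c for _, c, k in queue if k == "withdrawal"}
        if faults >= fault_limit:
            alerts.setdefault((terminal, "card faults"), ts)
        if len(cards) >= card_limit:
            alerts.setdefault((terminal, "many cards"), ts)
    return sorted((t, r, when) for (t, r), when in alerts.items())


if __name__ == "__main__":
    for terminal, reason, when in find_suspicious(EVENTS):
        print(f"{when} {terminal}: {reason}")
```
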

Indeed, in recent years the popularity of cash machines has started to wane. Consumers are now increasingly turning their attention towards using debit cards in store or getting cashback at the point-of-sale, and the convenience that this kind of purchasing brings has resulted in a five percent decrease in the number of ATM transactions made between 2004 and 2005. However, although there is a small risk of crime at an ATM, it is unlikely that the threat of fraud is deterring customers from using them. With enough vigilance and sensible practices, the risk can be reduced even further. “Consumer demand for cash has not been significantly dented by these threats,” reassures Lee. “We are trying to educate customers about sensible use of ATMs and responsible management of their cards just like it is important to fasten a safety belt when driving to minimize risk.”

So is the end of ATMs in sight? The experts think not, at least not for now – but safety steps cannot be ignored if the threat of ATM crime is to be mitigated.


Sidebar:

Raising awareness

It’s not only technology that can help mitigate fraud, but also public vigilance. A few simple steps can make a huge difference. These include being aware of your surroundings and making sure not to use lonely machines, particularly at night. “I think people fall into the habit of going off to do a transaction and then not really monitoring their environment,” warns Dove Consulting’s Chris Gill. “It’s important to be aware of your surroundings and be aware of other people in the area. Personally, when I am using an ATM and someone is standing too close it makes me feel uncomfortable. They could be shoulder surfing.” It is also advisable to reject any offers of help from strangers, never let yourself be distracted, and go to another machine if you feel you are being watched.

Checking the ATM for anything suspicious is also a wise cautionary move before inserting a card. Initially, skimming devices were clunky and unsophisticated – however, they are now far more advanced, almost perfectly matching the color and materials used on an ATM. Consumers should look out for anything suspicious on an ATM and also shield the keypad with a hand when entering a PIN in case there is a miniature camera recording the codes. “Never disclose your PIN to anyone and always cover the hand keying in the PIN with your free hand to prevent shoulder surfing or capture of the PIN by a concealed device such as a mini-camera,” advises Lee.

In addition, many ATM users leave their receipts behind, despite this putting their finances in jeopardy. “ATM receipts have balance information on them,” says Gill. “If criminals see you have a large balance then they could entertain the thought of stealing money from you.”

A final tip to reduce fraud is to regularly check bank statements for any suspicious transactions. Gill recommends online banking as an excellent way of keeping transactions under surveillance and spotting any criminal activity. “Those consumers that sign up for online banking are in a much better position to identify any fraudulent activity occurring on their account as they can sign up for alerts if there is any suspicious activity on their accounts,” he explains. Precautionary measures can therefore be taken by vendors and consumers to reduce ATM crime.


Sidebar2:

Staying alert to ATM fraud

The Global ATM Security Alliance (GASA) has launched a new international Fraud Alert Noticeboard as part of its online ATM crime data management system called Cognito. “The Fraud Noticeboard will function like a global early warning system for the financial services industry,” comments GASA’s founder and CEO of the ATM Industry Association (ATMIA), Mike Lee. “Fraud is a moving target that migrates rapidly in multiple directions, so the financial services industry needs a tool to distribute global alerts regarding emerging threats to enable proactive steps to be taken. This system could save the industry millions of dollars a year.”

The Fraud Alert Noticeboard describes the nature of an identified threat and then rates the risk level of the alert according to three categories:

• High-risk – threat of fraud is significant, widespread and demands urgent, immediate attention.
• Medium-risk – threat of fraud is hard to gauge but does demand attention in the medium term.
• Low-risk – threat of fraud is small and does not demand any urgent attention beyond awareness of potential problem.

Cognito contains over 4000 recorded ATM crimes and has an online fraud reference library that is a repository of white papers, articles, press releases, crime reports, criminological research and a gallery of solutions.

The system now has the capability to record POS fraud as well as ATM fraud. “Since debit cards can be compromised at illegally modified POS devices and then used to fraudulently withdraw funds from ATMs, it is vital for GASA to monitor crime trends at both POS and ATM terminals,” Lee explains. “Best practices for POS security are now needed.”

The Global ATM Security Alliance (GASA) was formed by ATMIA in June 2003 to protect the industry from the growing problem of cross-border ATM crime and card fraud. It is made up of law enforcement and fraud prevention agencies, card schemes like Visa and MasterCard, ATM networks, industry associations, manufacturers, cash-in-transit groups and security consultancies, with representation from the US, UK, Europe, South Africa, South America, Canada, Australia and India. Its main projects include the creation of a global ATM crime database, a global fraud alert system, best practice manuals for the whole ATM security lifecycle, from cardholder security to cyber security, and a communications program.


Disclaimer: All comments posted in a personal capacity
Comments (Total 2 Comments)
Ben Boone
Posted: 10 November 2009 @ 17:33

Thanks for this article. I have been searching for POS security related posts because I recently had a personal experience with POS related fraud at a gas station. Here is another POS Security post that you may be interested in reading: http://www.maxatec-europe.com/press/2009/11/security-is-not-a-hundred-per-cent-%E2%80%93-the-human-factor/

Ben Boone
Posted: 10 November 2009 @ 17:34

http://www.maxatec-europe.com/press/2009/11/security-is-not-a-hundred-per-cent-%E2%80%93-the-human-factor/
