When creating strategies and tactical responses to ATM and Self-Service Terminal fraud and security threats the importance of the role that consumers can play should not be underestimated. Consumers far out-number employees, law enforcement and other interested parties within the industry. Further, they are often more than familiar with specific terminals and their locations.Like most successful initiatives, one which is win-win for all parties (except the perpetrators of crime) is almost certainly going to gain favour and thus be accepted and acted upon. Consumer education, when designed, structured, and implemented well is an immensely important component of ATM and Self-Service terminal fraud prevention.

A consumer education initiative needs to consider not only the key messages to be presented but also the most effective way of delivering the messages. A campaign that works well in one country may be much less effective in another due to local cultural differences. Thought must be given to how the objectives will be achieved in different operating environments.Objectives include educating consumers to help themselves avoid becoming victims of crime while not exaggerating and fuelling the perception that ATM and Self-Service crime is worse than it actually is.

Causing unnecessary fear, leading to mistrust, of what is an important and convenient service channel, benefits neither the consumer nor the industry. Making it clear what steps are being taken to protect consumers and emphasizing that they will be helped if ever anything does go wrong will strengthen trust. Consumer education campaigns should be approached in much the same way as other marketing campaigns. In addition to printed material, full use should be made of the ATM and Self-Service terminal environment itself and in particular the graphics capabilities that most terminals have today. Displaying a high quality image of someone’s hand covering a keyboard as the PIN is entered is but one example of the effective use of pictures and graphics.Some points and messages which may be considered include:

1) Safety first. Use terminals in well-lit and safe locations for the time of day. If suspicious persons are around the location move to an alternative location.

2) Be observant. If something about the ATM does not seem or ‘feel’ right then abort the transaction and move away. Do not remove any suspicious devices from the ATM as it may be under surveillance by the criminals.

3) Card is cash. Consider the card to be representative of all the cash you have secured in the banks vault. Don’t leave your card somewhere that you would not be happy leaving all your cash.

4) PIN is your key. Treat your PIN like you would the keys to your private drawer that contains your personal diary. Don’t allow anyone to see it or know it, not a family member, not a bank employee nor any other person.

5) Shield your PIN. When entering your PIN, use your free hand, wallet or purse to shield your keying.Again, similar to other marketing campaigns the messaging and mode of delivery should be updated over time and refreshed to emphasize specific points in response to new and developing threats. Encouraging consumers to not only protect themselves by following some simple guidelines, but perhaps incentivizing them to notify the authorities about suspicious activity or devices are some of the many possibilities. A small reward or formal recognition for reporting concerns that are subsequently proven to be related to a criminal act builds goodwill between all parties. The Safety first message however must never be compromised.

The above article was written by Douglas Russell, DFR Risk Management Ltd.

ATM Crime:
Attacks against ATMs may be classified as either ATM physical attacks or ATM fraud.

ATM Physical Attacks:
ATM physical attacks are normally perpetrated with the intention of gaining access to the cash or other valuable media within the ATM safe or ATM security enclosure. Some of the most common methods include Ram Raid, Explosive Attack (gas and non-gas) and Cutting (e.g. rotary saw, blow torch, thermal lance, diamond drill). The success of ATM physical attacks is often measured by what percentage of the cash is stolen and the speed by which the attack is completed.

ATM Fraud
There are many different categories of ATM fraud. In general ATM fraud can include any deliberate ‘criminal’ technique which involves the use of an ATM to obtain something of value to the perpetrator. The most common types of ATM fraud include Card Theft (e.g. Lebanese Loop) , PIN Compromise (e.g. Shoulder Surfing), Card Skimming, Cash Trapping, Transaction Reversal and Deposit Fraud.

ATM Fraud in more detail:

Card Theft
Card theft is where the perpetrator physically obtains the consumer’s card at or in the vicinity of an ATM. The most common method of card theft is Card Trapping. The most popular method of trapping a card at the ATM is known as Lebanese Loop. A Lebanese Loop is designed to be entered within the card entry slot of the ATM card reader in such a way as it does not prevent the consumer from entering their card, but it does prevent the ATM card reader from ejecting or returning the card to the consumer. The perpetrator can subsequently remove the trapped card once the consumer has departed from the ATM with the belief that the ATM has captured or swallowed their card. Another variant of card trapping is known as the Algerian V trap. Other methods of card theft include card swapping where the consumer’s card is exchanged for a card of similar appearance. This distraction method is often executed at the time that the consumer’s card is being returned or ejected to the consumer following a transaction at the ATM.

PIN Compromise
PIN compromise methods range from the very technically sophisticated to the relatively easy technique known as shoulder surfing. Shoulder surfing involves the perpetrator standing close enough to the consumer to observe the numbers entered on the key pad. A more sophisticated method of observation or surveillance involves the use of a miniature camera which can either transmit the image of the PIN being entered or store the recording within the device. With the increase in the number of mobile phones with video capture capabilities, such phones are adapted to compromise PINs. Keyboard overlays are devices which are designed to look very like the genuine ATM key pad and are fixed on top of the genuine key pad. The Keyboard Overlay will record the numbers entered on the key pad but also permit the genuine keyboard to accept the PIN being entered. Similarly to the use of cameras, the keyboard overlay may transmit the information to a remote receiver or store the information locally. Sophisticated ATM Infrastructure Hacking, Architecture Hacking, Network Hacking, Social Engineering, Phishing and various other methods are also used to compromise PIN codes.

Card Skimming
Card skimming involves making a copy of the information encoded on the magnetic stripe of the card. There are various different types of skimming device designed to be used in different environments, from hand held devices through door access skimmers to miniature card entry slot skimmers. Hand held skimming devices are more commonly associated with card skimming in restaurants and other retail establishments. When used in the ATM environment the perpetrator will either use distraction techniques to temporarily obtain and copy the consumer’s card or sometimes pick the pocket of the consumer. Some ATMs are installed in a controlled environment whereby the consumer is required to swipe a card at the door of the ATM location to gain access. Skimming devices may be attached to or used as a replacement for a genuine door access device.ATM card entry slot skimmers have various shapes and sizes and also vary in sophistication. When installed correctly they allow normal operation of the ATM in that the consumer’s card is entered and returned correctly, however the magnetic stripe is copied by the skimming device. One of the most effective ATM skimming devices is known as the Sofia skimmer. The skills of the perpetrators in modifying the packaging of skimming devices makes them very difficult for the untrained observer to detect.

Cash Trapping
Cash trapping is the term used to describe attacks where the consumer’s cash is trapped and prevented from being presented or delivered to the consumer. The variety of trapping devices is significant, ranging from those which require insertion within the ATM’s cash dispenser through false fronts to well engineered electro-mechanical devices which simulate the removal of the cash by the consumer.

Transaction Reversal
Transaction reversal techniques involve highly skilled manipulation of the ATM during a transaction with the result that the host computer believes that the consumer did not receive their cash and thus re-credits or reverses the transaction. Other variants of transaction reversal involve either collusion with someone within the ATM network or detailed knowledge of the rules governing transaction processing.

Deposit Fraud
Deposit fraud covers a variety of criminal techniques from making false deposits, trapping deposits through skilful manipulation of the deposit accepting device. False Deposit fraud includes exploiting processing rules to draw on funds before they have been verified and officially cleared for crediting to an account. Similar to cash trapping, Deposit Trapping allows the perpetrator to obtain the valuable media prior to it being secured within the deposit terminals safe or security enclosure. Highly skilled perpetrators of deposit fraud may use techniques by which the deposit terminal believes it has received and successfully validated a deposit when in fact it has not.

The above article was written by Douglas Russell, DFR Risk Management Ltd.

ATM security issues and ATM fraud issues often follow some distinct patterns based upon the location of the ATM security attacks or ATM fraud incidents. While accurate reporting of bank ATM security and ATM fraud issues varies considerably by country, the following provides a high level overview of some of the geographical patterns of ATM security and ATM fraud attacks:

ATM fraud issues in the most part involve credit card fraud and debit card fraud. The ATM machine may be the ‘common purchase point’ (CPP) where analysis shows that a significant number of credit cards or debit cards were used genuinely in one specific location prior to detection of subsequent fraudulent transactions. Even when not the CPP, automated teller machines may be the mechanism used to convert compromised credit cards and debit cards into hard cash, so long as the credit card fraud or debit card fraud included compromise of the personal identification number (PIN).

ATM skimming is now common in most parts of the world that have a mature network of ATMs, self-service terminals and point of sale (POS) terminals that accept magnetic stripe based credit cards and debit cards. Most bank ATM security issues and ATM fraud issues involving ATM skimming are the result of criminals attaching an ATM skimmer to the ATM card reader slot. Europe has historically been one of the most targeted geographies for ATM skimming attacks, although the world-wide spread of such ATM skimming fraud has been, and continues to be significant.

ATM deposit fraud which includes both cash deposit fraud and cheque fraud (check fraud) at automated teller machines is one type of ATM fraud that is particularly common in the US where many banks have a culture of crediting and allowing drawings against the deposit prior to manual reconciliation and verification.

ATM hacking should really only be used to describe attacks against the internals of the ATMs software or the ATMs systems security but is commonly used to describe attacks against card processors and other components of the transaction processing network. The US have experienced a number of high profile ‘ATM hack’ attacks against well known credit card and debit card processors. Some of the systems security breaches have included compromise of the PIN in addition to the card data, with subsequent fraudulent spend using cloned credit cards and cloned debit cards at ATMs.

Another ATM fraud issue is ATM card theft which includes credit card trapping and debit card trapping at ATMs. Originating in South America this type of ATM fraud has spread globally. Although somewhat replaced in terms of volume by ATM skimming incidents, a re-emergence of card trapping has been noticed in regions such as Europe where EMV Chip and PIN cards have increased in circulation.

ATM funds transfer fraud is prevalent in Asia. This ATM scam involves criminals tricking victims into using the automated teller machine to transfer money into the criminals account.

ATM security attacks involving physical attacks against the ATM security enclosure are widely spread. ATM explosive attacks although originating and not uncommon in Europe are more prevalent in Australia and South Africa.

ATM ram raid incidents also occur globally but are most prevalent in the US, perhaps partly due to the large number of ATMs deployed in soft-target locations such as convenience stores.

ATM security incidents involving a high degree of precision to gain access to the ATM security enclosure occur globally. The UK and Canada have experienced many such precision ATM security attacks in recent years.

TThe above article was written by Douglas Russell, DFR Risk Management Ltd.