BID Daily Newsletter
November 03, 2014

BID Daily Newsletter

November 03, 2014

Looking At ATM Fraud In Your Back Yard

A recent study out of the University of California at Irvine had some surprising findings about learning by repetition. Student participants were told to look at pictures and were then tested on what they remembered seeing. Researchers found that viewing images multiple times increased factual recall, but finer details weren't retained. The upshot is that while repetitive learning works, there appear to be limitations to its usefulness.
The study notwithstanding, there are some things that bear repetition - like the importance of banks continuing to guard vigorously against ATM fraud. To be sure, ATM fraud isn't as prevalent at banks as payment card breaches or check fraud, but it is still a major concern for our industry. In fact, ATM fraud is listed among the top 5 types of fraud experienced by banks in the past year, according to "The 2014 Faces of Fraud Survey" from Information Security Media Group.
There are, of course, many different ways thieves go after ATMs. Most commonly, banks have focused on skimming. This problem has existed for many years, but it has also grown more sophisticated over time. Customer information skimming devices have become smaller and they are more difficult to spot, as criminals have become smarter in their attempts to deceive.
Another issue with ATM fraud is card trapping, which occurs when a customer's card is physically captured in the ATM. Here, the thief returns later to retrieve the card, and if he's done his job right will also have previously obtained the pin number by spying on the customer or by overlaying a device on the ATM keypad. Finally, let's not forget cash trapping. Here a device is attached to an ATM that prevents a customer from getting his money. The customer thinks the machine has misfired somehow, while the thief later comes back and steals those trapped funds.
The problem with these types of attacks is that they all require physical access to an ATM, which is obviously fraught with risk for thieves given all the cameras. That's why some security experts predict malware attacks that allow cyber criminals to remotely control ATMs, could soon be on the rise here in the US.
These sorts of attacks are already happening in other places around the world, though not yet to an overwhelming extent. The European ATM Security Team (EAST) recently said ATM malware attacks were reported by four countries. These incidents were related to "cash out" or "jackpotting" as well as to the internal compromise of card and PIN data. Such attacks are new to Western Europe, but they have been seen before in parts of Eastern Europe and Latin America, according to EAST.
Whether this type of malfeasance becomes prevalent in the US remains to be seen, but it's something banks need to have on their radar. These malware attacks can be particular egregious because infections can go undetected for months, or even years.
Earlier this year, FFIEC noted the steps banks are expected to take to address the risks associated with cyber attacks on ATMs. Not only do banks need to analyze the potential dangers to their systems, but they also need to have an effective response program to manage an attack should one occur.
No one has all the answers when it comes to staying protected against would-be fraudsters who are getting trickier in their efforts. However, at the risk of sounding repetitive, we can say with certainty that banks need to be vigilant in combating ATM fraud. After all, saying you can't recall what you did to prevent it just won't get you very far with regulators or with customers.