Fraud experts are paid to think of every conceivable method that bad guys might concoct to exploit financial systems (perhaps this is why they’re typically not the most in-demand party guests). Unfortunately such a vigilant – and some may even say paranoid -- mindset is necessary now more than ever, particularly in a post-EMV payment card world.
Data released in December 2016 by the ATM Industry Association (ATMIA) reinforces this notion that extreme diligence remains essential. A global survey of ATM operators (40 percent of respondents hail from outside the US or Europe) reveals that a plurality (42%) continue to see increased levels of security incidents – both in fraud schemes as well as physical attacks on the machines themselves.
Machines That Go Boom in the Night
Three-quarters of the physical attacks on machines were found to occur at non-bank sites. The use of explosives is the most common and the most rapidly increasing form of attack. Of course, these incidents pose risks beyond the mere theft of currency, including extensive structural damage as well as human injury. This is certainly a troubling trend with ramifications well beyond the cash cassettes.
Ever Evolving Fraud Schemes
Compared to the physical damages caused by the use of explosives, the fraud category seems a little mundane. Card reader skimming remains the most common tactic (24% of fraud incidents), followed by compromised PIN’s (19%). For the latter, capturing an unsuspecting ATM user’s info using a smartphone camera is on the rise, as is the low-tech approach of “shoulder surfing” or spying on someone using the ATM. Offering perhaps one small comfort, the use of fake keypads to capture PINs appears to be on the wane. And ranking a distant third in the ATMIA survey is deposit fraud (12%). However, this statistic may be understated given that many non-bank ATMs do not accept such transactions.
Avoiding the Jackpot
While skimming remains the fraud tactic of greatest concern to respondents by a wide margin, the clear number two is the lesser-known practice of “jackpotting” – forcing the dispensing of cash without a legitimate transaction. This can be accomplished either through the introduction of malware or “black box” equipment. If this scheme isn’t already on your radar, it’s worth some late-night reading while you’re already losing sleep.
Meanwhile, the ATM industry’s deployment of security countermeasures can best be characterized as “good, but not great.” Only 40 percent of survey respondents report having implemented countermeasures (whether against physical attack or fraud) on more than 75 percent of their ATMs, with a similar number having done so on 25-75 percent of machines. Once they are put in place, most survey respondents consider the efforts to be only “moderately effective.” The deployment of biometric screening, which promises a more airtight fix, still appears to be a way off, with fewer than six percent of respondents having implemented such solutions.
ATMIA’s survey provides further proof that proper security requires ongoing vigilance – which means ongoing system changes to stay a step ahead of the bad guys and solid testing procedures to ensure those changes are smoothly implemented.