Skimming. It's a big problem for financial institutions and consumers. Members of the Global ATM Security Alliance say card skimming is one of the ATM industry's greatest concerns -but it's not the only one.

There's also "spoofing" or "phishing," as it's commonly called, when unsuspecting Web users open bogus e-mail links or fictitious Web sites and enter all the information criminals need to pull the victims' cash right out of ATMs.

And then there's basic cash and cardholder security at ATMs, not to mention the danger of having transactional data compromised - an increasing concern with the industry's migration toward Microsoft Windows-based operating systems.

These crimes are global in scope, in many cases perpetrated by multi-national crime rings, said Mike Urban, technology operations director for Minnesota-based Fair Isaac Corp. and an executive officer and member of fraud management for GASA.

So GASA, which was founded in June 2003 with the assistance of the ATM Industry Association, is using a global approach to address the industry's security challenges. The first step was recruiting an international group of ATM deployers and manufacturers, law enforcement and fraud prevention agencies, financial industry associations and security consultancies.

Mike Lee, ATMIA's international director and GASA's chief executive officer, said two of GASA's key projects are compiling best practices manuals that address ATM fraud and crime, and establishing a real-time crime information system.

The information system, formerly known simply as the GASA Crime Information System, was recently named Cognito. Lee said the database provides up-to-date information about ATM crime.

Jim Richardson, a member of GASA's executive committee, said the increasingly sophisticated nature of ATM crime makes it possible to gather electronic data on one continent and use it to clean out customer accounts on another.

"Card information can be stolen in the United States, for example, and then it can be used fraudulently all over the world. And that is a concern," Richardson said. "The value of something like Cognito is that you're at least able to identify, from some common source, the kinds of activities that criminals are doing. Cognito offers what (criminals) are doing to defraud people, especially bank customers; and then it explains how to identify what others in the industry are doing to defeat it."

GASA just added a feature called Operation ATM Firewall to the database, giving its users new information to combat fraud.

Operation Firewall, which recently ended a 6-month trial period, is "a global inventory of current counter-measures for all ATM crime types and associated criminal modus operandi," Lee said. "The purpose is to empower users of GASA's data management system to make informed decisions about preventive technologies, solutions and strategies."

To meet its second goal, GASA also is creating a comprehensive series of best-practices manuals. Each manual in the series is designed to address a specific area of ATM crime. Thus far, the manuals address physical ATM security for stand-alone and through-the-wall ATMs, PIN security and key management, ATM transactional security and cyberspace security. One on ATM cash security is on the way, Lee said.

The manuals are "based on what we learn about fraud from our members," Urban said. "Because, obviously, criminals target weaknesses in the system, the 'best practices' we've come up with are going to evolve and change over time. The sooner we can get all of that information out to the industry, the better it will be for everyone."

The cyberspace security manual, which is one of the most detailed, has been broken out into three parts: best practices for general cyber security; best practices for ATM cyber security, which is aimed at Windows-based ATMs; and a white paper on a continuous cyber security process.

The three-part document was written by Ian Simpson, a member of GASA and ATMIA, and the manager of IT compliance for Bank of Western Australia Ltd., to address security issues associated with the Windows XP platform.

After incidents like the one in 2003 - when 13,000 Bank of America Windows-based ATMs were indirectly shut down after database servers on the same network were infected by the Slammer worm - GASA leaders knew they had to address cyber space security problems, Lee said.

"Windows-based ATMs offer new opportunities for deployers and enriched functionality for customers, and it is essential to ensure there is no downtime resulting from cyber attacks," he said. "ATMs have a three-decades-old reputation for superb service and continuous uptime, and that track record needs to be preserved in the new cyber era for ATMs we are entering now."

Cardholder security is another concern, Urban said, adding that educating consumers about how to protect themselves is going to be the industry's first step in the right direction.

For instance, he said, "We need to explain (to consumers) that they need to actually cover up their PIN-entering hand with their free hand while they're using the ATM."

A significant number of card compromises could be thwarted, he said, if ATM users simply made physically viewing their PINs more difficult.

GASA is working to make access to that kind of security information easy. The manuals and the database are available to GASA members in five languages - English, Russian, Korean, Spanish and Afrikaans.

Urban said GASA is working to increase its membership from the current 20 to 100 next year - which will mean more information about problems and solutions that can be added to the Cognito database and used to revise manuals.

Hopefully, Urban said, most of the new members will be FIs, since they typically face the largest number of potential security breaches.

GASA is currently working out a membership fee schedule, which Urban said the group expects to complete by the end of 2005's first quarter. Law enforcement agencies will not pay a fee to join.

In the meantime, companies can join GASA by applying directly through Lee or GASA's executive committee.

For more information, visit www.globalasa.com or e-mail Lee directly at mikelee@atmiaeurope.com.