At one of the most sophisticated banks in Singapore, a nation with one of the lowest skimming rates in the world, thieves this past January pulled off one of the most costly ATM skimming frauds recorded anywhere, ever.
Nearly 700 customers of the Development Bank of Singapore had money stolen from their accounts in the two days before the crime was discovered. DBS paid out $1 million in compensation to accountholders who lost funds in the attack and DBS Group Holdings chief executive Piyush Gupta apologized for the incident. But the damage to customers’ trust was done.
In the wake of the crime, DBS announced new account safeguards including one that alerts customers by SMS — i.e., text message — if an ATM withdrawal from their DBS account exceeds a set amount (which the bank will not disclose so skimmers can't simply work under it). The bank had its SMS alert program up and running within just 11 days of the skimming scandal.
The Singapore scandal and response brings up a question closer to home: Should U.S. financial institutions adopt a similar safeguard against skimming crime that costs their industry at least $1 billion annually?
“Any additional layer of protection is always a good idea,” said McAfee consultant and ID theft expert Robert Siciliano. “The bank itself will do their own cost benefit analysis — they look at the risk, they look at the reward, they make a determination of its user-friendliness — and I think the consumers, the majority of them … would embrace this.”
Consumers have already taken to various other types of alerts. For instance CapitalOne allows its Visa cardholders to request an email alert for any transaction over $20 and any transaction made outside of the United States. Wells Fargo allows users of its mobile app to opt into a text alert program that goes beyond CapitalOne’s to include card-not-present transactions, ATM cash withdrawals, declined transactions and gasoline transactions. From there, it presumably would be a short step to a service that would allow all mobile users to opt into text notices — not just the ones with a smartphone and the mobile app.
Diebold features MobiTransact in its mobile banking program. This service allows a bank customer to receive low-balance notifications as well as real-time SMS alerts for transactions that have taken place while their ATM debit card was locked.
"Diebold views the notification of consumers of [ATM] activity as a high-value service," said Chuck Somers, vice president of ATM security and systems for Diebold. "For legitimate transactions, it reinforces a multi-channel communication to the consumer … and offers the ability to do paperless transactions with a high degree of security."
Somers said the cost of SMS implementation would depend on the systems a financial institution has already deployed and their interoperability. But he said it certainly would not require the deployment of any different technology to consumer phones or ATMs.
“As far as enabling the alerts is concerned, it’s really going to depend on how their systems are set up,” said Jason Kuhn, director of product development and chief privacy officer for Payment Alliance International. “If I was an FI or an issuer, I would have to set up a real-time feed with the different transaction processors that are out there or however I’m getting my real-time transaction detail. And all of those transactions are going into a fraud monitoring system anyway … so they would just have a series of triggers they would set: whenever [a card number] is used at an ATM; whenever a point of sale transaction occurs for a user-configurable amount greater than ‘X’.”
Better late than never
The inherent weakness of SMS alerts is that they occur only after the crime has been committed. But real-time SMS notifications could still significantly narrow the gap between the time a skimming incident occurs and the time it is discovered and addressed. As the two-day delay in uncovering the DBS skimming fraud showed, time can be big money to a financial institution.
Not only banks, but also consumers would benefit from faster discovery, Siciliano said. "Certainly it’s relatively reactive — the damage has already been done," he said. "But at the same time, you only have by federal law just a couple of days to refute unauthorized ATM withdrawals and it would be good to know it off the bat."
He said that for businesses, early notice could be even more important because they aren’t covered by the same protections as consumers are.
A final remark from Kuhn summed up the texting question neatly. "We’ve all got to change to keep up with security anyway," he said, "so why not use that as an opportunity to be able to provide additional benefits to your customer?"
cover photo: iStockphoto