By Kevin Christensen
As more details of the $45 million international ATM heist begin to surface, ATM operators and their financial institution partners are learning more about the importance of third-party vendor management practices and fraud prevention strategies. With millions of prepaid cards issued worldwide and consumer demand for the cards reaching all-time highs, it's clear that regardless of their format — debit, credit or prepaid — all cards have become extremely valuable to crooks.
What makes this heist unique, however, is the sophisticated strategies employed by the criminals themselves, or more appropriately, the cybercriminals. To pull off their multi-million dollar assault, these virtual gangsters had to breach several different processing systems through presumably several different layers of controls. Not only were they able to use card numbers and PINs associated with compromised prepaid accounts; they also gained access to the processor systems that manage ATM withdrawal limits on those accounts. This allowed the fraudsters to raise limits, helping them increase the velocity of cash withdrawal.
As processors shore up their systems against cybercrime, ATM operators and their FI partners want to know what they can do now to protect themselves and their cardholders. To help prevent another incident similar to the recent heist, FIs should employ proper vendor management programs, implement controls at both the ATM and card authorization systems and continue to educate themselves and their customers. Below are several strategies for doing exactly that.
Vendor management and security reviews
- Annually review critical service providers (e.g., data processors) and ensure they adequately demonstrate proper security controls. Review available audit reports (e.g., SSAE 16, PCI Data Security) and information security programs to understand the companies' commitment to securing data. Ensure that they are maintaining maximum security settings for hardware, operating systems and applications.
- Ask for frequent updates from processing partners on how they are adapting to emerging threats. If the information raises any red flags, follow up with the organization to ensure they are being fully addressed.
- Review the FI's own controls surrounding security changes. Only grant access to employees who absolutely need it to perform business duties.
At the ATM
- Mount surveillance cameras at various locations around ATMs to help capture close views and angles. Many of today's systems are also capable of advanced protection, such as detecting long-time intervals for a single user and linking video footage to a specific transaction. Surveillance footage was an important aspect of the recent heist investigation, and a visible camera presence could encourage criminals to bypass a terminal.
- Disable or remove unused and unnecessary services, such as remote ATM access, and ensure that the ATM is using the latest operating system and application software.
Card and authorization systems
- Educate yourself on EMV. Globally, more countries are shifting away from mag-stripe cards in favor of the less vulnerable chip cards — or EMV cards as they are more commonly called. As EMV-enabled cards become more prevalent, thieves and cybercrooks will find counterfeiting to be a crime of the past. That's because duplicating EMV chip cards is nearly impossible.
- Engage card-blocking systems to help stop fraud before it becomes widespread. Fraudsters have studied and tested the world's detection systems (both new and emerging), and many have learned exactly how to fly under the radar. Particularly in the case of ATM flash fraud, immediate card-blocking technology has become critically important to stemming financial losses quickly.
- Leverage the power of ATM terminal profiling. This technology watches for multiple transaction requests from the same machine. The system compares that incident with the protected ATM's normal activity and scores the transaction accordingly. High scores trigger action, such as fraud analyst review or an automatic decline, depending on the FI's unique fraud strategies.
Information exchange and education
- Because ATM-hopping is a strategy frequently employed by fraudsters, particularly members of ATM crime rings, it's important to monitor the various fraud alert information networks. Numerous organizations provide regular information and information exchange mechanisms to help actively share fraud characteristics and incidents.
- Go beyond ATM terminal and system protection to educate cardholders and customer service representatives about skimming and social engineering scams. While it appears as though the heist criminals obtained PINs through system compromises or hacking (and not through skimming), other fraudsters are actively engaging in both cardholder- and customer representative-facing attempts to obtain or change PINs.
Card fraudsters are well aware of the country's impending switch to chip cards, which is why many analysts predict that card compromises will increase as we creep closer to the migration of U.S. payment systems to the EMV standard. Hackers, too, are only getting better at system compromises. ATM operators and their FI partners must stay on top of their processor partners to understand how they can collaborate for the best possible protection against this growing problem.
Kevin Christensen is vice president of audit
at Shazam, where he oversees audit and
compliance programs as well as the company's
risk management program, which includes
fraud operations and chargebacks. Christensen's
blog appears regularly on ATM Marketplace.
Read more about security.
photo: anonymous account