Sept. 23, 2014
by Josh Ablett, anti-fraud advisor, Intellinx
Many fraud experts expect an explosion of ATM-related fraud over the next two to three years as criminals exploit magnetic stripe card fraud. At Intellinx, we've seen smaller financial institutions employ several best practices in order to combat ATM fraud.
Following is our compiled list of the most common types of fraud — and the most effective ways to counteract them:
1) Take across-the-board action against ATM skimming fraud
ATM skimming is definitely on the rise. Consider taking a risk-based approach to the installation of anti-skimming devices — equipping high-risk ATMs (e.g., those near urban centers, highways, international borders, etc.) with anti-skimming devices.
Additionally, train your staff how to inspect ATM vestibules and card readers for tampering and have them carry out these inspections several times a day.
Be sure also to build a solid working relationship with your local peer banks and law enforcement agencies. This can help to ensure that you'll receive early warning of possible regional skimming attacks, should they occur.
Finally, implement a process at your institution to detect common points of compromise (i.e., the location(s) where your customers’ card data and PIN were initially obtained by thieves in a skimming attack).
As reports of fraud come in, analyze them with other reported losses for common points where transactions took place. Although most institutions are already taking advantage of alerts from Visa and Mastercard, there’s still more that they can do within their own four walls to automate this process.
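One way to automate the common-point-of-compromise analysis described above, as an added Python example rather than Intellinx code: it ranks terminals by how over-represented reported-fraud cards are among the cards that used them before the fraud date. The record layout, terminal IDs, 90-day lookback and three-card minimum are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: (card, terminal, date of genuine cardholder use).
TRANSACTIONS = [(c, t, date.fromisoformat(d)) for c, t, d in [
    ("C01", "ATM-17", "2014-06-02"), ("C02", "ATM-17", "2014-06-03"),
    ("C03", "ATM-17", "2014-06-03"), ("C05", "ATM-17", "2014-06-04"),
    ("C04", "ATM-17", "2014-07-10"),  # after C04's fraud date: not an exposure
    ("C04", "ATM-02", "2014-06-05"), ("C01", "ATM-02", "2014-06-10"),
    ("C02", "ATM-02", "2014-06-11"), ("C03", "ATM-02", "2014-06-12"),
    ("C06", "ATM-02", "2014-06-01"), ("C07", "ATM-02", "2014-06-02"),
    ("C08", "ATM-02", "2014-06-07"), ("C09", "ATM-02", "2014-06-08"),
    ("C10", "ATM-02", "2014-06-09"), ("C11", "ATM-02", "2014-06-13"),
    ("C12", "ATM-02", "2014-06-14"),
]]
# Constructed fraud reports: card -> date of first reported fraudulent use.
FRAUD_REPORTS = {
    "C01": date(2014, 7, 1), "C02": date(2014, 7, 3),
    "C03": date(2014, 7, 2), "C04": date(2014, 7, 5),
}

def rank_points_of_compromise(transactions, fraud_reports,
                              lookback_days=90, min_cards=3):
    """Return (terminal, exposed_fraud_cards, lift) tuples, highest lift first.

    lift = share of a terminal's cards later reported for fraud, divided by
    the share of all cards reported for fraud. Lift well above 1 flags a
    terminal worth inspecting; raw counts alone favour busy terminals.
    """
    visitors = defaultdict(set)   # terminal -> every card seen there
    exposed = defaultdict(set)    # terminal -> fraud cards seen before fraud
    for card, terminal, day in transactions:
        visitors[terminal].add(card)
        fraud_day = fraud_reports.get(card)
        # Only use before the fraud date can be where the card was captured.
        if fraud_day and 0 <= (fraud_day - day).days <= lookback_days:
            exposed[terminal].add(card)
    all_cards = {card for card, _, _ in transactions}
    fraud_cards = all_cards & set(fraud_reports)
    if not fraud_cards:
        return []
    ranked = []
    for terminal, cards in exposed.items():
        if len(cards) < min_cards:
            continue  # too few reports to separate signal from coincidence
        lift = (len(cards) * len(all_cards)) / (len(visitors[terminal]) * len(fraud_cards))
        ranked.append((terminal, len(cards), round(lift, 2)))
    return sorted(ranked, key=lambda r: (-r[2], -r[1]))
```

In the sample, the busy ATM-02 touches more fraud cards than ATM-17 but ranks lower, because nearly every card in the portfolio passes through it.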
2) Adopt a holistic approach to ATM deposit fraud
While less common than card-not-present and counterfeit fraud, ATM deposit fraud is still an issue for many smaller institutions.
If you still use envelopes for ATM deposits, you can spot empty envelope fraud by monitoring for unusual deposits and reviewing these deposits before funds are made available.
Duplicate check deposit is a growing problem for banks that are switching to image-enabled ATMs and remote deposit capture. This makes it essential to take a holistic approach, monitoring all deposits (paper and image) for anomalies.
3) Actively manage the rules in your card fraud system
Some smaller institutions take a “set it and forget it” approach to the rules implemented in their card fraud detection system — or they just assume that their outsourced vendor is taking care of it.
Put a proactive process in place for rules review. Then, if you see card fraud losses rise, analyze them to determine whether you need to turn off rules that have become ineffective and add new rules to catch the losses that your rule set missed the first time around.
4) Invest in real-time detection
Now is the time to take the leap and invest in a real-time card fraud detection system that can decline suspect cards at the point of transaction. Once you have the ability to stop unusual activity at the first sign of fraud, you’ll naturally reduce your losses and increase your ability to respond to massive card breaches.
This might also be the time to consider switching to an outsourced processor if you’re not using one already. They usually can provide this capability “out of the box.”
One word of caution about real-time rules: Be sure to implement travel markers at the same time. Customers — especially those who travel regularly — will become justifiably frustrated if they discover that your institution has blocked their card without providing them the option to register their plans for international travel.
5) Beware of internal fraud
Unfortunately, fraud is not exclusively the purview of external actors. With their large amounts of cash, ATMs are an attractive target for internal fraud as well.
Many smaller institutions have learned from painful experience to monitor ATM log files for manipulation and to enact a dual-control system to ensure the integrity of ATM loading and balancing processes.
6) Watch closely for evidence of hacking
Pay special attention to alerts such as the recent FFIEC bulletin warning smaller institutions about cyberattacks on ATM and card authorization systems. This bulletin, in particular, provides specific guidance on recognizing the attack and mitigating the risk it poses.
At Intellinx, we recommend that FIs implement near real-time monitoring of ATM transactions for dramatic variations, and that they pay much closer attention to the log files of Internet-facing systems.
It might also be wise to contract with a "white hat" company of ethical hackers — security experts who specialize in penetration testing and other practices in order to ensure the security of your institution's information systems.
Following these best practices can minimize ATM-related losses as attacks continue to increase in the coming years.
Josh Ablett is an anti-fraud expert at Intellinx Ltd., a provider of enterprise fraud management solutions designed to protect organizations from internal and external fraud and data theft. The Intellinx anti-fraud suite provides a unified platform of solutions that address enterprise alert and case management, employee fraud, Web fraud, check fraud and other security issues. The company serves more than 150 large and medium-size organizations worldwide including 10 of the world’s largest 50 banks.
cover photo courtesy mark hillary | flickr