Dec. 13, 2016
by Yossi Geller, Senior Director of Marketing, ThetaRay
ATM fraud is a growing epidemic that is not going away anytime soon. From brute force to hi-tech hacking techniques, how did this phenomenon evolve and, more importantly, what can the industry do to stop ATM criminals from cashing in at everyone's expense?
Dirty, but effective
Within just a decade, fraud has evolved from crude crowbar or explosive-style robbery into a highly sophisticated practice involving the penetration of a bank's IT systems — often from half a world away.
In its infancy, ATM theft was almost comical. Notorious confidence-man-turned-security-consultant Frank Abagnale would superglue the cash dispenser door closed, then wait for an unsuspecting customer to attempt a withdrawal.
Receiving no money, the customer eventually would give up and leave — at which point the thief would return to the ATM, pry open the glued door and take the money.
The birth of skimming
Hands-on methods were quickly replaced by technologies such as skimming devices, false fronts attached to ATMs and connected directly to their network cables, providing access to card data.
Beginning around 2002, fraudsters were able to steal as much as $200,000 a day using a simple skimmer that transferred information from the ATM user's magnetic stripe card to the fraudster's laptop computer.
ATM skimming really began to take off globally in 2010 with the large-scale production of skimming devices, especially the wireless variety.
When 3-D printing came along in 2011, high-quality skimming devices became even simpler to produce, with razor-thin Bluetooth-compatible versions replacing clunky overlays.
Today, ATM skimming is a growing epidemic that shows no sign of slowing. Between 2014 and 2015, FICO reported an increase of 546 percent in U.S.-based attacks. Europe recorded a total of 18,738 skimming attacks last year.
The present danger
In recent years, ATM fraud has matured beyond skimming. A thief can now hack into a bank system from a remote location and program an ATM to spit out money at a specified time when accomplices will be waiting at the machine to collect the cash.
Sophisticated ATM fraud is often carried out via malware that gives hackers full access to an ATM without installing any physical device.
The shift to digital attacks indicates that criminal groups view malware is an easier and safer way to steal cash and card data. These attacks will only increase in the future.
Another increasingly popular tactic is transaction reversal fraud, which grew from 1,270 incidents in 2015 to 4,840 in 2016. In these situations, the criminal uses software to corrupt transaction messages so that the ATM user receives an error message stating that cash will not be dispensed. The transaction amount is credited back to the customer's account, while the criminal gets the cash.
The European ATM Security Team has speculated that the spike in transaction reversal fraud is likely to blame for an overall increase in ATM fraud. EAST reported a 28 percent increase in ATM-related fraud attacks, up from 8,421 incidents in 2015 to 10,820 in 2016.
Along with the increase in cases of ATM fraud, the amount of money stolen is rising, as well. Losses were up 12 percent compared with 2015. According to EAST, this rise was the result of an 8 percent rise in international skimming losses.
We are witnessing sophisticated and well-orchestrated fraud attacks such as a Japanese ATM cash-out scheme that stole $19 million from South Africa's Standard Bank.
Within three hours, a criminal gang conducted 14,000 transactions in Japan using a small army of money mules. The heist required extensive knowledge of ATM transaction processing in Japan and of methods used by banks to identify fraudulent activity.
Another new unsettling trend in Japan involves fraudsters targeting the elderly. Thieves posing as a relative in need of emergency cash or a government official collecting fees or fines, contact the victim by phone with instructions to transfer funds at an ATM.
The thief offers to "help" the victim with the transaction by providing instructions at the ATM via mobile phone. Japan's National Policy Agency has reported that victims collectively lost $252 million to this scam in the first eight months of the year.
How do we end the epidemic?
Deployers cannot assure the future of ATM security by looking to past ATM fraud. Instead, financial institutions and independent ATM deployers must assume that criminals are already at work on the next new type of attack.
To stay ahead of them, deployers need to be able to detect anomalies in normal transactional data that suggest illegal activity is taking place — whether by a tried-and-true method or a whole new kind of attack. Only then will we be able to stop ATM fraud in its tracks and end the epidemic once and for all.
(click graphic to view full-screen)
infographic courtesy ThetaRay
cover photo istock