ATM industry's response to Heartland hacker illustrates need for more PR
Commentary: ATM players need to do a better job of educating consumers, mainstream media and government regulators about ATM and payments security.
August 24, 2009 by Tracy Kitten — Editor, AMC
It's been a week since federal authorities captured the man behind the United States' largest financial data-security hack, the Heartland Payments breach. As the week unfolded, more details emerged.
The breach has been a slap in the face for the Payment Card Industry Data Security Standard, since Heartland had been given the seal of PCI certification before the cyber attack. The breach has also marred the reputations of Visa and MasterCard, and left consumers once again questioning the security of retail ATMs.
More than 130 million debit and credit cards were reportedly compromised, and Albert Gonzalez, the 28-year-old mastermind behind the scheme, is also accused of playing roles in the TJX Cos. and Hannaford Brothers Co. compromises.
The former Secret Service informant allegedly was able to break into networks at retailers and major financial institutions to steal card numbers and PINs.
Mainstream news reports hit with force last week, with financial advice coming from all angles and directions. Among the top precautions consumers were advised to take: Avoid retail ATMs altogether, since they are incorrectly labeled as being less secure than bank-owned ATMs; don't use debit; and avoid online purchases.
In reality, the payments industry is very safe, and consumers are often given poor advice. But the ATM industry has done little to put itself out in front in a way that gets the truth out to the public.
The ATM Industry Association has spearheaded a few initiatives through its best practices, but much of the onus falls on the banks and credit unions, since they have direct relationships with their customers and members. ISOs also could do more positive PR.
ISOs should educate the merchants they place ATMs with, telling them to talk with their customers about the safety of retail ATMs. And getting the word out to the mainstream media is critical. It can be challenging, but the industry needs to do a better job of putting itself out in front of the cameras and having its voice heard.
ATMIA could be a great organization to lead the PR pack.
"The ATM industry as a whole is very secure," says Mike Lee, chief executive of ATMIA. "Following the mass migration to Windows XP ATMs, we have been working on new ATM software security best practices due out in mid-September. Crime will migrate increasingly to cyber space because the prize — breaking into data storage systems containing sensitive customer data — brings a big pay-off and the risks of detection may be lower than in other crimes and in other operating environments."
But most consumers don't know or care about XP ATMs and the difference between an ATM-skimming attack and a cyber hack. Most also don't understand that retail ATMs, in many ways, are more secure than their FI counterparts, since FI ATMs are unattended after-hours and get higher transaction volumes — thus making them prime targets for skimmers.
"The percentage of transactions at ATMs that are fraudulent is minuscule relative to fraudulent transactions to credit cards," says Sam Ditzion, chief executive of Tremont Capital Group, a strategic planning and acquisition advisory firm that specializes in the ATM industry.
And what about the notions that debit is less secure than credit and online transactions are bad? Neither claim is founded.
Yes, debit is vulnerable, but the consumer never pays the price, unless the suspicious charge or withdrawal is not reported to the FI. Even then, the vast majority of suspicious transactions and breaches are captured by the bank or credit union before the customer or member even notices. And the FI always absorbs the cost.
The same is true of online transactions. Advising consumers to stop buying goods online is ridiculous. More, not fewer, transactions will occur online over the coming months and years. Online purchases are convenient and secure. And if a card is compromised, again, the FI bears the loss.
"I have never heard of an example in which a victim of skimming fraud did not get a complete refund from their bank very quickly," Ditzion said. "So sure, consumers need to be vigilant and review their statements, but if you see that your account got compromised, your bank will credit your account."
Lee told me last week that this breach may be the nudge the United States needs to make a move toward EMV — which could be a good thing.
"We have seen a fraud migration toward non-EMV compliant markets," Lee said. "There is no bullet-proof vest that prevents all attacks by criminals on our things of value, whether cash, cards or online payments."
Included In This Story
The ATM Industry Association, founded in 1997, is a global non-profit trade association with over 10,500 members in 65 countries. The membership base covers the full range of this worldwide industry comprising over 2.2 million installed ATMs.