Article
Defining differences: A second look at ATM fraud
Some experts argue that the ATM industry needs to take a second look at how it approaches and deals with fraud.
Use "identity theft," "phishing" and "ATM" in the same sentence during a presentation at an ATM conference and see what happens.
You'll likely find few interested in linking the three, and any discussion that revolves around the subject to be, well, taboo.
 |
  |
 |
Soon after the release of Gartner Inc.'s July 2005 report, "Criminals Exploit Consumer Bank Account and ATM System Weaknesses," mainstream media picked up the story and ran. Stories about fraud, identity theft and fake ATM cards flooded the Internet.
Leaders in the ATM industry were quick to point out not only that some of the report's findings were misleading but that some mediums' interpretation of those findings veered from the truth.
Some insiders argue, however, that the industry needs to take a second look at how it approaches and deals with fraud - for instance, fraud that occurs at the ATM after an incident of identity theft or after a phishing attack.
Rob Evans, director of industry marketing for Dayton, Ohio-basedNCR Corp., is one such insider. "It's not going to be practical too much longer for people in this industry to say this isn't an ATM problem," Evans said. "I think it's a waste of time. We can do better and we should do better."
The connection
"We need to have a discussion about how to protect consumers," Evans added.
And other industry observers share Evans' perspective.
At September's ATMIA Conference West in Scottsdale, Ariz., Celent analyst Ariana-Michelle Moore and Mike Urban, technology operations director for Fair Isaac Corp., challenged their audience to carefully consider the many faces of ATM fraud. Moore boldly stated that "sometimes ATM fraud is identity theft. Sometimes it is not." And Urban highlighted "ATM phishing fraud trends" that reveal a correlation between online phishing attacks and ATM/debit card compromises.
"PIN-phishing card fraud loss is the fastest-growing type of ATM card loss in the U.S.," Urban said. "It hasn't surpassed phishing, but it's close."
According the July 2005 Fair Isaac report, "Identifying and Controlling Debit Card Phishing Scams," ATM card fraud cases that resulted from phishing attacks jumped 30 percent from 2004 and 60 percent from 2003 when compared to the first quarter of 2005.
-- Rob Evans, |
It's not going to be practical too much longer for people in this industry to say this isn't an ATM problem.
The report also notes that identity theft is the "fastest growing white collar crime."
Moore said during her ATMIA presentation that "identity theft can cross channels," a phenomenon that is necessitating broader definitions of fraud and identity theft.
"Monitoring," she added, "is very important, because you're laying down the groundwork to fight the fraud of tomorrow."
But transaction monitoring is fragmented, and those who are tracking transactions at the ATM, for instance, often aren't comparing notes with those who track card compromises. "It's hard to get a bird's-eye view of what is happening," Moore said.
Low-tech problems
Monitoring transactions across the board is an important step, said Nina Owens, global solutions leader of payments strategy for MasterCard Advisors LLC, the consulting arm of MasterCard International based in Purchase, N.Y. Unfortunately, she added, from a database management perspective, most problems result from internal breaches, not elaborate schemes.
"When it comes to the data security, there could be an issue with transmitting information from the ATM or POS, but most of the time that data is encrypted," Owens said. "The real risk is in how you maintain protocols for customer data at the database - that's where we see the weakest link being."
"What you have to think about is the data clerk who's entering the information into the system," she added.
|
In the Fair Isaac report, Urban points out that employees selling sensitive customer information for financial gain are giving phishers a marked advantage. "One of the key benefits for the phishers who obtain information from internal sources is the ability to personalize e-mails with customer names, account numbers and other forms of personal reference."
Rick DuVall, senior products manager at Omaha, Neb.-based ACI Worldwide Inc., said "low-tech stuff," such as shoulder-surfing and the placement of fake fascia, cameras and skimming devices on ATMs, is causing most of the problems.
"From our standpoint, I don't necessarily believe that the processing of the transactions is the weakest link," DuVall said. The Payment Card Industry (PCI) consortium "is doing a pretty good job of coming up with security standards that the industry as a whole is going to live by. … We've all done Triple DES, and we're all doing remote key loading."
"The systems are very secure today," he added.
Educating the public: Whose job is it?
In DuVall's mind, the weakest link is the consumer. And Urban pointed to consumers' willingness to supply phishers with personal information as a problem. "A lot of banks ask for PINs when consumers set up accounts, and if consumers are used to doing that, then they won't think twice about entering their PIN again" when a phisher asks for it.
Regardless of how the information is leaked or stolen, consumer and employee education is an industry responsibility, as is cross-channel transaction analysis.
Reader response
See what readers had to say about this story ...
Included In This Story
ATM Industry Association (ATMIA)
The ATM Industry Association, founded in 1997, is a global non-profit trade association with over 10,500 members in 65 countries. The membership base covers the full range of this worldwide industry comprising over 2.2 million installed ATMs.
Related Media
SecurityPresented ByDiebold Nixdorf
Subscribe
Get the latest news and resources from ATM Marketplace.
