The world's largest ATM security conference (ATM Security 2011) was held in London last month and it is clear that ATM security is still a major issue.
Skimming remains the dominant threat, although losses are falling in most countries. Ironically, a sign of the progress that is being made against skimming is the recent MasterCard announcement of a liability shift for inter-regional Maestro ATM transactions in the USA. Criminals are continuing to skim magnetic stripe cards around the world, but are finding fewer countries in which to use cloned cards.
The USA, as one of the few countries still to adopt EMV, is becoming the destination of choice – Europol says that 80 percent of non-EU fraud against EU payment cards is committed in the USA. The MasterCard announcement is recognition that the pressure on the USA to adopt EMV has now passed a tipping point.
There was a notable change of emphasis at this year's ATM Security conference: less focus on skimming, and growing concerns about two other, very different types of crime – gas/explosive attacks and malware.
A return to more crude forms of attack, such as gas and explosion is on one level a sign of the progress being made in other areas. It is a particularly violent form of attack, however, which often results in extensive collateral damage to surrounding buildings. The industry needs to address such threats urgently; otherwise local residents and merchants will not want ATMs located near their premises.
At the other end of the spectrum are malware (malicious software) attacks, which include various types of electronic fraud at the ATM. This type of attack can be from the outside, but is often via an insider, such as an engineer or a member of IT support. Understanding the true extent of malware fraud is difficult, as most banks do not wish to acknowledge such attacks for fear of alarming customers, but it is clear that these threats are on the rise and that banks are starting to take malware more seriously.
The industry deserves credit for the progress made in tackling ATM crime, but cannot rest on its laurels. ATM fraud will never be eliminated, but by working together with solutions providers and law enforcement agencies around the world, ATM deployers should be able to keep it under control.
Reprinted from Banking Automation Bulletin (see http://www.rbrlondon.com/newsletters for more information).
/ Dominic Hirsch is managing director of Retail Banking Research, a London-based strategic research and consulting firm.