News

ATM security is a hot topic

December 2, 2004

Security is a big concern in the ATM industry, and for good reason. Not only are financial institutions and independent sales/service organizations faced with meeting mandates like Triple DES, they're also constantly working to stay ahead of ATM scam artists.

Brian Fisher, product director for ACI Worldwide's Proactive Risk Manager anti-fraud product, said ATM fraud is a growing problem. ACI, which provides transaction processing software for banks, retailers and processors, introduced PRM in 1998 to address everything from money laundering to skimming - the process by which criminals create duplicate credit and debit cards from mag-stripe data captured when the original cards are scanned.

This story and all the great free content on ATM Marketplace is supported by: ACI Worldwide

"Until recently, gas stations and restaurants were the most common places for that to happen," Fisher said. "Employees would carry a card reader around with them and copy the information when they scanned someone's credit card. But now, organized crime is doing things to copy a card number at the PIN pad of an ATM. It's an ever-increasing problem."

In fact, Fisher said, a recent estimate put card skimming incidents at between 50 and 60 million in 2003.

Anti-fraud products allow banks to search systems by account numbers for cards they think have been skimmed and/or compromised. Such products keep a record so that banks can monitor cards' activity.

"This way a bank can investigate to confirm the known place of compromise," Fisher said.

But that's just one security angle.

Jim Shaffer, ACI's senior product manager of security initiatives, said mandates from Visa, MasterCard and other networks are forcing banks to get serious about their security upgrades.

In the field

Take Ireland's Ulster Bank: Ulster Bank Group, which serves the Republic of Ireland and Northern Ireland, completed implementation of ACI's Automated Key Distribution System about six months ago, said Denys Whitley, project manager for Ulster Bank's ATM and cards and Group IT department. The system allows banks to download encryption keys to an ATM via a central point rather than sending service technicians to machines to manually load keys.

Whitley said Ulster was planning an eventual upgrade to a remote key downloading system; with the Triple DES mandate looming, the bank group decided to move forward sooner rather than later.

Whitley said Ulster chose AKDS because it was already operating on a BASE24 platform. And from a security perspective, he said, AKDS is built to an internationally agreed method.

"The main difference from previous (remote key system offerings that Ulster considered) … is that AKDS is built to a new, internationally agreed method using PKI (public key infrastructure) to protect the key download," Ulster said.

Whitley added that implementation of AKDS, which includes 420 NCR ATMs spread throughout Ireland, saved the bank group time. Upgrading the machines on its own would have taken Ulster between six and eight weeks, Whitley estimated. Implementation of AKDS took about two weeks.