ATM fraud prompts card rethink?
1
10 Card Technology Today February 2005 feature ATM fraud in the USA has grown rapidly in the last few years, and now stands at around US$50 million a year, according to estimates by the Electronic Funds Transfer Association (EFTA). ATM fraud has continued to rise globally in 2004, with growth rates in excess of 35%. The most pressing concern for the US banking industry is that while ATM fraud is a global problem, most major world economies (except the US) are embracing Europay MasterCard Visa (EMV) standard smart chip cards in their ATM and POS networks. Chip cards reduce card counterfeiting and counter the most damaging types of fraud being perpetrated today. Chip cards also provide a platform for offering value added applications on top of payment functionality. The USA, despite pressure from the card networks, has not joined the migration to EMV. This is mainly because of the massive cost of upgrading the national POS infrastructure, and the fact that fraud at POS is not at a high enough level to justify the massive investment required in hardware, training of retailers and re-education of customers. ATM fraud levels alone also do not justify migrating the whole country’s ATM and POS networks in tandem to support chip cards. But there is a sound argument for starting to first upgrade just the ATM network to support EMV. Many customers affected The average amount that can be defrauded from any one ATM debit card customer is relatively small when compared to many instances of credit card fraud. In the one case of an organised gang that compromised around 60 ISO machines between 2001 and 2003, cards and PINs were replicated for 21,000 accounts for a total take of around US$3.75m. Although some people would have lost much more, the average loss suffered by each bank customer was just US$178. Taking this figure and applying it to the US$50 million in ATM fraud perpetrated in the USA in 2003 reveals that approximately 281,000 customers were affected. This is a large number of enquiries, investigations and reparation processes. The cost involved, often not tracked or released by banks, means that the growing annual ATM fraud figure hides a much larger problem. A study by HNC Card Alert Services in 1995 estimated total costs at four times the direct fraud losses involved. Leaving aside the impact from loss of consumer confidence and negative publicity, which are harder to quantify but real nevertheless, we can assume that total cost to the banking industry from ATM fraud in the USA is approaching US$200 million per year and rising. This growth is likely to continue, despite efforts to foil skimming attacks and improve security practices. Measures being promoted by organisations such as the ATMIA’s Global ATM Security Alliance (GASA) include best practices for: the video surveillance of ATM users; regular inspections of the equipment by bank staff; and customer education to encourage them to report odd equipment and shield the PIN pad during use. Banks are also lowering daily cash withdrawal limits to minimise their exposure to risk, even though this has more of an impact on customer convenience than fraud vulnerability. And the ATM manufacturers have responded to the threat by incorporating improved designs for new models and offering new modules for existing machines. Half measures These measures are only partially successful for a number of reasons. The criminal is always aware of video surveillance and can take the necessary precautions such as hiding their appearance when making withdrawals, and subtle and rapid attachment of scanning equipment. And thanks to the ISOs, ATMs are now sited in a much broader range of locations, which make video surveillance and regular checks more difficult. Customers are not sure what they are looking for when it comes to compromised machines, and a lot of the externally attached equipment is high quality and extremely subtle. There is also a wide variety in ATM models, which makes customer vigilance fairly ineffective, and most customers usually do not cover the PIN pad sufficiently to completely obscure a camera. The problem The fundamental problem is that the magnetic stripe is not secure. It is too easy to duplicate, and any initiative that does not address this weakness is just a band-aid on an open wound. As the chip card closes the door on ATM fraud in most parts of the developed world, the criminal focus will turn to the remaining relatively unprotected magnetic stripe ATM networks in the US. In 2005 and 2006, this could result in a huge growth in the volume and value of attacks. The obvious solution to the problem is to upgrade the ATM infrastructure to support EMV. This does not have to be linked into an upgrade to the POS infrastructure and does not need to be linked to a migration deadline . As it’s the issuers and not the ATM acquirers that pay for the fraud, there would likely be push back from many ISOs and acquirers about investing in upgrades required for chip support. But banks who do commit to protecting their customers from fraud on their own ATMs could gain significant competitive differentiation, and may be able to put pressure on any ISOs they sponsor to follow suit. Phased introduction A phased introduction of chip cards and support in ATMs across a bank’s customer base and network could have a major impact on reducing the up-front and operational costs of fraud. But gradually introducing support for chip cards could also have other benefits. From a banking perspective, it could ease some pressures. Moving towards embracing the EMV standard, if only the ATM network at first, would go some way to easing the pressure on the US banking industry from the card schemes, which are interested in seeing global compliance. Some US banks have been undergoing trials with chip cards, but this has not been security driven. They are interested in the multi- application potential for the cards in delivering value-added services, be it in the form of stored value ticketing systems for transport, or loyalty programs and other business initiatives that banks can enter into with the retail and entertainment industries to leverage the card real estate. Adding the potential for differentiation through such services to the fraud-reduction capability of EMV further strengthens the case for US banks to begin moving to chip cards. This feature was contributed by Nigel Walsh, executive chairman, Level Four. He can be contacted at tel: +44 207 661 9322, email: [email protected], web: www.levelfour.com ATM fraud prompts card rethink? As technology and administrative measures have borne down on credit card fraud at point of sale (POS), criminals have turned to card-not-present fraud and the vulnerable ATM infrastructure to perpetrate their crimes. In recent years there have been a number of instances of ATMs owned by independent sales organisations (ISO) being internally compromised. External skimming and video devices are also increasingly being used to capture magnetic stripe data and customers’ PINs.
-
Upload
nigel-walsh -
Category
Documents
-
view
214 -
download
0
Transcript of ATM fraud prompts card rethink?
10Card Technology Today February 2005
feature
ATM fraud in the USA has grown rapidly in thelast few years, and now stands at around US$50million a year, according to estimates by theElectronic Funds Transfer Association (EFTA).ATM fraud has continued to rise globally in2004, with growth rates in excess of 35%.
The most pressing concern for the US bankingindustry is that while ATM fraud is a globalproblem, most major world economies (exceptthe US) are embracing Europay MasterCard Visa(EMV) standard smart chip cards in their ATMand POS networks. Chip cards reduce cardcounterfeiting and counter the most damagingtypes of fraud being perpetrated today. Chip cardsalso provide a platform for offering value addedapplications on top of payment functionality.
The USA, despite pressure from the cardnetworks, has not joined the migration to EMV.This is mainly because of the massive cost ofupgrading the national POS infrastructure, andthe fact that fraud at POS is not at a high enoughlevel to justify the massive investment required inhardware, training of retailers and re-education ofcustomers. ATM fraud levels alone also do notjustify migrating the whole country’s ATM andPOS networks in tandem to support chip cards.But there is a sound argument for starting to firstupgrade just the ATM network to support EMV.
Many customers affectedThe average amount that can be defrauded fromany one ATM debit card customer is relativelysmall when compared to many instances of creditcard fraud. In the one case of an organised gangthat compromised around 60 ISO machinesbetween 2001 and 2003, cards and PINs werereplicated for 21,000 accounts for a total take ofaround US$3.75m. Although some people wouldhave lost much more, the average loss suffered byeach bank customer was just US$178.
Taking this figure and applying it to the US$50million in ATM fraud perpetrated in the USA in2003 reveals that approximately 281,000customers were affected. This is a large number of
enquiries, investigations and reparation processes.The cost involved, often not tracked or released bybanks, means that the growing annual ATM fraudfigure hides a much larger problem. A study byHNC Card Alert Services in 1995 estimated totalcosts at four times the direct fraud losses involved.
Leaving aside the impact from loss of consumerconfidence and negative publicity, which areharder to quantify but real nevertheless, we canassume that total cost to the banking industryfrom ATM fraud in the USA is approachingUS$200 million per year and rising. This growthis likely to continue, despite efforts to foilskimming attacks and improve security practices.
Measures being promoted by organisations suchas the ATMIA’s Global ATM Security Alliance(GASA) include best practices for: the videosurveillance of ATM users; regular inspections ofthe equipment by bank staff; and customereducation to encourage them to report oddequipment and shield the PIN pad during use.
Banks are also lowering daily cash withdrawallimits to minimise their exposure to risk, eventhough this has more of an impact on customerconvenience than fraud vulnerability. And theATM manufacturers have responded to the threatby incorporating improved designs for new modelsand offering new modules for existing machines.
Half measuresThese measures are only partially successful for anumber of reasons. The criminal is always awareof video surveillance and can take the necessaryprecautions such as hiding their appearancewhen making withdrawals, and subtle and rapidattachment of scanning equipment. And thanksto the ISOs, ATMs are now sited in a muchbroader range of locations, which make videosurveillance and regular checks more difficult.
Customers are not sure what they are lookingfor when it comes to compromised machines,and a lot of the externally attached equipment ishigh quality and extremely subtle. There is also awide variety in ATM models, which makes
customer vigilance fairly ineffective, and mostcustomers usually do not cover the PIN padsufficiently to completely obscure a camera.
The problem The fundamental problem is that the magneticstripe is not secure. It is too easy to duplicate, andany initiative that does not address this weaknessis just a band-aid on an open wound.As the chip card closes the door on ATM fraud inmost parts of the developed world, the criminalfocus will turn to the remaining relativelyunprotected magnetic stripe ATM networks in theUS. In 2005 and 2006, this could result in a hugegrowth in the volume and value of attacks.
The obvious solution to the problem is toupgrade the ATM infrastructure to supportEMV. This does not have to be linked into anupgrade to the POS infrastructure and does notneed to be linked to a migration deadline .
As it’s the issuers and not the ATM acquirersthat pay for the fraud, there would likely be pushback from many ISOs and acquirers aboutinvesting in upgrades required for chip support.But banks who do commit to protecting theircustomers from fraud on their own ATMs couldgain significant competitive differentiation, andmay be able to put pressure on any ISOs theysponsor to follow suit.
Phased introductionA phased introduction of chip cards and supportin ATMs across a bank’s customer base andnetwork could have a major impact on reducingthe up-front and operational costs of fraud. Butgradually introducing support for chip cardscould also have other benefits.
From a banking perspective, it could easesome pressures. Moving towards embracing theEMV standard, if only the ATM network at first,would go some way to easing the pressure on theUS banking industry from the card schemes,which are interested in seeing global compliance.
Some US banks have been undergoing trialswith chip cards, but this has not been securitydriven. They are interested in the multi-application potential for the cards in deliveringvalue-added services, be it in the form of storedvalue ticketing systems for transport, or loyaltyprograms and other business initiatives that bankscan enter into with the retail and entertainmentindustries to leverage the card real estate.
Adding the potential for differentiation throughsuch services to the fraud-reduction capability ofEMV further strengthens the case for US banks tobegin moving to chip cards.This feature was contributed by Nigel Walsh,
executive chairman, Level Four. He can be contacted
at tel: +44 207 661 9322, email:
[email protected], web: www.levelfour.com
ATM fraud promptscard rethink?As technology and administrative measures have borne down on credit card fraud atpoint of sale (POS), criminals have turned to card-not-present fraud and thevulnerable ATM infrastructure to perpetrate their crimes. In recent years there havebeen a number of instances of ATMs owned by independent sales organisations (ISO)being internally compromised. External skimming and video devices are alsoincreasingly being used to capture magnetic stripe data and customers’ PINs.
