ATM fraud prompts card rethink?
-
Upload
nigel-walsh -
Category
Documents
-
view
214 -
download
0
Transcript of ATM fraud prompts card rethink?
![Page 1: ATM fraud prompts card rethink?](https://reader035.fdocuments.in/reader035/viewer/2022080110/575075c31a28abdd2e9b3439/html5/thumbnails/1.jpg)
10Card Technology Today February 2005
feature
ATM fraud in the USA has grown rapidly in thelast few years, and now stands at around US$50million a year, according to estimates by theElectronic Funds Transfer Association (EFTA).ATM fraud has continued to rise globally in2004, with growth rates in excess of 35%.
The most pressing concern for the US bankingindustry is that while ATM fraud is a globalproblem, most major world economies (exceptthe US) are embracing Europay MasterCard Visa(EMV) standard smart chip cards in their ATMand POS networks. Chip cards reduce cardcounterfeiting and counter the most damagingtypes of fraud being perpetrated today. Chip cardsalso provide a platform for offering value addedapplications on top of payment functionality.
The USA, despite pressure from the cardnetworks, has not joined the migration to EMV.This is mainly because of the massive cost ofupgrading the national POS infrastructure, andthe fact that fraud at POS is not at a high enoughlevel to justify the massive investment required inhardware, training of retailers and re-education ofcustomers. ATM fraud levels alone also do notjustify migrating the whole country’s ATM andPOS networks in tandem to support chip cards.But there is a sound argument for starting to firstupgrade just the ATM network to support EMV.
Many customers affectedThe average amount that can be defrauded fromany one ATM debit card customer is relativelysmall when compared to many instances of creditcard fraud. In the one case of an organised gangthat compromised around 60 ISO machinesbetween 2001 and 2003, cards and PINs werereplicated for 21,000 accounts for a total take ofaround US$3.75m. Although some people wouldhave lost much more, the average loss suffered byeach bank customer was just US$178.
Taking this figure and applying it to the US$50million in ATM fraud perpetrated in the USA in2003 reveals that approximately 281,000customers were affected. This is a large number of
enquiries, investigations and reparation processes.The cost involved, often not tracked or released bybanks, means that the growing annual ATM fraudfigure hides a much larger problem. A study byHNC Card Alert Services in 1995 estimated totalcosts at four times the direct fraud losses involved.
Leaving aside the impact from loss of consumerconfidence and negative publicity, which areharder to quantify but real nevertheless, we canassume that total cost to the banking industryfrom ATM fraud in the USA is approachingUS$200 million per year and rising. This growthis likely to continue, despite efforts to foilskimming attacks and improve security practices.
Measures being promoted by organisations suchas the ATMIA’s Global ATM Security Alliance(GASA) include best practices for: the videosurveillance of ATM users; regular inspections ofthe equipment by bank staff; and customereducation to encourage them to report oddequipment and shield the PIN pad during use.
Banks are also lowering daily cash withdrawallimits to minimise their exposure to risk, eventhough this has more of an impact on customerconvenience than fraud vulnerability. And theATM manufacturers have responded to the threatby incorporating improved designs for new modelsand offering new modules for existing machines.
Half measuresThese measures are only partially successful for anumber of reasons. The criminal is always awareof video surveillance and can take the necessaryprecautions such as hiding their appearancewhen making withdrawals, and subtle and rapidattachment of scanning equipment. And thanksto the ISOs, ATMs are now sited in a muchbroader range of locations, which make videosurveillance and regular checks more difficult.
Customers are not sure what they are lookingfor when it comes to compromised machines,and a lot of the externally attached equipment ishigh quality and extremely subtle. There is also awide variety in ATM models, which makes
customer vigilance fairly ineffective, and mostcustomers usually do not cover the PIN padsufficiently to completely obscure a camera.
The problem The fundamental problem is that the magneticstripe is not secure. It is too easy to duplicate, andany initiative that does not address this weaknessis just a band-aid on an open wound.As the chip card closes the door on ATM fraud inmost parts of the developed world, the criminalfocus will turn to the remaining relativelyunprotected magnetic stripe ATM networks in theUS. In 2005 and 2006, this could result in a hugegrowth in the volume and value of attacks.
The obvious solution to the problem is toupgrade the ATM infrastructure to supportEMV. This does not have to be linked into anupgrade to the POS infrastructure and does notneed to be linked to a migration deadline .
As it’s the issuers and not the ATM acquirersthat pay for the fraud, there would likely be pushback from many ISOs and acquirers aboutinvesting in upgrades required for chip support.But banks who do commit to protecting theircustomers from fraud on their own ATMs couldgain significant competitive differentiation, andmay be able to put pressure on any ISOs theysponsor to follow suit.
Phased introductionA phased introduction of chip cards and supportin ATMs across a bank’s customer base andnetwork could have a major impact on reducingthe up-front and operational costs of fraud. Butgradually introducing support for chip cardscould also have other benefits.
From a banking perspective, it could easesome pressures. Moving towards embracing theEMV standard, if only the ATM network at first,would go some way to easing the pressure on theUS banking industry from the card schemes,which are interested in seeing global compliance.
Some US banks have been undergoing trialswith chip cards, but this has not been securitydriven. They are interested in the multi-application potential for the cards in deliveringvalue-added services, be it in the form of storedvalue ticketing systems for transport, or loyaltyprograms and other business initiatives that bankscan enter into with the retail and entertainmentindustries to leverage the card real estate.
Adding the potential for differentiation throughsuch services to the fraud-reduction capability ofEMV further strengthens the case for US banks tobegin moving to chip cards.This feature was contributed by Nigel Walsh,
executive chairman, Level Four. He can be contacted
at tel: +44 207 661 9322, email:
[email protected], web: www.levelfour.com
ATM fraud promptscard rethink?As technology and administrative measures have borne down on credit card fraud atpoint of sale (POS), criminals have turned to card-not-present fraud and thevulnerable ATM infrastructure to perpetrate their crimes. In recent years there havebeen a number of instances of ATMs owned by independent sales organisations (ISO)being internally compromised. External skimming and video devices are alsoincreasingly being used to capture magnetic stripe data and customers’ PINs.