Study finds ATM fraud increasing

ATM fraud is on the rise in the United States, and consumers victimized by such crimes aren't always indemnified, according to a new report by Javelin Strategy & Research.

Javelin said the number of breached bank records rose 16 percent in 2009. The report found that 10 percent of all fraud victims in the United States last year were hit by ATM fraud, defined as an ATM withdrawal by an unauthorized person using a real customer's account credentials.

Furthermore, the report said customers aren't always covered for losses from fraudulent ATM withdrawals, even among institutions that cover PIN card-based fraud losses stemming from store transactions.

"Consumers don't have absolute protection under [the Electronic Funds Transfer Act, which affords certain protections for payment card-based fraud] when their account is compromised using a valid PIN, especially at an ATM," said Don Apgar, Senior Vice President, National Partner Sales at Payment Alliance Intl. "But savvy banks will continue to protect their depositors and keep their confidence in the system high.

"Once consumer confidence in electronic banking systems erodes, so will the banks' profits."

However, Javelin cited Bank of America Corp., JPMorgan Chase & Co., Citigroup Inc.'s Citibank and Wells Fargo as being among the institutions most willing to reimburse customers victimized by ATM fraud.

Differing attack vectors

ATM fraud is perpetrated in a number of ways, the Javelin report said. The most well-known method is a "skimming" attack, whereby criminals place a hidden device over an ATM's card slot that pulls payment information from the magnetic stripes of inserted cards. Fraudsters then use that information to encode replica cards.

Because PIN codes aren't generally contained in the stripe, this attack is usually perpetrated in conjunction with a video camera – often small or hidden, and placed on or near the ATM machine – that captures the PINs as consumers punch them in.

Other methods of attack include the use of malware (to hack into ATM software) and phishing attacks, where fraudsters posing as financial institutions request consumer data through e-mails, phone calls or text messages.

Deceptive perceptions

The report also found that consumers are much more wary of fraud at "off-premise" ATMs (at convenience stores and so forth). But Apgar said that perception is misguided; bank ATMs are often the most vulnerable to fraud.

"You would think that skimming is less likely at ATMs on bank premises, but that's not necessarily true," Apgar said. "The latest reported cases have been at bank-owned ATMs … Bank ATMs tend to be located in unattended kiosks in the branch. Cameras record kiosk activity 24/7, and video is saved for future review, but nobody is watching the video in real time.

"Store ATMs are typically in view of the register, bar or other attended area, and since many ATM owners load their own cash into the machines, they are acutely aware of security."

Countermeasures

But according to Patricia Hewitt, Director of Debit Advisory for Mercator Advisory Group Inc., banks are increasingly devoting substantial resources to ATM security.

In addition to using triple DES encryption around PIN entry (which is mandated by the Payment Card Industry Data Security Standards Council for all PIN pads), many banks are upgrading various other pieces of security technology to guard against malware and skimming attacks, as well as employing outside security providers to help monitor their machines.

She said many banks also examine transaction records for irregularities that might indicate fraud, such as "high [transaction] velocities" (abnormally frequent withdrawals at a particular machine or with a particular card or set of cards).

"Banks are more closely monitoring their ATM transaction activity and are able to react better and faster [to fraud attempts]," she said. "They're also doing a better job of managing the hardware itself – the issue with skimming is the hardware is actually compromised.

"That's another reason why it's not an illogical strategy to turn [security] over to the core competency of someone who has the resources to check the ATM terminals and make sure they haven't been compromised, and to verify that locations are properly secured and monitored."

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.