ATM Fraud and how bank clients can protect themselves against fraud
The issue
On 14th Oct 2015, Centenary Bank’s managing director Fabian Kasi issued a statement in respect to the 25 complaints received by the bank from her customers over inconsistencies in their account balances in the bank. This was after a system upgrade.
The bank decided to block all customer ATM PINs and requested the customers that want to withdraw over the ATM platform to first reset their ATM PINs. This exercise is currently at all their 63 branches. The bank also instituted cash withdrawal limits to Ugx. 100,000. The basics
In Uganda, there are two types of ATMs. NCR and Diebold, with NCR accounting for over 70% of all ATMs as they were the first in the market. Diebold is coming more aggressive with new breed ATMs.
How does ATM fraud happen?
- Card Skimming Remains the number one threat globally but one that is on the wane thanks to deployment of anti-skimming solutions, Europay, Mastercard and Visa (EMV) technology and contactless ATM functionality. Essentially, skimming refers to the stealing of the electronic card data, enabling the criminal to counterfeit the card. Consumers experience a normal ATM transaction and are usually unable to notice a problem until their account is defrauded.
How to fix it?
It’s that small, metallic square you’ll see on new cards. That’s a computer chip, and it’s what sets apart the new generation of cards.
“If someone copies a mag stripe, they can easily replicate that data over and over again because it doesn’t change,” says Dave Witts, president of U.S. payment systems for Creditcall, a payment gateway and EMV software developer.
Unlike magnetic-stripe cards, every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again. If a hacker stole the chip information from one specific point of sale, typical card duplication would never work “because the stolen transaction number created in that instance wouldn’t be usable again and the card would just get denied,” Witts says.
Magnetic stripe
A stripe of magnetic information that is affixed to the back of a plastic credit or debit card. It can be black, brown or silver in color. It is the common type of card in the United States today. Often, it’s called a “magnetic swipe” card, because the card is activated by swiping it through a device that can read the data in the stripe. The credit card’s magnetic stripe contains three tracks of data. Each track is about one-tenth of an inch wide. The first and second tracks in the magnetic stripe are encoded with information about the cardholder’s account, such as their credit card number, full name, the card’s expiration date and the country code. Additional information can be stored in the third track. With the new generation of credit cards, such as chip cards, no magnetic stripe is needed. Also called magnetic strip or magstripe.
How hackers use the information
- Selling information on the black market Once a cybercriminal, or a group, has a mass of stolen information they have to move quickly in order to make a profit and that often starts by going to an illegal online marketplace.
- Counterfeiting cards In this scenario, all a crook needs to access and spend your money is the information stored in the magnetic strip on your debit or credit card. This information, also known as track data, is transferred to any card with a magnetic strip using equipment that only costs fraudsters about $100. Since counterfeit cards will only work as long as the hacked account has not been flagged, frozen or closed due to suspected fraud, criminals have to move quickly to get what they can from the card before it no longer works.
- Performing online commerce transactions One example of a card-not-present fraud is the use of e-commerce sites such as eBay and Craigslist to make online transactions that result in a clean profit for the cybercriminals. “Let’s say I’m a criminal, I have a stolen credit card, go to eBay, find an iPad and buy it with that card,” Tjiputra said. “I then have it shipped to my assistant’s home address and at the same time I put another advertisement on eBay selling that iPad for what appears to be a very attractive lower-than-market-value price, like $250.”
- Opening new accounts Exact card and bank account numbers are temporarily useful, but the more personal information a fraudster can get about you, the deeper and more inconspicuous damage they can do. “Personal information is the holy grail,” Tjiputra said. “Social Security number and date of birth can get you anything — car loan, house mortgage, credit cards, you name it. Cellphone numbers, addresses and account passwords are even more helpful when all added together.” Fraudsters know it, too. Nearly half of all 2013 data thefts did not involve payment card information, according to Trustwave’s report. In addition to lines of credit and loans, criminals can also open utility accounts, such as electricity, cellphones or satellite TV, using your information without you, or anyone else, even knowing. By putting their own addresses and contact information on the new accounts, cyber criminals can get away with spending the fraudulent lines of credit and using the services until the next time to check your credit report. “It’s much more difficult to detect this type of fraud when the fraudsters have all the correct account application answers,” Wooten said. “Having access to a full user profile makes it that much easier to pretend you are someone else and take advantage of them.”
- Card trapping Trapping is the stealing of the physical card itself through a device fixed to the ATM. In a pre-EMV or chip-and-signature environment, the PIN does not need to be compromised.