About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« April 2013 | Main | June 2013 »

May 20, 2013


ATM Cash-Outs: A Major Escalation

The banking news this week has been dominated by the story about the two ATM cash-out schemes that netted the criminals a total of $45 million. (We mentioned the $40 million fraud involving prepaid cards issued by a bank in Oman in a post earlier this month.) The news articles and opinion pieces have focused on what I consider secondary aspects of this attack—counterfeit card production and prepaid cards. Some observers have pointed to this attack as further justification for a faster move to EMV reader capability in the United States. While it is certainly true that an EMV-only environment will virtually eliminate counterfeit card crimes such as this, the reality is that a dual EMV-magnetic stripe environment is going to exist, both here in the United States and the rest of the world, for quite some time. And while some categorize the United States as the only EMV holdout, the fact that 94 percent of the ATM cash withdrawals took place at ATMs outside the United States shows that we are not the non-EMV island that we are often portrayed as. Others have pointed out that the targeted cards were tied to prepaid accounts, implying or outright stating that a prepaid card management application is less secure than a regular debit card management application. This is not the case, as the fraud was not a product or an access device issue.

The real threat from this attack comes from the criminals' ability to gain access to the card management application on a real-time basis. It is still unclear whether they gained the account number and PIN from accessing the card management system or through the more traditional skimming means. What is clear is that they had the ability to continually replenish account balances and reset usage limit parameters during the 10–13 hour attack that involved more than 3,600 withdrawal transactions from ATMs located in 26 different countries. The investigation of the two processors located in India will tell if there was some level of insider involvement or if the criminals learned how to gain access to the card application and make the changes to keep the fraudulent attack going.

So how should bankers and card management processors address these concerns? I would suggest they consider an immediate review and understanding of their card management application access controls that identify the personnel having the authority to make "on-the-fly" changes to specific account parameters. Some access is required for actions such as flagging a reported lost or stolen card, but other parameters should be completely off limits or tightly controlled and monitored. Another safeguard would be to have account velocity monitoring, which would identify unusual card usage activity or usage from different parts of the world occurring at about the same time.

This highly sophisticated and coordinated attack is a game changer for the security controls of all types of card management applications. Let us know how you are responding.

David LottBy Dave Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 20, 2013 in ATM fraud, cybercrime | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c01901c607e9d970b

Listed below are links to blogs that reference ATM Cash-Outs: A Major Escalation:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 13, 2013


Which Is Riskier, Change or Avoiding It?

There is no denying that any level of change brings with it some level of risk. However, sometimes avoiding change can result in even greater risk. That is the quandary many retail banks find themselves in today as they grapple with the issues of mobile banking and payments and their role in the bank's overall delivery-channel strategy. Sustainability and regeneration are principles normally associated with the community development and environmental arenas, but they can be easily applied to the banking industry and its consumer delivery channels.

Numerous research studies document a large gap in banking attitudes and product or channel usage between the Gen Y or millennial customers and the older customer segments (those who are over 35, if you consider that old). (The Retail Payments Risk Forum discussed some of this research in a paper posted on our website in April.) Younger customers have less loyalty to bank brand, readily adopt new technology, are highly influenced by advertising and peers, expect free or low-cost banking products and services, and are driven by convenience. While they do have a higher overall trust level of banks compared to nonbanks, the gap is not anywhere near as large as that of the older customer segment. The younger segments have eagerly adopted online and mobile banking and are viewed as the early adopters of mobile payments. In fact, when they select a financial institution, the quality and expansiveness of the mobile banking offering is a major factor in their decision.

So what does this changing landscape have for the future of the traditional brick-and-mortar-branch delivery channel? For some time, banks have tried to establish branches primarily as sales centers while moving basic service transactions to alternative automated, less-expensive delivery channels. This effort will continue, but banks must also regenerate their overall delivery-channel strategy to provide sales and service capabilities through virtual channels in order to attract and retain the growing Gen Y customer segment. This regeneration and sustainability effort involves the "right sizing" of each channel to provide their existing and future customers with the appropriate level of services and features as well as capacity to meet service quality goals. Not only will this effort require risk assessments to be continually made for each delivery channel, but also to develop a holistic risk assessment of each customer across all delivery channels.

Let us know what changes, if any, you are making in your overall delivery-channel strategy to address the changing demographics of existing and potential bank customers.

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 13, 2013 in mobile banking, mobile payments | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c0191021786d2970c

Listed below are links to blogs that reference Which Is Riskier, Change or Avoiding It?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 6, 2013


Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals may generally also install a pinhole camera positioned to capture the customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013 in ATM fraud, crime, identity theft, risk management | Permalink

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a01053688c61a970c017eeadcbd0a970d

Listed below are links to blogs that reference Staying One Step Ahead of ATM Attacks:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad