About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

March 4, 2019


The Importance of the Small

In Shakespeare's "A Midsummer Night's Dream," Helena said, "Though she be but little, she is fierce," in reference to the power of her romantic foe, Hermia. In today's pop culture, this quote can be found on T-shirts, coffee mugs, inspirational wall hangings, and social media memes touting women's power. But it has a broader meaning to me, one that says small voices are every bit as important as large ones.

In the payments industry, I think of the small voices as being the smaller financial institutions—which are crucial to the success of the Federal Reserve Payments Study, contributing a great deal to the study findings. The study, which estimates the number and value of noncash payments made by U.S. consumers and businesses as well as the data around payments fraud, is intended to inform policymakers, the industry, and the public about aggregate trends in the nation's payments system. Most recently, this work culminated in a benchmark report on U.S. payments fraud from 2012 to 2016.

One important component of the study is to collect data on checks, ACH, wire transfers, cards, cash withdrawals and deposits, third-party fraud, and related information from a nationally representative sample of commercial banks, savings institutions, and credit unions, from the largest to the smallest. So what exactly is meant by a "nationally representative sample"?

In a nutshell, for our estimates to be representative of national payment volumes, we have to account for all sources of volume. If we include only the largest institutions or leave out some segments, the estimates can be biased, either too large or too small. Even though much of payments volume is concentrated in the largest institutions, it is impossible to know how much so without having a good estimate for all segments of the banking population. Past surveys have shown that the segments can exhibit very different trends from study to study. For example, from 1995 to 2000, total checks at large commercial banks fell, while total checks at credit unions and savings institutions grew. (Read more about that in this report from the Federal Reserve Board of Governors.) Without the information from credit unions, the decline in checks would have appeared larger than it actually was.

Study participants are selected from among U.S. commercial banks, savings institutions, and credit unions. According to reports filed with the Federal Reserve in 2015, there were approximately 10,600 of these depository institutions (DI) in the United States that met the criteria (see the table). Using Call Report data filed with the Federal Reserve, a sample frame of slightly under 3,800 institutions was determined to be representative of the entire population of U.S. financial institutions. Each institution type is further grouped according to deposit size.

Institution Type Deposit Size (Maximum)* No. of U.S. Institutions No. Invited to Participate in Study
Commercial Banks  
50
50
$10,900,000,000
264
264
$ 799,500,000
247
237
$ 388,000,000
337
237
$ 232,000,000
618
308
$ 139,754,000
872
289
$ 83,909,000
1,190
444
$ 41,980,000
1,382
356
Subtotal  
4,960
2,185
Savings Institutions  
25
24
$ 1,650,000,000
48
48
$ 497,000,000
102
102
$ 195,000,000
132
104
$ 100,500,000
155
116
$ 46,300,000
292
96
Subtotal  
754
490
Credit Unions  
25
25
$ 730,000,000
47
46
$ 365,000,000
137
126
$ 185,000,000
174
143
$ 105,500,000
240
147
$ 58,000,000
399
167
$ 26,680,000
690
201
$11,190,000
3,144
242
Subtotal  
4,856
1,097
Total  
10,570
3,772

*For commercial banks and savings institutions, this is the sum of public checkable deposits (or checking account balances) and money market deposit accounts. For credit unions, this reflects public checkable deposits only.

Source: Table adapted from Geoffrey Gerdes and Xuemei Liu. "Improving Response Quality with Planned Missing Data: An Application to a Survey of Banks," in The Econometrics of Complex Survey Data: Theory and Applications (Advances in Econometrics, volume 39), ed. Kim P. Huynh, David T. Jacho-Chavez, and Gautam Tripathi. Available April 1, 2019.

As the table shows, financial institutions in each category with the lowest maximum deposit size comprise approximately 46 percent of the total number of U.S. institutions. Of this group, consisting of more than 4,800 DIs, just under 700 were invited to participate in the study, or approximately 18 percent of the total sample.

Take, for example, credit unions with a maximum deposit size of $11.2 million. In 2016, there were approximately 3,100 institutions in this category, and 242 were invited to participate in the study to represent that segment. Similarly, 96 savings institutions with a maximum deposit size of $46.3 million were selected to represent the overall segment of just under 300 institutions.

Grouping institutions in this way improves the quality of results, as the institutions within each category share many similar characteristics. The smaller institutions have a unique voice and experience that the larger DIs cannot represent. To develop a true and accurate national picture of the payments landscape, it is important that all voices be heard.

I hope your takeaway from this post is that the contributions of all financial institutions—large and small—are important to the accuracy and representativeness of the data that the Federal Reserve Payment Study reports. And although study participants may sometimes think their institutions are small fish in a big pond, their survey contributions serve as the voice of their peers, and in the collective, that whisper becomes a mighty voice.

Photo of Nancy-Donahue  By Nancy Donahue, project manager in the Retail Payments Risk Forum  at the Atlanta Fed

 

March 4, 2019 in banks and banking, payments study | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 19, 2019


Acute Audit Appendicitis

My son came home from school the other day and told me that his friend’s kidney had "popped." With great concern and further investigation, I found out that his friend had suffered from appendicitis but had since recovered. Luckily, fifth grade boys and most of the human race can get along fine without an appendix. And, as it turns out, there is another type of appendix people can live without: Appendix Eight—Audit Requirements—in the NACHA Operating Rules. NACHA members recently voted to cut this part out.

But wait—don’t celebrate too soon. The change doesn’t eliminate the requirement to conduct an annual ACH rules compliance audit. Rather, members voted to modify "the Rules to provide financial institutions [FI] and third-party service providers with greater flexibility in conducting annual Rules compliance audits." Specifically, the change—which was effective January 1, 2019—affected the following areas of the NACHA Operating Rules:

  • Article One, Subsection 1.2.2 (Audits of Rules Compliance): Consolidates the core audit requirements described within Appendix Eight under the general obligation of participating DFIs and third-party service providers/senders to conduct an audit.
  • Appendix Eight (Rule Compliance Audit Requirements): Eliminates the current language contained within Appendix Eight; combines relevant provisions with the general audit obligation required under Article One, Subsection 1.2.2.

FIs and ACH payment processors must still conduct, either internally or outsourced, an annual audit of their compliance with the ACH rules each year. They also must retain adequate proof of completion for no less than six years and may, during that term, need to provide proof to NACHA or a regulator. And they will have to adjust their audit methodologies to ensure that they comply with all relevant rules rather than just rely on the former Appendix Eight checklist.

The new audit process necessitates a risk-based approach, which is a strategy regulators have been encouraging in recent years. With so many emerging technologies, products, and services in the payments industry, FIs and ACH payment processors can no longer take a one-size-fits-all approach for compliance. They also no longer have a single access point to ACH—rather, they must consider many access points when auditing for Rules compliance.

These institutions may not have previously had to take into account other areas that touch payments. For example, the risk-based audit doesn’t explore just the deposit operations department; it analyzes how the whole enterprise interacts with ACH systems. Additionally, it may need to include loan operations, online account opening, person-to-person (P2P) products, investment management, and other new digital channels.

Life without Appendix Eight will be an adjustment, but its removal won’t be fatal. I think ACH participants will recover quickly and be even healthier—embracing the new risk-based compliance model will likely strengthen enterprise risk management and promote increased safety and stability in our payment systems.

Photo of Jessica Washington By Jessica Washington, AAP, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

 

February 19, 2019 in ACH, banks and banking, payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 10, 2018


A Look in the Rearview Mirror of Payments for 2018

I'm sure just about everyone else in the payments industry would agree with me that 2018 was yet another exciting year for payments. The year was filled with a host of newsworthy events, but fintech most certainly took center stage in the financial services industry, including payments. Whether the news highlighted an announcement of a new product to increase financial access or discussed the regulatory challenges and associated concerns within the fintech space, it seemed that fintech made its way into the news on a daily basis. Still, for payments, 2018 will be remembered for more than just fintech.

The Retail Payments Risk Forum's last Talk About Payments webinar of 2018 will feature Doug King, Dave Lott, and Jessica Washington sharing their perspectives and memories on the year-in-payments in a round table discussion. Among the topics they will discuss are consumer payment preferences, the changing retail environment, and the state of fraud—and fintech, of course. We encourage financial institutions, retailers, payments processors, law enforcement, academia, and other payments system stakeholders to participate in this webinar. Participants will be able to submit questions during the webinar.

The webinar will be held on Thursday, December 20, from 1 to 2 p.m. (ET). Participation in the webinar is free, but you must register in advance. To register, click on the TAP webinar link. After you complete your registration, you will receive a confirmation email with all the log-in and toll-free call-in information. A recording of the webinar will be available to all registered participants in various formats within a couple of weeks.

We look forward to you joining us on December 20 and sharing your perspectives on the major payment themes of 2018.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


December 10, 2018 in banking regulations, banks and banking, crime, cybercrime, emerging payments, fintech, innovation, payments fraud | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 10, 2018


The Case of the Disappearing ATM

The longtime distribution goal of a major soft drink company is to have their product "within an arm's reach of desire." This goal might also be applied to ATMs—the United States has one of the highest concentration of ATMs per adult. In a recent post, I highlighted some of the findings from an ATM locational study conducted by a team of economics professors from the University of North Florida. Among their findings, for example, was that of the approximately 470,000 ATMs and cash dispensers in the United States, about 59 percent have been placed and are operated by independent entrepreneurs. Further, these independently owned ATMs "tend to be located in areas with less population, lower population density, lower median and average income (household and disposable), lower labor force participation rate, less college-educated population, higher unemployment rate, and lower home values."

This finding directly relates to the issue of financial inclusion, an issue that is a concern of the Federal Reserve's. A 2016 study by Accenture pointed "to the ATM as one of the most important channels, which can be leveraged for the provision of basic financial services to the underserved." I think most would agree that the majority of the unbanked and underbanked population is likely to reside in the demographic areas described above. One could conclude that the independent ATM operators are fulfilling a demand of people in these areas for access to cash, their primary method of payment.

Unfortunately for these communities, a number of independent operators are having to shut down and remove their ATMs because their banking relationships are being terminated. These closures started in late 2014, but a larger wave of account closures has been occurring over the last several months. In many cases, the operators are given no reason for the sudden termination. Some operators believe their settlement bank views them as a high-risk business related to money laundering, since the primary product of the ATM is cash. Financial institutions may incorrectly group these operators with money service businesses (MSB), even though state regulators do not consider them to be MSBs. Earlier this year, the U.S. House Financial Services Subcommittee on Financial Institutions and Consumer Credit held a hearing over concerns that this de-risking could be blocking consumers' (and small businesses') access to financial products and services. You can watch the hearing on video (the hearing actually begins at 16:40).

While a financial institution should certainly monitor its customer accounts to ensure compliance with its risk tolerance and compliance policies, we have to ask if the independent ATM operators are being painted with a risk brush that is too broad. The reality is that it is extremely difficult for an ATM operator to funnel "dirty money" through an ATM. First, to gain access to the various ATM networks, the operator has to be sponsored by a financial institution (FI). In the sponsorship process, the FI rigorously reviews the operator's financial stability and other business operations as well as compliance with BSA/AML because the FI sponsor is ultimately responsible for any network violations. Second, the networks handling the transaction are completely independent from the ATM owners. They produce financial reports that show the amount of funds that an ATM dispenses in any given period and generate the settlement transactions. These networks maintain controls that clearly document the funds flowing through the ATM, and a review of the settlement account activity would quickly identify any suspicious activity.

The industry groups representing the independent ATM operators appear to have gained a sympathetic ear from legislators and, to some degree, regulators. But the sympathy hasn't extended to those financial institutions that are accelerating account closures in some areas. We will continue to monitor this issue and report any major developments. Please let us know your thoughts.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 10, 2018 in banks and banking, consumer protection, financial services, money laundering, regulations, regulators, third-party service provider | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 27, 2018


Who Owns Your ATM?

Counting the number of ATMs in the United States has been a challenge since 1996, when independent operators (nonfinancial institutions) started deploying ATMs/cash dispensers. That was when Visa and MasterCard dropped their prohibition against surcharges. But a recent study sponsored by the National ATM Council largely overcame that challenge while also gathering some interesting results about the locational aspects of the independently owned ATMs compared to machines owned by financial institutions (FI).

The study was conducted earlier this year by a team of economics professors from the Department of Economics and Geography in the University of North Florida's Coggin School of Business. The study's primary objective was to determine whether the locations of independently owned ATMs and FI-owned ATMs were different in terms of demographics and socioeconomic status.

Using a database from Infogroup, the team identified 470,135 ATMs operating in 2016. About 41 percent of these were FI-owned, and the rest were independently owned. The majority of the independent ATMs are in retail establishments, with heavy concentrations in convenience stores, pharmacies, and casual dining locations.

FI owned ATMs Duval Median Household Income 2016 Independently owned ATMs Duval Median Household Income 2016
(Click on the images to enlarge.)

The research team plotted the locations of all the ATMs, overlaying demographic and socioeconomic data they obtained from the U.S. Census Bureau and its American Community Survey. Among the 10 main elements the researchers used were median age, unemployment rate, education level, household income, disposable income, and average home values.

They concluded that the independent ATMs "tend to be located in areas with less population, lower population density, lower median and average income (household and disposable), lower labor force participation rate, less college-educated population, higher unemployment rate and lower home values."

So what does this mean?

Well, it means that the independently owned ATMs are providing a vital service in rural and inner-city areas. Other studies—such as the Federal Reserve's Diary of Consumer Payment Choice—have shown that lower-income households (those earning less than $50,000) use cash as their primary method of payment. Therefore, these independent ATM owners are giving these households access to financial services that would otherwise be limited.

A post from December 2014 highlighted some of the challenges the independent operators were facing. Stand by for a future post that will provide an update on this part of our country's payment ecosystem.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 27, 2018 in banks and banking, financial services | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 18, 2018


Thinking about My Grandmother and Future-Proofing Payments

I often reminisce about times I spent with my grandmother. She passed away when I was only nine years old, but fortunately left me with a host of memories that I cherish. How I loved our trips to Walden Bookstore in the Hickory Ridge Mall whenever she'd visit us in my hometown of Memphis. We'd pick out a book or two and then return home to read them together. I often wonder what she would think about my family's book shopping and reading habits today. Online bookstores, e-readers, and audiobooks downloaded or streamed onto mobile phones would be completely foreign to her as the technology behind these was not even around during her lifetime! How could she ever have known how the world of books would evolve?

And this brings me to the notion of future-proofing payments. Mobile payments just might be the hottest topic when payment professionals get together to discuss the future of payments. It makes sense to think that maybe one day our mobile phones will replace our debit and credit cards and maybe even cash. But to date, the mobile phone has not done for cards and cash what it has done for mp3 players, digital cameras, and portable navigation devices, to list just a few things. Perhaps we need more time for mobile phones to transform payments—or could it be that payments as we know them today will be made over by a technology or device that is not yet widely available or even conceived? Is it possible that the primary payment methods we use today can withstand the test of time and remain our primary methods for many more years? Thinking about my grandmother and books, maybe future-proofing payments is a losing proposition and we should be nimble, ready to adapt to whatever changes come our way.

Join me for the Atlanta Fed's Retail Payments Risk Forum's latest Talk About Payments webinar on Thursday, June 28, from 1 to 2 p.m. (ET), when I will explore the future of mobile payments at the point of sale by first considering the debit card's long rise to prominence. Participation in the webinar is complimentary, but you must register in advance. After completing registration, you will receive a confirmation email with all the log-in and toll-free call-in information.

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 18, 2018 in banks and banking, emerging payments, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 23, 2018


Paying with PlasticMetal

I recently had the opportunity to watch a panel of eight millennials discuss their thoughts on money and payments. (The Pew Research Center defines a millennial as anyone born between 1981 and 1996.) While realizing that a sample size of eight young adults is far from representative, I was completely caught off guard at times by what they had to say based on everything I have read or heard about this generation's banking and payment preferences. None of these people lived with their parents and all of them held full-time jobs. So what did I learn from these eight millennials?

  • Demand deposit accounts (DDA) with financial institutions are still important. I was surprised that all eight panelists maintain a DDA.
  • Credit card reward programs are strong drivers of payment usage. Six out of the eight panelists stated that credit cards were their preferred method of payment, primarily because of the rewards that their cards offered. One panelist preferred debit cards while another panelist preferred cash. Of the six credit card-preferring millennials, all stated they were purely transactors that pay off their monthly balance, opting not to revolve them.
  • Another strong driver of credit card usage is card design. All of the panelists raved about metal cards. They love how metal cards feel and they love the sound that they make when they drop them on a counter or table to pay. Several expressed that they wanted cards to be even thicker and heavier. In general, the panel thought that paying with a metal card was "cooler" than paying with a mobile phone.
  • Person-to-person (P2P) wallets and applications are used extensively, but primarily for transacting between individuals, not for storing money. All of the panelists use a P2P mobile wallet or application on their phone. However, none maintain a significant balance in their preferred wallet. They opt to transfer their balance to their DDA. A primary reason for not holding funds in a mobile wallet is concern over security. They feel their money is safer with a financial institution.
  • Mobile phones are vital to their livelihood, yet mobile proximity payments have not fully caught on with them. Half of the panel uses their phone at point-of-sale terminals that accept mobile payments; one panelist mentioned the rewards that he receives from his mobile wallet as driving his mobile payment usage. A majority expressed enthusiasm about mobile order-ahead functionality and use it whenever it's available. However, the availability of mobile payments does not drive decisions to shop at specific stores. All use mobile phones for comparison shopping, oftentimes in a physical store.

A key takeaway from synthesizing all of this information is that it's not just mobile phones that pose a major threat to paying with plastic—it's also metal cards. They certainly seem to appeal to the millennials that I heard on stage and drive loyalty from a usage perspective. And while I don't have data to back up this claim, I do think this metal phenomenon spans generations, as I have had people of all ages show off their metal cards to me. Cards as a form factor are here to stay, but could plastic (especially for credit cards) be on its way out?

Photo of Douglas King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 23, 2018 in banks and banking, cards, debit cards, mobile banking | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 19, 2018


Mobile Banking and Payments' Weakest Link: Me

What's the biggest hole in mobile banking security? As my colleague Dave Lott reported in January, bankers say it's consumers' lack of protective behavior when using mobile devices. That means you and me.

In response, financial institutions (FI) have implemented controls including inactivity timeouts and multifactor authentication, as noted in Mobile Banking and Payment Practices of U.S. Financial Institutions, which reported the findings of a 2016 Federal Reserve survey.

Baking these controls into mobile apps makes sense because research on consumer behavior suggests that expecting consumers to independently take steps to protect their accounts and data is not realistic. Take as one example: I co-wrote a paper with Joanna Stavins for the Boston Fed reporting the results of our investigation into consumers' responses to the massive Target data breach. We found that while consumers do react to reports of fraud, their reactions can be short-lived. In addition, consumers' opinions may change, but their behavior may not. In other words, considerations aside from security could take priority. (See also a report on the 2012 South Carolina Department of Revenue breach.)

Debit and credit card data for 40 million cards used in Target stores were stolen in late 2013. The breach was widely reported in the news media and caused many financial institutions to reissue cards. Because it was primarily a debit card breach, one might reasonably expect consumers to take a jaundiced view of debit cards after the breach.

And, indeed, that was the case. The Survey of Consumer Payment Choice was in the field at the time of the Target breach. Some consumers answered questions about the security of debit cards before the breach became public. Others answered after.

Consumers who rated card security after the breach rated debit cards more poorly relative to the average rating of the other payment instruments—cash, paper checks, ACH methods, prepaid cards, and credit cards. So in that sense, they reacted to the news.

One year later, consumers in 2014 rated the security of debit cards more poorly both relative to their ratings of other payment instruments and absolutely (that is, a greater percentage of consumers rated debit cards as risky or very risky). In contrast, compared to 2013, the absolute security ratings of cash improved. There was no change in the security ratings of credit cards.

The more important question: Did consumers change their behavior in response to this massive and widely reported data breach? The answer: not according to this survey data. There was no statistically significant change in consumers' method of payment mix in 2014. Debit cards remained the most popular payment instrument among consumers in 2014, accounting for almost one-third of their payments per month.

What does this mean for financial institutions? Realism about my willingness to take action is well placed. You can't count on me.

Photo of Claire Greene By Claire Greene, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 19, 2018 in account takeovers, banks and banking, cards, debit cards, identity theft, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 12, 2018


Webinars Discuss Mobile Banking and Payments Survey Results

Earlier this year, I wrote a post highlighting some of the Mobile Banking and Payments Survey results that were consolidated from the seven Federal Reserve districts that conducted the survey: Atlanta, Boston, Cleveland, Dallas, Kansas City, Minneapolis, and Richmond. The 706 responding financial institutions gave us valuable information about their current and planned services as well as security features for their mobile banking and mobile payments products. (You can download a copy of the report from the Boston Fed's website.)

You can get a more detailed review of the survey findings when the Boston Fed's Payment Strategies Group conducts two webinars on March 21 and March 22.

Attendees will learn about:

  • Current developments in mobile financial services
  • Practices, products, and trends related to consumer mobile banking and payment services
  • Financial Institution perspectives on mobile security, concerns, and mitigation tools

There is no charge for the webinars but you must register. To view both webinars, you must register for both. Select a link below, then click the Register button. After you have registered, you will receive a confirmation email with the access information.

REGISTER for Part I: Consumer Mobile Banking, Wednesday, March 21, 2018 at 2 p.m. (EDT)

REGISTER for Part 2: Consumer Mobile Payments, Thursday, March 22, 2018 at 2 p.m. (EDT)

Feel free to share this post with any of your colleagues who may wish to attend. If you have any questions about the webinars, please email elisa.tavilla@bos.frb.org.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 12, 2018 in banks and banking, mobile banking, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 26, 2018


Explosive News Regarding ATMs

You've probably seen at least one video of a criminal attaching a chain from a truck an ATM to try to pull the ATM out of its mounts. Or maybe you've seen one of someone using a sledgehammer to try to smash an ATM open. Although these types of attacks are destructive, they do not rise to the level of the explosive attacks that have been taking place in Europe, Australia, and South America—and, just recently, in the United States. First reported about 10 years ago in Europe, their frequency has increased dramatically over the last several years.

I learned a bit about these and other ATM dangers at a conference I recently attended in Las Vegas on emerging functionality for ATMs and cash dispensers. One of the most interesting sessions was a presentation on ATM crimes that a U.S. Secret Service agent gave. The agent talked about the two major categories of ATM terminal crimes: logical and physical attacks. Criminals carry out logical attacks using software, skimming devices, or cameras. With software, they aim to gain access to the ATM software or operating system so they can intercept data transmissions or issue commands to dispense currency. With skimming or shimming devices and cameras, they can capture card and PIN data. A recent logical attack "jackpotted" an ATM—that was the first time in the United States that a criminal forced an ATM to dispense all its currency.

Criminals trying to blow up ATMs in Europe have predominately used gas. They pump a combustible gas like oxyacetylene, used in welding, into the ATM enclosure through a drilled hole, currency slot, or other entry point, and then detonate it. This 2015 Bloomberg Businessweek article describes explosive attacks in England in great detail.

Unfortunately, reports indicate that solid explosives such as dynamite, explosive gel, and C4 are becoming more common in Europe and South America. In Brazil, dynamite is the predominant explosive, in part because a large supply of dynamite was stolen from a mining operation. As expected, these attacks are highly destructive, not only to the ATM but also to the surrounding building, which you can see in the photo below (this ATM attack recently took place in Atlanta). Normally these attacks are carried out at ATMs in isolated locations at off-hours. Fortunately, I have not heard of any loss of life or injuries to innocent people from these attacks.

From tweet
Source: WSB-TV

Because the frequency of these attacks is growing, ATM manufacturers and other third parties have developed countermeasures either to detect and thwart the attacks or to reduce the monetary value of a successful attack. For gas attacks, detection sensors installed in the ATM may do several things: trigger an audible—and monitored—alarm, release a gas-suppression system to prevent detonation, open a cover to prevent the gas pressure from building to a level that will detonate, or trigger a currency-staining mechanism that would put an ink stain on the currency in the machine, neutralizing its ability to be used. Additionally, penetration mats may be installed inside the ATM fascia that could detect drilling. Regrettably, attacks with solid explosives are more difficult to mitigate, but the industry has responded with harder enclosures and currency-inking neutralization systems.

We can hope that such attacks will not grow in frequency the United States, but security folks will probably tell us that we are being a bit Pollyannaish. Best be prepared.

Photo of David Lott By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 26, 2018 in ATM fraud, banks and banking, crime, theft | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad