The security regime for automated teller machines (ATMs) should be constantly monitored and reviewed but, more importantly, there should be a holistic strategy that encompasses people and processes, observers urged.
Last Friday, Singapore's DBS Bank was hit with 400 cases of unauthorized withdrawals stemming from two affected ATMs, with compensation estimated at S$500,000 (US$387,627).
Commenting on this security lapse, Edison Yu, industry manager for Asia-Pacific ICT practice at Frost & Sullivan, said ATM security must be viewed as an ongoing process and not as a one-off deployment scenario. This means systems must be constantly monitored and upgraded to ensure proper and adequate protection against criminals, he noted.
He pointed out that ATMs traditionally adopt physical surveillance such as CCTV (closed circuit television) and software protection methods to prevent thefts. However, technological advancements have made it easy for criminals to tamper with security software using card skimming methods, while CCTVs often act more as a deterrent and are a reactive measure once fraud or theft has been committed, the analyst said.
Moving forward, Yu suggested that banks should adopt a layered defense approach that is more dynamic and intelligent.
Elaborating, he said security systems for ATMs should be more "human-centric" by encompassing tools such as biometrics, which are unique to the individual user. At the backend, the systems should be more intelligent in that they can monitor for and spot irregularities in ongoing transactions, he added.
Holistic approach required
But it's not just the technology that should be reviewed and updated. Gerard Tan, risk & control partner at PricewaterhouseCoopers (PwC) Singapore, remarked that the weakest link in securing ATM transactions is the user.
Vulnerabilities will still exist so long as customers cannot tell the difference between a tampered and untampered ATM machine, do not conceal their PIN while keying it in, or do not change their PIN often, regardless of what technology is employed, he added.
NCR, the manufacturer of DBS' ATM network, concurred. A company spokesperson said the financial industry needs a coordinated response to fraud that supports technology innovation with a combination of people and processes to secure the ATM against evolving threats.
"The industry must adopt a holistic security strategy that protects the ATM channel at all potential points of compromise," he said.
"Financial institutions must also follow the guidelines and regulations and ensure steady engagement toward customer education on thefts and basic do's and don'ts while executing a transaction."
The spokesperson added that NCR collaborates with law enforcement agencies and ATM operators to share best practices and raise awareness about new ATM crimes that occur worldwide, so that consumers can protect themselves with the knowledge.
Real-time verification helpful
With regard to the use of biometrics via thumb prints or smart chips, Tan said getting all ATM providers, merchants and e-payment companies to adopt these technologies is a challenge and is not likely to happen soon.
He also noted that customer education had its limitations. For instance, it is unlikely that many people will be persuaded to regularly change their ATM PIN or diligently shield the ATM keypad from prying eyes while using the terminal, he surmised.
Instead, Tan said banks should consider verification measures or other warning messages to be displayed on the ATMs. "These are simple measures but as the advisory is in real-time, it is more likely to induce the right reaction from customers than [those sent via] Web sites or brochures," he added.
DBS appears to have heeded the call. Company CEO Piyush Gupta announced on Thursday that the bank will provide SMS alerts for ATM withdrawals beyond a certain amount or when unusual transaction activity is detected, according to a report by local news network Channel NewsAsia.
A DBS spokesperson also told ZDNet Asia in an e-mail that besides SMS alerts for ATM transactions, the bank has a variety of fraud prevention measures in place.
"We take into consideration numerous factors such as machine type, location and response time to determine which security measures to deploy. Different security measures are put in place for different ATM locations and at different times," the spokesperson stated.