Improved security features, processes to curb ATM skimming

Summary: Financial industry's move toward chip-based technology for ATM cards and enhancing security processes will help prevent 2012 from being the "year of ATM skimming", say industry insiders.

It is too "premature" to christen 2012 as "the year of ATM skimming", as banks are reinforcing security by migrating to more secure, chip-based ATM cards as well as strengthening security processes and stepping up customer education initiatives. Automated teller machine vendors are constantly introducing anti-ATM skimming measures, too, say insiders.

Monetary Authority of Singapore (MAS) Director and Special Advisor Tony Chew had noted in February that payments card fraud was one of the top threats faced by banks currently. He also predicted that 2012 will be the year of ATM skimming, not unlike the spate of unauthorized cash withdrawals that afflicted customers of local bank DBS that same month.

While acknowledging that ATM skimming is always a real risk for banks and their customers, Aliza Shima Mohammad Kasim, industry analyst of ICT practice at Frost & Sullivan, said the declaration of 2012 to be the year of skimming is "premature".

She explained that ATM skimming is done by the perpetrator installing a device over the card slot of an ATM, which then reads the information stored on the ATM card's magnetic strip when users insert it into the machine. Such a device is often used in conjunction with a camera discreetly attached to the machine to capture the user's PIN (personal identification number).

To mitigate this threat, banks can upgrade the ATM card to a chip-based version as it will give card skimmers a "difficult time" in decrypting the information, the analyst noted. Already, banks are in the process of migrating to such cards, she added.

The Monetary Authority of Singapore (MAS), for one, told ZDNet Asia that it had been working with financial institutions on a comprehensive payments card security enhancement roadmap since 2010. Part of this roadmap involved migrating credit and debit cards to the global EMV standards, which are based on chip card technology, to enhance the cards' security function, the spokesperson said.

Jaroslaw Knapik, senior analyst of financial services technology at Ovum, also noted it will not be so easy for people to conduct ATM skimming given that vendors such as NCR and Wincor-Nixdorf are constantly updating their technologies to cope with such crimes. In fact, these vendors may be compelled to improve their embedded security features in light of what happened with the DBS ATMs, he said.

The vulnerability lies in older, less protected ATMs though, which is why manufacturers should upgrade their older machines, Knapik pointed out.

"Multi-step" security to curb ATM skimming

Banks must consider a "multi-step security concept" that uses the most advanced anti-skimming devices and associated software, as well as review and strengthen existing processes, urged Ricardos Khoury, regional vice president and head of Asia-Pacific banking division at Wincor-Nixdorf.

The company, for example, has invested in new intelligent anti-skimming devices that help monitor the entire ATM card slot environment for illegally mounted intrusion mechanisms, he said. The device is embedded in the ATM and is not visible, so if a skimming attack occurs, the company is notified and the machine can be put out of service, he explained.

Standard Chartered revealed that its branches perform checks on ATMs on a daily basis for unauthorized skimming devices, and also have a dedicated team that monitors and identifies any suspicious transactions on a 24-hour basis.

"A call back to the customer will be conducted with [any] suspicious cash withdrawal, and free SMS notifications for our customers' credit card transactions, fund transfers and cash withdrawals are offered," the bank's spokesperson said. "These act as an additional layer of defense against fraudulent activities."

Beyond enhancing and monitoring technology, Kasim noted that most ATM skimming incidents occur due to customer negligence, which allows perpetrators to take advantage of people's carelessness, and this emphasized the need for customer education.

"If customers are attentive and vigilant, [such as] reporting immediately upon observing a foreign device attached to the ATM reader, the problems of ATM skimming will be eliminated," she said.

This is why a UOB spokesperson reiterated that it is actively educating customers by recommending they take precautionary steps such as being observant, keeping their PINs confidential, and reporting any concerns to the bank immediately.

Ellyne Phneah

Talkback

3 comments
  • The media has been overly simplistic in its reporting of preventative measures - concentrating on physical / device prophylactics and all but ignoring transaction data pattern-based surveillance. This is where banks do (or should) review transaction behavior in real time for any unusual changes of customer behavior and/or withdrawal pattern correlations between customers which will quickly indicate an attack is occurring. Fraudsters will find a way of cracking EMV chips eventually and will seek out other weak points such as POS machines. So transaction pattern surveillance must be added to this picture and banks should be responsible to build such a capability wherever they have not done so already.
    Rohanross
  • Hi Rohanross, thanks for your comment. You made a good point that patterns and analytics should be used to detect ATM fraudsters and I will definitely keep this issue in mind.
    ellyne.phneah
  • The days of ATM fraud and online banking fraud are over.
    Picture this scenario:
    1. A thief has stolen your online banking user ID and the piece of paper on which you wrote your password. (He also did the same for your share trading account, as it was lying around.)
    2. While he was doing that, he stole your ATM card, and the piece of paper on which you wrote your PIN code.
    3. Not content with that, his spy camera recorded your last login.
    4. Just to be thorough, his network snooper captured every keystroke you entered.
    Does this mean he can access your accounts? Of course not. Please see the fraudproof ATM and online securities trading application at http://www.designsim.com.au for the full story.
    SteelPlatez