EMERGING CHALLENGES: AUTOMATED TELLER MACHINE (ATM) FRAUDS

Updated: Oct 25

Shreya Sharma, DRASInt Risk Alliance Private Limited


Introduction

An Automated Teller Machine (ATM) is an electronic banking outlet that allows customers to complete basic transactions without the aid of a branch representative or teller. ATMs are very convenient, allowing consumers to perform quick self-service transactions such as deposits, cash withdrawals, bill payments and transfers between accounts. With due advancements and digital developments, people nowadays are mostly dependent on ATM for their financial purposes. In the recent years, the use ATMs has developed all over India. There are many economical / financial expert evaluates on the growth of ATM usage, especially in urban areas. Now, in the urban areas, people who are living in a busy scheduled life, usually avoid the bank unless it is necessary. Let us discuss the useful nature and services provided by the ATM.


Quick Cash Withdrawal


Just as the name suggests and is well known to all, just insert your ATM Card into the machine, punch the confidential code and then the needed amount in numeric form and you get the cash in your hands. Also, ATM provides money with a 24 x 7 service. All you need is a bank account to get a debit card cum ATM Card issued to you.


Account Balance Inquiry


You can check your account balance at the ATM. Also, there is a facility to get a mini statement of your bank account. Although, nowadays smart phones provides a good service in terms of banking by easy transfers and providing bank account related information.


Deposit Cash/ Cheques


Now, there is no need to go the bank to deposit cash or cheques. ATMs provide a service to deposit cash and cheques easily. One can also request for a new cheque book through the ATM services.


ATM Frauds


Over the past two decades, consumers across the globe depend and trust the ATM to conveniently meet their banking needs. The banks had introduced ATMs approximately 25 years ago, since then the fraudsters are also trying to illegally tap into the system for meeting their ulterior motives. In recent years there has been a proliferation of ATM frauds across the globe. ATM Fraud is described as a fraudulent activity where the criminal uses the ATM Card of another person to withdraw money instantly from that account. Fraudsters nowadays have developed every other means to intercept both the data on the card’s magnetic strip as well as the user’s Personal Identification Number (PIN). Talking in terms of numbers, as early as in 2002 New York Times in one of its reports stated that more than 21,000 American bank accounts were skimmed by a single group engaged in acquiring ATM information illegally (Cybercrime - ATM fraud _ Britannica, n.d.). In August 2005, Gartner estimated that about 3 million US consumers were affected by ATM card fraud in the previous year, with annual losses of $ 2.75 billion (Debold, 2018).


Most, ATM frauds happen due to the negligence of customers in using the ATM (Dubey, n.d.). Many banks have not sufficiently educated the customers on the basic usage of cards, resulting in ignorant card holders either losing their cards in the machine, or in rare cases panic- stricken customers breaking the glass door to exit the ATM enclosure after a late night transactions. The number of ATM frauds in India is more through gullible clients disclosing their confidential PIN to others, rather than by sophisticated crimes like skimming. We all must have seen and came across a situation where customers provide their PIN to their known and trusted ones. Most ATM frauds in India, thus, happen due to this negligence resulting into a fraud. As the Indian ATM market is growing exponentially, this provides an opportunity to the fraudster to go for advanced techniques like dispenser trapping, spoofed email etc. Hence, ATM frauds and security have emerged as leading topics of interest among owners and operators of ATMs. Minimising losses, mitigating risks and maintaining consumer confidence in the ATM channel are logical priorities for banks and others who deploy ATMs.


Categorization of ATM Frauds


Let us discuss the various ways of ATM frauds which are popular by nature and generally practised by fraudsters (Issues, 2019).


Card Fraud


The most vulnerable component of ATM Fraud is the ATM Card which includes every necessary detail of the customer. Once compromised, the data it contains can lead to many other types of ATM Fraud. Customer’s PIN often obtained through casual observation, data from a magnetic strip can reproduce or clone ATM cards using inexpensive, commercially available equipment.


Operational Fraud


Typically, this type of fraud is perpetrated from within. Employers who are responsible for ATM management compromise the sensitive information to fraudsters. Or worse, even the employees with unfettered access to ATMs and related customer information can use that access to commit economic crimes that are difficult to detect.


Equipment Fraud


Another concern for operations of ATM Fraud is related to fake ATM Equipment. This ranges from add-on devices such as fake card readers or skimmers to subterfuges involving false fascia’s or even bogus ATMs. The first recorded instance of using fake ATMs dates way back to 1993, when a criminal gang known as the Buckland Boys installed a fake ATM at a shopping mall in Manchester city. Like most fake equipment it was not designed to steal money. Instead, the fake ATM appeared to customers as if it was not working, while stealing card data from everyone who attempted to use it.


Digital Fraud

Fast growing operating system has led to greater connectivity and inter-connectivity of ATMs. Vast network including ATMs, branch system, phone systems, ticketing systems and other infrastructure connected via the World Wide Web are susceptible digitally. Digital attackers include vandals who author viruses or worms intended to exploit the ATMs operating system, criminals and hackers attempting to violate the confidentiality, integrity or authenticity of transaction related data.


ATM Security


With the rise in technological advancements, operations and transactions for banks have now become easy. Banks offer customers with enhanced services by assisting them in net banking besides their ATM Services. With such enhanced services also come unfathomable security risks. Banks are focusing more on securing their customer’s interest from ATM Fraud. Customer awareness among people, a step towards prevention in ATM frauds like ATM card skimming, card jamming, card swapping, card theft, physical attack, ATM take-away, purse-snatching, shoulder surfing, vandalism and jackpotting is contributing immensely towards ATM security.


ATM Theft Techniques


To steal funds from a person’s account, thieves work to access both the victim’s card or card details, and their Personal Identification Number (PIN). The techniques that ATM thieves use to achieve these can be divided into ‘Person- centred’ and ‘Machine-centred’. Let us discuss these techniques in brief:


Person Centered Technique


Distraction Theft: This type of crime is usually performed by at least two people, although some distraction thieves work alone. This process usually involves one person distracting the victim, while the other helps themself to the victim's unattended belongings. Once the ATM User has entered their card details, the thief distracts them before they have removed their card. While the victim is distracted, the thief removes the card from the slot. Common distraction methods include drawing a victim’s attention to money on the floor, requesting local directions, using abrupt and loud word to distract the user, knocking into the victim or spilling food or drink on or near them (Sherrif, 2019).

Shoulder Surfing: It occurs when someone watches over your shoulder to nab valuable and confidential information such as your password, ATM PIN or credit card number, as you into an electronic device. When such snooped information is used for financial gain, the activity becomes identity theft (Symanovich, 2019). The modus operandi involved can be illustrated as the thief standing near the victim, observes them as they enter their PIN. Sometimes, thieves may also enter the PIN into their phone, pretending as though they are sending a text.

Remote Observation: In such technique, the thief might be looking from a nearby vantage point, such as a window, using a camera zoom or binoculars; the thief observes the victim’s entry on the ATM keyboard as they provide the PIN and later uses it for illegal purposes.




Pick- pocketing of User at ATM: An action related to stealing the card from the user. In such cases the thief removes the card from the packet or bag of the user as they leave the ATM.


Machine-centered Techniques


Pinhole Camera: In such technique, the thief mounts a pinhole camera directly onto the ATM so that it can record the PIN as it is entered. This video footage is transmitted to a nearby receiver enabling the PIN to be united later with the stolen card or card details.


Card Trapping: In this technique, the thief fits a device called a ‘Lebanese Loop’ within the card slot of the ATM. The device retains the card after the PIN has been entered. Whilst the victim enters the bank to report the problem the thief removes the device along with the victim’s card.

Card Skimming: ATM skimming is a theft of card information, where a small device, known as a skimmer, is used to steal the information during a legitimate ATM transaction. As the card is swiped at the machine, the skimmer device captures the information stored on the card's magnetic strip. Skimming devices are used by criminals to capture data from the magnetic strips on the back of ATM card. This device contains factory installed card reader, which when removed from the ATM, allows a skimmer to download and gain access to personal data belonging to everyone who is using the ATM machine. An inexpensive, commercially-available skimmer can capture and retain the information from more than 200 ATM card before being re-used. In some severe cases, the boldest of thieves have gone so far as to place signs on ATM instruction cardholders to ‘swipe here first’ before continuing with transactions. In 2018, several people in Kolkata have reported ATM Frauds in which almost 80 customers of leading public or private sector banks allegedly lost over Rs 20 lakh. After investigations, it was concluded that the fraudsters used the card skimming technique to clone cards to withdraw money illegally (ET, 2018).


Conclusion


Fraud attacks on ATM networks are a worldwide phenomenon. Nowadays common robbery includes stealing the money from ATM machine only. One such supporting case involves a 27 year old man from Haryana’s Mewat district, was wanted-in 33 cases of ATM robbery across India (PTI, 2019). According to the Reserve Bank of India data, Maharashtra informed the highest of ATM fraud cases in 2018-19, with 233 cases. Delhi stood on the second spot with 180 cases, followed by Tamil Nadu with 147 cases of ATM fraud. ATM frauds have evolved from beginning as skimmers to well-structured hacking now, ATM fraudster have changed their methodology. ATM vandalism is also becoming a growing phenomenon in India. In one of the case in Delhi, the goons pretended to be the bank official and removed the whole ATM machine from the ATM shop. The machine had almost Rs. 9 Lakh ( Times Now, 2019). In other case of vandalism in Delhi, the goons used the gas cutters to remove the cash box from the machine. It was reported that three ATMs were uprooted from South East Delhi in a span of just one week, with over Rs 36 lakh gone (Mahender Singh Manral, 2020). Preventive measures are enumerated but not limited to following:


General Preventive measures


There are some of the methods to minimize the risks associated with ATM fraud are given below:


Video Surveillance


It can probably become be the primary method used to increase awareness and deter fraud attempts at the ATM is the installation of closed-circuit television cameras mounted in plain view or near the ATM (mostly at the entrance). Alternatively, cameras can be easily integrated into the fascia of most ATM machines and improved security can be achieved by installing additional site cameras on and around the premises.


Remote Monitoring


Remote diagnostic services provide an automated means to monitor and manage ATM networks. Remote monitoring can communicate important messages that may indicate tempering with machine. Remote diagnostics, monitoring and management provides improved uptime and reduced risk. These services provide dispatch avoidance and enable a group of central support associates to control keyboard and mouse operations of ATMs directly from remote PCs.


Anti-Skimming Measures


There are variety of methods that may be employed to deter card skimming or can be used as anti-skimming solutions (Debold, 2018):


  • Jittering: It is a process that controls and varies the speed of movement of a card as it’s swiped through a card reader, making it difficult to read the card data by the external device.

  • Alert Systems: These systems monitor routine patterns of withdrawals and notify operators or banks in the event of suspicious activity.

  • Chip-based Cards: These are the card house data on microchips instead of magnetic chips, making data more difficult to steal and cards more difficult to reproduce.

  • Foreign-Object Detection: ATMs equipped with type of technology can alert owners, operators, or even in some case the law enforcement in the vent that skimming device is added on the fascia of an ATM.

Awareness and Consumer Education


Deterrence of potential fraud attempts can be achieved by a joint effort involving banks, the consumer and ATM manufacturers/service provider. Banks should stress the importance of awareness at the ATM to their customers and promote vigilance in reporting any irregularities in the appearance and operation of the ATM. Many customers use the same ATMs in their daily or weekly banking routines which make them vulnerable to fraudsters on prowl.


Branches at ATM Locations

  • Must ensure outlining basic safety precautions for using ATMs should be provided by the branches in the ATM enclosure.

  • ATMs should not be located at the corner of a building, as corners create a blind area. An ATM further from corner, preferably near the centre of the building, reduces the element of surprise by an assailant and increase effective reaction time by the user.

  • ATMs should have maximum natural surveillance and visibility from the surrounding areas; thereby increasing the potential for witnesses.

  • ATM location should be void of barriers blocking the line of sight of this ATM. e.g. shrubbery, decorative partitions, dividers, landscaping etc. to prevent would be assailant from hiding.

  • Installation of closed Circuit Television Cameras attached to a time lapse VCR system is a must.

At Bank Level


  • Banks should keep an eye on the cards in circulation-check the logo, uniformity of card number, date of enquiry, their shape and other parameters.

  • One way to find out if an ATM card is counterfeit is to try and peel off the magnetic strip and signature panel on its back. It does not peel off in genuine cards.

  • Banks can procure the anti-fraud software that keeps track of ATM users’ spending habits and flags unusual transactions

  • Banks should implement ATM programming enhancements like masking/ non-printing of card numbers.

  • Banks should educate the customers by advising them regularly of risks associated with using the ATM and how to avoid these risks.

  • Banks should conduct and document periodic security inspection at the ATM location, and make the pertinent information available to its clients.