ATM Fraud and how to protect your money against it

Protecting your money in the bank during this holiday season

ATM Fraud and how bank clients can protect themselves against fraud

The issue

On 14th Oct 2015, Centenary Bank’s managing director Fabian Kasi issued a statement about the 25 complaints the bank had received from its customers over inconsistencies in their account balances. This was after a system upgrade.

The bank decided to block all customer ATM PINs and asked customers who wanted to withdraw over the ATM platform to first reset their ATM PINs. This exercise is currently under way at all 63 of its branches. The bank also limited cash withdrawals to Ugx. 100,000.

Fast forward to today, years have passed but the fraud schemes have remained the same.

In this Christmas season, the fraudsters are increasing. As you learn how to protect yourself and stay safe online, the fraudsters learn how to beat your security and get a share of your money.

The basics

In Uganda, there are two popular types of ATMs: NCR and Diebold. NCR accounts for over 70% of all ATMs, as it was first in the market, while Diebold is becoming more aggressive with a new breed of ATMs. We are seeing new developments in the banking sector, especially intelligent ATMs and unmanned branches. At Shell Ntinda, Standard Chartered has opened a 24/7 branch which is not staffed at all. It is a true definition of digital banking, with two ATMs that can perform key banking services like accepting deposits and withdrawals. There is also a computer and a seat, where you can sit, log on to your bank account and transact online in a secure manner.

Of course, there may be some people still afraid of banking via the Internet. But convenience in banking means that you must change to the new ways or spend a lot of time in the banking halls. Few people have that time. Today, Stanchart is positioning itself as the leading digital bank in the country, and all banks are following suit. This is the new normal. Mobile penetration in Uganda passed the 50% mark long ago, meaning that of the 40 million Ugandans, over 20 million have a mobile phone. This will only increase.

Internet penetration too is increasing at a faster rate as it becomes a basic need instead of a luxury, and so is Internet and mobile banking. Now that every bank has some strategy for dominating the others in these areas, the winner will be the bank with the best, most user-friendly and most convenient applications. Other things like security are must-haves. Below we explore common ATM frauds and how to fix them.

How does ATM fraud happen?

  1. Card Skimming

Skimming remains the number one threat globally, but one that is on the wane thanks to the deployment of anti-skimming solutions, Europay, Mastercard and Visa (EMV) technology and contactless ATM functionality. Essentially, skimming refers to the theft of the electronic card data, which enables the criminal to counterfeit the card. Consumers experience a normal ATM transaction and usually do not notice a problem until their account is defrauded.

How to fix it?

The fix is the EMV chip: the small, metallic square you’ll see on new cards. That’s a computer chip, and it’s what sets apart the new generation of cards.

 

“If someone copies a mag stripe, they can easily replicate that data over and over again because it doesn’t change,” says Dave Witts, president of U.S. payment systems for Creditcall, a payment gateway and EMV software developer.

Unlike magnetic-stripe cards, every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again.

If a hacker stole the chip information from one specific point of sale, typical card duplication would never work “because the stolen transaction number created in that instance wouldn’t be usable again and the card would just get denied,” Witts says.
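The difference between static stripe data and a per-transaction chip code, seen from the issuer's side, as an added example that is not part of the original article. It is a simplified model: HMAC-SHA256 stands in for the real EMV cryptogram, and the card number, key and class names are constructed for illustration.

```python
import hashlib
import hmac

# Simplified model: HMAC-SHA256 stands in for the real EMV cryptogram.
def _mac(key, pan, atc, amount, nonce):
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Card side: the key stays in the chip; only the cryptogram leaves."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def sign(self, amount, nonce):
        self.atc += 1  # transaction counter advances on every use
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, self.atc, amount, nonce)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.stripes = {}, {}, {}

    def enroll(self, pan, key, stripe):
        self.keys[pan], self.last_atc[pan], self.stripes[pan] = key, 0, stripe

    def verify_chip(self, req):
        pan = req["pan"]
        want = _mac(self.keys[pan], pan, req["atc"], req["amount"], req["nonce"])
        if not hmac.compare_digest(want, req["cryptogram"]):
            return "DECLINE bad cryptogram"
        if req["atc"] <= self.last_atc[pan]:
            return "DECLINE counter already used"
        self.last_atc[pan] = req["atc"]
        return "APPROVE"

    def verify_stripe(self, pan, stripe):
        # Static data: a copy is byte-identical to the original, every time.
        return "APPROVE" if self.stripes.get(pan) == stripe else "DECLINE"

def demo():
    # Constructed sample values, not real card data.
    pan, key, stripe = "0000000000000000", b"constructed-demo-key", "STATIC-TRACK-DATA"
    issuer, card = Issuer(), ChipCard(pan, key)
    issuer.enroll(pan, key, stripe)
    first = card.sign(50000, "n1")
    results = [issuer.verify_chip(first), issuer.verify_chip(first)]  # genuine, then copy
    results.append(issuer.verify_chip({**first, "amount": 900000}))   # altered copy
    results.append(issuer.verify_chip(card.sign(20000, "n2")))        # next genuine use
    results += [issuer.verify_stripe(pan, stripe)] * 2                # stripe data never changes
    return results
```

The copied chip message is declined because its counter was already seen, while the unchanged stripe data is accepted on every presentation.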

 

Magnetic stripe

A stripe of magnetic information that is affixed to the back of a plastic credit or debit card. It can be black, brown or silver in color. It is the common type of card in the United States today. Often, it’s called a “magnetic swipe” card, because the card is activated by swiping it through a device that can read the data in the stripe. The credit card’s magnetic stripe contains three tracks of data. Each track is about one-tenth of an inch wide. The first and second tracks in the magnetic stripe are encoded with information about the cardholder’s account, such as their credit card number, full name, the card’s expiration date and the country code. Additional information can be stored in the third track. With the new generation of credit cards, such as chip cards, no magnetic stripe is needed. Also called magnetic strip or magstripe.

 

How hackers use the information

1: Selling information on the black market
Once a cybercriminal, or a group, has a mass of stolen information they have to move quickly in order to make a profit and that often starts by going to an illegal online marketplace.

2: Counterfeiting cards
In this scenario, all a crook needs to access and spend your money is the information stored in the magnetic strip on your debit or credit card.

This information, also known as track data, is transferred to any card with a magnetic strip using equipment that only costs fraudsters about $100.

Since counterfeit cards will only work as long as the hacked account has not been flagged, frozen or closed due to suspected fraud, criminals have to move quickly to get what they can from the card before it no longer works.

3: Performing online commerce transactions
One example of a card-not-present fraud is the use of e-commerce sites such as eBay and Craigslist to make online transactions that result in a clean profit for the cybercriminals.

“Let’s say I’m a criminal, I have a stolen credit card, go to eBay, find an iPad and buy it with that card,” Tjiputra said. “I then have it shipped to my assistant’s home address and at the same time I put another advertisement on eBay selling that iPad for what appears to be a very attractive lower-than-market-value price, like $250.”

4: Opening new accounts
Exact card and bank account numbers are temporarily useful, but the more personal information a fraudster can get about you, the deeper and more inconspicuous damage they can do.

“Personal information is the holy grail,” Tjiputra said. “Social Security number and date of birth can get you anything — car loan, house mortgage, credit cards, you name it. Cellphone numbers, addresses and account passwords are even more helpful when all added together.”

Fraudsters know it, too. Nearly half of all 2013 data thefts did not involve payment card information, according to Trustwave’s report.

In addition to lines of credit and loans, criminals can also open utility accounts, such as electricity, cellphones or satellite TV, using your information without you, or anyone else, even knowing.

By putting their own addresses and contact information on the new accounts, cyber criminals can get away with spending the fraudulent lines of credit and using the services until the next time you check your credit report.

“It’s much more difficult to detect this type of fraud when the fraudsters have all the correct account application answers,” Wooten said. “Having access to a full user profile makes it that much easier to pretend you are someone else and take advantage of them.”

  2. Card trapping

Trapping is the stealing of the physical card itself through a device fixed to the ATM. In a pre-EMV or chip-and-signature environment, the PIN does not need to be compromised.

 

Qn: Don’t ATMs have apparatus to detect early warning signs on accounts?

There must be a trigger that something wrong is going on. A customer must complain or the system must go down.

Technically, a bank’s work is to keep people’s money and allow access whenever they need it. Customers must be able to monitor their account balances by checking their bank statements often. So, when they find a problem, they report it to the bank.

Otherwise, the bank may not have a mechanism to detect whether a reduction in the customer’s bank balance is due to fraud or genuine customer transactions. That is why customers are advised to keep monitoring their bank accounts by reviewing their statements. The more money you have in the bank, the more you should review and notify the bank in case you notice a change.

Qn: How do customers protect themselves?

Through awareness training. They must read about ATM security. Keeping your PIN secret is critical. It is your personal responsibility to do the right thing. Keep reading about how to be secure online and on mobile.

Qn: Are there red flags that someone is tampering with your account?

  • Fake readers
  • Prying eyes, shoulder surfing – people are close to you at the ATM
  • Card skimmers
  • Long transaction times – the ATM takes long to reply. Report a long transaction time.
  • ATM off when you start transacting – make sure you call the customer help line instantly and visit the branch to fix it as soon as possible. Report the fraud and ask them to stop all money withdrawals from your account, explaining what happened, when it happened, the ATM location and all specific details. Also make a police report on the matter.
  • People volunteering to help you at the ATM. Remember, trust no one, even bank staff, unless they are behind the counter.
