Despite stringent legislation and increased enforcement aimed at combating financial crime, fraud using cash machines remains a public concern. ATM fraud is happening on a global scale, and its ramifications have been felt in Australia as well. This paper highlights the stratagems of this financial crime. The abuse of ATMs and the intelligent methods used by perpetrators are illustrated with some globally reported cases. In addition, protection tools and techniques that banks, financial institutions and customers can use to mitigate this crime are discussed. Most interestingly, security protection by biometrics and its exceptions is illustrated. This is an informative article intended to make readers aware of fraudulent crimes perpetrated using ATMs.
Keywords Automated Teller Machine (ATM), fraud, Lebanese Loop, skimming, counterfeit, Personal Identification Number (PIN), biometrics
The Automated Teller Machine, or ATM, is widely used nowadays. It makes cardholders’ financial transactions easier. People do not need to carry a lot of money with them all the time, because electronic machines are available to facilitate transactions whenever and wherever they want. However, the use of ATMs can bring problems to cardholders and financial institutions when skimmers take advantage of unsuspecting cardholders. Financial crimes, especially ATM fraud and identity fraud, are serious issues in this era, and they are continuously on the increase. Financial crimes have a big impact on the economies of nations. In one year financial crime cost the economy about $60 million US, and this did not include identity fraud, which was $625 million US annually (Cato, 2007). It is therefore interesting to discover why ATMs are becoming more targeted and what different attacks are made on ATM cardholders.

ATM and the facilitation

“The traditional ATM was just a cash machine, and the reason why that will not survive is that cash is being targeted for extinction, with a specific focus from contactless payments” (Kitten, 2007). Therefore, financial institutions are trying to improve payment methods through the ATM facility. Kitten (2007) wrote about the uses of the ATM besides cash withdrawal: “That might be depositing checks, accepting payments, paying bills, offering advertising, dispensing tickets, topping up contactless payment devices or even downloading back statements to PDAs … but it won’t be dispensing cash.” These are the reasons why the ATM is becoming more targeted by financial skimmers.
STRATAGEM OF ATM CARD
The strategy of ATM fraud is becoming more complicated and more of a technical assault. Many unsuspecting customers are victimized by skimmers without advance warning. Basically, criminals have common ways to take money and obtain personal details from customers, using low- or high-technology methods. The methods that criminals usually use are described below.

Lebanese Loop

This technique is well known in reported financial fraud. The Lebanese loop is a sort of skimming method in which “a plastic envelope is made up that fits the hole in the machine perfectly” (Mikkelson, 2006). When the card is inserted, the machine is not able to read the card, even if the PIN is keyed in correctly many times. At this stage, the skimmer pretends to be an innocent assistant and tries to help the victim by asking that person to enter the PIN again, or by trying to help him or her get the card back. Eventually, the victim gives up and walks off without the card. The skimmers wait until they are sure that the person will not come back for a certain period, and then they pull the plastic envelope out and take the card away, along with the memorized PIN. The case below is one such example reported by Mikkelson (2006), which happened to a lady at HSBC at Hanover Square on Saint George Street, where the ATM refused to return her card: “A lady approached me and told me that this had happened to her the other day and what I needed to do was key my pin number in and then press cancel twice. I did this and of course no card was returned. I left the machine thinking that it had swallowed my card. But when I returned to HSBC the following morning, my card wasn't there”.

Recently, the Lebanese loop has been introduced with a new accessory, a “thin, clear, rigid plastic 'sleeve' and/or x-ray film cut to the size of the slot machine” (Cottrell, 2007), which blocks the machine from reading the data on the magnetic strip on the back of the card. Thus, the machine requires customers to re-enter the PIN again and again. At that time, the skimmer comes along and offers the customer help (Mikkelson, 2006). In another variant of the Lebanese loop, the obstructing material is a length of tape inserted into the card slot so that the card is trapped and is not returned to the customer (North East Fraud Forum, n.d.). In the end, the criminals continue in their role as a kind assistant, as described above.

To protect against a Lebanese loop attack, checking the ATM before the card is inserted is an appropriate measure. Mikkelson (2006) suggested this technique: “The way to avoid this is to run your finger along the card slot before you put your card in. The sleeve has a couple of tiny prongs that the thieves need to get the sleeve out of the slot, and you'll be able to feel them”.
Figure 1. An inserted tape inside the card slot (figure labels: magnetic trapped tape; card insert panel)
A counterfeit slot machine

This method is a crime in which the original card slot is covered with a forged, similar-looking one. The spurious card slot skims the ATM card number and card details from the magnetic strip on the back of the card ("ATM Camera", n.d.), and the skimmer, who usually sits inside a car in a nearby car park, receives the data from the equipment installed on the front of the ATM ("ATM Scam", 2006). Mckinnon (2007), drawing on Patton, wrote in the Knight Ridder Tribune Business News that “Thieves then sell the information they gather, which can either be temporarily stored on the scanner or sent by signal to a device nearby, or they encode duplicate cards.” The new duplicated cards can be plain white cards, plastic cards or telephone cards on which data can be encoded (North East Fraud Forum, n.d.). Also, ATM Advice - How to protect your card details (n.d.) on the North East Fraud Forum website describes how the forged ATM cards are used after the data is captured: “Numbering each one they then have a book, which lists the numbers and the correct pin number for that card. These will then be taken either within the next hour or in the early hours of the next morning to a cash point and each one fed in with the relevant pin number and the maximum amount of cash is taken out. They could possibly have up to 40 cards in their possession with a possible £300.00 for each card £12,000.00 - not bad for a few hours work”.
The counterfeit card slot is hard to notice because its colour, shape, and material are designed to imitate the genuine one. However, if any part of the machine bulges outward and looks unusual, it can be assumed that the machine has been counterfeited.

Leaflet holder captured

This technique is committed by embedding a minute wireless camera inside the leaflet box close to the keypad and screen. The hidden camera captures and monitors customers keying in their PIN. An effective camera can transfer the films and photos to a nearby receiver up to 200 meters away ("ATM Camera", n.d.). This technique was actually carried out at Bradesco, a Brazilian bank in South America, where the criminal wanted to steal information and money from the bank's customers ("ATM Camera", n.d.).
Figure 2. The angled view of the wireless camera in the leaflet box
Hidden Camera in the Fake Top Panel

This method is very similar to the leaflet holder capture, but the position is different. The minute, thin camera, which is around 7cm high ("ATM Camera", n.d.), is hidden inside a fake panel fitted at the top of the ATM casing, and it is hard for people to see because the color and texture are very similar to the real one. The camera is used to film PIN entry on the keypad ("ATM Camera", n.d.). “There is a transmitter inside this device possibly the same type as found in the plug in door bell chimes this will transmit the images of the customer entering their pin number to someone sitting in a car up to 150 yards away monitoring a laptop computer” (North East Fraud Forum, n.d.). This technique was found, for example, in Hong Kong (January 2004), where the camera was hidden inside the ATM of the Hang Seng Bank branch in Tsuen Wan ("ATM Camera", n.d.).

Shoulder surfing

Card skimming is also accomplished through a low-tech method, shoulder surfing: a simple technique in which skimmers stand behind the victim and try to look over the victim’s shoulder to view the PIN, or listen to the sound of keystrokes on the PIN pad, and memorize it in order to commit card fraud or card theft (Bidwell, 2002). There is an easy way to notice such skimmers: only a suspicious person will stand too close to, or at an angle beside, the person who is taking money out of the machine.

Captured plastic skimmer

Another card skimming device is the keystroke capture skimmer. It is a thin, transparent plastic sheet with a microchip recording device underneath, which is overlaid on top of the ATM keypad and looks like a normal plastic cover. The texture of the keypad will be smooth and greasy. In fact, it is used to capture the keystrokes when customers press their PIN (Richard, n.d.).
This plastic misleads customers into thinking that it is a newly fitted keypad, or that it is there to keep off dust or to stop the printed numbers on the keypad from fading too early. In addition, some ATMs are covered with a fake keypad cover that is similar to the real one; however, this makes the keypad a bit higher than usual.
Figure 3. A captured plastic cover is designed to mislead customers

Other skimmers

It would be wrong to think that ATM fraud can happen only at the withdrawal machine. In fact, there is a risk of ATM card fraud inside shops such as restaurants, kiosks, and convenience stores. These point-of-sale outlets may be operated or compromised by card skimmers or fraudulent employees, who install a counterfeit hand-held card reader to capture the PIN: when customers press their identification code on the machine, it captures the data and transmits it to another receiver nearby (Richard, n.d.). This is hardly noticed, because most customers seem to trust the point-of-sale system.
AUTOMATED TELLER MACHINE ABUSIVENESS
What will happen with the skimmed data? The Model Criminal Code Officers' Committee (February 2006) explained data skimming as follows:

The ‘skimmed’ data is generally stored in the skimmer and then transmitted to a computer. The data can then be downloaded onto another magnetic strip, in most cases a counterfeit credit card which becomes an exact copy of the original. However the skimmed credit card data can be downloaded onto any form of media that has a magnetic strip, including a library card, a security card or even a parking ticket. (p.4)

It does not take long for criminals to get the money out of the bank, as long as they can get either or both of the ATM card and the PIN. Usually, the data on a counterfeit card is used to withdraw cash from ATMs rather than to purchase products at a point-of-sale counter, because it is too obvious and too easy to get caught when skimmers buy something with a forged card (The Model Criminal Code Officers' Committee, February 2006). Thus, the skimmers use their equipment to copy the card and use the PIN to withdraw all the money from the ATM before the card is deactivated by the real cardholder ("ATM Camera", n.d.). At the same time, these criminals always use the fake card to take the money out in other cities, where it is harder for the police to detect (Cato, 2007). Once the authorized customers find that their money has been stolen, they must of course deactivate their card and freeze their funds. Nevertheless, by the time they realize that something might be wrong with their card, they have probably lost all the money on the card.
Most interestingly, card skimming has been found to operate as a serious commerce in Australia, in which the skimmed details are transmitted to other countries, written onto forged cards, and sold to tourists to spend the money on the card (The Model Criminal Code Officers' Committee, February 2006).
BANKS AND FINANCIAL INSTITUTIONS DEFENSIVE ACTS
Banks and financial institutions are trying to develop intensive ATM fraud countermeasures in order to protect their assets and finances and their customers’ lives and assets. The countermeasures are divided into two parts:
• Banks and financial institutions’ assets protections
• Banks and financial institutions’ customers and assets protections

Banks and financial institutions’ assets protections

The purpose of this part is to protect the property of banks and financial institutions from being modified, manipulated or destroyed, which would make the banks lose their reputation and credibility with users. These are the methods being used to protect the property:
1. Installing a jitter mechanism: a detection sensor that deters skimming with vibration technology, which prevents the data on the card from being read accurately by a fake card reader ("Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site", 2005).
2. Installing vigilant detection systems ("Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site", 2005). These systems allow all suspicious activities, including suspicious skimming devices, to be detected, and send signals to alert the authority to stop processing transactions and/or mechanical procedures.
3. Installing camera surveillance to record all activities within inbounds.
4. Installing a deep, recessed screen and keypad to shield customers from shoulder surfing ("Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site", 2005).

Banks and financial institutions’ customers and assets protections

The objective of this protection is to guard customers from being attacked when they are doing their transactions via ATM, inbound and outbound, where the ATM is not located inside the bank office. These are some of the good techniques being used:
1. Installing consumer awareness mirrors to allow customers to watch their backs and their surroundings.
2. Installing various lighting and spotlight options in certain places, such as the cash machine and nearby car park, where a suspicious person could hide (Diebold, n.d.).
3. Installing video surveillance around the premises ("Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site", 2005).
4. Posting posters or security warning signs around the ATM to warn people of the dangers.
5. Designing a rounded fascia around the card slot so that skimmers cannot easily affix card skimming equipment (Diebold, n.d.).
The concept of Lobby or Vestibule Banking (Slater, 1991) seems to be the best way to deter crime. In many places ATMs have been located within bank doorways or close to kiosks; protecting the ATMs and customers’ lives while withdrawals are being processed, by installing protective glass around the existing dispenser, can reduce cash and card robbery (Slater, 1991). Furthermore, controlling access to the area with the customer’s ATM card and PIN can increase customer confidence.

Biometrics protection

The issue of biometric protection has been discussed continuously. It is one of the effective security methods that have been used worldwide. Shah (2001) described the idea of biometrics as follows: “Imagine walking into an ATM without having to worry about remembering passwords and other verification processes. A situation where you are your own password and mode of access where your fingerprints, skin texture, retina pattern or face give you access to your account and let you withdraw money. This is the power of biometrics in financial transactions.”
The concept of the biometric countermeasure is identification by the body, which is becoming very common in security measures. However, biometric ATM security systems are not as commonly seen elsewhere as in India (Shah, 2001), where biometrics have been put into use. In addition, biometric security methods are becoming useful for establishing that users are authorized. They provide a real identity check by using a physical or behavioral characteristic to verify a person for access. Biometrics can be divided into physiometric and behavioral techniques (Hendry, 2001), as shown in the table below:
| Biometrical Types | Biometrical Acts | Identical Acts | Analytical Awareness |
| Behavioral | Signature verification | The relative speed and the pressure used are drawn. | It depends on the writing surface, the environment, the mood of the user and the writing tools. |
| | | Skill typists | The diversity of keyboards and software used might lead to errors. |
| | | Multilevel voice checking such as tone, pitch, and cadence | False rejection can happen with unusual background, a cold, and the mood of the user. |
| | | It captures the pattern of palm lines on the hands. | Injury, aging, or an out-of-date device can affect the measurement. |
| | | It measures the flecks in the iris of the eye. | The use of the iris scan is a concern for those in wheelchairs and those of short stature. |
| | | It estimates the characteristic blood vessel patterns on the retina with a lower-power infrared laser and camera. | Eye disease can destroy the gene or tissues, which affects the accuracy of the retina scan measurement. |
| | | It captures the minutiae of the fingerprint. | Analysis can be difficult for those who are heavy smokers and those who work in trades involving heavy use of the hands. |
Furthermore, modern technology can create new security measures to detect and monitor card users’ activities, such as anti-fraud software that monitors all card spending and money activities and tracks unusual transactions, even when the card is used first in one region and then in another, distant country (Richard, n.d.).
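The following added example (not part of the original paper and not taken from any vendor's product) sketches two rules such anti-fraud software could apply to ATM withdrawal records: a burst of limit-draining withdrawals by several cards at one machine, as in the cash-out described under the counterfeit slot machine, and use of one card in two distant places within an implausibly short time. The record layout, thresholds, terminal names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample records (not real data): UTC time, card, terminal,
# terminal latitude/longitude, amount withdrawn, card's daily limit.
SAMPLE = [
    ("2007-10-01 02:10", "card-A", "atm-17", 54.97, -1.61, 300, 300),
    ("2007-10-01 02:13", "card-B", "atm-17", 54.97, -1.61, 300, 300),
    ("2007-10-01 02:19", "card-C", "atm-17", 54.97, -1.61, 300, 300),
    ("2007-10-01 14:00", "card-D", "atm-17", 54.97, -1.61, 40, 300),
    ("2007-10-01 09:00", "card-E", "atm-40", -31.95, 115.86, 100, 500),
    ("2007-10-01 10:30", "card-E", "atm-90", 13.75, 100.50, 200, 500),
    ("2007-10-01 11:00", "card-F", "atm-17", 54.97, -1.61, 50, 300),
    ("2007-10-01 11:20", "card-F", "atm-21", 54.98, -1.60, 50, 300),
]

def parse(rows):
    """Turn raw tuples into dicts with a real datetime in 'when'."""
    keys = ("when", "card", "terminal", "lat", "lon", "amount", "limit")
    txns = [dict(zip(keys, row)) for row in rows]
    for t in txns:
        t["when"] = datetime.strptime(t["when"], "%Y-%m-%d %H:%M")
    return txns

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    h = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(txns, max_kmh=900.0, min_km=50.0):
    """Flag a card used at two distant terminals faster than travel allows."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t["card"]].append(t)
    alerts = []
    for card, uses in sorted(by_card.items()):
        uses.sort(key=lambda t: t["when"])
        for a, b in zip(uses, uses[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["when"] - a["when"]).total_seconds() / 3600
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append((card, a["terminal"], b["terminal"]))
    return alerts

def cashout_bursts(txns, window=timedelta(hours=1), min_cards=3):
    """Flag terminals where several cards each drain their limit in one window."""
    by_terminal = defaultdict(list)
    for t in txns:
        if t["amount"] >= t["limit"]:      # withdrawal takes the maximum allowed
            by_terminal[t["terminal"]].append(t)
    alerts = {}
    for terminal, hits in by_terminal.items():
        hits.sort(key=lambda t: t["when"])
        start = 0
        for end in range(len(hits)):
            while hits[end]["when"] - hits[start]["when"] > window:
                start += 1                 # slide the window forward
            cards = {h["card"] for h in hits[start:end + 1]}
            if len(cards) >= min_cards:
                alerts.setdefault(terminal, set()).update(cards)
    return {terminal: sorted(cards) for terminal, cards in alerts.items()}

if __name__ == "__main__":
    records = parse(SAMPLE)
    print("impossible travel:", impossible_travel(records))
    print("cash-out bursts:", cashout_bursts(records))
```

Flagged cards would normally be blocked or referred for review; the thresholds need tuning against an institution's own transaction history.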
Customer Defensive Acts
Customer defensive acts are low-tech methods to protect a person from being defrauded at an ATM. There are many simple ways to apply:
1. Caution and vigilance should be exercised when using cards. If there is anything suspicious about the machine, the customer must contact the bank and report the issue, or ask why the changes to the machine were made (Richard, n.d.).
2. PIN entry should be shielded from prying eyes. Customers should take care when they key in the PIN by standing close to the ATM, covering the PIN keypad and ensuring that the keypad is blocked from shoulder surfers behind (North East Fraud Forum, n.d.).
3. The surrounding area should be clear. Try to avoid using an ATM when people are standing close to the machine. Ask them politely to move aside if possible, or find another ATM somewhere else (Mikkelson, 2006).
4. ATMs in secluded areas should not be used. It is safer for customers to have friends beside them if it is necessary.
5. Beware of helpful strangers. Do not trust anyone offering help, especially when the card is stuck inside. Report to the bank and deactivate the card as soon as possible (Mikkelson, 2006).
6. While the card is stuck, keep a safe distance and report it by phone; the card should not be removed, as it can be used as evidence (An Garda Síochána - Ireland's National Police Service, n.d.).
7. Expensive jewelry and valuables should not be carried ("Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site", 2005).
8. Money should be counted only when it is safe to do so ("Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site", 2005).
9. The PIN should not be written on the card or kept in the wallet. It is better to memorize the PIN as soon as possible (Pentagon Federal Credit Union, 2007).
10. The PIN should be chosen carefully. Date of birth, social security number, telephone number, account number and street address are all unsafe to use as a PIN (Pentagon Federal Credit Union, 2007).
11. ATM receipts should not be left at the machine or in nearby rubbish. Attackers might use the receipt for their own benefit.
12. The statement balance should be reviewed regularly to ensure that everything is accurate (Pentagon Federal Credit Union, 2007).
13. The card should be deactivated as soon as it is stolen, and the old card destroyed when the new card is available.
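The list above names the personal data that is unsafe to use as a PIN. The following added example (not part of the original paper) shows how a card issuer could check a proposed PIN against the customer's record when the PIN is chosen; the profile fields, sample values and function names are assumptions constructed for illustration.

```python
import re

# Constructed customer record (not real data).
PROFILE = {
    "date_of_birth": "1985-03-14",          # ISO format, YYYY-MM-DD
    "social_security_number": "000-12-3456",
    "telephone_number": "555-0142",
    "account_number": "40017766",
    "street_address": "1047 Example Road",
}

def digits(value):
    """Keep only the digits of a field such as a phone number or address."""
    return re.sub(r"\D", "", value)

def personal_digit_strings(profile):
    """Map each unsafe data source to the digit strings it can produce."""
    year, month, day = profile["date_of_birth"].split("-")
    yy = year[2:]
    sources = {
        "date of birth": {
            day + month, month + day, year,              # 4-digit forms
            day + month + yy, month + day + yy, yy + month + day,
            day + month + year, month + day + year, year + month + day,
        }
    }
    for field in ("social_security_number", "telephone_number",
                  "account_number", "street_address"):
        sources[field.replace("_", " ")] = {digits(profile[field])}
    return sources

def pin_problems(pin, profile):
    """Return the personal data sources from which the PIN can be read off."""
    if not re.fullmatch(r"\d{4,6}", pin):
        raise ValueError("PIN must be 4 to 6 digits")
    found = []
    for label, strings in personal_digit_strings(profile).items():
        # A PIN is guessable if it appears inside any derived digit string,
        # for example the last four digits of the telephone number.
        if any(pin in s for s in strings):
            found.append(label)
    return sorted(found)

if __name__ == "__main__":
    for candidate in ("1403", "0142", "3456", "8302"):
        print(candidate, pin_problems(candidate, PROFILE) or "no personal data match")
```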
The use of ATMs is very widespread and convenient for users. People use ATMs for a variety of purposes, but mainly for withdrawals. On the other hand, ATMs can bring serious problems to users. As the ATM card becomes more popular, it may become the criminals' most targeted object of attack. Skimmers take advantage of the ATM to gain benefit in abusive ways. The techniques are becoming more sophisticated and more intensive as the growth of technology supports attacks with smart skimming devices. However, simple methods are still being used to rip off victims. Therefore, banks and financial institutions are developing software and security methods to detect, deter, and delay skimmers, as well as to protect their property, reputation and customers. At the same time, customers should be wary and protect themselves from the risks before it is too late.
REFERENCES

An Garda Síochána - Ireland's National Police Service. (n.d.). Crime Prevention Advice ATM (Cash Machine) Fraud. Retrieved September 29, 2007, from http://www.garda.ie/angarda/crimeprev/cadvice_atm.html
ATM Camera. (n.d.). Retrieved October 4, 2007, from http://www.snopes.com/fraud/atm/atmcamera.asp
ATM Scam. (2006). Bank ATMs converted to steal bank customer IDs. Retrieved September 28, 2007, from http://www.utexas.edu/police/alerts/atm_scam/
Bidwell, T. (2002). Hack Proofing Your Identity In the Information Age. Rockland, MA: Syngress Publishing, Inc.
Cato, J. (2007). 2 illegals indicted in ATM fraud in Western Pa. Knight Ridder Tribune Business News, 1.
Cottrell, K. (2007). Legislators move to protect ATM users // Bill will criminalize possession of velcro 'traps' used in ID theft scheme. The Business Press, 7.
Diebold. (n.d.). White Paper: ATM Fraud and Security. Retrieved October 6, 2007, from http://www.diebold.com/rd/whitepapers/atmfraud&security.pdf
Diebold Launches First-of-Its-Kind, Consumer ATM Security Web Site. (2005). PR Newswire, 1.
Hendry, M. (2001). Smart Card Security and Applications Second Edition. Norwood, MA: Artech House, Inc.
Kitten, T. (2007). Contactless and the ATM?. Retrieved September 29, 2007, from http://www.atmmarketplace.com/article.php?id=8903&prc=19&page=37
Mckinnon, J. M. (2007). Bank card data stolen in Sylvania Township: 'Skimmers' at 2 ATMs used digital devices to glean info. Knight Ridder Tribune Business News, 1.
Mikkelson, B. (2006). Lebanese Loop. Retrieved October 3, 2007, from http://www.snopes.com/fraud/atm/lebaneseloop.asp
North East Fraud Forum. (n.d.). ATM Advice - How to protect your card details. Retrieved October 4, 2007, from http://www.northeastfraudforum.co.uk/atmfraud.asp
Pentagon Federal Credit Union. (2007). Preventing Fraud: Automated Teller Machine (ATM) Fraud Protection. Retrieved October 7, 2007, from https://www.penfed.org/productsAndRates/resourceCenter/preventingFraud/atmFraud.asp
Richard, C. (n.d.). Guard Your Card: ATM Grows More Sophisticated. Retrieved October 4, 2007, from http://www.csmonitor.com/2003/0721/p15s01-wmcn.html
Shah, K. (2001). ATM banking without a PIN. Retrieved September 30, 2007, from http://www.expresscomputeronline.com/20070903/management03.shtml
Slater, K. (1991). Information Security In Financial Services. New York: Stockton Press.
The Model Criminal Code Officers' Committee. (February 2006). Final Report: Model Criminal Code Chapter 3 Credit Card Skimming Offences: Commonwealth of Australia.
Nattakant Utakrit ©2007. The author/s assign Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. The authors also grant a non-exclusive license to ECU to publish this document in full in the Conference Proceedings. Any other usage is prohibited without the express permission of the authors.