/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsPratima Harigunani
This scene can be an average Indian's dream-come true. You are sitting next to the dapper star-cum-quiz master ShahRukh Khan, with a swank-flat-reclined computer staring at you on KBC. You have alighted many rungs of the money ladder with panache and pace. And next on SRK's serve is another hefty question.
What is the full form of ATM?
Your options are:
a) Automated Teller Machine b) Always Thoda Money c) Apunka Travel Money d) A Thug's Mint
Before you grin from ear to ear, and leap to freeze the 'so-thought' right answer, would you care to confront some more questions:
Do you know that even if your ATM is showing the 'out-of-order’ message, there are chances that someone can fleece both the bank and your ATM wallet through an offline transaction?
Do you know that even ATM server wires can be tapped and used for withdrawals?
Do you know that the chances of you blissfully walking into a fake ATM and punching in your PIN ( personal identification number)?
Do you know that you should never swipe your card when there are more than one card readers in a machine?
Or do you know that the seemingly innocuous pamphlet holders near the ATM machine might actually be harbouring secret cameras?
Tempted to give a second glance to option D?
Well, the questions do not end here. But they do start from a common glacier : ATM Frauds.
While many stakeholders, be it banks, customers, online cops, security research agencies, and media, have kept the decibels high on the mushrooming threats of new-world banking (read phishing), there is a rather silent buccaneer sneaking around in the seemingly safe kiosk you walk in every day – the ATM robber.
And here's his small sketch.
The bandits are around
Early this month, three British nationals were arrested in Ahmedabad for allegedly withdrawing Rs 2.75 lakh by using counterfeit credit cards from NRI accounts from ATMs of the Bank of India, Centurion Bank and HSBC Bank, after their arrival in Ahmedabad from London.
According to a research conducted by the Indiaforensic Research Foundation, Indian Banks would have lost estimated amount of Rs.1105 crores to the frauds but which may not have been noticed by the bankers due to the lack of professional knowledge to detect the frauds in the technology environment. Frauds exposed in the technology domain like ATM/debit card frauds or the credit card frauds are just the tip of the iceberg. There would be still many fraud schemes that might not have surfaced, as per the foundation estimates.
Mayur Sharad Joshi, CEO, Indiaforensic Consultancy Services, warns that ATM frauds are no more dwarfs, be it their scope, propensity or technical dexterity.
From already known methods like shoulder-surfing, card skimming, use of counterfeit cards, ATM frauds are in the rise. The interesting bit here is the fact that technology is playing the main fertilizer here.
A huge menu-card
Here's a list of the new dishes that have got ATM thieves salivating. They are simple, smart and can be quite a spoonful when it comes to the booty.
Wire-tapping
This genre of ATM fraud draws its strength from two areas: inherent technical flaws and insider knowledge. Every ATM has a server that operates as a link between the machine and the bank. By just placing a transistor among the server wires, not only can the digital signals between the server and the ATM be captured, but also the last transaction signal details. The result: the hackster can repeat (and thus withdraw the given money of) the previous transaction without even the need of having a customer's PIN details. He just needs to sneak around for jumbo withdrawals. To top it, all this is possible in a parallel mode, in multiple kiosks.
Joshi from Indiaforensic further explains, "This fraud only necessitates access and knowledge of the wiring system. It could be anyone, the repair person, the technical contractor, or even the bank's employee."
Offline Transactions
So, the only sigh you utter, when your nearest ATM kiosk displays 'out-of-order' is "Gosh, I will have to drive/wait more"? Well, your sighs (and even your bank's) could be multiplied, if someone takes the offline route.
Joshi reveals the details, "When the connectivity between the server and the ATM is lost, a person can still execute some number of cash withdrawals. The number of transactions would be limited to the amount in the ATM's cache at that point in time. Since, the server is down, these transactions would not be visible to the bank. All one needs, is the right timing and the knowledge of when a particular ATM server is down. It's not hard to guess that the first person privy to such information could be the bank's employee again."
And, this couldn't get more interesting. It's not only the bank employee or a seasoned fraudster, but even you, the customer, who can take advantage of offline withdrawals, without ever letting your bank know as to when, by whom and for how much was the withdrawal done. An offline transaction, would probably, never get accounted for in your debits, you see.
Cameras and cloners
Hidden micro-cameras under the guise of pamphlet or leaflet boxes have also been reported as a purloiner's way to snoop into a bank account. Not to forget, another trickster's favourite, Card Cloners. These devices work by stealing information via a thin, transparent-plastic overlay on an ATM keypad that captures a user's identification code as it is keyed in. It looks like some sort of key-cover to the customer but the microchips in the device can record every keystroke. Another transparent device inside the card slot captures card data. While the cardholder completes the transaction, a computer attached to the overlay records all the pertinent data to clone the card. Bogus cards can thus be made via the help of card readers and card writers. Hence, customers are advised not to use card slots (and report to security) that have double card readers. These may be mechanisms to scan or capture card information wirelessly while you are happily feeding in your PIN number and account details.
Fake ATMS
Though not very pervasive, it is quite possible that the ATM one walks in could be a malafide one set up by another shrewd burglar to bait you into generously sharing your card information at his whim and luxury.
"One can set up a scheming machine labeled as a certain bank's ATM so that customers can come in, unaware, to slot in their cards. The machines can then, capture the readable information as embossed print from the card. Once, a sufficient number of cards are slotted in, the ATM can easily flash a 'out-of-service' sign and the fraudster can happily run away by the time the miscreant is discovered or a raid happens," says Joshi. Since it's not just banks that own cash machines, individuals can buy them, set them up in gas stations or malls and make money on each transaction.
So is that easy to install a counterfeit ATM? Are there no bank authentication measures? Who better to pose this question to than NCR Corporation that has almost been synonymous when it comes to ATM installations in India.
Deepak Chandnani - managing director, NCR Corporation, India says that according to the RBI mandate, licenses are only issued to banks for deployment of ATMs either at a branch or off-site. "Banks typically outsource associated services to companies like NCR whose core competency lies in the area of ATM manufacturing, maintenance, end-to-end management and security. No individual company/person is authorized to procure an ATM and install it for public use without authorized licensee (the specific bank) sponsoring the same."
He adds that ATM frauds have been more prevalent in mature markets like the US, Europe and Australia and such incidents of fake ATM deployments have indeed been reported in the past. A fake ATM will not connect and perform transactions since to do so it needs to connect with a switch and in order to connect with a switch, each ATM needs to send out unique specific keys in digital form that the switch is programmed to recognize.
Possibilities, nevertheless, cannot be ruled out, as Chandnani candidly points out: "Installation of fake ATMs capable of doing transactions would require the fraudster to obtain such an ATM in the first place; it is technically possible given the availability of spare parts and refurbished machines in the market. Also, a fraudster can potentially modify a genuine ATM itself to suit his agenda. It is very important for banks to ensure that their ATM channels are highly secure and backed by appropriate solutions."
As far as the customer is concerned, precautions are imperative. A customer should ensure that the ATM s/he is using is a genuine one. One should preferably visit only known ATM sites, be aware of how an ATM (and site) looks, to detect if anything is missing and of course, immediately report anything suspicious about a machine to the bank.
From the horse's mouth
So, how vulnerable are ATM hardware and banks to this new breed of fraudsters?
Pramod D Parkhi, director, IT Committee of Cosmos Co-operative Bank that owns around 28 ATMs and shares 7000 others feels that ATM risks are same as those of online banking. "Ultimately, it is all about how is technology being used. Some part of the security pie belongs to the bank and latest advances like camera machines, etc. are being installed. But the customer too, has to be wise and alert enough, specially about protection of ATM cards. They should take care not to lose or forget card/PINs."
He also admits that propensity of employee fraud on ATM crime scene cannot be ignored. "They have all the information. It is possible that the same can be misused. It's here where in-process checks and ethics attain importance."
NCR's Chandnani answers as follows: "ATM transactions are typically very secure. When the user keys in the PIN number on the ATM, the hardware encryptor in the ATM keyboard ensures that the PIN entered by the user is encrypted with other ATM-level and ATM Card-level data inputs using an industry-standard encryption algorithm to generate a unique number which is then checked at the Host (ATM switch) for its veracity."
As to loopholes like wire-tapping (between a server and ATM), keystroke mapping, mini-cameras, clone machines (card-readers and writers), etc. within an ATM, he feels that the risks vary between banks and ATM sites. "Though some like keystroke mapping is not possible in ATMs given the PINpad security features."
Chandnani, however, cautions that while these incidents haven't happened in India, it does not mean that it cannot happen as fraud is migratory in nature and it is recommended to be proactive.
Who bears the brunt – the bank or the customer?
In many foreign countries the banks follow zero-liability policy. Under Federal Reserve regulations, ATM cardholders can be held liable for no more than a minimum stipulated amount if they report a lost or stolen card or an unauthorized transaction within two days. Banks and Financial Institutions have often encouraged customers to use ATMs by offering a "zero liability" policy in cases of theft or fraud. While questions to some banks on this issue failed to elicit response, Cosmos' Parkhi explains that the liability depends on the nature of the frauds. "If it's a reckless, non-informed lost card case, banks would not normally compensate for it. The extent to which a bank can make up depends on exactly what the fraud is."
Biometrics – the savior force?
Biometric machines can recognise account holders' thumbprints or eye-retina or any other biometric, thus eliminating the need for a PIN. Installations of such machines are still few and far between, for instance the ones by Citigroup in Bandra (Mumbai) and Hyderabad and some biometric cards by other leading banks, but these are still, pivoting around the rural and illiterate Indian hinterland.
So, can biometric-based ATMs be an answer to fraud vulnerabilities?
NCR's Chandnani says, "Biometric ATMs are being tested by various banks in India at this point in time. The biometric ATM solution is fingerprint scanning based and is relevant for Indian banks that are looking at expanding reach in literacy deficient areas. Biometric verification in conjunction with the card is a secure means of identifying the customer, but the present method of customer pin and card is also a very secure way of identifying the customer."
Parkhi feels that while the concept is fine, it is not immediately feasible. "Such ATMs would need a huge library of thumbprints or other metric storage."
Technology, be it ATMs or online transactions, has unarguably ensured speedy and convenient banking. But, thanks to the heist community around, it is always a double-edged sword. As Joshi recommends, there's only one shield against fraud threats. "Be alert, specially about forces snooping around and your PIN."
Even banks are moving from a Single Data Encryption Standard (Single DES) to an even more secure Triple DES standard. "Under Triple DES security, the data is scrambled to a level at which even the most powerful computers in the world today cannot decipher," shares NCR's Chandnani.
Also, an ATM or ATM centre can be equipped with Video Surveillance Systems (VSS). He explains, "For instance, NCR's 'NVigil' solution whereby pin-hole cameras could be suitably installed within the confines of an ATM or the lobby to capture the image of the person transacting at the ATM. These surveillance cameras capture the images in a sequential fashion rather than just one picture at a time, so as to give the complete picture. These can be configured to interface with the ATM so that ongoing transaction details, such as date, time, transaction serial number, account number / card number, are captured and embedded on the picture frame. "
Chandnani maintains that a genuine, well maintained ATM is extremely secure. But, as he opines, there are some precautions that a customer can take while s/he visits an ATM.
Only perform transactions yourself and not disclose your PIN or hand the card over to others.
Keep track of your cards when handing it over to others for swiping (especially at shops, petrol stations, restaurants, etc.).
Do not perform transactions where others are able to see the pin you enter. Ensure that the ATM has closed the transaction (and is again displaying the idle loop) before leaving it.
Last, but not the least, keep different and unfamiliar PINs for different accounts."
Hot seat or not, the stakes for the question of ATM security are high, be it for today's technoholic banks or their tech-savvy customers.
© CyberMedia News