Reported global ATM fraud results in losses of $50 billion to $60 billion annually, according to Boston-based Celent Communications. But the actual figure may be as high as $80 billion because many banks don't track or release these numbers, says Anna Istnic, senior product manager for ATM manufacturer Diebold (North Canton, Ohio).
The most recent high-tech effort to curb ATM theft has been the implementation of the Triple DES data encryption standard, which uses three separate 56-bit keys to encrypt and decrypt messages. This basically compounds the number of possible key combinations (72 quadrillion) three times, making it even harder to crack an encrypted message traveling between the ATM and the bank. Most ATMs are now Triple DES compliant, an upgrade that's taken place over the past few years.
While some financial institutions operating older ATMs were forced to replace them as a result of the new security, many older machines were retrofitted in order to comply with the standard. The underlying technology of retrofitted machines for applications other than security, however, largely remained unchanged (see related article, previous page).
A Chip Off the Old Block
Banks also are relying on retrofitting efforts and new ATM configurations to combat card skimming, a scheme that utilizes a device, known as a skimmer, to read and record information from a user's card when it's inserted in the ATM. According to Istnic, skimming is the most frequently used method of illegally obtaining card data.
Skimming attacks have been more prevalent in Europe than in the U.S., but many banks there are starting to adopt chip card technology. The chip cards are much more difficult to skim than the magnetic stripe cards that are prevalent in the U.S., relates Istnic. Because of the presence of chip card technology overseas, Istnic expects criminals to begin to move their skimming operations to the U.S.
Some banks, such as San Francisco-based Wells Fargo ($428 billion in assets), have outfitted their ATMs with sensing devices designed to detect skimmers. If the sensing device detects a skimmer, it shuts down the ATM.
Though not installed for security, another security enhancement offered by Wells Fargo's ATM fleet is Internet Protocol (IP)-based communications, which provides the bank with remote monitoring and digital recording capabilities. ATM manufacturers that provide IP communications features offer banks the option of monitoring the devices themselves or will monitor the devices for the banks for a service fee. In monitoring ATMs, banks or third parties can look for someone attempting to insert a skimmer and keep an eye out for low-tech crimes, which are more prevalent than high-tech crimes, according to Tim Sloane, director of the debit advisory practice for Mercator Advisory Group (Shrewsbury, Mass.).
The typical low-tech scenario involves a criminal tying a heavy chain around an ATM, connecting the other end to a truck and yanking the machine out of the wall. The thief then loads the machine onto the truck to take it to a remote location, where he breaks open the machine and takes the money. Shoulder surfing - reading people's account and PIN information by peering over their shoulders - also is common.
Fighting Low-Tech With Low-Tech
To prevent low-tech crimes, Sloane recommends relatively low-tech precautions, such as mirrors on ATMs (enabling users to see someone behind them), good lighting and visible cameras that view the area immediately surrounding the machine in addition to the machine itself. "Most people don't expect armed guards, but active surveillance can drive off some of this type of crime," he says, adding that surveillance also leads to faster apprehension of criminals. "ATM security is strong when it is implemented properly," Sloane asserts.
Still, ATM crime prevention is a never-ending battle, Diebold's Istnic admits. "If you put up a 10-foot fence, someone will get a 12-foot ladder," she says. "You will never eliminate fraud 100 percent, but you want to take a proactive approach to preventing it."