Thursday, April 12, 2007

Prevention of Automatic Teller Machine Fraud

IBA Bulletin, Volume 1(9), 2006
1-Background: -

The dawn of the twenty-first century saw many technological developments in the banking industry in India. This pace of technological development is continuing unabated. Technology has made it possible for a customer to transact business online, at any time, from any location.
It is no longer necessary to visit bank premises for cash withdrawal or for depositing cheques/instruments, as these transactions can be undertaken through Automatic Teller Machines, which banks install at prominent and convenient locations. ATMs have now become part of modern life. Millions of ATM transactions are successfully carried out every day around the globe. It is also possible to use ATMs installed by other banks under arrangement.

The whole object of implementing technology is to provide convenience to customers, a sine qua non for better customer service. If the technology is used in the right perspective, with sufficient controls and care, it is a boon; otherwise it is a bane, as banks may be caught in fraud traps.

2-What is an ATM?

An Automated Teller Machine is an electronic machine that is linked to the accounts and records of a banking institution. It enables customers to carry out banking transactions without visiting bank premises. ATMs are virtual banks that allow the user to withdraw cash, pay bills, make balance inquiries, deposit cash, etc. The machine is operated with the help of an access device, which is a card, a code (Personal Identification Number), or other means of access to a customer’s account, or any combination thereof. Some ATM cards are also debit cards, which can be used for making purchases. The customer’s account is charged immediately on purchase.

3-Technology and frauds:

Banks in India have tasted the fruits of technology in the recent past, and some of them are still in the process of experimentation. The introduction of technology has created two sets of employees: those who have a technological background and knowledge, and those who do not have technological knowledge but have working knowledge. The latter have learnt to handle day-to-day operations. These employees are merely showpieces, as they raise their hands as and when the system crashes during working hours. Due to the paucity of technologically trained staff, banks have outsourced technological services and have entered into maintenance / service contracts. Generally, the branches rely heavily on the service provider for support. The representative of the service provider mingles with the staff and many times helps the branch even in day-to-day routine banking operations. Thus the staff of the service provider has access to the records maintained in the system. Even minor modifications to the programming by the representative of the service provider can create financial havoc, and by the time it comes to notice, irreparable damage might have been done. The involvement of the service provider in day-to-day banking operations exposes the bank to risk. Unauthorised change / modification in the system is a crime which may ultimately result in fraud. Banks have to be cautious in this regard.

4-Frauds related to ATMs:

Frauds relating to Automatic Teller Machines may be committed both by outsiders and insiders. It is understandable that as the number of transactions rises, the number of fraud occurrences will rise as well. However, it would not be proper to say that ATMs have become more susceptible to fraud.
Frauds can occur due to negligence on the part of the cardholder or due to lack of alertness on the part of the bank. If the cardholder does not follow the common precautionary measures mentioned below, he is exposed to risk.

5-Frauds may occur in a variety of ways:

1. A cheat may go through the discarded receipts or carbons to illegally find out the card number.
2. A dishonest clerk makes an extra imprint from credit card or charge card for his or her personal use.
3. The cardholder may receive a postcard, a letter or a telephone call advising that he has been selected by computer through a random draw for a free trip, a bargain-priced travel package or a costly gift at a throwaway price. To avail of the gift under the lucky draw, the cardholder has to call a particular telephone number. He is asked to furnish his credit card number to become a member of the resort, so that he can be billed for the membership fee or for the token price of the gift being offered at a throwaway price. However, instead of his getting the product or services promised, the account gets debited.

6-Fraud protection Guidelines: -

6.1-For customers

Common sense is the best guide to using an ATM safely. While using an Automated Teller Machine (ATM) you need to know the following: -

a)-Related to PIN & Card->

1. Protect the secrecy of your Personal Identification Number (PIN). Protect your ATM card as you protect hard cash.
2. Do not keep your Bank ATM Card and personal identification number (PIN) together. Do not write PIN on the card or at a place where it can be discovered.
3. Do not give information regarding your ATM card or PIN over the telephone to anyone, even someone claiming to be from your bank. Criminals who fraudulently use cards for telephone and online transactions do not have to give a personal identification number (PIN) or signature to the merchant on the phone or online. The charges are simply debited directly to your account. You would not come to know until you get your next bank statement.
4. Neither lend your ATM card to anyone nor reveal PIN to another person. Doing this may tempt that person to conduct transactions using the card or PIN.
5. Before disposing of old cards, cut them up through the account number.
6. Carry only those cards that you anticipate you will need.
7. Sign your new cards as soon as you receive them.
8. Keep a record of your card numbers, their expiration dates, and the phone number and address of each bank in a secure place.
9. For protection of ATM and debit cards that involve a Personal Identification Number (PIN), keep your PIN a secret. Do not use your birth date, phone number, house numbers as the PIN.
10. Do memorize the PIN.
11. Change your ATM PIN at least once every 2 months.
12. The best protections against card fraud are to know where your cards are at all times and to keep them secure.

b)-Related to withdrawals->

1. Remember not to leave your card at the ATM.
2. Never allow yourself to be distracted while carrying out your transaction.
3. Do not accept assistance from anyone you do not know when using an ATM.
4. Do not display your cash, pocket it as soon as the ATM transaction is completed and count the cash later when you are in the safety of your own car, home, or other secure surrounding.

c)-Related to ATM->

1. If you are using an ATM that requires your card to open the door, do not permit an unknown person to enter with you. Once inside the vestibule, make sure the door is completely closed behind you.
2. Choose an ATM that is well lighted and monitored by a surveillance camera or a security guard.
3. Minimise your time at the ATM. Have your card ready. If you are making a deposit, fill in the paying-in slip (deposit slip) at home and seal the envelope before you reach the ATM.
4. Use your free hand to cover the ATM keyboard while you type in your Personal Identification Number (PIN). Prevent others from seeing you enter your PIN by using your body to shield their view.
5. Do not re-enter your PIN if the ATM swallows your card. Contact the bank immediately.
6. Use an ATM only where and when you feel completely comfortable.
7. Pay attention to the machine before using it. If something appears unusual or unfamiliar, use another ATM.
8. Never use an ATM that looks suspicious.
9. Never use ATMs that have messages or signs fixed to them indicating that the screen directions have been changed, especially if the message is posted over the card reader.
10. Do not insert your ATM card into an obscurely placed ATM machine, or one with a card slot protruding from the face of the machine.

d)-Related to surroundings->

1. When you make a transaction, be aware of your surroundings. Before proceeding with your transaction, look around to guard against surveillance by anyone who may arouse your slightest suspicion.
2. If you suspect something is not quite right, trust your instincts. Use an ATM or a bank branch where you feel more comfortable. If possible, use a machine that is located in a bank location. It may be easier for criminals to tamper with a machine that is in a non-bank location.
3. Report immediately any suspicious activity or crimes to both the bank and police.
4. If you see anything suspicious, immediately cancel your transaction and leave. As soon as possible confirm with your bank that the transaction was indeed canceled.
5. At a drive-up ATM, keep your engine running, lock all your doors, and close all windows except your own.
6. When using an indoor ATM, be sure to lock your car and take your keys with you. Do not ever leave your car running.
7. Look out for suspicious activity or if there are suspicious looking individuals in the vicinity near the ATM particularly if it is after sunset. At night, be sure that the facility (including the parking area and walkways) is well lighted. Consider having someone accompany you when you use the facility, especially after sunset. If you observe any problem, go to another ATM.
8. If you notice anything suspicious or if any other problem arises after you have begun an ATM transaction, you may want to cancel the transaction, pocket your card and leave. You might consider using another ATM or coming back later.

e)-Related to Loss/theft of card->

1. Report the loss, theft or unauthorized use of card or PIN to Bank without any loss of time. A stolen ATM/Debit card can be taken to any merchant and used to charge purchases to your "account." All that is needed is a forged signature. This can drain your account.
2. Once you discover the theft, you must report it to the police, close your account, open a new one and get new bankcards.
3. If you find electronic banking transaction is incorrectly reported on a receipt or statement, promptly notify the bank. Failure or delay to promptly notify Bank of the loss, theft, or unauthorised use of card or PIN will keep you exposed to risks.
4. If you notice transactions you did not make, or if your balance has dropped suddenly without activity by you, immediately report the problem to your bank. Someone may have co-opted your account information to commit fraud. Use the special telephone number that many card issuers list on their billing statements. Do not forget to follow up your phone call with a letter.

f)- Related to other miscellaneous activities ->

1. Always request a receipt for your transaction. Compare your records with the account statements you receive. Mark each transaction in the statement of account, but not while at the ATM.
2. Always save your ATM receipts. Do not leave them at the ATM because they may contain important account information.
3. Carefully check ATM or debit card transactions before you enter the PIN or before you sign the receipt; the funds for this item will be transferred fairly quickly out of your account to another account.
4. Do not sign a blank charge or debit slip. Draw a line through blank spaces on charge or debit slips above the total when you sign card receipts so the amount cannot be changed.
5. Tear up carbons and save your receipts to check against your monthly statements.
6. Ensure the card is swiped in your presence.

6.2- Guidelines for Banks: -

Many banks have outsourced maintenance and cash replenishment services for Automatic Teller Machines. Though the outsourcing has been done to concerns of repute, the chances of banks suffering losses cannot be completely eliminated, as a human element is involved and one cannot predict what goes on in one's mind. Banks therefore have to be vigilant at each and every stage. It is not the reputation of the firm but the intention of its employee that matters.

6.2.1 Related to Cash Replenishment in ATMs: -

The staff of the agency that has been awarded the ATM cash replenishment contract open the machines, remove the cassette (bin) containing leftover cash and replace it with a cassette (bin) filled with currency notes. The bank reimburses the service provider as per the contract.

1. At the time of removal of the cassette (bin), if the bank officials do not verify the leftover cash, there is a probability of over-billing by the agency.
2. The bank has to call for details of residue cash in each ATM on a day-to-day basis and also has to do surprise verification by counting residue cash. If this procedure is not adhered to, the bank is exposed to financial risk.
3. The bank also has to find out the amount of cash withdrawn from each ATM and whether the amount withdrawn and the residue amount in the bin tally with the amount fed by the agency.
4. The bank should understand that the cash in ATMs is cash in hand; hence it should be physically verified at regular intervals.

6.2.2-Related to internal control mechanism: -

Poor control by the bank over unused cards, PINs, returned mail, credit limit increases and changes in addresses can contribute to credit card and ATM card frauds. Delay in payments to merchants and payments from cardholders could signal the beginning of problems with a third-party service (generally an outside marketing agency).

1. Separate the duties between the card issuing function and issuance of Personal Identification Number (PIN).
2. Have proper control of unissued cards and PINs. Have periodical verification.
3. Act promptly on returned mail and customer complaints.
4. Have proper control of credit limit increases.
5. Change in address should be recorded without any delay and confirmation sent.
6. Ensure that there are no unusual delays in receipt of cards and PINs by the customers.
7. Ensure that the payment authorisation system functions correctly and that no frequent malfunctions are reported.
8. Follow “know your customer” norms and do not open credit card merchant accounts without obtaining any background information on the merchant.
9. Be careful if credit card merchant account activity reflects an increase in the number and size of charge slips, or if there is a sudden or unexplained increase in the level of authorisation requests from a particular merchant location.
10. Credit card merchant account deposits appear to exceed the level of customer activity observed at the merchant’s place of business.
11. Keep track of whether the member establishment is depositing sales drafts made payable to a business or businesses other than the business named on the account.
12. Have a watch on the account, if member establishment frequently requests telegraphic transfer of funds from the account to other institutions in other parts of the country or to almost immediately after deposits are made.
13. Merchant is engaged in telemarketing activities and is the subject of frequent customer complaints.
14. The member establishment has access to EDC (electronic data capture) equipment but frequently inputs credit card account numbers manually.

7-Suggested Action for bank to safeguard itself from risk: -

1. How many persons use ATM at a particular location?
2. What is the average daily withdrawal from a particular ATM?
3. Whether the amount withdrawn meets replenishment?
4. Is there sudden spurt in withdrawals from an ATM at a particular location?
5. Whether cash is withdrawn frequently through an ATM card from different locations?
6. Whether frequent complaints pertaining to insufficient cash are received in respect of an ATM located at a particular place?
7. Whether one particular person replenishes cash in the bins of the ATM and removes the bin containing residue cash every day?
8. Whether non-ATM cardholders visit the place immediately after the ATM was operated by an individual?
9. Review customer complaints, no matter how insignificant they appear to be.
10. Be sure proper controls are in place at all points throughout the card issuing and transaction processing functions.
11. Review possible causes of frequent malfunctions of the payment authorisation system and follow up on remedial actions taken by the institution.
12. Conduct on site inspections of merchant’s operations.
13. Monitor the traffic at ATM.
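
The reconciliation described in 6.2.1 and several of the questions in section 7 (amount withdrawn versus replenishment, sudden spurts, one person always replenishing) can be run as routine checks over replenishment records. The following is an added example, not part of the original article; the record layout, sample figures and thresholds are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from statistics import mean

# One record per replenishment cycle (amounts in rupees).
#   loaded    - cash fed into the ATM by the agency
#   dispensed - withdrawals per the bank's own transaction records
#   counted   - residue counted by bank officials when the bin is removed
#   reported  - residue figure declared by the agency
Cycle = namedtuple("Cycle", "atm day custodian loaded dispensed counted reported")

# Constructed sample data, for illustration only.
CYCLES = [
    Cycle("ATM-01", 1, "A", 500000, 300000, 200000, 200000),
    Cycle("ATM-01", 2, "B", 500000, 320000, 180000, 180000),
    Cycle("ATM-01", 3, "A", 500000, 310000, 190000, 190000),
    Cycle("ATM-01", 4, "B", 1000000, 900000, 100000, 100000),
    Cycle("ATM-02", 1, "C", 400000, 200000, 200000, 200000),
    Cycle("ATM-02", 2, "C", 400000, 210000, 190000, 170000),
    Cycle("ATM-02", 3, "C", 400000, 190000, 210000, 210000),
    Cycle("ATM-02", 4, "C", 400000, 205000, 185000, 185000),
]

SPURT_FACTOR = 2.0  # assumed: flag withdrawals above 2x the ATM's prior average
MIN_CYCLES = 4      # assumed: cycles needed before flagging a sole custodian


def review(cycles):
    """Return (atm, day, finding, detail) tuples for cycles needing follow-up."""
    findings = []
    history = defaultdict(list)     # atm -> dispensed amounts of earlier cycles
    custodians = defaultdict(list)  # atm -> custodian of each cycle
    for c in sorted(cycles, key=lambda c: (c.atm, c.day)):
        # 6.2.1 item 3: withdrawn + residue must tally with the amount fed.
        expected_residue = c.loaded - c.dispensed
        if c.counted != expected_residue:
            findings.append((c.atm, c.day, "CASH_MISMATCH",
                             expected_residue - c.counted))
        # 6.2.1 item 1: agency's residue figure must match the bank's count.
        if c.reported != c.counted:
            findings.append((c.atm, c.day, "RESIDUE_MISREPORTED",
                             c.counted - c.reported))
        # Section 7 item 4: sudden spurt against this ATM's own baseline.
        past = history[c.atm]
        if len(past) >= 2 and c.dispensed > SPURT_FACTOR * mean(past):
            findings.append((c.atm, c.day, "WITHDRAWAL_SPURT", c.dispensed))
        past.append(c.dispensed)
        custodians[c.atm].append(c.custodian)
    # Section 7 item 7: the same person handled every cycle for an ATM.
    for atm, names in custodians.items():
        if len(names) >= MIN_CYCLES and len(set(names)) == 1:
            findings.append((atm, None, "SAME_CUSTODIAN_EVERY_CYCLE", names[0]))
    return findings


if __name__ == "__main__":
    for finding in review(CYCLES):
        print(finding)
```

A finding is a prompt for physical verification and follow-up with the agency, not proof of fraud; a spurt, for example, may coincide with a festival or salary day.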

8- Points about ATM Crime

E-mail and Internet-related fraud schemes are being perpetrated with increasing frequency, creativity, and intensity. With the help of the latest technology, fraudsters dupe innocent consumers through ATMs and the Internet. Knowing the latest trends in scamming can protect you from being duped. While it is difficult to guarantee protection from ATM scammers, there are security tips that lessen the risk. Never use a suspicious-looking ATM or one with odd-looking equipment or wires. Always monitor your accounts regularly to make sure that there is no unusual entry in the account. Although there is no conclusive evidence on the precise methods used in the suspected fraudulent cases reported so far, it is suspected that at least some involve tampering with ATMs. A few of the methods adopted by fraudsters are as under.

8.1-Phishing: -

Phishing takes center stage in Internet scams. It is the practice of sending emails at random, purporting to come from a genuine company operating on the Internet. In an attempt to trick customers, fraudsters request that information be disclosed at a bogus website operated by them. In their emails, fraudsters usually claim that it is necessary to ‘update’ or ‘verify’ the password, and they urge you to click on a link in the email that takes you to the bogus website. Any information entered on the bogus website is captured by the criminals for their own fraudulent purposes. The scammer gets your username and password once you log in to a banking Web site. A key logger then records your information and takes screen shots of your PC activity. ATM phishing is possible when particulars of the card and PIN are divulged over the Internet; this enables cheats to produce counterfeit cards for fraudulent ATM cash withdrawals.
Experts say that phishing scams can be prevented if you install a firewall or frequently run and update antivirus software and do not divulge PIN, card number and the name of issuing institution.
While Phishing remains a high concern, experts also caution consumers against high-risk Internet use. Experts advise consumers to monitor their accounts regularly. Always be wary of e-mails asking you to click on a link or confirm your details. If in doubt, phone the organisation first. Visit your credit card issuer’s web site for their latest advice on secure online shopping with a password.

8.2-Skimming: -

Scammers who target ATM users use the latest technology to their advantage. Fraudsters make counterfeit ATM cards by using a skimmer, which is a card-swipe device that reads the information on a consumer's ATM card. Scammers fit the skimmer onto an ATM, ready to swipe information from unsuspecting customers. They take a blank card and encode onto it all the information captured from an ATM card when it is swiped. The skimmer catches the PIN (personal identification number) through a small camera mounted on the ATM. The consumer is unaware of having been scammed, because the card itself has not been stolen. Therefore watch out for unusual devices on ATMs, as cards can be skimmed and reproduced.

8.3-The "Lebanese Loop": -

Scammers insert a portable steel loop into an ATM card slot. The scammer usually approaches the victim while at the machine, and poses as the person next in line. Victims are advised to enter their PINs three times and then hit cancel to get the machine to accept the cards. The scammer is able to memorize the PIN for future use and the machine keeps the card because of the excessive number of attempts to enter the correct PIN. Victims leave in frustration because they could not get any money and they have lost their card. Once the loop is taken out of the ATM the scammer has the card and the PIN number for future transactions. This is a relatively new scam that many experts believe will be short-lived due to fast technology upgrades.

8.4-Pretexting: -

This scam involves getting your personal information under false pretenses. For example, someone contacts you claiming to be from the security department of your bank. They ask you to verify personal information over the phone, such as your birth date or your mother's maiden name. Sometimes the caller may even know a piece of personal information about you that may help to convince you that they are a legitimate bank representative.
The pretext caller then sells your personal information to people who may use it to get credit in your name. Do not, under any circumstances, give any personal or banking information out over the phone, especially if you did not initiate the phone call.
Be discriminating when providing personal information online. Never give out your personal or account information to anyone you do not trust. Make sure you verify a business's legitimacy by visiting its web site. Ask the caller to give his phone number to enable you to respond. Contact your bank immediately and inform it.

8.5-Spoofing: -

In a "spoofing attack," the attacker creates a misleading context to trick you into making an inappropriate security-relevant decision. For example, criminals have set up bogus automated teller machines, typically in public areas or shopping malls. The machines would accept ATM cards and ask for PIN codes. Once the machine has the PIN, criminals have enough information to steal from the account.

9-Conclusion: -

ATM frauds not only cause financial losses, but may also hamper customers' confidence in using ATMs, which would run counter to the industry's efforts in encouraging greater use of the electronic channels of delivery. It is therefore in the interest of banks to prevent ATM frauds. The nature and extent of precautionary measures to be adopted will, however, depend upon the requirements of the respective banks. ATM fraud is not a problem for banks alone; it is a big threat that requires coordinated and cooperative action on the part of banks, customers and the law enforcement machinery.
