The Expert's View with Philip Alexander

A Simple Plan to Combat ATM Fraud


The risks of electronic banking are all well known. In fact, the updated FFIEC authentication guidance specifically talks about the need to secure both online and electronic banking. It's important to remember that ATMs are also a target of fraudsters. ATM skimming rings are defrauding cardholders to the tune of tens of millions of dollars. This is a global issue affecting customers in the USA, the European Union, Asia, basically anywhere there are ATMs.

Breaking 2-Factor Authentication

In order to access your account from an ATM you are required to use your ATM card [something you have] and enter a PIN [something you know]. Generally, 2-factor authentication is considered a relatively strong security measure against financial fraud. However, crime rings are using various techniques to capture both the card and the PIN, effectively thwarting these measures.

In the 2011 updated guidance, the FFIEC stresses the importance not only of strong authentication, but also of knowing your customer. Therein lies the missing link in combating ATM fraud, one that fortunately has an eloquent solution.

As with online banking, customers have normal patterns of ATM activity: relatively consistent dollar amounts and frequency of ATM cash withdrawals. Since financial institutions utilize "know your customer" capabilities to combat online banking fraud, the same techniques can be used to combat ATM fraud.

Keeping It Simple

Upon detecting unusual and possibly fraudulent ATM activity, the ATM screen could present the user with an out-of-wallet challenge question. Making sure the question has a numeric answer means that the current ATM keypads used to enter PINs would not have to be modified.

Even with limiting the out-of-wallet questions to those with numeric answers, the list of potential questions is quite long:

  • What year was your first child born?
  • What was the model year of your first car?
  • What year were you married?

Obviously not an exhaustive list, but it does illustrate the fact that there is no shortage of such questions.

It's important that the challenge questions are strictly out-of-wallet. If the fraudster did in fact steal the victim's wallet, with their driver's license, then asking the question "what year were you born" would be inappropriate. Asking what year you graduated from high school would also be a weak question. The fraudster could simply add 17 to the date of birth on the driver's license and answer that question correctly the majority of the time.

The lesson here is the importance of keeping the challenge questions out-of-wallet.

Eloquent and Effective

So there you have it. Using out-of-wallet questions that are compatible with existing ATM hardware, you can add another layer of security to combat ATM fraud. A low-cost solution that could potentially save customers, and financial institutions, millions of dollars.

To complete the anti-fraud circle, banks can also consider having the ATMs keep the bank cards when a customer [fraudster] fails to correctly answer the out-of-wallet challenge question. You'd have the card, with fingerprints, as well as photographs of the attempted fraud.
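The flow described above, as an added sketch that is not from the author or any bank's system: flag a withdrawal that departs from the customer's usual amount or frequency, ask a numeric challenge that cannot be answered from wallet contents, and retain the card on a wrong answer. The thresholds, data layout, function names and sample records are assumptions constructed for illustration.

```python
import secrets
from statistics import mean, pstdev

# Constructed sample data: one customer's withdrawals as (day_number, amount).
HISTORY = [(1, 60), (8, 80), (15, 60), (22, 100), (29, 80), (36, 60)]
# Constructed enrolment record: question -> (numeric answer, document that reveals it or None).
ENROLLED = {
    "What year was your first child born?": (2004, None),
    "What was the model year of your first car?": (1989, None),
    "What year were you born?": (1972, "drivers_license"),
    "What year did you graduate from high school?": (1989, "drivers_license"),  # birth year + 17
}
WALLET_DOCUMENTS = {"drivers_license"}  # assumed stolen along with the card

def is_unusual(history, day, amount, z_limit=3.0, max_per_week=3):
    """Flag a withdrawal that departs from the customer's usual amount or frequency."""
    amounts = [a for _, a in history]
    # Assumed rule: more than z_limit standard deviations above the customer's mean.
    ceiling = mean(amounts) + z_limit * max(pstdev(amounts), 1.0)
    recent = sum(1 for d, _ in history if 0 <= day - d < 7)
    return amount > ceiling or recent >= max_per_week

def out_of_wallet(enrolled):
    """Keep only questions whose answer cannot be read or derived from wallet contents."""
    return {q: ans for q, (ans, source) in enrolled.items() if source not in WALLET_DOCUMENTS}

def start_withdrawal(history, day, amount, enrolled):
    """Return ("DISPENSE", None) for normal activity, else ("CHALLENGE", question)."""
    if not is_unusual(history, day, amount):
        return "DISPENSE", None
    return "CHALLENGE", secrets.choice(sorted(out_of_wallet(enrolled)))

def finish_challenge(question, keypad_entry, enrolled):
    """Compare the digits typed on the PIN pad; keep the card on a wrong answer."""
    answer = out_of_wallet(enrolled).get(question)
    ok = answer is not None and keypad_entry == str(answer)
    return "DISPENSE" if ok else "RETAIN_CARD"

if __name__ == "__main__":
    print(start_withdrawal(HISTORY, 40, 80, ENROLLED))       # usual amount and pace
    action, question = start_withdrawal(HISTORY, 40, 500, ENROLLED)
    # A thief holding the driver's license can only guess from the birth year.
    print(action, question, finish_challenge(question, "1972", ENROLLED))
```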

Don't miss Philip Alexander's new webinar, Vendor's Guide to the FFIEC Authentication Guidance.

Philip Alexander, an information security officer at Wells Fargo Bank, is the author of the books "Data Breach Disclosure Laws: A State-by-State Perspective," "Information Security: A Manager's Guide to Thwarting Data Thieves and Hackers," and "Home and Small Business Guide to Protecting Your Computer Network, Electronic Assets, and Privacy."



About the Author

Philip Alexander


Information Security Officer, UMC Health System

Alexander began his career back in the late 1980s while serving in the U.S. military. Since then he has worked in both the public and private sectors in positions including engineer, project manager, security architect, and IT director. He currently works as an information security officer for the UMC Health System.



