In the recent past there has been a rise in the number of banking frauds related to ATM card transactions, and fraudsters are using new techniques to rob customers of their savings. India’s largest bank, State Bank of India, said it had blocked close to 6 lakh debit cards following a malware-related security breach in a non-SBI ATM network. Several other banks, such as Axis Bank, HDFC Bank and ICICI Bank, have also admitted being hit by similar cyber attacks — forcing Indian banks to either replace or request users to change the security codes of as many as 3.2 million debit cards.
Various types of ATM fraud:
• Card Skimming
Skimming refers to the stealing of the electronic card data, enabling the criminal to counterfeit the card. Consumers experience a normal ATM transaction and are usually unable to notice a problem until their account is defrauded.
Here, a criminal installs a foreign device on an ATM to capture data from the magnetic strip of a customer’s card. The card details and PIN are captured at the ATM and used to produce counterfeit cards for subsequent cash withdrawals.
In an eavesdropping attack, a criminal installs a foreign device on an ATM to capture data from a customer’s card. This is typically achieved via a wiretap, sniffing the functionality of the card reader, or connection to a magnetic read head within the card reader. The defining characteristic of an eavesdropping device is the use of the legitimate card reading functionality of the card reader to capture the customer’s card data.
• Card shimming:
A criminal installs a foreign device on an ATM to capture data from the chip of a customer’s card. The defining characteristic of a card shimming device is, therefore, the targeting of the data contained on the chip on the customer’s card, typically by placement of the foreign device between the customer’s card and the contacts of the card reader. The placement of a card shimming device by a fraudster enables a number of possible attacks, such as capturing magnetic strip equivalent data, relay and other man-in-the-middle attacks.
• Card Trapping:
Trapping is the stealing of the physical card itself through a device fixed to the ATM. In a pre-EMV or chip-and-signature environment, the PIN does not need to be compromised. Again, contactless capability can help. The card is physically captured at the ATM, and the PIN is compromised. The card is lost in each attack.
• ATM malware/ cash out attack/ jackpotting:
Malware that takes control of the ATM cash dispense functions, thereby allowing the criminals to take out cash.
• ATM attack cash/PIN data compromise:
Malware that intercepts card and PIN data at the ATM, further allowing the criminals to copy this to create counterfeit cards.
• Keypad jamming:
The fraudster jams the ‘Enter’ and ‘Cancel’ buttons with glue or by inserting a pin or blade at the buttons’ edge. A customer trying to press the ‘Enter/OK’ button after entering the PIN does not succeed, and thinks the machine is not working. An attempt to ‘Cancel’ the transaction fails as well. In many cases, the customer leaves — and is quickly replaced at the machine by the fraudster. A transaction is active for around 30 seconds (20 seconds in some cases), and the fraudster is able to remove the glue or pin from the ‘Enter’ button to go ahead with the withdrawal. The loss to the cardholder is, however, limited by the ceiling on withdrawals, and the fact that only one transaction is possible without swiping the card again and re-entering the PIN.
The solution to these ATM frauds is the use of smart credit cards.
Smart credit cards operate in the same way as their magnetic counterparts, the only difference being that an electronic chip is embedded in the card. These smart chips add extra security to the card. Smart credit cards contain 32-kilobyte microprocessors, which are capable of generating 72 quadrillion or more possible encryption keys, thus making it practically impossible to fraudulently decode information in the chip. The smart chip has made credit cards a lot more secure; however, the technology is still being run alongside the magnetic strip technology due to a slow uptake of smart card reading terminals in the world market. Smart cards have evolved significantly over the past decade and offer several advantages compared to a general-purpose magnetic stripe card.
The advantages are listed below:
• Stores many times more information than a magnetic stripe card.
• Reliable and harder to tamper with than a magnetic stripe card.
• Performs multiple functions in a wide range of industries.
• Compatible with portable electronic devices such as phones and personal digital assistants (PDAs), and with PCs.
• Stores highly sensitive data such as signing or encryption keys in a highly secure manner.