Card fraud
In February 2009, a group of criminals used counterfeit ATM cards to steal $9 million from 130 ATMs in 49 cities around the world all within a time period of 30 minutes.
ATM lineup
The big queue at an ATM in Masalli, Azerbaijan.
In an attempt to prevent criminals from shoulder surfing the customer's PINs, some banks draw privacy areas on the floor.
For a low-tech form of fraud, the easiest is to simply steal a customer's card. A later variant of this approach is to trap the card inside of the ATM's card reader with a device often referred to as a Lebanese loop. When the customer gets frustrated by not getting the card back and walks away from the machine, the criminal is able to remove the card and withdraw cash from the customer's account.
Another simple form of fraud involves attempting to get the customer's bank to issue a new card and stealing it from their mail.[75]
Some ATMs may put up warning messages to customers to not use them when it detects possible tampering
The concept and various methods of copying the contents of an ATM card's magnetic stripe on to a duplicate card to access other people's financial information was well known in the hacking communities by late 1990.[76]
In 1996 Andrew Stone, a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million (at the time equivalent to US$1.6 million) by pointing high definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered. After getting all the information from the videotapes, he was able to produce clone cards which not only allowed him to withdraw the full daily limit for each account, but also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to five years and six months in prison.[77]
By contrast, a newer high-tech modus operandi involves the installation of a magnetic card reader over the real ATM's card slot and the use of a wireless surveillance camera or a modified digital camera to observe the user's PIN. Card data is then cloned onto a second card and the criminal attempts a standard cash withdrawal. The availability of low-cost commodity wireless cameras and card readers has made it a relatively simple form of fraud, with comparatively low risk to the fraudsters.[78]
In an attempt to stop these practices, countermeasures against card cloning have been developed by the banking industry, in particular by the use of smart cards which cannot easily be copied or spoofed by un-authenticated devices, and by attempting to make the outside of their ATMs tamper evident. Older chip-card security systems include the French Carte Bleue, Visa Cash, Mondex, Blue from American Express[79] and EMV '96 or EMV 3.11. The most actively developed form of smart card security in the industry today is known as EMV 2000 or EMV 4.x.
EMV is widely used in the UK (Chip and PIN) and other parts of Europe, but when it is not available in a specific area, ATMs must fallback to using the easy to copy magnetic stripe to perform transactions. This fallback behaviour can be exploited.[80] However the fallback option has been removed by several UK banks, meaning if the chip is not read, the transaction will be declined.
[81]
In February 2009, a group of criminals used counterfeit ATM cards to steal $9 million from 130 ATMs in 49 cities around the world all within a time period of 30 minutes.
ATM lineup
The big queue at an ATM in Masalli, Azerbaijan.
In an attempt to prevent criminals from shoulder surfing the customer's PINs, some banks draw privacy areas on the floor.
For a low-tech form of fraud, the easiest is to simply steal a customer's card. A later variant of this approach is to trap the card inside of the ATM's card reader with a device often referred to as a Lebanese loop. When the customer gets frustrated by not getting the card back and walks away from the machine, the criminal is able to remove the card and withdraw cash from the customer's account.
Another simple form of fraud involves attempting to get the customer's bank to issue a new card and stealing it from their mail.[75]
Some ATMs may put up warning messages to customers to not use them when it detects possible tampering
The concept and various methods of copying the contents of an ATM card's magnetic stripe on to a duplicate card to access other people's financial information was well known in the hacking communities by late 1990.[76]
In 1996 Andrew Stone, a computer security consultant from Hampshire in the UK, was convicted of stealing more than £1 million (at the time equivalent to US$1.6 million) by pointing high definition video cameras at ATMs from a considerable distance, and by recording the card numbers, expiry dates, etc. from the embossed detail on the ATM cards along with video footage of the PINs being entered. After getting all the information from the videotapes, he was able to produce clone cards which not only allowed him to withdraw the full daily limit for each account, but also allowed him to sidestep withdrawal limits by using multiple copied cards. In court, it was shown that he could withdraw as much as £10,000 per hour by using this method. Stone was sentenced to five years and six months in prison.[77]
By contrast, a newer high-tech modus operandi involves the installation of a magnetic card reader over the real ATM's card slot and the use of a wireless surveillance camera or a modified digital camera to observe the user's PIN. Card data is then cloned onto a second card and the criminal attempts a standard cash withdrawal. The availability of low-cost commodity wireless cameras and card readers has made it a relatively simple form of fraud, with comparatively low risk to the fraudsters.[78]
In an attempt to stop these practices, countermeasures against card cloning have been developed by the banking industry, in particular by the use of smart cards which cannot easily be copied or spoofed by un-authenticated devices, and by attempting to make the outside of their ATMs tamper evident. Older chip-card security systems include the French Carte Bleue, Visa Cash, Mondex, Blue from American Express[79] and EMV '96 or EMV 3.11. The most actively developed form of smart card security in the industry today is known as EMV 2000 or EMV 4.x.
EMV is widely used in the UK (Chip and PIN) and other parts of Europe, but when it is not available in a specific area, ATMs must fallback to using the easy to copy magnetic stripe to perform transactions. This fallback behaviour can be exploited.[80] However the fallback option has been removed by several UK banks, meaning if the chip is not read, the transaction will be declined.
[81]
