ATM
Devinaga Rasiah
Lecturer, multimedia university (Malacca Campus), Malaysia
E-mail: devinaga.rasiah@mmu.edu.my
Abstract
The aim of this study is to investigate risk management, security and controls in the
context of Automated teller machines (ATMs). In doing so, it adopts a non-technical
approach by investigating the interrelationship and effect of risk management and controls
in setting Automated Teller Machine security goals. The literature explores and discusses
the risk management and different controls of ATMs. To reduce the risk of fraudulent
activity, several controls can be integrated into the ATM processing environment.
However, the controls should not be considered a cure-all.
Keywords: ATMs, data security, risk, fraud, electronic banking, and controls.
ATM
An automated teller machine (also known as an ATM or Cash Machine), is a computerized device that
provides the customers of a financial institution with the ability to perform financial transactions
without the need for a human clerk or bank teller.
Crime at ATMs has become a nationwide issue that faces not only customers but also bank
operators. Security measures at banks can play a critical, contributory role in preventing attacks on
customers. These measures are of paramount importance when considering vulnerabilities and
causation in civil litigation, and banks must meet certain standards in order to ensure a safe and secure
banking environment for their customers.
The Automated Teller Machine is a terminal provided by a bank or other financial institution
which enables the customer to withdraw cash, make a balance enquiry, order a statement, make
a money transfer, or deposit cash. ATMs are basically self-service banking terminals and are
aimed at providing fast and convenient service to customers.
Some of the new generations of ATMs are able to cash a check to the penny, dispense
traveller’s cheques and postage stamps, perform stock transfers, print discount coupons, issue phone
cards, and even sell concert tickets. Customers are grateful for these ATM features but they are also
very concerned with ATM crime and safety.
Background Studies
ATMs are generally designed for through-the-wall operation as well as for use in lobbies. The Banker's
magazine (September 1983) indicated that ATMs provided customers with convenient access to their
accounts 24 hours a day, seven days a week, including public holidays. Lobby machines, installed
inside bank lobbies, are operational only during banking hours. James Essinger (1987)
indicated that "ATM machines allow banks' customers who have been issued with a card and a six-digit
secret number known as a PIN number (Personal Identification Number) to perform their own banking
transactions". The plastic card contains a magnetic stripe or a chip that holds a unique card number
and some security information, such as an expiration date and a card validation code (CVC).
162 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)
Kalakota and Whinston (1996) mentioned that the financial services industry has been through
structural and operational changes since the mid-1990s, driven by innovative use of new information
technology and electronic commerce. Hamelink (2000) indicated that the associated cost reductions are
driving ongoing changes in banking; new technology brings benefits and risks, and new challenges for
human governance of these developments.
RCBC (2007) mentioned that authentication of the user is provided by the customer entering a
personal identification number (PIN). Miranda F, Cosa R and Barriuso (2006) highlighted that
customers transacting on these ATMs are guided by instructions displayed on the video screens. These
ATMs normally dispense two or more denominations of paper money. Customer advice slips are
automatically printed and dispensed except for balance enquiries. All deposits have to be accounted for
by the bank staff before they are credited to customers' accounts.
Marcia Crosland of NCR Corp. (2010) indicated that aside from revenue generation and cost
savings, ATMs are becoming the face of many financial institutions. For many consumers, ATMs are
becoming the only interaction they have with their banks. ATMs are also becoming a
competitive differentiator for many banks. It is therefore imperative to ensure that the customer's experience
at the ATM is safe and secure.
Mike Fenton (2000), mentioned that over the past three decades consumers have come to
depend on and trust the ATM to conveniently meet their banking needs. In recent years there has been
a proliferation of ATM frauds across the globe. Managing the risk associated with ATM fraud as well
as diminishing its impact are important issues that face financial institutions as fraud techniques have
become more advanced with increased occurrences.
Diebold Inc. (2002) indicated that the ATM is only one of many electronic funds transfer
(EFT) devices that are vulnerable to fraud attacks. Card theft, or the theft of card data, is the primary
objective for potential thieves because the card contains all the account information needed to
access an account.
Recent global ATM consumer research indicates that one of the most important issues for
consumers when using an ATM was personal safety and security. As financial institutions use the
migration of cash transactions to self-service terminals as a primary method of increasing branch
efficiencies, the ATM experience must be as safe and accommodating as possible for consumers.
The industry has grave difficulty in measuring ATM fraud given the lack of a national
classification, the secrecy surrounding such frauds, and the unfortunate fact that one cannot know the
true cost of fraud until one is hit with it. Even low-cost solutions, such as customer awareness,
challenge banks that fear scaring customers away from the ATM, or worse, into the doors of a
competitor.
Frauds at ATMs
Diebold Inc. (2002) indicated that fraud at the ATM, although more difficult than at a POS, has
recently become more widespread. Recent occurrences of ATM fraud range from techniques such as
shoulder surfing and card skimming to highly advanced techniques involving software tampering
and/or hardware modifications to divert or trap the dispensed currency.
The magazine (1991) published a case of phantom withdrawals reported by the UK Consumers' Association.
In 1989, 570 pounds was wrongly deducted from John Allan's Bank of Scotland account.
A total of eight cash withdrawals were carried out, three of them while he was away in
Andorra with his card. Complaining to the bank was fruitless, and Mr Allan was later going to sue the Bank of
Scotland. The day before the case was due to come to court, the bank reached an out-of-court
settlement with him. The magazine concludes that this case marks a breakthrough because the bank
acknowledged that money can be debited from an account without the use of the card plus the PIN.
Transaction risk exists in each product and service offered. The level of transaction risk is affected by
the structure of the institution's processing environment, including the types of services offered and the
complexity of the processes and supporting technology.
ISACA (2007) highlighted that the key to controlling transaction risk lies in adapting effective
policies, procedures, and controls to meet the new risk exposures introduced by e-banking. Basic
internal controls, including segregation of duties, dual controls, and reconcilements, remain important.
Information security controls in particular become more significant, requiring additional processes,
tools, expertise, and testing. Institutions should determine the appropriate level of security controls
based on their assessment of the sensitivity of the information to the customer and to the institution, and
on the institution's established risk tolerance level.
There are three basic types of ATM attack:
• Attempts to steal a customer's bank card information;
• Computer and network attacks against ATMs to gather bank card information;
• Physical attacks against the ATM.
Another of the most common cash dispenser frauds has become known as the "Lebanese loop"
because criminals of Lebanese origin apparently first used it. It has many variations but usually
involves the cash machine being tampered with so that the card is not returned to the customer and is later
removed by the criminals; alternatively, if the card is returned, a device has recorded the contents of
its magnetic stripe. The crooks also capture the PIN through some variation of
shoulder surfing. This problem has led banks to put posters and other warnings on ATMs
advising customers to visually inspect the machine for signs of alteration or tampering.
Types of Errors
ATMs have so far been the most widespread application of electronic banking. Various
types of error can occur due to mechanical failure at the ATM terminal, leading to the following
problems:
• The ATM dispenses less cash than requested but the account is debited for the full amount.
• The customer's account is debited twice but the ATM dispenses the cash only once.
• The customer's account is debited but the ATM dispenses no cash.
Errors can occur at any time, including when the ATM accepts cash and cheque deposits.
There have also been cases of phantom withdrawals, where the card-holder denies responsibility for
the cash withdrawals although the computer records show that a genuine transaction took
place.
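Reconcilement, listed earlier among the basic internal controls, is how the three dispense errors above and a disputed "phantom" withdrawal are actually caught: the host's debit records are matched against the ATM's own electronic journal. The following is an added example, not from the paper; the record layouts, the field names and the sample transactions are constructed for illustration.

```python
"""Match host debit records against an ATM's electronic journal.

Added example, not from the paper: record layouts, field names and the
sample transactions below are constructed for illustration.
"""
from collections import defaultdict, namedtuple

# Constructed sample: debits the host (core banking system) posted for one
# ATM, keyed by the ATM's transaction reference (assumed field name).
HOST_DEBITS = [
    {"txn_ref": "A1001", "account": "1234567890", "amount": 100},  # clean
    {"txn_ref": "A1002", "account": "1234567890", "amount": 200},  # short dispense
    {"txn_ref": "A1003", "account": "5555555555", "amount": 50},   # posted twice
    {"txn_ref": "A1003", "account": "5555555555", "amount": 50},
    {"txn_ref": "A1004", "account": "5555555555", "amount": 80},   # nothing dispensed
    {"txn_ref": "A1005", "account": "9999999999", "amount": 300},  # no ATM record at all
]

# Constructed sample: the ATM's electronic journal, one entry per withdrawal,
# 'dispensed' being what the cash handler actually presented.
ATM_JOURNAL = [
    {"txn_ref": "A1001", "requested": 100, "dispensed": 100},
    {"txn_ref": "A1002", "requested": 200, "dispensed": 150},
    {"txn_ref": "A1003", "requested": 50, "dispensed": 50},
    {"txn_ref": "A1004", "requested": 80, "dispensed": 0},
    {"txn_ref": "A1006", "requested": 40, "dispensed": 40},  # cash out, never debited
]

# delta > 0: amount the customer is owed; delta < 0: cash the bank is short.
Finding = namedtuple("Finding", "kind txn_ref delta detail")


def reconcile(host_debits, journal):
    """Return one Finding per discrepancy, ordered by transaction reference."""
    debits = defaultdict(list)
    for d in host_debits:
        debits[d["txn_ref"]].append(d["amount"])
    entries = {}
    for j in journal:
        if j["txn_ref"] in entries:
            raise ValueError("duplicate journal entry for %s" % j["txn_ref"])
        entries[j["txn_ref"]] = j

    findings = []
    for ref in sorted(debits):
        amounts = debits[ref]
        debited = amounts[0]
        entry = entries.get(ref)
        if entry is None:
            # Debit with no journal record: the classic phantom-withdrawal
            # dispute. Provisionally owed to the customer pending investigation.
            findings.append(Finding("debit_without_journal", ref, debited,
                                    "no ATM record for a %d debit" % debited))
            continue
        if len(amounts) > 1:
            findings.append(Finding("double_debit", ref, sum(amounts[1:]),
                                    "debited %d times for one dispense" % len(amounts)))
        dispensed = entry["dispensed"]
        if dispensed == 0:
            findings.append(Finding("debit_no_cash", ref, debited,
                                    "debited %d, nothing dispensed" % debited))
        elif dispensed < debited:
            findings.append(Finding("short_dispense", ref, debited - dispensed,
                                    "debited %d, dispensed %d" % (debited, dispensed)))
        elif dispensed > debited:
            findings.append(Finding("over_dispense", ref, debited - dispensed,
                                    "debited %d, dispensed %d" % (debited, dispensed)))
    # Journal entries with no host debit: the bank paid out and never charged.
    for ref in sorted(set(entries) - set(debits)):
        dispensed = entries[ref]["dispensed"]
        if dispensed > 0:
            findings.append(Finding("cash_without_debit", ref, -dispensed,
                                    "dispensed %d, no host debit" % dispensed))
    return findings


def net_customer_exposure(findings):
    """Sum of what customers are owed less what the bank is short."""
    return sum(f.delta for f in findings)


if __name__ == "__main__":
    for f in reconcile(HOST_DEBITS, ATM_JOURNAL):
        print("%-22s %s %5d  %s" % (f.kind, f.txn_ref, f.delta, f.detail))
```

The journal is keyed by the ATM's transaction reference so that a debit posted twice shows up as two amounts under one key; a "debit without journal" finding is exactly the evidence position of the Allan case above, where the host recorded a debit that the card-holder disputes.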
Reputational Risks
Reputational risk is considerably heightened for banks using the Internet. The Internet allows the
rapid dissemination of information, which means that any incident, good or bad, is common
knowledge within a short space of time. The speed of the Internet considerably cuts the optimal
response time for both banks and regulators to any incident.
Any problems encountered by one firm in this new environment may affect the business of
another, as they may affect confidence in the Internet as a whole. There is therefore a risk that one rogue
e-bank could cause significant problems for all banks providing services via the Internet. This is a new
type of systemic risk and is causing concern to e-banking providers. Overall, the Internet puts an
emphasis on reputational risk. Banks need to be sure that customers' rights and information needs
are adequately safeguarded and provided for.
Management Risk Analysis
Management risk analysis identifies in detail the nature of the risks involved. This evaluation helps the
financial institution decide whether controls are needed to limit losses that may
arise from the various risks associated with ATMs. A plan is normally formulated covering how these
ATM risks are to be identified, what methods are to be used to counter these
risks and threats, and, should a fraud or misuse occur, how much loss is expected and how the bank is
going to recover.
Online transactions are the highest risk category and require the strongest controls, since they are
often irrevocable once executed. A bank's internet systems may be exposed to internal or external
attack if controls are inadequate. A heightened element of risk is that attacks against internet systems
do not require physical presence at the site being attacked. At times it is not even clear or detectable
when and how attacks are launched from multiple locations in different countries.
In view of the proliferation and diversity of cyber attacks, banks should implement two-factor
authentication at login for all types of internet banking systems and for authorising transactions. The
principal objectives of two-factor authentication are to protect the confidentiality of customer account
data and transaction details, and to enhance confidence in internet banking by combating phishing,
key logging, spyware, malware, man-in-the-middle attacks and other internet-based scams and malicious
exploits targeted at banks and their customers.
Two-factor authentication for system login and transaction authorisation can be based on any
two of the following factors:
• What you know (e.g. a Personal Identification Number)
• What you have (e.g. a one-time password token)
• Who you are (e.g. biometrics: methods for uniquely recognising humans based on one or more
intrinsic physical traits)
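The "what you have" factor is most often a one-time password token. The following added example (not from the paper) shows a login check that demands both a PIN and a time-based one-time password computed per RFC 4226 and RFC 6238, tolerates one time step of clock drift, and refuses a code that has already been redeemed. The PBKDF2 PIN hash, the salt, the drift window and the sample token secret are assumptions for illustration; a bank verifies the PIN inside an HSM rather than with a password hash in application code.

```python
"""Two-factor login check: a PIN (what you know) plus a time-based
one-time password from a token (what you have).

Added example, not from the paper. HOTP/TOTP follow RFC 4226 and RFC 6238;
the PBKDF2 PIN hash, the salt, the drift window and the token secret used
in the demo are assumptions for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = number of `step`-second periods since the epoch."""
    return hotp(secret, now // step, digits)


class TwoFactorVerifier:
    """Server-side state for one customer: PIN verifier plus token secret."""

    def __init__(self, pin: str, token_secret: bytes, salt: bytes = b"constructed-salt",
                 step: int = 30, digits: int = 6, window: int = 1):
        self.salt = salt
        self.pin_hash = self._hash_pin(pin)
        self.token_secret = token_secret
        self.step, self.digits, self.window = step, digits, window
        self.last_counter = -1  # highest time-step counter already redeemed

    def _hash_pin(self, pin: str) -> bytes:
        # Assumption for the example only: a bank verifies the PIN inside an
        # HSM, never by hashing it in application code.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def login(self, pin: str, code: str, now: int):
        """Both factors must pass. Returns (accepted, reason); a production API
        would return only a generic failure so the caller cannot learn which
        factor was wrong."""
        if not hmac.compare_digest(self._hash_pin(pin), self.pin_hash):
            return (False, "pin rejected")
        counter = now // self.step
        # Accept the current step and `window` steps either side for clock drift.
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if hmac.compare_digest(hotp(self.token_secret, candidate, self.digits), code):
                if candidate <= self.last_counter:
                    # RFC 6238 section 5.2: never accept the same code twice (replay).
                    return (False, "otp already used")
                self.last_counter = candidate
                return (True, "ok")
        return (False, "otp rejected")


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, not a real token key
    v = TwoFactorVerifier("4729", seed)
    now = 1234567890
    print(v.login("4729", totp(seed, now), now))       # (True, 'ok')
    print(v.login("4729", totp(seed, now), now + 5))   # (False, 'otp already used')
```

Comparisons use `hmac.compare_digest` so neither the PIN hash nor the OTP check leaks timing; the replay check is what stops a code captured by a key logger or phishing page from being reused within the same 30-second step, the attack class the paragraph above lists.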
Risk analysis provides the financial institution with valuable information as to how much
investment it should make to enhance the security and controls of its ATM installation.
The EDP Audit, Control and Security Newsletter (March 1991) indicated that risk analysis involves four
steps:
• Reviewing the existing ATM centre environment
• Identifying the critical information processing of ATM applications
• Estimating the value of the ATM assets used by these applications that must be
protected
• Quantifying the estimated loss associated with the occurrence of fraudulent misuse
of cards, unauthorised withdrawals, etc.
ATM Risk Management
ATM risk management is an ongoing process of identifying, monitoring and managing potential risk
exposure as it relates to ATMs within payment systems. The following areas should be considered:
• General supervision
• Transaction processing
• System administration
ATM Security Measures
Security measures normally fall into two groups: measures that reduce losses at the ATM, and
measures that fund or recover those losses.
b) Encryption
Encryption is an effective technique for protecting the ATM system. It makes intercepted data
useless to the interceptor by making the data too difficult or too expensive to decipher, so that
interception carries little risk of disclosure.
Controls
In general, the process should ensure confidentiality, integrity and availability (CIA). This
requirement should be addressed with controls implemented at the different levels of the ATM
implementation: general controls, business process controls, application controls
and platform controls.
Risks/Threats
• Mailed cards being intercepted before reaching the authorised address.
• Uncollected cards not only take up valuable space for storage but also pose a security risk to the
bank through fraudulent use of these cards by bank staff.
• Retained cards – these ATM cards pose an even greater risk, if they fall into the wrong hands
and are misused.
• Inadequate supervision of embossing of the card.
• Stolen cards not being reported immediately
• Stocks of blank cards could lead to unauthorised cards being issued leading to fraud.
Risks/Threats
There are a number of risks involved in the management of PINs:
1. The integrity of the PIN itself. If control and security are not tight, the method of
selecting PINs or encryption keys may become known, and duplicate PINs and mailers may be
prepared.
2. PIN mailers may be intercepted in the post.
3. PINs longer than four digits are a security hazard, as holders may be tempted to write the
number down in order to remember it.
4. Issuing replacement PINs to customers. If the person making the request has stolen the
card or is not authorised to use it, the true owner of the card stands to lose a substantial sum of
money.
Application Controls
For control and security purposes the PIN is stored in a database file in encrypted form. The
PIN mailers are prepared separately, and the PIN is activated only when the customer first uses
the card at the ATM.
Adequate control should be exercised when PINs are produced for mailing. The PIN is mailed
after the card, in a separate mailer on a different day.
For security reasons all systems documentation concerning PIN generation and encryption/decryption
keys must be under tight control at all times. Furthermore, extreme care must be taken when
requests for new PINs are made; for security reasons the request for a new PIN
should be in writing.
For control purposes the number of PINs generated must be confirmed against the total
number of applications approved.
It is recommended that the customer's PIN should not be displayed on the PIN mailer. For
control and security reasons the PIN mailers should carry no direct reference or correlation to the
customer's account number or to the identity of the financial institution. The PIN must be scrambled or
encrypted if printed or displayed on terminal screens.
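The encryption subsection and the PIN controls above say the PIN must be encrypted but not what the ATM actually encrypts. The following added example (not from the paper) shows the ISO 9564-1 format 0 PIN block, in which the PIN is combined with part of the card's PAN before encryption, so that an intercepted block is tied to one card and decodes to garbage under any other PAN; it Luhn-checks the PAN first. The sample PAN and PIN are constructed test values, and the encryption of the block under the terminal's PIN key (done by the PIN pad or an HSM with 3DES or AES) is outside the snippet, which covers only the formatting step.

```python
"""ISO 9564-1 format 0 PIN block: how a PIN is formatted at the PIN pad
before it is encrypted, and why the block differs per card.

Added example, not from the paper. Sample PAN and PIN are constructed test
values; encryption of the block under the terminal PIN key is not shown.
"""


def luhn_valid(pan: str) -> bool:
    """Luhn check on a PAN of digits; the last digit is the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right, excluding the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _pan_field(pan: str) -> bytes:
    """Format 0 PAN field: 0000 + rightmost 12 digits of the PAN without its check digit."""
    return bytes.fromhex("0000" + pan[:-1][-12:])


def pin_block_iso0(pin: str, pan: str) -> bytes:
    """Clear PIN block = PIN field XOR PAN field (8 bytes, before encryption)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    # PIN field: control nibble 0, PIN length nibble, PIN digits, pad with F.
    pin_field = bytes.fromhex(("0%X" % len(pin) + pin).ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def pin_from_block_iso0(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear format 0 block; fails if the PAN is wrong."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    pin = pin_field[2:2 + length]
    if not (4 <= length <= 12) or not pin.isdigit() \
            or pin_field[2 + length:] != "F" * (14 - length):
        raise ValueError("malformed PIN block (wrong PAN or corrupted)")
    return pin


if __name__ == "__main__":
    pan_a, pan_b = "4000001234567899", "5555555555554444"  # constructed, Luhn-valid
    block = pin_block_iso0("1234", pan_a)
    print(block.hex().upper())                       # 041234FEDCBA9876
    print(pin_block_iso0("1234", pan_b).hex().upper())  # same PIN, different block
    print(pin_from_block_iso0(block, pan_a))         # 1234
```

Because the PAN is XORed in, the same PIN yields a different block for every card, and a block replayed against another PAN fails the padding check instead of yielding a PIN. Note what this does not do: the clear block must never leave the secure PIN pad, and the PIN itself is never stored; the host keeps only a verification value derived under an HSM key.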
3. Platform Controls
Controls to consider should include:
I. Encryption
II. Algorithm
III. Communication controls
i. Communication protocols
ii. Encryption protocols, etc.
Conclusion
Praveen Dalal (2006) indicated that although comprehensive computer insurance cover is available to
banks for losses relating to ATMs, the policies vary significantly. By careful ATM risk
analysis and the best prevention and reduction methods, acceptable levels of ATM risk
can be maintained. One of the benefits that banks experience from e-banking is increased
customer satisfaction: customers can access their accounts whenever and from wherever they wish,
and they become more involved, building relationships with their banks.
Banks should provide their customers with convenience, meaning service through
several distribution channels (ATM, Internet, physical branches) with more functions available
online. Other benefits are expanded product offerings and extended geographic reach: banks can
offer a wider range of newer services online to more customers than was possible before.
The benefit driving most banks toward e-banking is the reduction of overall costs. With
e-banking, banks can reduce overall costs in two ways: the cost of processing transactions is
minimised, and the number of branches required to serve an equivalent number of customers
is reduced. With all these benefits banks can succeed in the financial market. But e-banking is
a difficult business and banks face many challenges.
References and sources
[1] ISACA (2007), Glossary, www.isaca.org/glossary
[2] http://www.atmsecurity.com/monthly-digest/atm-security-monthly-digest/atm-fraud-and-security-digest-march-2009.html
[3] http://www.computerworld.com/securitytopics/security/story
[4] http://www.denverpost.com/headlines
[5] http://www.europol.europa.eu
[6] http://www.mydigitallife.info/2006/09/25/atm-hacking-and-cracking-to-steal-money-with-atm-backdoor-default-master-password/
[7] http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/
[8] http://www.wired.com/threatlevel/2009/04/pins/
[9] https://www.european-atm-security.eu
[10] McGlasson, L., "ATM Fraud: Growing Threats to Financial Institutions", Bank Info Security, http://www.bankinfosecurity.com
[11] ATM crime (2009): Overview of the European situation and golden rules on how to avoid it.
[12] Robinson, G., "Bondi banks scam: ATM alert", The Sydney Morning Herald, October 2008.
[13] Hamelink, C., "The Ethics of Cyberspace", Sage, London, 2000; Ind, N., "Living the Brand", Kogan Page, London.
[14] Kalakota, R. and Whinston, A. B., "Electronic Commerce: A Manager's Guide", 2nd edition, Addison Wesley, Harlow, 2001.
[15] Crosland, M., NCR Corp. (2010), "Consumer behaviour drives innovation in ATM technology", http://www.atmmarketplace.com
[16] ISACA (2001), IS Auditing Procedure: Electronic Funds Transfer (EFT), Information Systems Audit and Control Association.
[17] RCBC (2007), Rizal Commercial Banking Corporation, Electronic Banking (e-Banking) Consumer Protection Policy.
[18] Fenton, M. (2008), "Taking ATM fraud prevention to the next level", Banking Systems and Technology: The Blog.
[19] Roy Martin, R. and Jan, Y. (1986), "Computer and Security Risk Management: A key to security in Electronic Funds Transfer Systems", Elsevier Science Publishers.
[20] Dalal, P. (2006), "Preventive measures for ATM frauds", Computer Crime Research Centre.
[21] Diebold Inc. (2002), ATM Fraud and Security white paper.
[22] Essinger, J. (1987), "ATM Networks: Their organisation, security and finance", Elsevier International Bulletin, Chapter 6, Future developments.
[23] Arens, A. A. and Loebbecke, J. K. (1988), "Auditing: An Integrated Approach", 4th edition, Chapter 8, pp. 231-269, Prentice Hall International Edition.
[24] The EDP Audit, Control and Security Newsletter (EDPACS) (1991), Parker, R., "Access control software: What it will and will not do", Vol. XVIII, No. 8.
[25] John and Paul H. (1987), Accounting and Information Systems: Compliance testing in a computer environment, Chapter 16, 3rd edition, Prentice Hall.
[26] Chambers, A. D. (1981), Computer Auditing, Chapter 5, Insurance, Pitman Books Ltd.
[27] Campion, A. and Halpern, S., "Automating Microfinance: Experience from Latin America, Asia, and Africa", MicroFinance Network, 2001.
[28] www.mfnetwork.org/bookmarks/Itemid,26/task,detail/catid,1/navstart,0/mode,0/id,5/search,CGAP, IT Innovations Series.
[29] www.cgap.org/publications/microfinance_technology.html