There is a global surge in financial and electronic (ATM) fraud, and this ugly phenomenon is becoming increasingly sophisticated. In their bid to swindle unsuspecting victims, criminals are upping the ante, on many occasions deploying a mix of social engineering and reverse-engineering to circumvent the security/safety measures deployed by financial institutions. Interestingly, insiders (bank staffers such as management, cashiers, IT guys and security officers) are sometimes complicit in the growing financial/electronic fraud. As will be gleaned from the ensuing part of this treatise, despite a global notoriety for 419 and fraud buoyed by bad press, the Nigerian elements of this ignoble trade are pretty much dilettantes. This essay is an attempt to x-ray the escalating trend in financial and electronic (ATM) fraud and to proffer solutions to forestall such incidents.
A Global Perspective
According to EAST (European ATM Security Team), the banks of 22 European countries lost between them €485 million in 2008 due to fraudulent ATM transactions. A report by the United States' Crime Complaint Centre says credit/debit card fraud accounts for an average of $223. In 2008, fraudsters stole $9 million within minutes in the RBS (Royal Bank of Scotland) WorldPay incident. In 2004, hackers came very close to pulling off a $440 million heist at the Sumitomo Mitsui Bank in London. They were said to have used hi-tech equipment, including USB memory sticks, to install key logger software on various workstations in the bank. The Japanese National Police Agency (NPA) asserts that some ¥48 million (approximately $518,000) was transmitted electronically from the accounts of 63 internet banking users without their knowledge during the period between June and December 2012.
The Nigerian Experience
Just recently, the Nigerian Deposit and Insurance Corporation (NDIC) released a report which opined that Nigerian banks lost about N 17.9 billion in 2012 to a mix of fraudulent transactions, an increase of 43.7%. To lend credence to this, the Nigeria Police Special Fraud Unit (SFU) is said to have declared over 50 bankers wanted for bank fraud in the last year. Earlier this year, an Abuja High Court sentenced one Emeka Okafor to nine years' imprisonment for forgery and issuance of cloned cheques worth about N 4 million. Lately, an undergraduate, one Akinluyi Akintunde (a.k.a. Cindy), was allegedly arrested on the verge of cashing in on a $6.9m scam. Among other culprits, the EFCC was also said to have arrested two undergraduates for an alleged N 2.05bn fraud. These blokes were said to have used Oracle’s ‘Flexcube’ software to access the bank’s database and fraudulently transfer various sums of money.
Factors, Flaws That Enhance Electronic Fraud
Cybercriminals and offline gangs are increasingly using skimming and trapping devices to steal the credit/debit card details of individuals without their knowledge. ATM skimming involves installing a card reader and a miniature camera on the Automatic Teller Machine. The card reader reads the information on the magnetic stripe on the back of your card, and the camera watches what you enter for a PIN and transmits the information wirelessly to the criminals.
Many of today’s teller facilities are pretty vulnerable, as a lot of them run operating systems like Microsoft Windows and use Internet Protocol networks as their communication mechanism. This exposes their systems to high risk due to the inherent vulnerability of these platforms to malware such as viruses, worms and Trojan horses.
Other factors that enhance electronic fraud include the growing phenomenon of Bring Your Own Device (BYOD) and DDoS attacks. There are inherent risks associated with the proliferation of mobile devices in the workplace. In today’s cyber world, banks are not immune from an increasing trend in distributed-denial-of-service (DDoS) attacks. A DDoS attack is an attack engineered by fraudsters or hackers to temporarily or permanently make a server or computer network unavailable to its prospective users.
A report from KPMG disclosed that every FTSE 350 firm is a UK national security threat. The report opines that companies on the London Stock Exchange pose a serious risk to the UK’s national security because they are leaking data that can be used by a range of cyber attackers, including state-sponsored cyber-spies. According to Martin Jordan, head of cyber response at KPMG, “our research has shown that companies do not have full control of their web presence at a time when cyber security has been turned upside down”. The report states that each firm leaked an average of 41 usernames and 44 email addresses. These can be used in spear phishing attacks.
Telltale signs a camera, skimming or trapping device is installed in a typical ATM:
The Card Slot: Under normal conditions, the card slot of an ATM flashes a fast, bright green light. If this light is not flashing when no one is performing a transaction, it is a sign that service is unavailable on the machine, which should be accompanied by an on-screen “OUT OF SERVICE” message. If you approach an ATM and the card slot light is off, yet the screen reads “INSERT YOUR CARD”, then there is danger! A skimming device may have been installed.
Other areas of an ATM where skimming devices can be, or are being, installed include the speaker compartment, the ATM side board and the keyboard. Look carefully at the keyboard to ensure that no skimming plate is placed over the existing keys. Fraudsters place a look-alike keypad cover with detecting film over the keyboard to record your PIN as you punch it in.
Popular Electronic Scams to watch out for
Cash-Out heists: Recently a sophisticated crime syndicate used hacked debit-card data to steal $45 million from thousands of ATMs in a matter of hours, in a well-coordinated ATM withdrawal across 2,904 machines and 40,500 transactions spanning 27 countries. Fraud experts suggest these geeks probably penetrated the bank’s prepaid systems, lifted the limit on those cards, reprogrammed the access codes for the plastic cards, printed ATM cards and then went to ATMs around the world, debiting the prepaid cards that had very high values on them.
Analysts are of the view that this happened because the banks’ systems were not well protected and there were no adequate controls, such as monitoring privileged user access. Setting off a big alarm bell when someone lifts the limit on an account, monitoring the privileged users and looking for limits being lifted could have forestalled such an incident. The banks probably failed to put dual controls around lifting the withdrawal limits.
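The controls the analysts describe can be expressed as two detection rules: alert on any limit increase that lacks a second approver, and alert when a card whose limit was just raised is used in several countries within a short window. The sketch below is an added example, not taken from any bank's system; the event format, field names, account IDs and thresholds are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events (not real data); all field names are assumptions.
EVENTS = [
    {"ts": "2013-05-01T02:00:00", "type": "limit_change", "account": "PP-1001",
     "old": 500, "new": 250000, "changed_by": "adm_k", "approved_by": None},
    {"ts": "2013-05-01T02:05:00", "type": "limit_change", "account": "PP-2002",
     "old": 500, "new": 1000, "changed_by": "adm_k", "approved_by": "sup_m"},
    {"ts": "2013-05-01T02:10:00", "type": "limit_change", "account": "PP-3003",
     "old": 500, "new": 9000, "changed_by": "adm_z", "approved_by": "adm_z"},
    {"ts": "2013-05-01T03:00:00", "type": "withdrawal", "account": "PP-1001", "country": "US"},
    {"ts": "2013-05-01T03:02:00", "type": "withdrawal", "account": "PP-1001", "country": "JP"},
    {"ts": "2013-05-01T03:04:00", "type": "withdrawal", "account": "PP-1001", "country": "DE"},
    {"ts": "2013-05-01T03:05:00", "type": "withdrawal", "account": "PP-2002", "country": "US"},
]


def find_alerts(events, window=timedelta(hours=2), max_countries=2):
    """Return alerts for unapproved limit increases and post-increase cash-out spread."""
    alerts = []
    raised = {}     # account -> time of the most recent limit increase
    countries = {}  # account -> countries seen inside the window after it
    for e in sorted(events, key=lambda ev: ev["ts"]):
        when, acct = datetime.fromisoformat(e["ts"]), e["account"]
        if e["type"] == "limit_change" and e["new"] > e["old"]:
            raised[acct], countries[acct] = when, set()
            approver = e.get("approved_by")
            # Dual control: a second, different person must approve the increase.
            if approver is None or approver == e["changed_by"]:
                alerts.append(("LIMIT_RAISED_NO_DUAL_CONTROL", acct, e["changed_by"]))
        elif e["type"] == "withdrawal" and acct in raised:
            if when - raised[acct] > window:
                continue
            before = len(countries[acct])
            countries[acct].add(e["country"])
            # Alert once, at the moment the country count first crosses the threshold.
            if before == max_countries and len(countries[acct]) > max_countries:
                alerts.append(("CASHOUT_PATTERN", acct, ",".join(sorted(countries[acct]))))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The self-approved change on PP-3003 is flagged the same way as the unapproved one, since an approver who is also the requester provides no second pair of eyes.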
Online account takeover: This occurs when an unauthorized party gains access to an existing bank account by stealing the access credentials, and is followed almost invariably by the illegal movement of funds. In today’s increasingly connected world, convenience, speed, technology adoption and payment options allow people and businesses to conduct online financial activities more easily and efficiently. Consequently, fraudsters are taking advantage of this mushrooming attack surface through the increased use of smartphones to access the internet, malware, socially engineered account takeovers, and other means.
The total number of Account Takeover attempts reported by financial institutions has more than tripled since 2009, according to the Financial Services Information Sharing and Analysis Center. Moreover, global losses from account takeover are expected to reach $794 million by 2016. Not only are incidents of account takeover on the rise; they are also increasing in frequency and scope.
Recommendations To Financial Institutions
Security threats are shifting from the usual bank robberies to sophisticated electronic scams; hence deploying a platoon of gung-ho mobile police officers or private security operatives will offer little or no help. One recently came across a popular Nigerian bank bragging of its capacity to open instant bank accounts via Facebook. In a bid to outshine each other or pass off a trendy facade, financial institutions must not sacrifice security/safety and due diligence on the altar of trendiness.
Banks should install anti-skimming devices on their ATMs. This will prevent skimming devices from reading the magnetic stripe data on the cards. Introduction of EMV smartcards (also known as chip cards) will also prevent card skimming.
Debit/credit cards and online banking facilities must not be indiscriminately issued to illiterate or elderly clients, since they may not be able to personally utilize them without the help of a third party. In such cases, there is no guarantee that their PINs will not fall into the wrong hands. Financial institutions and stakeholders must put in place ongoing public enlightenment campaigns to refresh the minds of citizens on the dangers out there.
Banks must completely erase the information on their computer hard drives before disposing of or selling them, and they must carry out stringent due diligence and background checks on their entire staff (full-time, part-time and contract staff).
The growing trend of bring-your-own-device (BYOD) requires organizations to keep abreast of the emerging risks associated with this phenomenon. Banks must put in place well thought-out BYOD best practices and policies that address data loss prevention, application security and exposure liability management. Possibly, susceptible organizations should disable the USB ports on their computers to forestall insiders and visitors from infecting their network with malware or arbitrarily downloading sensitive/classified information.
Generally, a multi-layered approach should be adopted, one which prioritizes, amongst others, a holistic approach to security (a synergy between information security, physical security, and risk/fraud/anomaly detection and prevention), behavioral analytics, and avant-garde authentication processes. Furthermore, financial institutions must develop plans to redress threats, and carry out sporadic vulnerability assessments of their critical networks.
Clues to ward off electronic/ATM Fraud:
There is a plethora of very acerbic and distressing tales of bank customers losing money through a potpourri of ATM frauds, cheque cloning et al. By paying attention to details and taking measures to protect your financial privacy, you can avoid being a victim of electronic (ATM) fraud. It is unfortunate that many ATMs do not have a CCTV camera within the vicinity that monitors and records activities within the premises. Here are some rules of thumb for using ATMs and guarding against being a victim:
Customers must avoid using ATMs once they feel insecure; they must stand very close to the ATM so as to block the view of possible intruders, and never let anyone stand too close to them.
Debit/credit cards can be cloned; be careful about the type of retail outlet or website where you swipe or enter your card details.
There are reported cases of criminals installing fake ATMs in and around shopping centers and public locations, and also cases of criminals using WiFi scanners and cracking programs to download transaction data. ATMs inside or within bank premises are safer than a typical one on the street.
Customers must also avoid counting cash at ATM points; many ATMs do not take money back once dispensed, so ensure you collect your money before leaving the scene.
Shun machines located in places that are not properly lit or protected. Be mindful while using ATMs at quiet times, especially very early in the morning and late at night, because skimmers have been found to take advantage of those periods.
Never rely on a total stranger to help you take back your ATM card when it gets stuck in an ATM. Contact your bank immediately if the machine is not within a banking area.
Note that your bank will NEVER ask you for your ATM PIN or your online banking password, even if they call you on the phone; beware of phone calls that purport to emanate from your bank. And don’t forget: never disclose your PIN to third parties!
Desist from storing private and banking details on your mobile phone, as these devices can easily be stolen or get lost.
Avoid accessing your personal online accounts, especially for banking transactions, from public computers, public WiFi spots or cyber cafes.
Remember to shred all unwanted bank and credit card statements, and seldom give out your bank account details/numbers to people, even friends, under the guise of using your account to receive money from another party.
It will take a very brilliant solicitor and favorable forensic evidence to exonerate yourself if your bank account is unwittingly enmeshed in a fraudulent transaction.
Just recently my wife got an SMS purportedly from her bank telling her that her account number had been changed; a new account number was assigned to her in the SMS. I told her to verify with her bank. With the prevalence of short code and bulk SMS services, one can send an SMS with a personalized user ID or phone number, claiming to be someone else or to originate from a specific phone number. For example, criminals can send you a customized bank transaction SMS alert purporting to emanate from your bank.
Be very circumspect if you get an email purporting to emanate from your bank asking you to update/verify/reactivate your online banking details. Classic phishing emails have the aforementioned undertone. Your online banking passwords must be strong enough, consisting of a mishmash of alphabets, numbers, and upper and lower case letters.
There is a superfluity of fraudulent online shopping sites these days. Before entering your credit or debit card details on a website for online transactions, carefully look for signs like a closed padlock and a web address with “HTTPS” (Hyper Text Transfer Protocol over a Secure Network). Sites with “HTTPS” are safer than those with “HTTP”. The former (HTTPS) keeps the session cookie encrypted between logging in and logging out.