Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

Consumer Card Controls Could Have Prevented $11.5m ATM Heist

Gordon McKenzie,EMEA MD at Ondot Systems explores how consumer card controls can tackle the challenge of ATM cashouts

Wherever there are users and money there will be cybercrime and fraud. So it is that financial institutions and their customers are increasingly being targeted by global attackers. Most recently, Indian lender Cosmos Bank lost $11.5m after an international criminal network fraudulently withdrew funds from ATMs in 28 countries around the world. That’s despite a warning from the FBI that an “ATM cashout” operation was imminent.

In our 24×7, digital-first society customers increasingly expect to be empowered with greater control over card management.

It’s a move that could have saved this financial institution, and many more like it, millions in losses and brand damage.

Out of control

ATM cashouts typically happen at smaller banks where security controls are less rigorously implemented, there’s less budget to throw at the problem and third-party vulnerabilities may be more obvious, according to the FBI’s warning. Global gangs usually phish or hack their way into back-end systems. Just before the allotted hour, they’ll often remove internal fraud controls such as maximum ATM withdrawal amounts and limits on volume of daily withdrawals, and may also artificially increase customer balances. Forged magstripe cards are then used around the world to withdraw funds in a highly co-ordinated campaign.

This is certainly not the first ATM-based cyber-attack: in 2013 cyber-criminals stole $45m from ATMs, and in 2016 over $12m was taken from cashpoints in Japan using cards cloned from a South African bank. However, the bad news, according to the FBI, is that it “expects the ubiquity of this activity to continue or possibly increase in the near future.” ATMs — unmanned and usually loaded with cash — are also particularly vulnerable to external tampering. Attackers can quite easily attach “skimmers” to the front of the card reader slot to read card info as it’s pushed into the machine, and overlay pads which record the card’s PIN, or motion-activated cameras to record the same information. That provides everything they need to create a clone. It’s no surprise that ATM-maker Diebold Nixdorf has described skimming as a $2bn+ problem globally.

These ATM attacks are also part of a wider pattern of soaring global card fraud. In the UK alone, an estimated £2bn+ was stolen from the bank accounts of cardholders last year, a 38% rise from the previous 12 months. Other figures pointed to steep rises in e-commerce fraud (24%) and fraudulent applications for cards (12%). The bottom line is that as financial institutions and organisations undergo digital transformation to become more competitive, agile and innovative, they’re also exposing their systems to increasingly well resourced and determined cyber-criminals. The vast underground cybercrime economy has effectively democratised access to customer account data, PII, and hacking tools while the anonymising power of the dark web and crypto-currencies have significantly reduced the risk of getting caught. The result? A thriving threat landscape.

Time for change

So what’s the answer? Thousands of financial institutions around the world have already woken up to the possibilities of card control applications. Offering granular control to cardholders through a simple mobile app interface can —amongst other things — empower them to restrict usage of certain transactions. That means in the event of an ATM cashout warning, accounts could be locked down so that even spoofed cards won’t work. If a user needs emergency cash, they can temporarily enable ATM withdrawals, get the money and then disable ATM transactions again. And, while ATM withdrawals are blocked, a user could still enable in-person, e-commerce or other types of transaction.

This granularity extends across a range of scenarios, allowing cardholders to decide where in the world their cards can be used, as well as spending limits, time frames and even merchant categories. It’s all about providing maximum visibility and control over how cards are used, with transaction alerts provide peace of mind when consumers need it most.

Financial institutions can not only reduce fraud rates in this way but also lower call centre costs, improve false decline rates, drive greater use of cards and build closer bonds with their customers. In our always-on, 24×7 world there are opportunities round-the-clock for the bad guys to expose gaps in protection. By handing more control back to the consumer to self-serve, financial institutions are already adding value and supporting digital transformation whilst protecting them and their customers from an escalating fraud epidemic.

The fraud and threat landscape is constantly evolving. That’s why, in order to succeed, our response must be just as innovative.