Embed Size (px)
Citation preview
California Bankers Association
“New Risks in ATM Security”
Helping Financial Institutions Understand and Mitigate The Threat
June 16, 2010
Tracie GerstenbergNational Account Manager ADT Security Services
ATMs—Expanding Banking Customer Services
Retail Banking Research Limited estimates1.7M global ATMs
Over 450,000 ATMs throughout North America; over 250,000 FI-managed
The ATM Industry Association projects a new ATM installed every 6 minutes
Approximately 55% of U.S. population aged 25-49 use ATMs 8x a month
Many institutions manage a network of ATMs that represent 24/7 service convenience to their customers
ATM Skimming Results in $M FI Losses per Day;Becoming the Preferred “Bank Job”
• 60% of all ATM transactions today are cash transactions
• There are 49 billion annual worldwide ATM cash withdrawals
• Skimmers target high-transaction volume ATMs, major makes and models, urban and suburban, predominantly on-site
• 2008 Bank ATMs accounted for 75% of ATM Points of Compromise (POC); off- premise ATMs are now less than 30%.
(ATMIA, 2009 Report)
What Are The Financial Implications?Willie Sutton (1901-1980), when asked why he chose to rob banks as a career, is purported to have said, “Because that’s where the money is.” Today the question is: How much money is there in cybercrime? There is a fierce debate on this issue (see 27 March 2009 HSNW). Typically, the number of $1 trillion is mentioned — as in “cybercrime now generates $1 trillion a year for cybercriminals” -often accompanied by the comment that cybercrime now brings in more money than the drug trade. (HSNW / Homeland Security Newswire)
A single “Skimming Device” placed on an ATM typically costs banks about $33,000 in losses. Federal Bureau of Investigation, ASIS, Security Management Magazine, July 2009, “FBI Details Cyber Sting”
The US Secret Service estimates that annual losses from ATM skimming total about $1 billion each year, or $350,000 a day. https://www.evabankonline.com/pdfs/Skimming_Payment-Card_Fraud.pdf
ATM Skimming—Risks, Financial Losses and Pain Points to Financial InstitutionsReputation Risk to the bank’s brand— more damaging than the growing financial losses linked to
skimming Feb. 2009 survey by Harris Interactive—67% of adult ATM users would be likely to switch FIs after one
instance of ATM data compromise
North American ATM market now experiencing accelerated incidences of ATM skimming penetration. $1B in ATM skimming losses and rising—more than 3M victims reported in 2008; cash loss average of
$1000 per incident (Gartner Research)
Public Identity Issues—Great emphasis placed on “Information Privacy” Strong monetary and criminal penalties are in force for FIs failing to adequately protect consumer
information.
Significant “soft costs” incurred by FI Risk-Security staffs to investigate, document and report complex skimming incidences throughout ATM networks.
Law enforcement projects ATM skimming to be fastest-growing cyber crimes among FIs.
Skimming In the National Media
Skimming In The National Media
Skimming Is Reported Every Day
Skimming Makes Community HeadlinesNORTHEAST-MIDWESTThieves Use Device To Steal From ATM Customers-- WKRC-TV (Cincinnati)—3/26/10Skimming: Scary times for ATM users-- Monroe (Mich.) News—3/20/10Identity theft scam used area casinos-- WIVB-TV (Buffalo, N.Y.)—3/16/10Cops: Trio Scammed Cash Out of ATMs With Rigged Cards-- Long Island (N.Y.) Press –3/8/10Cops have image of Goshen ATM suspect-- Times Herald-Record (Middletown, N.Y.)—3/6/10 SOUTHEASTATM ‘skimmer’ found at Daytona bank-- Orlando (Fla.) Sentinel—3/29/10Thieves Use Device To Steal From ATM Customers-- Daytona Beach (Fla.) News Journal—3/29/10ATM thievery in Alexandria-- Washington Post—3/23/10Gardens Police Try To ID ATM Skimmers-- WPBF-TV 25 (West Palm Beach, Fla.)—3/12/10 WESTCredit card skimming scam suspected in Berkeley-- San Francisco Chronicle—3/31/10Utah police arrest suspected ATM skimmers; may be related to Reno-Sparks cases-- The Reno (Nev.) Gazette-Journal—3/24/10Police try to prevent credit-card skimming-- The Columbian (Clark County, Wash.)—3/4/10Two Men Charged For Stealing Credit Card Data Throughout East Bay-- KTUV San Francisco—3/3/10 CANADASkimming device found on Stratford ATM-- The Beacon (Ontario) Herald –3/25/10Two jailed after routine stop finds ATM fraud gear-- CTV Toronto—3/19/10More charges laid in alleged ATM-skimming operation-- Winnipeg Free Press—3/11/10
Criminals Advancing Technology
How Does It Happen?
How Does It Happen?
How Does It Happen?
How Does It Happen?
How Does It Happen?
Prosecuting Skimming Crimes
ATM SKIMMINGATM SKIMMING
““PRO-ACTIVE TECHNOLOGY”PRO-ACTIVE TECHNOLOGY”
1. DETECTION
• Detecting Skimming, or the theft of Consumer Information, is of paramount concern to all banking executives today.
• Unless these criminal events can be identified in a timely fashion, consumer confidence and brand loyalty is threatened (Unisys Chart)
• Often, without proper detection, the cycle of fraud associated with Skimming extends while dramatically creating adverse financial and reputation impact to institutions.
• Criminals have been enabled to act boldly in the absence of proper Skimming detection technology.
Source: www.unisys.com
Combating Skimming: Four Critical Priorities for the Financial Industry
Combating Skimming: Four Critical Priorities for the Financial Industry
2. MITIGATION
• Mitigating ATM Skimming events is a significant challenge without the proper technology.
• Mitigation requires a balanced approach that effectively negates the Skimming attacks while not impacting ATM performance.
• Mitigation should be seamless in conjunction with Detection in order to protect consumers, their data and business reputation.
Combating Skimming: Four Critical Priorities for the Financial Industry3. SURVEILLANCE• Attaching Skimming devices to ATM’s often takes less than a minute
(Below clip was 45 seconds)
• Suspects place Skimming devices and wireless remote cameras for PIN capture
• Capturing Surveillance images of individuals responsible for or involved with Skimming assists Law Enforcement in identification and apprehension
http://www.youtube.com/watch?v=xrLJjzoVqwE
Combating Skimming: Four Critical Priorities for the Financial Industry
4. NOTIFICATION
• Notification of ATM Skimming activities allows Financial Institutions to take timely, proactive action which can include:
- Alerting Law Enforcement
- Placing ATM’s into inoperative status
- Generating system wide warnings/alerts
• In optimum conditions, Notification is transparent to perpetrators, increasing response time for Law Enforcement and increasing potential for apprehension
• Notification should be a key cornerstone of a bundled solution that includes Detection, Mitigation, and Surveillance
ATMATM SKIMMINGSKIMMING
““Countermeasures & Countermeasures & Considerations”Considerations”
• Law Enforcement and Private Sector Collaboration
• Establish cooperative, crime prevention liaison with your local, state and federal law enforcement agencies
• Team with other regional FIs in communicating skimming events, dates locations and images with law enforcement partners
• Consider working with State and National Financial Associations to build collaborations and maximize resources
Countermeasures: Public-Private Sector Collaboration
Countermeasures: Employee Awareness, Prevention Programs
1. How are you making decisions about deployment of mitigation solutions?
2. Do you have a risk assessment methodology to identify higher risk locations?
3. Are you participating in private sector “associations” or “networks” to exchange, experiences and successful strategies for combating Skimming risk?
4. Are you communicating when and where your being attacked with key contacts in Federal, State and Local law enforcement in a timely fashion?
5. Are you utilizing intelligence (news media etc.) to track publicly reported Skimming activities in your footprint (bank and non-bank attacks)?
Considerations: Key Questions for Financial Institutions
ATM SKIMMINGATM SKIMMING
Q & AQ & A
