Constant vigilance must always be the mantra of the fraud manager—you never know when or where the next threat will arise. Case in point: We’re now seeing an abrupt rise in the incidence of card compromises resulting from attacks on bank ATMs. This trend became evident in the third quarter of 2009 and picked up considerable velocity over the first half of 2010.
The trend indicates a considerable shift in fraudster focus away from the large-scale card compromises and data breaches that dominated press headlines in recent years. These reached their peak in 2008 and have since diminished.
This downward shift may reflect the fact that increasing awareness of these crimes—touching off loud public and legislative outcries—has caused companies handling payment card and cardholder data to install standards-compliant point-of-sale (POS) equipment and/or adopt more secure database management practices. It’s also likely that all the press coverage made this type of opportunity too “hot” for many criminals. Bank ATMs began to look relatively more attractive, being out of the spotlight and, in many cases, under-protected.
While the number of cards compromised per bank ATM incident is generally lower than what’s involved in incidents of institutional database hacking, the damage to card issuers can nevertheless be quite severe. Cardholders often react very negatively when the point of compromise (POC) is their bank, since they expect and trust financial services providers to keep their accounts and sensitive data secure. Moreover, demand deposit and current accounts may be a hub for other accounts and service relationships. Compromised cards and PINs are highly valued by fraudsters as potential gateways to multiple sources of funds. The overall sense of violation for the customer and aggregate losses for the bank can be substantial.
Why are bank ATMs vulnerable to renewed attention from fraudsters? One reason is that the devices and methods fraudsters use to skim card data and capture PINs have become increasingly sophisticated, efficient and, in some cases, less risky for perpetrators. Another reason is that criminals are targeting methods that provide them with fast and anonymous cash, such as access to an account through an ATM.
FICO has just published a new Insights white paper that examines these bank ATM vulnerabilities and the proactive best practices banks can take to minimize risk. It also looks at best practices for isolating and containing the damage when card compromises do occur, as well as how new technology-based banking services, such as mobile transaction notifications and inquiries, are strengthening defenses by enabling cardholders to participate in fraud detection.
To bring down the rising rate of bank ATM card compromises, financial institutions must implement all best practices for proactive and reactive defense. While we’ve highlighted a number of these practices in our Insights paper, I welcome you to share your own ideas and experiences here on our blog.