Introduction:
There is a global surge in financial and electronic (ATM) fraud, and this ugly phenomenon is becoming increasingly sophisticated. In their bid to swindle unsuspecting victims, criminals are upping the ante, on many occasions deploying a mix of social engineering and reverse engineering to circumvent the security and safety measures deployed by financial institutions. Interestingly, insiders (bank staffers: management, cashiers, IT personnel, security officers) are sometimes complicit in the growth of financial and electronic fraud. As will be gleaned from the ensuing part of this treatise, despite a global notoriety for 419 and fraud buoyed by bad press, the Nigerian elements of this ignoble trade are pretty much dilettantes. This essay is an attempt to x-ray the escalating trend in financial and electronic (ATM) fraud and to proffer solutions to forestall such incidents.
A Global Perspective
According to EAST (the European ATM Security Team), the banks of 22 European countries lost between them €485 million in 2008 due to fraudulent ATM transactions. A report by the United States' Internet Crime Complaint Center says credit/debit card fraud accounts for an average loss of $223. In 2008, fraudsters stole $9 million within minutes in the RBS (Royal Bank of Scotland) WorldPay incident. In 2004, hackers came very close to pulling off a $440 million heist at the Sumitomo Mitsui Bank in London. They were said to have used hi-tech equipment, including USB memory sticks, to install keylogger software on various workstations in the bank. The Japanese National Police Agency (NPA) asserts that some ¥48 million (approximately $518,000) was transmitted electronically from the accounts of 63 internet banking users without their knowledge between June and December 2012.
The Nigerian Experience
Just recently, the Nigerian Deposit Insurance Corporation (NDIC) released a report which stated that Nigerian banks lost about N17.9 billion in 2012 to a mix of fraudulent transactions, an increase of 43.7%. To lend credence to this, the Nigeria Police Special Fraud Unit (SFU) is said to have declared over 50 bankers wanted for bank fraud in the last one year. Earlier this year, an Abuja High Court sentenced one Emeka Okafor to nine years' imprisonment for forgery and the issuance of cloned cheques worth about N4 million. Lately, an undergraduate, one Akinluyi Akintunde (a.k.a. Cindy), was allegedly arrested on the verge of cashing in on a $6.9m scam. Among other culprits, the EFCC was also said to have arrested two undergraduates for an alleged N2.05bn fraud. These blokes were said to have used Oracle's 'Flexcube' software to access the bank's database and fraudulently transfer various sums of money.
Factors, Flaws That Enhance Electronic Fraud
Cybercriminals and offline gangs are increasingly using skimming and trapping devices to steal individuals' credit/debit card details without their knowledge. ATM skimming involves installing a card reader and a miniature camera on the Automated Teller Machine. The card reader reads the information on the magnetic stripe on the back of your card, the camera watches what you enter as your PIN, and the device transmits the information wirelessly to the criminals.
Many of today's teller facilities are quite vulnerable: a lot of them run operating systems like Microsoft Windows and use Internet Protocol networks as their communication mechanism, which exposes them to high risk because of the inherent vulnerability of these platforms to malware, viruses, worms and Trojan horses.
Other factors that enhance electronic fraud include the growing phenomenon of Bring Your Own Device (BYOD) and DDoS attacks. There are inherent risks associated with the proliferation of mobile devices in the workplace. In today's cyber world, banks are not immune from the increasing trend in distributed denial-of-service (DDoS) attacks. A DDoS attack is an attack engineered by fraudsters or hackers to temporarily or permanently make a server or computer network unavailable to its intended users.
A report from KPMG disclosed that every FTSE 350 firm is a UK national security threat. The report opines that companies on the London Stock Exchange pose a serious risk to the UK's national security because they are leaking data that can be used by a range of cyber attackers, including state-sponsored cyber-spies. According to Martin Jordan, head of cyber response at KPMG, "our research has shown that companies do not have full control of their web presence at a time when cyber security has been turned upside down". The report notes that each firm leaked an average of 41 usernames and 44 email addresses. Such data can be used in spear phishing attacks.
Telltale signs that a camera, skimming or trapping device is installed on a typical ATM:
The Card Slot:
Under normal conditions, the card slot of an ATM flashes a fast, bright green light. If this light is not flashing when no one is currently performing a transaction, it is a sign that the machine is out of service, which should be accompanied by an on-screen "OUT OF SERVICE" message. If you approach an ATM and the card slot light is off, yet the screen reads "INSERT YOUR CARD", then there is danger! A skimming device may have been installed.
Other areas of an ATM where skimming devices can be, or are being, installed include the speaker compartment, the ATM side board and the keypad. Look carefully at the keypad to ensure that no skimming plate has been placed over the existing keys. Fraudsters place a look-alike keypad overlay with a sensing film over the keypad to record your PIN as you type it.
Popular Electronic Scams to watch out for
Cash-out heists: Recently a sophisticated crime syndicate used hacked debit-card data to steal $45 million from thousands of ATMs in a matter of hours, in a well-coordinated ATM withdrawal across 2,904 machines and 40,500 transactions spanning 27 countries. Fraud experts surmise that the attackers penetrated the banks' prepaid card systems, lifted the withdrawal limits on those cards, reprogrammed the access codes, printed ATM cards and then went to ATMs around the world debiting those prepaid cards that now carried very high balances.
Analysts are of the view that this happened because the banks' systems were not well protected and there were no adequate controls, such as monitoring privileged user access. Monitoring the privileged users, looking for limits being lifted, and raising a loud alarm whenever someone lifts the limit on an account could have forestalled such an incident. The banks probably also failed to put dual controls around lifting the withdrawal limits.
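The two controls the paragraph above calls for (dual control on limit lifts and an alarm on a lifted account that then withdraws in a burst) can be expressed as detection rules over the bank's own audit trail. The following is an added example, not code from the article or from any bank; the log format, field names and thresholds are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (hypothetical format): ts|event|actor|account|key=value;...
AUDIT_LOG = """\
2013-02-19T01:02:00|LIMIT_CHANGE|admin_jdoe|PP-1001|old=500;new=1000000;approver=none
2013-02-19T01:03:10|LIMIT_CHANGE|admin_jdoe|PP-1002|old=500;new=1000000;approver=sec_mlee
2013-02-19T03:00:00|ATM_WITHDRAW|card|PP-1001|amount=2000;country=US
2013-02-19T03:00:05|ATM_WITHDRAW|card|PP-1001|amount=2000;country=JP
2013-02-19T03:00:12|ATM_WITHDRAW|card|PP-1001|amount=2000;country=GB
2013-02-19T09:00:00|ATM_WITHDRAW|card|PP-1002|amount=300;country=NG
"""
LIMIT_RAISE_THRESHOLD = 10_000          # assumed: lifts above this need a second approver
BURST_WINDOW = timedelta(minutes=10)    # assumed: withdrawals this close together...
BURST_COUNT = 3                         # ...and this many, trip the cash-out alert


def parse(log_text):
    """Turn each pipe-delimited line into a dict; key=value details are flattened in."""
    events = []
    for line in log_text.splitlines():
        ts, kind, actor, account, detail = line.split("|")
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "actor": actor, "account": account, **fields})
    return events


def detect(log_text):
    """Return (rule, account, actor) alerts for the two controls described in the text."""
    events = parse(log_text)
    alerts, lifted = [], set()
    # Control 1: a large privileged limit lift must carry a distinct second approver.
    for e in events:
        if e["kind"] == "LIMIT_CHANGE" and int(e["new"]) > LIMIT_RAISE_THRESHOLD:
            lifted.add(e["account"])
            if e["approver"] in ("none", e["actor"]):
                alerts.append(("limit_lift_without_dual_control", e["account"], e["actor"]))
    # Control 2: a lifted account that then withdraws in a fast, multi-country burst.
    withdrawals = defaultdict(list)
    for e in events:
        if e["kind"] == "ATM_WITHDRAW" and e["account"] in lifted:
            withdrawals[e["account"]].append(e)
    for account, ws in withdrawals.items():
        for i, first in enumerate(ws):
            window = [w for w in ws[i:] if w["ts"] - first["ts"] <= BURST_WINDOW]
            if len(window) >= BURST_COUNT and len({w["country"] for w in window}) > 1:
                alerts.append(("cash_out_burst_after_limit_lift", account, "card"))
                break
    return alerts
```

Account PP-1002 is lifted with a separate approver and withdraws once, so it raises nothing; PP-1001 trips both rules.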
Online account takeover: this occurs when an unauthorized party gains access to an existing bank account by stealing the access credentials, and it is followed almost invariably by the illegal movement of funds. In today's increasingly connected world, convenience, speed, technology adoption and payment options allow people and businesses to conduct online financial activities more easily and efficiently. Consequently, fraudsters are taking advantage of this mushrooming attack surface through the increased use of smartphones to access the internet, malware, socially engineered account takeovers and other means.
The total number of account takeover attempts reported by financial institutions has more than tripled since 2009, according to the Financial Services Information Sharing and Analysis Center. Moreover, global losses from account takeover are expected to reach $794 million by 2016. Not only are incidents of account takeover on the rise; they are also increasing in frequency and scope.
Recommendations To Financial Institutions
Security threats are shifting from the usual bank robberies to sophisticated electronic scams, hence deploying a platoon of gung-ho mobile police officers or private security operatives will offer little or no help. One recently came across a popular Nigerian bank bragging of its capacity to open instant bank accounts via Facebook. In a bid to outshine each other or pass off a trendy facade, financial institutions must not sacrifice security, safety and due diligence on the altar of trendiness.
Banks should install anti-skimming devices on their ATMs. These prevent skimming devices from reading the magnetic stripe data on cards. The introduction of EMV smartcards (also known as chip cards) will also prevent card skimming.
Debit/credit cards and online banking facilities must not be indiscriminately issued to illiterate or elderly clients, since they may not be able to use them without the help of a third party. In such cases, there is no guarantee that their PINs will not fall into the wrong hands. Financial institutions and stakeholders must put in place ongoing public enlightenment campaigns to remind citizens of the dangers out there.
Banks must completely erase the information on their computer hard drives before disposing of or selling them, and they must carry out stringent due diligence and background checks on their entire staff (full-time, part-time and contract staff).
The growing trend of bring-your-own-device (BYOD) requires such organizations to keep abreast of the emerging risks associated with this phenomenon. Banks must put in place well-thought-out BYOD best practices and policies that address data loss prevention, application security and exposure liability management. Where possible, susceptible organizations should disable the USB ports on their computers to prevent insiders and visitors from infecting their network with malware or arbitrarily downloading sensitive or classified information.
Generally, a multi-layered approach should be adopted, one that prioritizes, among other things, a holistic approach to security (a synergy between information security, physical security, and risk/fraud/anomaly detection and prevention), behavioral analytics, and avant-garde authentication processes. Furthermore, financial institutions must develop plans to redress threats and carry out periodic vulnerability assessments of their critical networks.
Clues to ward off electronic/ATM Fraud:
There is a plethora of very acerbic and distressing tales of bank customers losing money through a potpourri of ATM frauds, cheque cloning et al. By paying attention to details and taking measures to protect your financial privacy, you can avoid becoming a victim of electronic (ATM) fraud. It is unfortunate that many ATMs do not have a CCTV camera within the vicinity that monitors and records activities on the premises. Here are some rules of thumb for using ATMs and guarding against becoming a victim:
Customers must avoid using ATMs once they feel insecure; they must stand very close to the ATM so as to block the view of possible intruders, and never let anyone stand too close to them. Debit/credit cards can be cloned; be careful about the type of retail outlet or website where you swipe your card or enter your card details. There are reported cases of criminals installing fake ATMs in and around shopping centers and public locations, and also cases of criminals using WiFi scanners and cracking programs to download transaction data. ATMs inside or within bank premises are safer than a typical one on the street.
Customers must also avoid counting cash at the ATM; many ATMs do not take money back once dispensed, so ensure you collect your money before leaving the scene. Shun machines located in places that are not properly lit or protected. Be mindful while using ATMs at quiet times, especially very early in the morning and late at night, because skimmers have been found to take advantage of those periods. Never rely on a total stranger to help you retrieve your ATM card when it gets stuck in an ATM; contact your bank immediately if the machine is not within a banking area.
Note that your bank will NEVER ask you for your ATM PIN or your online banking password, even if they call you on the phone; beware of phone calls that purport to emanate from your bank. And don't forget: never disclose your PINs to third parties! Desist from storing private and banking details on your mobile phone, as these devices can easily be stolen or lost. Avoid accessing your personal online accounts, especially for banking transactions, from public computers or through public WiFi spots or cyber cafes. Remember to shred all unwanted bank and credit card statements, and seldom give out your bank account details or numbers to people, even friends, under the guise of using your account to receive money from another party. It will take a very brilliant solicitor and favorable forensic evidence to exonerate you if your bank account is unwittingly enmeshed in a fraudulent transaction.
Just recently my wife got an SMS, purportedly from her bank, telling her that her account number had been changed; a new account number was assigned to her in the SMS. I told her to verify it with her bank. With the prevalence of short codes and bulk SMS, one can send an SMS with a personalized sender ID or phone number claiming to be someone else or to originate from a specific phone number. For example, criminals can send you a customized bank transaction SMS alert purporting to emanate from your bank.
Be very circumspect if you get an email purporting to emanate from your bank asking you to update, verify or reactivate your online banking details. Classic phishing emails have the aforementioned undertone. Your online banking passwords must be strong, consisting of a mishmash of letters (both upper and lower case), numbers and symbols.
There is a superfluity of fraudulent online shopping sites these days. Before entering your credit or debit card details on a website for online transactions, carefully look for signs like a closed padlock and a web address beginning with "HTTPS" (Hypertext Transfer Protocol Secure). Sites with "HTTPS" are safer than those with "HTTP": the former encrypts the traffic, including the session cookie, between logging in and logging out.
Written by:
Don Okereke
First published on www.bellanaija.com as ''Going Cashless? Here Are Tips For Safe Electronic Banking Practice''
Very good tips worthy of note!