"Forensic Audit and Fraud Detection in

ATM Frauds: Challenges and Solutions"

- CA NSHANK JINDAL (M. No. 541653)

Keywords
ATM Frauds, ATM Security, Card Skimming, Shoulder surfing

Abstract

The growth of technology brought by the advent of Automated Teller Machines (ATMs) that occupies
an important position in the internet banking and-banking portfolio. It has given the relaxed life to
consumers allowing them to financial information; access the cash at “Anytime Anywhere Anyplace”
without any problem. It offers a real convenience to those who are on the run in their everyday life, but at
the same time, it also carries a big element of risk. Whatever benefits accruable to parties are almost lost
through frauds perpetrated through card-related transactions on ATMs. This paper presents brief information
related to type of ATMs frauds [i.e. Card Trapping, Cash Trapping/False Presentation, Social
Engineering/Phishing, Malware, Operational Fraud (Dispenser Manipulation, Fraudulent Issuance &
Fraudulent Placements), Physical Attack, Card Skimming & Shoulder surfing] and its security [i.e. Track
ATM Fraud Elsewhere, Leverage on Technological Improvements, Address Human Resource Issues,
Rethink What Constitutes Physical Security, Stock Management & Cyber Security, etc.] that provided
a solution of still enjoying the dividends of ATM cards and its attendant vulnerabilities.

Introduction

ATM uses have an important role in the e-banking in the India as well as in the world. The service of
ATM has provided their customers an excellent life permiting their user to access cash and other necessary
financial information. The concept of ATM is based on banking Anytime, Anywhere and Anyplace. It
provides a genuine expediency to those persons who cannot travels or run daily life while carrying
money. The crime related to ATM fraud is increasing with time and no one can show leniency in
money related crime.
ATM is a terminal deployed by bank or other financial institutions or organizations, which enables the
customers to make a balance enquiry, to make a money transfer, to deposit cash, to withdraw cash and
other financial queries. The aim of ATM is to provide fast and convenient services to his customers
and are basically self services banking terminals.
ATMs have given a lot of relief in the financial sectors. Now a days no one has time to stand in line in the
bank for cash withdrawal in front of clark. Even to customers, a major problem of financial transactions is
too solved by Automated Teller Machines that costumers can take.
ATM card is a regular card that is used at any ATM to withdraw/ deposit money, check account
balance and money/ funds transfers.
Authentication methods for ATM cards have little changed since a their introduction in the 1960’s.
 Typically, this authentication design involves a trusted hardware device called as ATM card or token.
Every users have a personal identification number (PIN) which is usually the means to verify the
identity of the user. However, due to the limitations of such design, an intruder in possession of user’s
device can discover the user’s PIN with brute force attack. In card cases, a typical four digit PIN, one
in every 10,000 users will have the same number .

India’s First ATM Fraud - The Chennai City Police have busted an international gang involved in
cyber crime, with the arrest of Deepak Prem Manwani (22), who was caught red-handed while
breaking into an ATM in the city in June last. The dimensions of the city cops’ achievement can be
gauged from the fact that they have netted a man who is on the wanted list of the formidable FBI
(Federal Bureau of Investigation, United States). At the time of his arrest, he has `7.5 lakh knocked
off from two ATMs in the city (T Nagar and Abiramipuram). Earlier he had walked away with
`50,000 from an ATM in Mumbai. While investigating Manwani’s case, the Chennai police stumbled
upon a cyber crime involving scores of persons across the globe.

ATM Fraud Trends – Cyber Expert, Mike Urban, Senior Director of Fraud Solutions at Fair Isaac says
that, the reason behind ATM frauds is simple because criminals like cards and PINs. If any criminal trace
the data behind magnetic stripe and PIN, then it is a free gift for criminal to withdraw the money from
that account. There is no barrier, no making an authentic card to be used at a retails. While this crime
is much harder to perpetrate, criminals prefer this over other types of crimes like credit card fraud, such
as signature-based fraud.

The front and back side of the ATM card shown in the figure (1).
Front side includes-
 Customer name
 Card number
 Validity of card
 Visa Flag/ Maestro and 3D hologram

The back side of the card includes

 Signature Panel
 Magnetic stripe
 Contact

Figure (1): Shows front and back side of an ATM card .

 Types of cards

Bank cards available to a customer in India can be classified on the basis of their usage and payment by
the card holder. There are three types of cards in India:

 Debit cards
 Credit cards
 Prepaid cards

The Usages of Debit Cards- The debit cards are used to purchase goods (shopping) withdraw cash
from an ATM and services at Point of Sale (POS)/E-commerce (online purchase) both domestically and
internationally (provided it is enabled for international use). So, this card can be used only for domestic
fund transfer from one person to another.

The Usages of Credit Cards - The credit cards are used for the purchase of goods and services at Point of Sale
(POS) and E-commerce (online purchase)/ through Interactive Voice Response (IVR)/Recurring
transactions/ Mail Order Telephone Order (MOTO). Credit cards can be used for domestically and
internationally (provided it is enabled for international use). It can be used to withdraw cash from an
ATM and also for transferring funds to bank accounts, credit cards, debit cards, and prepaid cards inside
the country.

The Usages of Prepaid Cards- The usage of prepaid cards depends on who has issued these cards.
These cards issued by the banks can be used to withdraw cash from an ATM, shopping in malls, purchase
of goods and services at Point of Sale (POS)/E-commerce (online purchase) and for domestic fund
transfer from one person to another person. Such prepaid cards are also known as open system prepaid
cards. However, the prepaid cards issued by authorized non-bank entities can be used only for purchase
of goods and services at Point of Sale (POS)/E-commerce (online purchase) and for domestic fund
transfer from one person account to another account. Such prepaid cards are known as semi-closed
system prepaid cards. These cards can be used only nationally.

Types of ATM Frauds

ATM fraud is a Global Problem, approximately every country facing this problem. Crimes at ATM’s
have become a nationwide issue that faces not only customers but also bank operators.

3.1 Card Trapping- A crook installs something to block the cash from dispensing out of an ATM. A
customer will then go inside the bank for help and will return to find the cash stolen by a thief.
 Figure (2): Card trapping device.

Figure (3): Use of trapping device in an ATM ).

Cash Trapping/False Presentation-This fraud involves placement of money traps or false presenters in front
of an ATM dispenser. During the course of an otherwise normal transaction, an ATM dispenses notes
into the trap rather than present the money to the customer. Assuming the ATM has malfunctioned, the
customer leaves. Now, again criminal returns, removes the money trap or false presenter, and then
leaves with cash that was intended for the customer. Cash trapping commonly succeeds with insider
involvement.

Operational Fraud (Dispenser Manipulation, Fraudulent Issuance & Fraudulent Placements),

Dispenser manipulation- In this type of operational fraud case, the ATM is set up to dispense big
denominations as smaller ones, there- by giving out more money than should be dispensed. This is
possible by insider help or remote commandeering.

Fraudulent issuance- Here, a bank employee deliberately issues the card(s) and PIN(s) to wrong
claimants in disregard of the issuance verification procedures.

Fraudulent placements - This is a case where ATM card production requests are made without any
sign of interest from the account owner. This is commonly done by bank employees.

Physical attacks - Physical attacks are usually perpetrated to gain access to the cash and all valuable
ATM components like presenter and depositor, the top hat and the safe, or in some other cases, the
whole ATM. It depends on the fact that which component is targeted.
Because safe contains the cash and it is the first common target. The perpetrator’s efforts focus on the
locks, handles and hinges of the safe. In some cases criminals steal the ATM hard drive by attaching
skimming devices or USB devices to download malware. The presenter and depositor can be subject to
attacks where perpetrators attempt to access an ATM’s cash sources (deposits) therefore they will use
several methods: cutting (using gas cutter), drilling, pulling the safe door, burning devices (torch), using
pry bars, bombs and other explosive devices. Other physical attacks include attempt to remove the
ATM and move it to another location (theft of ATM), ramming the ATM with a car or truck, pulling it
by using a chain and a car, or lifting it by from its foundation with forklift.
 Phishing - It is a common way of crime. Criminals use many types of fraud email to attract bank users by
fake offers or fake websites. Using the technique of resembling, they resemble the original websites of many
academics, financial or institutions and seduce the user by gifts and other awards and ask detail of his
personal information such as account number, PIN number, credit card number or Security
Authentication Key (all personal detail of user). The most common type of phishing e-mail purports to
be a security message requesting user to validate his personal details or security questions. However,
criminals use this technique and find the user details.

How to protect from phishing?

 Always memorize: Never access Internet Banking through any link in an e-mail address.
 Always use official website of bank and Internet Banking Retail Login page for secure internet banking.
Bank sites are secured and a padlock symbol displayed in the original e-web page.
 Use a unique e-PIN so no one can trace it and change it regularly. Never show/give your e-PIN to anyone
– not even to bank employees because bank employees are not always trusted.
 Be very suspicious of any e-mail or phone call received from a business or person that asks for
your personal details like account or credit/debit card information, PIN number, personal ID number,
passport, and unless you have initiated the transaction. Similarly, be careful of any communication
that wants your personal information and asks you to update or confirm it.
 Activate SMS on your mobile number so that whenever any transition happens, a SMS comes on the user
number.
 Continuously check your transactions. Review your order confirmations, credit card and bank
statements as soon as you receive them to make sure you are being charged only for transactions that
you have made. Immediately report any suspicion to bank.

Malware – Several cyber security and cyber crime researchers say that there are many malware codes
having power to control the ATMs. Spider Labs, the forensics and research arm of TrustWave, found a
Trojan family of malware that infected 20 ATMs in Eastern Europe. The researchers advise that any time
when cyber war starts, then the malware may be also a tool for attack over the banks and credit unions, in the
world. The criminals use malware to take over the ATM to steal data, PINs and cash.

Skimming- Skimming is a technique to access the data of ATM card (account information from credit or
debit card). These informations is stolen by decoding the magnetic strip on the back of ATM card which has
ATM data stored.
Skimming can happen in two ways: At the ATMs kiosk and at the shopping complex, shops or
restaurants. At the ATMs kiosk, criminals use a device and this device is inserted in the ATM card slot.
So, when any user insert his card then this skimming device extract all informations stored in the
magnetic strip of card. This data is then wirelessly transferred to the criminals laptop or other device
and then this information are used to make the cloned card and withdraw cash at overseas ATMs, or online
shopping. In second method, card is swiped in many restaurants and shops. The card is swiped on the
skimmer (to collect data) and then the card or electronic data capture machine to make a genuine change.
But only employees of the shops or restaurants can do so. Skimming through ATMs is more
dangerous.
Shoulder Surfing- Shoulder surfing involves watching a person using an ATM pin pad. Criminals
normally take his position, so he can capture the entries of his / her PIN. Shoulder surfing is also possible
through the installation and use of miniature video cameras aimed to record PIN entry.

Other types of crimes

Ghost ATMs - These ATM are be also called as “Ghost ATMs”. In this type of ATM transaction
cannot, be performed because the ATM card reader is blocked by someone. So when any customer
swipe his card in ATM and enters his PIN number, then ATM is unable to do transaction but card
swiped and PIN number entered is present in the ATM. Criminals use this data and make a transaction
from the ATM.

Ram Raids - Criminals continue to target ATMs in various ways, with “RAM” raids happening more
often in the US. Ram raids are used by criminals who physically break down the ATM from any place
like any institution or public place. In Texas, the number of ram raids has spurred institutions to
cooperate with law enforcement, and a special task force has been formed to fight the raiders criminal.
The opportunity that some non-hardened criminals see is an external ATM that can be pulled out, loaded
with money. “So in terms of crimes of opportunity, people feeling desperate will attempt this crime.”

PIN ID’s - One of the other trends noticed is where criminals are testing systems to identify PINs. It is
also a similar technique where the criminal captures the data by using a magnetic stripe. They then go to
an online bank site with a script written on several well known PINs, and run it against the site until they
get a match.

Automated PIN Changes - Another trend seen is when criminals go through the financial
institution’s telephone banking service to change PIN numbers. By useing the ANI to change the
information on the phone they appear like they are calling from the consumer’s phone. If these type of
criminals find the basic information of a card holder like, user name, card account number, last four
digits of the social security code then they’re trying to take that information and go to the call center
and change the PIN number over the phone. Thus, while more time-consuming, the overhead cost is
cut to near nothing other than their own work to deceive the bank call center. Now, by using this
changed PIN, the criminals create the account.

SMS attacks - “Smishing” is the attack that comes through the Short Message Service (SMS) or text site
on a smart phone or a cell phone. In this technique criminals target the persons and ask for his personal
details such as account number, and PIN. When criminal finds the information makes then he makes
the clone of ATM or debit card and withdraws the money.

Pharming- As similar in nature to e-mail phishing, pharming seeks to obtain personal or private
information (usually financial related) through domain spoofing. This is made by using a spammed
with malicious and mischievous e-mail and request user to visit spoof links or websites which appear
legitimate, pharming ‘poisons’ a DNS server by infusing false information into the DNS server, resulting in
a user’s request being redirected elsewhere. Users browser, however, will show that he is at the correct
website, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to
scam people one at a time with an e-mail while pharming allows the scammers to target large groups
 of people at one time through domain spoofing.

Solutions for safe use of ATM

Track ATM fraud everywhere- The Banking Industry must consider a global view of ATM fraud by
tracking crimes related to ATMs in every part of the world, and proactively develop solutions to
minimize their materialization and the related losses.

Leverage on technological improvements- Deployment of biometric capabilities in ATMs

authentication systems. With biometrics, fraudulent incidents can be minimized, as an added layer of
authentication is introduced that ensures that even with the correct pin information and possession of
another person’s ATM card, the user’s biometric features cannot easily be faked. Migrate to EMV-chip
based card readers as magnetic strip is vulnerable to skimming. Activate E-alerts so as to notify the
account owner of movement on his/her account, especially debits. Consider viable ink stain
technologies that will ruin and make unusable any discarded banknotes.

Address human resource issues- Train the staff handling card requests and PIN issuances. Establish
clear job descriptions and accountabilities for the staff handling card/PIN requests and issuances. Review
remuneration of front office staff.

Rethink what constitutes Physical security- Engage the firms providing physical security to interest
them into broadening their understanding of security requirements that are adaptive to human behavior.
Use of effective surveillance systems; CCTVs, sensors that detect physical attacks, especially in remote
location

Stock management- Institute effective oversight over card operations, origination, production, storage and
issuance. Consider stock management and tracking systems.

How to protect yourself?

In the case of e-banking and ATM using, security is must because money loss is a big shock for a user.
Only care and security can make a customer safe. Few points for a safe banking:

A- In the case of using an Internet Explorer 7 by customer and the address bar turns RED, then do not
continue, as this is an indication that you are connected with a fake website.
B- User can also confirm that he is connected to the right server not with a fake site by clicking on the gold
padlock icon and then click on “View Certificates” to see you are connected to the right server or not.
C- If user suspects that he is a victim of phishing, pharming or any other cyber crime, then immediately
report the incident to bank.

Tips for a secure use of ATM

 The secure use of ATM is a tough issue for a customer. It depends on following points -
A. Choosing of ATM
B. Using an ATM
C. Managing ATM Use

Choosing an ATM

 If possible, use ATM’s which is used by many users. Otherwise, choose well-lit, well-placed ATM’s
where user feels comfortable.
 Look at the whole ATM area before approaching it. In general avoid using the ATM if there are any
suspicious looking individuals around or if it looks too isolated or unsafe.
 Avoid opening your purse, bag or wallet while in the queue for the ATM. Have your card ready in your
hand before you approach the ATM.
 Notice if anything looks unusual or suspicious about the ATM indicating it might have been altered. If the
ATM appears to have any attachments to the card slot or keypad, do not use it.
 Check for unusual instructions on the display screen and for suspicious blank screens. If you suspect that
the ATM has been tempered with, proceed to another ATM and inform the bank.
 Avoid ATM which has messages or signs fixed to them indicating that the screen directions have been
changed, especially if the message is posted over the card reader.
 Banks and other ATM owners will not put up messages directing you to specific ATMs, nor would they
direct you to use an ATM, which has been altered.

Using an ATM
 Be especially cautious when strangers offer to help you at an ATM, even if your card is stuck or you are
experiencing difficulty with the transaction. You should not allow anyone to distract you while you are at
the ATM.
 Check that other individuals in the queue keep an acceptable distance from you. Be on the lookout for
individuals who might be watching you enter your PIN.
 Stand close to the ATM and shield the keypad with your hand when keying in your PIN (you may wish
to use the knuckle of your middle finger to key in the PIN).
 Follow the instructions on the display screen, and do not key in your PIN until the ATM requests you to
do so.
 If you feel the ATM is not working normally, press the Cancel key and withdraw your card and then
proceed to another ATM, reporting the matter to your financial institution.
 Never force your card into the slot.
 Keep your printed transaction record so that you can compare your ATM receipts to your monthly
statement.
 If your card gets jammed, retained or lost, report this immediately to the bank and/or police using the help line
provided or nearest phone.
 Do not be in a hurry during the transaction, and carefully secure your card & cash in your wallet, handbag
or pocket before leaving the ATM.

Managing ATM Use

 Always memorize PIN and if required to write PIN, then use a disguised writing and always keep it secure
in a safe place. Never carry your PIN number in a written form.
 Never disclose your PIN to anyone, whether to family member, bank staff or police.
 Do not use obvious and guess numbers for PIN like your date of birth.
 Change your PIN from time to time and, if you think it may have been compromised then change it
immediately.
 Set your daily ATM withdrawal limit at your branch at the level you consider reasonable.
 Regularly check your account balance and bank statements and report any discrepancies to your bank
immediately.

Conclusion

ATM safety is a priority work of banks but it cannot be successful without the information and support
of customers. Every ATM fraud case must be registered and investigated by special cell of cyber
experts and police officers. A better awareness can ensure the secure use of ATM.

References

1. http://indiaforensic.com/atmfraud.htm.
2. http://www.bankinfosecurity.in/atm-fraud-7-growing-threats-to-financial-institutions-a-1523/op-1
3. http://www.iob.in/Essential_Card_Details.aspx.
4. https://www.rbi.org.in/Scripts/FAQView.aspx?Id=103.
5. h t t p s : / / w w w . i s a c a . o r g/ c h a p t e rs 2 / k a m p a l a / newsandannouncements/Documents/ATM
%20FRAUD- September%20Presentation.pdf
6. http://resources.infosecinstitute.com/bank-fraud-atm-security/
7. http://www.firstpost.com/investing/mumbai-atms-skimmed-how-to-protect-yourself-from-fraud-906335.html
8. http://www.atmonguard.com/safety/index.htm.