ATM security will take center stage next month in Scottsdale, Ariz., at the ATM Industry Association’s Security in the Americas conference, formerly known as ATMIA West.
Lana Harmelink, ATMIA’s international director of operations, said the event will focus on security and ATM threats, such as identity theft, card skimming and ram raids, that affect the industry throughout the world. The goal of the conference is to help financial institutions and independent deployers develop best-practice strategies to combat the fraud, she said.
"Part of what we’re trying to do is show what’s happening and where it’s happening, as well as the evolution of it all," Harmelink said. "Also, we’re trying to give a picture about how crime is migrating in the Americas."
As the rest of the world moves to comply with EMVCo.’s EMV (Europay, MasterCard, Visa) standard for chip and PIN, countries like the United States that continue to use magnetic stripes will be more vulnerable to fraud. Martin Lewis, who serves on the executive board of ATMIA’s Global ATM Security Alliance and manages ATM fraud control for United Kingdom payment association APACS, will host a presentation Friday, Sept. 15, about chip and PIN/EMV success in the U.K. Lewis will discuss how fraud has migrated since the U.K.’s conversion to the smart card.
Physical attacks garner attention across the globe
EMV is only part of the fraud-migration story, says Anna Istnick, Diebold Inc.’s senior product market manager. Ram raids, also known as smash-and-grabs, have taken the global lead, now accounting for more ATM-related attacks than any other type of crime.
"One of the most common crimes is brute-force attack. Physical raids in Australia and the U.K. and in the U.S., too, have taken the lead. We seem to see more brute force and ram raids than anything else," Istnick said. "We were just talking with some guys in Australia where the criminals drive their cars into the mall and take the ATM out of the food court, and they have a whole group of them that fight off police and others to get the ATMs. They have a system, and that system will get replicated in other parts of the world."
Understanding the system will help the industry fight fraud-migration, Istnick said, but it’s only part of the solution. Understanding the root cause of the fraud is the other, and that’s proved more challenging than deciphering the system, she said.
"Why are people taking cars and ramming into things? Or, in South Africa, why are they using explosives? It’s just hard times. That’s all I can think of. It’s just a reflection of desperation," she said.
Istnick will participate in a panel discussion that addresses the industry’s "biggest threats" Thursday, Sept. 14.
Istnick said the panel will explore ways the industry can expose global fraud trends, as well as figure out ways the industry can do a better job of sharing information.
"Globally, skimming would still be No. 1," she said. "But in North America, brute force attacks are now No. 1, and I’d say that’s happened over the last 18 months. In Asia Pacific, dispenser attacks would be No. 1. In Latin America and Canada together, card skimming is No.1, and secondary in the U.S. and AP (Asia Pacific). When you think about global fraud and what’s happening at the ATM, it’s the whole ATM perimeter that you have to protect —you need to worry about your entire environment, not just the card-reader or just the ATM itself."
Istnick said the industry has been pushed to think outside the ATM box.
"We’re really looking at helping the security assessment at the ATM perimeter, like vestibules that lock, more protective glass, cameras," she said. "And we’re even looking out and thinking outside the box, to solutions we use in remote-teller situations, where the money comes through a vat system (so the money is not kept at the ATM). It’s still getting money at the ATM; it’s just that the money is stored differently."
|
CONFERENCE EXHIBITORS
- 3SI
- ATMIA
- Cash Connect
- Columbus Data Services
- CSSI (Creative Strategic Solutions Inc.)
- DPL
- Elan Financial Services/Genpass
- Kaba Mas
- Palm Desert National Bank
- Pi Systems International
- Pulse EFT Association
- RBS Lynk
- Switch Commerce
- The Accel/Exchange Network
- NCR EasyPoint LLC (Tidel EasyPoint ATM)
- USA Payment Systems
- WRG Services Inc.
|
The conference’s focus on physical ATM attacks stems from a May conference sponsored and hosted by ATMIA and California-based Palm Desert National Bank in New York.
Jim Tingey, senior vice president of administration for PDNB’s Electronic Banking Division, will serve on Thursday’s panel with Istnick. Tingey was one of the catalysts for the New York conference.
Tying it all together
Security concerns are garnering more attention in the industry, says Peter Kulik, who manages electronic-funds-transfer products for Cincinnati-based Fifth Third Processing Solutions.
"Security is something that’s more at the forefront than it was 12 months ago," he said, "because fraud has been continuing to escalate. And that escalation has been more public — the media has latched onto it."
So the ATM industry is paying attention, Kulik said.
Kulik finds identity theft an interesting topic. In his Friday session about identity-theft prevention, Kulik will draw a connection between identity theft and ATM-related fraud when he explains, "Why identity theft matters for ATM deployers."
"Most ATM deployers don’t think about identity theft," he said. "And they don’t think about the impact of identity theft on the ATM business or what they can do to combat identity theft."
Kulik’s presentation will tie the ATM with identity theft from the transaction-authorization side.
"It costs all of us monetarily when a consumer falls victim to identity theft," Kulik said. "It also hurts consumer confidence. So, how can an ATM deployer work with the processor to turn down a transaction? When the acquirers aren’t liable for fraud, how can we combat fraud? Those are the types of questions the industry should be asking itself."
Mike Urban also plans to draw a connection between card fraud and the ATM during his Friday seminar, "Solving the Problem of Phishing and Internet Fraud."
"Compromised cards and PINs are used to perform fraud at the ATM, so it all ties together, even if the point of compromise is somewhere else," he said. "The ATM has become a target for criminals."
Urban has been expanding his well-known phishing presentation to include new types of phishing attacks, including those that use VoIP, and provide deployers with a list of 14 best practices for reducing phishing-threat levels.
Urban said ATMIA’s focus on security is a sign of changing industry times.
"I think ATMIA is reaching out to debit issuers and understands that ATM fraud is really only one aspect of card fraud," he said. "People often say there was ATM fraud on a card, but it wasn’t really the ATM that caused the fraud. Instead, it’s the issuer approving a transaction without having all the information needed to authorize the transaction, or the card has been compromised and the issuer has a hard time knowing whether or not that card came from the customer or not."
As the industry works to communicate and share more information with other parties involved in ATM transactions, fraud trends will more readily be identified and addressed, Urban says.
A new name, new agenda
To keep the focus on security, ATMIA is moving away from its East and West conference designation. Its annual fall conference will continue, but the annual focus is expected to stay on security. Harmelink said the shift will not stop the organization’s participation in additional security conferences.
Harmelink said industry leaders and strategists from every aspect of the ATM industry are invited, and an estimated 350 attendees are expected.
For conference-registration information and specials, contact Amber Howell.
