Lessons From ATM Cash-Out Scheme in JapanVigorous Fraud Detection, Transaction Anomaly Monitoring Needed
A Japanese ATM cash-out scheme that stole $19 million from South Africa's Standard Bank in less than three hours illustrates why devising better ways to mitigate the risks posed by such schemes must be a priority for financial institutions in those markets - including the U.S. - that still rely on magnetic stripe debit cards.
See Also: Ransomware: The Look at Future Trends
More vigorous fraud detection and transaction anomaly monitoring might have helped detect the Japanese heist sooner. But as long as ATMs continue to accept magnetic-stripe cards, cash-outs will pose a risk. In the U.S., most ATMs are not expected to begin accepting chip cards until the end of 2016.
"We should be concerned. The fraud activity isn't isolated to Japan. It could happen any place," says one executive with a leading U.S. card issuer, who asked not to be named. "Most issuers don't have numerous rules surrounding ATM activity because it is relatively small volume compared to the amount of spend. It is likely a few of these accounts cued someone and the pattern was noticed as being a trend."
But by the time the pattern was noticed, $19 million was already gone, Standard Bank told Reuters.
Standard Bank did not respond to Information Security Media Group's request for comment. But according to news reports from Reuters and others, the cash-out scheme is believed to be linked to a sophisticated criminal group that has extensive knowledge about how ATM transactions are accepted and transmitted in Japan.
Approximately 1,600 counterfeit mag-stripe debit cards cloned from card data stolen from Standard Bank accounts were used between the hours of 5 a.m. and 8 a.m. on Sunday, May, 15, at 1,400 ATMs located in 7-Eleven convenient stores in Japan, Reuters reports. Those ATMs are owned and operated by Seven Bank, only one of two banks in Japan that accepts cards from other countries, CNN Money reports.
Seven Bank and its parent company, 7-Eleven, did not respond to ISMG's requests for comment.
The well-organized scheme in Japan likely involved criminals with in-depth knowledge of the Japanese banking system, security experts say. The attacks targeted off-premises ATMs, which often have less surveillance than branch ATMs, and occurred after bank business hours in both Japan and South Africa.
"I strongly suspect there was some inside involvement with this organized fraud ring, i.e., current or former bank employees who were familiar with the hours ATM activity is monitored, what rules are set up to raise red flags, how long it would take the bank to notice and shut down fraudulent activity, and associated bank procedures," says Shirley Inscoe, a financial fraud analyst at consultancy Aite. "Off-premises ATMs are often targeted by fraud rings. It is easy to add hardware and cameras, and visual inspections of the machines happen far less often than with on-premises machines. It is a best practice for consumers never to use these machines, but consumers often opt for convenience over security."
A Global Trend?
Experts for years have warned of upticks in ATM cash-outs. For example, back in late 2013, federal authorities announced arrests linked to a $45 million ATM cash-out and prepaid card scheme that targeted banks throughout the world in late 2012 and early 2013 (see New Arrests in $45 Million ATM Cash-Out ).
As more markets ramp up migration to EMV cards, which help prevent counterfeiting, fraudsters will work overtime to ensure they can get as much bang for their cash-out buck before the mag-stripe completely disappears (see ATM Cash-Out: Why Banks Are at Risk and Why We Can Expect More ATM Cash-Outs).
"Cash-outs continue because it's the most direct route to stealing cash," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "It's much more direct than selling goods bought with stolen cards or taking over online bank accounts. With ATM cash-outs, the cash simply spews out of the ATM - a criminal's dream come true."
But the recent Japanese cash-out scheme appears to have been more sophisticated and targeted than most because it involved only 7-Eleven ATMs in one country using counterfeit cards stolen from only one bank, Litan adds.
"It is rather surprising that the thieves got away with this, given that Standard Bank is relatively sophisticated and has advanced fraud detection systems," she says. "I am guessing the criminals identified a very particular security weakness in Standard's fraud-detection system related to foreign magnetic-stripe cards used at foreign, low-tech ATMs. Certainly these less-sophisticated ATMs have less of their own fraud controls, for example, against skimming. And they also typically don't have the ability to detect abnormal access activity at the ATM itself."
But the executive at the card issuer who asked not to be named says Standard Bank deserves credit for detecting the scheme in less than three hours. Had counterfeit cards from numerous banks been used, he says, detection would have been even more difficult.
How Should Banks Prepare?
Monitoring for anomalous activity, such as detecting foreign cards being used multiple times at multiple ATMs over a short period of time, is essential to the fight against cash-out schemes, says Gray Taylor, a payments expert who is executive director of Conexxus, a convenience store and petroleum industry technology association.
"U.S. and E.U. [European Union] banks have put in the neural technology to track anomalies like this," he says. "That is why, sometimes frustratingly, you get declined when you try to use your card in a new country or city. Simple parameter-driven sentinels would have seen the spike in foreign transactions from one country and notified Standard Bank to shut down and verify."
More video surveillance at ATMs is also needed to fight fraud, Taylor adds. "Most off-premises ATMs do not have dedicated video. The U.S. Secret Service has noted this is also a cause for third-party ATM fraud in the U.S. - the video has the ATM off in the distance, and perps can't be identified."
Owen Wild, global director of security solutions at ATM manufacturer NCR, says banks and credit unions also must have multilayered defenses in place to detect the more sophisticated types of cash-out schemes.
"The combination of data, analytics, rules and real-time monitoring will enable financial institutions to monitor both the cards and the terminals on which the transactions are initiated for the likelihood of suspicious behavior," Wild says. "But in order for the maximum level of security of the transaction, full and complete implementation of the EMV standards is required through the processing chain."
Some larger U.S. banks are already considering additional out-of-band authentication that can help to verify the authenticity of ATM transactions to reduce risks associated with cash-outs, says John Gunn, a vice president at VASCO Data Security.
"We are already seeing large banks moving to integrate ATM security measures into their mobile banking applications," he says. "It is easy for fraudsters to buy stolen cards to make unauthorized withdrawals. But it's nearly impossible to commit theft if they must also have the intended victim's mobile phone physically at the ATM at the same time. You can expect to see banks leverage customers' mobile phones to reduce fraud across all channels in the future."