ATM Scam: Another Case of Universal Access?
On Monday, the Winnipeg, Canada Police Service issued a news release about a scam at a hospital-owned ATM. The scam led to the theft of up to CAN $2 million over what may have been a 10-year period. Constable Jason Michalyshen and Heidi Klaschka, the Misericordia Health Centre's director of communications, confirmed that no cardholders had been compromised, and no skimming device had been discovered.
The fraud, which had gone undetected for years, was uncovered by the hospital during an internal investigation. In April, the hospital turned the matter over to police, and decided to outsource the management of the ATM to an unnamed third-party.
It's surprising how common, simple steps to enhance security are often overlooked.
The police are looking into the possibility that the machine was compromised by someone responsible for replenishing its cash, as well as its servicing and maintenance.
Klascha says the hospital incurred the financial loss, which is expected to be covered, at least in part, by the hospital's insurance. No cardholders who have used the machine have cause for concern, she adds. "It's strictly a theft of funds related to our ATM machine."
Beyond those bare-bone facts, neither the hospital nor the police could confirm any details, such as the model of the ATM or how an external forensics audit was able to link the loss of funds to the hospital's machine.
It's a curious case. In my opinion, one of two scenarios is likely to blame. In fact, one of my scenarios resembles the problem we're now seeing with pay-at-the-pump terminals, where universal keys remain the industry standard for terminal access. It's surprising how common, simple steps to enhance security are often overlooked.
Scenario 1: It sounds like the hospital was replenishing the terminal with its own funds, so there were no controls in place from a vault cash provider. Michalyshen says simply, "Accounts associated with that machine may have been manipulated over a number of years."
If the machine was replenished by the hospital and cash used to fill the machine was taken from various hospital accounts, it would have been relatively easy for someone to embezzle.
Scenario 2: The machine was recoded, so that the cash cassette that holds $20 bills kicked into gear when what should have been drawn from was the cash cassette that holds $10 bills. Thus, the ATM recorded a $40 transaction when $80 was actually dispensed.
Where internal players are involved, this sort of scam is easy to pull off. Here's why: It does not have to be constant. The machine's coding can be changed for any length of time - getting in and changing the code is easy. And if a passerby happens upon the terminal while it's dispensing double the amount requested and deducted, the user is not likely to report the incident.
I suspect this was an internal scam, so recoding was managed well, with the perpetrator watching the terminal closely to ensure no passersby happened to use the machine while it was over-dispensing. The recoding would likely have taken place at night, when foot traffic is low.
This recoding scenario was common five to 10 years ago at off-premises retail ATMs. Why? Because retailers were replenishing their own ATMs, so to keep the code easy to remember, they just used the standard manufacturer's code - which oftentimes was a 1234567 combination. Any employee who knew the code could easily pull off the scam.
Manufacturers catering to the off-premises space have since addressed the issue, so new ATMs that hit the market don't rely on universal codes. But legacy terminals still used in the field are vulnerable, and it's up to the ATM's owner to recode the machine for access.
What's so ridiculous about the universal coding issue is that it remains common practice at pay-at-the-pump terminals, where technicians access machines with universal keys. A recent case of skimming devices found on nearly 200 gas terminals in Utah proved universal keys to be the weak link.
I guess I've become a little hardened on this issue because I've written about it for so long. But I just don't see how this type of mismanagement continues. I'll be anxious to see how the ATM fraud case in Winnipeg, Canada, unfolds. My scenarios could be completely off. But if the manufacturer's code was in fact the weak point for the hospital scam, I hope other off-premises ATM deployers, such as retailers and hotels, learn from the lesson.