Japan ATM Cash-Out Scheme: Lessons for India
Vigorous Fraud Detection, Transaction Anomaly Monitoring Needed
A Japanese ATM cash-out scheme that stole $19 million from South Africa's Standard Bank in less than three hours comes as a wake-up call for India - a market that still has a large number of magnetic-stripe cards and unsophisticated ATMs. (See: ATM Security: Fundamental Changes Overdue)
More vigorous fraud detection and transaction anomaly monitoring might have helped detect the Japanese heist sooner. But as long as ATMs continue to accept magnetic-stripe cards, cash-outs will pose a risk. (See: Alert: Indian ATMs face New Attacks)
Although the Reserve Bank of India has mandated that all cards issued after January of this year should be EMV chip-and-PIN cards, migration of existing magnetic-stripe cards won't happen before the end of 2018.
"Most of the debit cards in India are mag-stripe only even today," says Dr. Onkar Nath, ex-CISO Central Bank of India and security strategist based in Mumbai. "Not just that, some of the chip-based cards in India still have mag-stripes on them, and all international credit cards are chip-based together with mag-stripe. This is not the first incident of card cloning, and many cases have been reported in India, too."
Current statistics from RBI indicate that India handles around 700 million ATM transactions and 112 million POS transactions, completed over 2 lakh ATMs. "If a similar incident happens in India, ramifications would be really very alarming," warns Mumbai-based Nitin Bhatnagar, Cyber Security Researcher and Head of Business Development, SISA Information Security. (See: ATM Security: The Fundamental Flaws)
Standard Bank did not respond to Information Security Media Group's request for comment. But according to news reports from Reuters and others, the cash-out scheme is believed to be linked to a sophisticated criminal group that has extensive knowledge about how ATM transactions are accepted and transmitted in Japan.
Approximately 1,600 counterfeit mag-stripe debit cards cloned from card data stolen from Standard Bank accounts were used between the hours of 5 a.m. and 8 a.m. on Sunday, May 15, at 1,400 ATMs located in 7-Eleven convenience stores in Japan, Reuters reports. Those ATMs are owned and operated by Seven Bank, one of only two banks in Japan that accept cards from other countries, CNN Money reports.
By the time the pattern was noticed, $19 million was already gone, Standard Bank told Reuters.
Seven Bank and its parent company, 7-Eleven, did not respond to ISMG's requests for comment.
The well-organized scheme in Japan likely involved criminals with in-depth knowledge of the Japanese banking system, security experts say. The attacks targeted off-premises ATMs, which often have less surveillance than branch ATMs, and occurred after bank business hours in both Japan and South Africa.
"I strongly suspect there was some inside involvement with this organized fraud ring, i.e., current or former bank employees who were familiar with the hours ATM activity is monitored, what rules are set up to raise red flags, how long it would take the bank to notice and shut down fraudulent activity, and associated bank procedures," says Shirley Inscoe, a financial fraud analyst at consultancy Aite. "Off-premises ATMs are often targeted by fraud rings. It is easy to add hardware and cameras, and visual inspections of the machines happen far less often than with on-premises machines. It is a best practice for consumers never to use these machines, but consumers often opt for convenience over security."
A Global Trend?
Experts for years have warned of upticks in ATM cash-outs. For example, back in late 2013, federal authorities announced arrests linked to a $45 million ATM cash-out and prepaid card scheme that targeted banks throughout the world in late 2012 and early 2013 (see New Arrests in $45 Million ATM Cash-Out).
As more markets ramp up migration to EMV cards, which help prevent counterfeiting, fraudsters will work overtime to get as much bang for their cash-out buck as they can before the mag-stripe completely disappears (see ATM Cash-Out: Why Banks Are at Risk and Why We Can Expect More ATM Cash-Outs).
"Cash-outs continue because it's the most direct route to stealing cash," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "It's much more direct than selling goods bought with stolen cards or taking over online bank accounts. With ATM cash-outs, the cash simply spews out of the ATM - a criminal's dream come true."
Criminals use the information to manufacture counterfeit debit cards that can be used to withdraw cash at an ATM or make a purchase in a store or online. "Such organized financial crimes don't see any boundaries, and attackers are always working hard to find the weakest link within the system to exploit," says Bhatnagar of SISA. "Interestingly, many of the ATM incidents involve some of the long-established techniques, and banks haven't been doing much to mitigate such risks."
Are Indian Banks Prepared?
India is already witnessing ATM skimming frauds, as well as cash-out schemes using cloned cards, which are common and are getting more sophisticated day by day. Moving completely to chip-based cards will not put an end to such fraud incidents, warn experts. Banks need to couple the move with better monitoring and detection methods to counter the risk.
Yet, many of the banks in India do not have ATM transaction anomaly monitoring in place. "Monitoring and detecting anomaly transactions, for instance, consecutive withdrawals using the same card at locations that are far apart, is a very crucial aspect," says Prakash Joshi, COO - Electronic Payments and Services, a third-party service provider that deploys and operates ATMs for banks in India. "Unfortunately, banks in India do not use such transaction detection systems, as it requires huge investment."
Owen Wild, global director of security solutions at ATM manufacturer NCR, says banks and credit unions also must have multilayered defenses in place to detect the more sophisticated types of cash-out schemes. The combination of data, analytics, rules and real-time monitoring will enable financial institutions to monitor both the cards and the terminals on which the transactions are initiated for the likelihood of suspicious behavior, Wild says.
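The anomaly Joshi describes, consecutive withdrawals on the same card at locations that are far apart, can be expressed as a geo-velocity rule over ATM transaction records. The following Python is an added example, not code from any bank, vendor or expert quoted in this article; the record fields, thresholds, ATM identifiers and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_impossible_travel(txns, max_kmh=900.0, min_km=50.0):
    """Return (card, earlier_atm, later_atm, km, hours) for each pair of
    consecutive withdrawals on one card that imply travel above max_kmh."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t["card"]].append(t)
    alerts = []
    for card, rows in by_card.items():
        rows.sort(key=lambda t: t["ts"])
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # Ignore nearby ATMs; zero elapsed time at distance is always a hit.
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append((card, prev["atm"], cur["atm"], round(km), round(hours, 2)))
    return alerts

def txn(card, ts, atm, lat, lon):
    """Build one withdrawal record (hypothetical schema; timestamps in UTC)."""
    return {"card": card, "ts": datetime.fromisoformat(ts), "atm": atm, "lat": lat, "lon": lon}

# Constructed sample data, not real transactions.
SAMPLE = [
    txn("card-A", "2024-01-06T18:10:00", "ATM-JNB-01", -26.2041, 28.0473),  # Johannesburg
    txn("card-A", "2024-01-06T21:05:00", "ATM-TYO-07", 35.6762, 139.6503),  # Tokyo, under 3h later
    txn("card-B", "2024-01-06T09:00:00", "ATM-MUM-03", 19.0760, 72.8777),   # Mumbai
    txn("card-B", "2024-01-06T09:20:00", "ATM-MUM-09", 19.2183, 72.9781),   # Thane, about 19 km away
    txn("card-C", "2024-01-05T08:00:00", "ATM-MUM-03", 19.0760, 72.8777),   # Mumbai
    txn("card-C", "2024-01-06T12:00:00", "ATM-DEL-02", 28.6139, 77.2090),   # Delhi, 28h later
]

if __name__ == "__main__":
    for alert in flag_impossible_travel(SAMPLE):
        print(alert)
```

A rule like this only fires for cards that have a recent earlier withdrawal to compare against, so it sits alongside the terminal-side and real-time monitoring Wild describes rather than replacing it.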
"In order to conquer ATM frauds, banks should have designated operation time for offsite ATMs, use of biometric security for authentication, 24/7 ATM logging and monitoring to curb this threatening crime," recommends Bhatnagar.
As banks in India still largely outsource many of their financial services, they are exposed to various risks. "Banks should ensure stringent audit coverage for service providers," says Nath.
Indian CISOs can look at some of the best practices followed by their global counterparts, say experts. For example, U.S. and E.U. banks have put neural technology in place to track anomalies. Some larger U.S. banks are already considering additional out-of-band authentication that can help to verify the authenticity of ATM transactions.
Executive Editor Tracy Kitten contributed to this report.