the risk management blog

ATM Fraud – An Internal Viewpoint

byLowers & Associates | February 04, 2013

Defined as the intentional act of trickery to unlawfully obtain funds from an ATM, most people associate ATM fraud with external crime, where the card or card number and associated PIN are illegally obtained by outside individuals, gangs, or even more sophisticated organized crime syndicates. Considered a form of identity theft by the Federal Trade Commission (FTC), while identity theft had been holding relatively steady for the last few years, the FTC cites a 20 percent increase in ATM fraud in 2011 alone.

From the onset of the proliferation in the use of ATMs, less sophisticated (but equally effective) methods of ATM fraud include such means as card trapping, skimming, and keypad overlays.  Trapping, as the name implies, is where the customer’s card is somehow trapped by the perpetrator only to be retrieved later. Skimming is where the perpetrator has put a device over the card slot of an ATM, which reads the magnetic strip as the user unknowingly passes his card through it.  These devices require the use of a miniature camera (inconspicuously attached to the ATM) to read the user’s PIN at the same time.

Lastly, where a hidden camera is not or cannot be employed, a keypad overlay can be used to match up with the buttons of the legitimate keypad below it [pressing them when operated], but records for or transmits to (wirelessly) the perpetrator the keylog of the PIN entries.  Collectively, the device(s) illicitly installed on an ATM is/are known as a “skimmer” and the process is known as “skimming”.

4 Most Common Types of ATM Cyber Fraud

Today, the criminals have gotten a bit more technologically sophisticated, with the most common types of ATM “cyber fraud” being:

  • Cassette Manipulation Fraud – Where the ATM is programmatically altered to dispense multiples of the withdrawal amount with a single cash withdrawal transaction.
  • Surcharge Fraud – The programmatic setting of the ATM surcharge to zero on the attacker’s card.
  • Confidentiality Compromise – Where the perpetrator gains unauthorized access to ATM system logs and the confidential information stored therein that can then be exploited.
  • Software Compromise Fraud – The catch all for all other ATM fraud that involves the exploitation of software vulnerabilities so as to manipulate the ATM operation itself.

Despite the variety of ways and means that such fraud can be affected, the fact of the matter is that ATM fraud is perpetrated externally, internally, and in some cases by way of some combination of the two.  In short, criminals have found that ATM fraud can be committed at lower personal risk, can often be very lucrative, and can usually be carried out without the need for physical force or a weapon.

While the scope of the problem is enormous, as we read/hear about it almost every day in the media, the total cost of ATM fraud in the U.S. is difficult to clearly establish, due in large part to organizations being very guarded about releasing such information as well as the varying forms in which this type of crime can occur.

What we do know is that fraud committed from the inside can be every bit as devastating as external ATM fraud.  Fraud committed by the actual person replenishing or servicing the machine can be as simple as pilfering small amounts at a time or more complex with a carefully orchestrated shell game, whereby larger amounts of funds in the machine are siphoned off undetected.

In this scenario, the fraudster carefully keeps the residual cash returned to the processing facility in line with the machine dispense totals by sharing (the same or another machine) ATM funds, which goes undetected by those responsible for balancing.  A two-person team for dual control, actually performing ATM replenishment, may reduce the opportunity for loss, but may not be practical from a cost standpoint.  One ATM servicer alone can have access to over one hundred machines, allowing for an opportunity to steal in excess of a million dollars, undetected for years.  These crimes are often times uncovered through mere accident with a fraudster getting out of his or her routine, causing an out-of-balance situation identified at the processing facility and a resulting investigation.

Reducing the Potential for ATM Fraud

Some fundamental controls that should be in place to mitigate ATM losses include proper registering, issuance and return, inventorying, and storage of access devices, along with completion and accountability of servicing documentation.  These fundamental controls are very important; however, they may provide little resistance to the loss in the example above.

As an ATM service provider, there are some additional measures that can be implemented to reduce the potential for ATM fraud occurring, or at least from growing out of control:

  • Rotate the ATM servicers, so that no one person handles the cash exclusively for a machine over a specified point.
  • Develop an ATM cash audit program where the servicers’ machines are randomly inspected onsite and balanced by a designated two-person audit team at a specified interval.  Greater emphasis and frequency should be with ‟cash-add″ serviced machines.

The latter approach is only as effective as the program implementation.  From a practical standpoint, only a small number of the total machines serviced may be audited.  However, a significant benefit of deterrence can come from creating awareness with the servicer that any of their machines may be subject to a cash audit at any time.

Preventive measures are typically stifled with cost constraints, particularly where the needs and sense of urgency can be somewhat ambiguous to certain people.  However, when a devastating situation unfolds, the need for adequate internal controls becomes quite obvious.  While any preventive approach is an expensive one, the cost of not doing enough may be far greater in the long run.

The need for the financial services industry as a whole to embrace and apply universal fundamental cash handling standards is imperative. Financial institutions doing business with the various vendors should be able to have confidence that these standards are being followed.  There should be absolute transparency with the vendors, so the financial institution can see that the appropriate controls are in place and consistently followed, as well as have the ability to have a full audit of all customer inventories, not just their own, whenever requested.

Lowers & Associates (L&A), an international risk management firm, with extensive experience in the cash handling industry, knows and understands the “best practices” used today. L&A has various programs with the leading CIT carriers and insurers to both conduct surveys to evaluate internal controls compliance, as well as perform full inventory cash and coin audits.




Lowers & Associates provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly-regulated environments and organizations that value risk mitigation.
View all posts by Lowers & Associates >