[Dave Birch] I’ve been thinking about ATMs this morning because of the news that

the man credited with being the inventor of the world’s first hole-in-the-wall cash dispenser has died in hospital following a short illness. John Shepherd-Barron… died at Inverness’s Raigmore Hospital on Saturday, at the age of 84.

[From BBC News – Inventor of cash machine, John Shepherd-Barron, dies]

It’s astonishing, really, how quickly the ATM permeated society. Today it is taken for granted. But will it be around for long? There are some signs that the days of the ATM are waning.

SIGNS are emerging that Australia is moving towards a cashless society, with the number of consumers making ATM cash withdrawals dropping to the lowest point in more than six years.

[From Cash transactions on their way out | The Australian]

I shouldn’t think the ATM manufacturers are throwing themselves off of buildings just yet. So long as people continue to use cash, the ATM is here to stay, and despite the best efforts of e-payment fanatics such as yours truly, they’re going to be here for some time. But that wasn’t what I was thinking about, because I’m in the middle of doing some work on trends in security technology for one of our UK customers, so what I was thinking was that ATMs will remain a focus for attack: the bad guys know that there is where the money is too.

Last time I looked at the statistics, the no.1 country for fraud committed on UK-issued payment cards was Canada. Now that the UK has migrated to chip and Canada is migrating to chip, will this change? I’m told, by a reliable source, that in Canada the authorities are currently discovering around 40 compromised POS terminals every day, so it is clear to me that the bad guys are absolutely on top of the situation. They are not trying to compromise chip cards at all, simply to steal the PINs and magnetic stripe details. This is less and less effective on UK cards, since the introduction of ICVV, so the criminals are reorganising their supply chain for compromised card details and sourcing cards from other markets to be used in other markets, just like any other global business. As noted some time back

there’s just no near-term business case for payments companies to adopt EMV technology in the US based on reduction in fraud

[From Javelin Strategy and Research » Payment card security and EMV: ooh boy, get ready for misinterpretation]

James is, as usual, correct. If my (UK) card details are stolen and used to create a counterfeit magnetic stripe card that is used in a (US) ATM, then the loss falls on the (UK) card issuer. So what’s the incentive to change? Of course, the dynamics will shift as chip migration spreads. In Latin America, where Brazil and Mexico are migrating to chip, there’s already evidence of fraud being displaced to surrounding countries: what if, eventually, all of the world’s fraud will end up in the US, at which point non-US issuers will simply start declining all US ATM transactions!!

In Europe, the picture is much better. The detailed European ATM fraud figures for 2009 were published by EAST and they show a drop of a third in ATM-related fraud losses (down to EUR312m). International losess due to skimming fell by 43%, largely because of EMV roll-out at ATMs and the introduction of ICVV (so that card details stolen at POS cannot be used to create counterfeit magnetic stripe cards to be used in ATMs in non-EMV countries). Note, however, that…

Despite this drop in losses, overall ATM related fraud attacks rose 8% with a total of 13,269 incidents reported. This rise has been led by a 209% increase in the number of cases of card trapping while the total number of skimming incidents reported decreased by 1% over the same period. EAST first reported an increase in card trapping incidents at the end of the first six month period in 2009 and the figures for the second six months have shown a further increase. Assuming the PIN has been compromised, a captured EMV card can be fraudulently used at EMV compliant ATMs and other payment terminals, until it is blocked by the issuing bank.

[From Welcome to EAST]

Other good news…

Physical attacks on European ATMs, have fallen by 2% when compared with 2008 (down from 2,520 to 2,468 incidents), primarily due to a decrease in the number of reported ram raids and ATM burglaries. Despite this drop in incidents, overall losses rose 7% to €28 million (up from €26 million in 2008). Attacks on staff involved in the cash replenishment and servicing of ATMs rose by 40% (from 365 to 510 incidents) although the number is still well below the 1,950 cases reported in 2007.

[From Welcome to EAST]

In some markets, I’d be prepared to guess (I don’t have any actual figures to hand) that one of the growth areas for ATM crime is insider attacks.

A Bank of America IT worker has been charged with hacking the firm’s cash machine systems, enabling him to make withdrawals at ATMs without the transactions getting logged, according to IDG.

[From Finextra: BofA IT worker charged with ATM hack]

Of course, some people still rob them the old way (the “physical attacks” referred to above).

Independent retailers in Northern Ireland have called for the creation of an ATM crime task force after a gang used a mechanical digger with a telescopic arm to rip out a cash machine from a petrol station in County Antrim – the 18th such incident of its kind in recent months.

[From Finextra: Northern Irish ATM digger-jackers hoist 18th machine ]

We can stop ATM crime: we just need to get rid of ATMs to do it, and that’s no disrespect to the memory of John Shepherd-Barron.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: