ATM Fraud on parade


ABIMBOLA TOOKI, in this report, reveals some of the ways by which unsuspecting victims fall prey to ATM fraudsters in Nigeria.

A man walked into the banking hall of one of the new generation banks’ branches in Ikeja, Lagos, looking very angry and livid with rage. Gbam! He banged the desk in front of the customer care lady sitting at one corner of the banking hall and shouted: “What kind of nonsense is this? What kind of useless bank is this? You people are joking if you think my money can just disappear like that. Believe me! I just got a text from you people informing me of a cash withdrawal of N500,000 from my account on an ATM card that I never collected from you. You must return my money right now or I take you to court!” The man was ranting away in fury.
It was at this point that I realized the man had fallen victim to ATM fraudsters. So many other Nigerians have fallen victim the same way, but such incidents go unreported.
ATM technology was introduced to make life more comfortable and free of long queues in banking halls. For years, the only purpose of depositing money in banks was to keep it in a safe place or earn very small interest. But now, banking has entered our day-to-day life. The objective of banking has changed, from keeping money in a safe place to using your money in different ways for your comfort and needs anytime and anywhere. With an ATM, there is supposed to be less risk of robbery and employee theft. Unfortunately, that’s what some criminals are banking on.

What ATM Fraudsters Want
All they want is customer access information, which includes card details and PINs, or access to cash owned by the bank or other customers. The main cause of successful ATM fraud in Nigeria is loopholes left unplugged by stakeholders in the ATM business. These security loopholes are found in ATM software, ATM hardware, ATM implementation/maintenance and debit/credit cards, alongside culture-induced loopholes.

Loopholes in the ATM Software
Operating system vulnerabilities are a major challenge to the successful operation of ATMs in Nigeria. OS/2 was the de facto ATM operating system until 2006 due to many observed vulnerabilities. International Business Machines (IBM) discontinued OS/2 in 2006. Investigations show that some banks’ ATMs still operate on this system, which explains why most ATM fraud cases happen in those banks.
Investigations also revealed that some ATM applications fail to detect transaction reversal fraud. For instance, a criminal requests N20,000 and the ATM dispenses N20,000, but the criminal picks only N5,000 from the middle of the pack, without disturbing the stack. The ATM then times out and sends an error message to the bank. The ATM retracts the notes into the retract bin of the dispenser without counting them. The customer’s account is credited back with the value of the cash dispensed. The ultimate consequence is that the bank has lost N5,000. Simple.
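The reversal flaw described above comes down to crediting back the amount dispensed rather than the amount actually counted into the retract bin. The sketch below is an added illustration, not code from the article or from any ATM vendor: the record fields and function names are hypothetical, it assumes a dispenser that can count retracted notes, and it replays the article's N20,000 case with constructed sample data (N1,000 notes).

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TimedOutWithdrawal:
    """One withdrawal that ended in a presenter timeout (hypothetical record)."""
    txn_id: str
    note_value: int                  # denomination in naira
    notes_dispensed: int             # notes presented to the customer
    notes_retracted: Optional[int]   # notes counted on retract; None = not counted


def naive_reversal(w: TimedOutWithdrawal) -> int:
    """Flawed rule from the article: credit back everything that was dispensed."""
    return w.note_value * w.notes_dispensed


def reconciled_reversal(w: TimedOutWithdrawal) -> Tuple[int, bool]:
    """Credit only what was counted back in; return (credit, needs_review)."""
    counted = w.notes_retracted
    if counted is None or not 0 <= counted <= w.notes_dispensed:
        # No trustworthy count: credit nothing automatically, route to manual review.
        return 0, True
    # A short count is credited for the counted notes only and flagged.
    return w.note_value * counted, counted != w.notes_dispensed


def bank_loss(credited: int, note_value: int, notes_returned: int) -> int:
    """Amount credited to the customer beyond the cash that really came back."""
    return max(0, credited - note_value * notes_returned)


# Constructed sample: 20 x N1,000 dispensed, 5 notes removed, 15 retracted.
SAMPLE = TimedOutWithdrawal("TXN-0001", 1000, 20, 15)
# Constructed sample: same withdrawal on a dispenser that did not count the retract.
UNCOUNTED = TimedOutWithdrawal("TXN-0002", 1000, 20, None)

if __name__ == "__main__":
    print("naive credit:", naive_reversal(SAMPLE))
    print("naive loss:", bank_loss(naive_reversal(SAMPLE), 1000, 15))
    credit, review = reconciled_reversal(SAMPLE)
    print("reconciled credit:", credit, "review:", review)
    print("uncounted retract:", reconciled_reversal(UNCOUNTED))
```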
Standard Windows XP is also vulnerable. According to Benedict Anyalenkeya, head, ATM/POS/Web Service at First City Monument Bank Plc, a special card used by fraudsters grants them access to an ATM running Windows XP. The card logs all information on the ATM card reader and captures the card details and PINs of cards that have previously been used on the machine. “A Nigerian criminal confessed to using this lately,” Anyalenkeya confirmed.
Some ATM software responds to multiple key requests during a transaction. What fraudsters do in this regard is simple. The user inserts the card and enters the PIN. A fraudster, dressed like an engineer, shows up saying the machine is bad and advises the user to retrieve the card. The user presses the cancel key continuously till the card is ejected. The user leaves while the fraudster waits. The ATM receives the correct response and the fraudster collects the cash.

Loopholes in the ATM Hardware
Vulnerabilities in the back-end servers housing ATM transactions give fraudsters access to customer details. Hardware compromise makes it possible to retrieve customers’ PINs. Two Cambridge University researchers found a loophole in hardware manufactured by most ATM manufacturers. When a customer enters his PIN into the ATM, the PIN and card number are combined into a format (PIN block), scrambled and passed along the network.
The PIN block may travel through several networks before it arrives at the acquiring bank’s network. At each network (router), the PIN block is unscrambled and rescrambled with a new key on a machine (hardware security module). At these intermediate points, hackers may trick the machine into divulging the PINs.

Physical Access Security Loopholes
Research also revealed that insecure access creates loopholes, enabling fraudsters to attach the following onto the machines: fake card readers, fake keypads (‘tear rubber’) and false presenters. ATM providers install dummy machines that capture the card and PIN. On insertion of the card and inputting of the PIN, the card is seized. When the user walks to his bank to complain, the perpetrators eject the card and pick up the PIN via a key logger installed on the machine.
Fraudsters can also own and install their own machines in public places. According to industry analysts, the era of the Central Bank of Nigeria requesting private companies to own ATMs in public places could pose some challenges. This is because dummy machines loaded with key loggers and cameras can easily capture cards and their PINs.

Loopholes from Poor ATM Implementation
Investigations show that some managers of ATMs in some Nigerian banks don’t care to change the manufacturer’s default password, even though ATM card users are advised to change their PIN before they start using it. Not changing the manufacturer’s password can lead to insider abuse. The habit of “one key opens all” gives internal staff access to the USB drive. Also, implementation by rookie bank staff/consultants most times leaves the following questions: How many safe keys are supplied? Does the bank staff know? Who keeps the spare safe key? Is the USB drive disabled during implementation? When the machine needs maintenance, who provides the changed password to the maintenance team? Is it changed after the exercise?
Poor positioning of the ATM during deployment may also assist criminals in shoulder surfing. The ATM PIN pad is designed to ensure the user’s body covers the keyboard during use. Some banks place their ATMs very high, thus negating the objective and making shoulder surfing easy.
Poorly implemented communication infrastructure can expose the ATM network to data sniffing. If a T-connector is used for the ATM network, data could be picked from the connection edge.
Also, from switches, networks can be infiltrated through the web via SQL injection on an open port (80) where no traffic is blocked. This allows the attacker to bypass firewalls, enter, gain admin access to domain controllers and collect card numbers and PINs.

Debit/Credit Card & PIN Loopholes
From the banks, improper encoding of cards on track 2 makes them vulnerable to cloning. Improper education of card users, insecure card/PIN generation processes in the banks, improper segregation of duty between card issuer and PIN issuer, and debit cards left in the hands of a third party for too long without collection or destruction could lead to fraud.
Poor physical access control to personalised cards can lead to theft of cards, as can the stealing of wallets and purses. Dumpster diving (discarded receipts), shoulder surfing, POS terminals (sniffing) and pretending to make a call while recording with a camera phone are all possible ways of stealing through ATMs.

Loopholes Due to Culture
Placing too much trust in third parties can lead to ATM fraud. Fake bank employees also exploit the lack of awareness among users to perpetrate fraud. Anyone who dresses like a banker is trusted by everyone to be a banker. Seeking help from well-meaning strangers, as well as ATM Error (promo), makes users vulnerable.
Strange requests for your card number/PIN via e-mail from your bank, e-mails from a fake Interswitch, and messages from a mobile provider, such as an SMS telling the user he has won N100,000 in the latest Globacom promo, Who Wants to Be a Millionaire and so on, are possible ways of falling victim.