Introduction:
The old financial method of commerce was without the use of physical cash. Thus, an entire transaction consisted only of exchange of goods popularly called “trade by barter”.
As commerce and business transaction became more complex, the use of monetary instruments as a unit of exchange replaced the barter system and money in various denominations was used as the sole purchasing power.
However, as the volume of commerce and business transaction increased, huge monetary sums were required for some form of transactions which made paper and metal based currency become more cumbersome and it heralded the use of “plastic money” in the form of credit cards, debit cards. Apparently, this has resulted in the increasing use of Automated Teller Machine (ATM) all over the world.
The use of ATM is not only safe but is also convenient. This safety and convenience, unfortunately, has an evil side as well that do not originate from the use of plastic money but rather by the misuse of the same.
Over the years, consumers have come to depend on and trust the Automatic Teller Machine (ATM) to conveniently meet their banking needs. But in recent time there have been a proliferation of ATM frauds in the country even and across the globe. Managing the risk associated with ATM fraud as well as diminishing its impact is an important issue that face financial institutions as fraud techniques have become more advanced with increased occurrences. The ATM is only one of many Electronic Funds Transfer (EFT) devices that are vulnerable to fraud attacks.
This evil side is reflected in the form of “ATM frauds” that is a global problem. The use of plastic money is increasing day by day for payment of shopping bills, electricity bills, school fees, phone bills, insurance premium, traveling bills and even petrol bills. The convenience and safety that credit cards carry with its use has been instrumental in increasing both credit card volumes and usage.
The world at large is struggling to increase the convenience and safety on the one hand and to reduce its misuse on the other. An effective remedy for prevention of ATM frauds, however, cannot be provided unless we understand the true nature of the problem.
ATM fraud is not the sole problem of banks alone. It is a big threat and it requires a coordinated and cooperative action on the part of the bank, customers and the law enforcement machinery. The ATM frauds not only cause financial loss to banks but they also undermine customers’ confidence in the use of ATMs. This would deter a greater use of ATM for monetary transactions.
It is therefore in the interest of banks to prevent ATM frauds. There is thus a need to take precautionary and insurance measures that give greater “protection” to the ATMs, particularly those located in less secure areas.
Definition of ATM:
Automated Teller Machine (otherwise known as ATM) is a computerized electronic machine that allows a bank customer to deposit, withdraw, or transfer funds automatically when an account holder inserts a bank card and it is used for making these financial transactions from a bank account and performs basic banking functions (such as handling check deposits or issuing cash withdrawals) – called also automated teller machine, automatic teller, automatic teller machine.
An ATM is a machine built into the wall of a bank or other building, which allows people to take out money from their bank account by using a special card.
What is ATM Fraud?
ATM fraud refers to fraud with the use of an ATM card whereby the perpetrator of the crime uses the card to immediately withdraw funds from a consumer account using PIN based transactions at the ATM. For instance, a perpetrator who manages to get an ATM pin number will use the ATM card at any automatic teller machine (ATM) to withdraw money from an innocent user’s bank account. Through ATM fraud, a perpetrator can even access the line of credit that is attached to an account. The common method adopted to get an ATM card by such perpetrator is to steal a customer’s card. However the new technique adopted is to trap the card inside the ATM’s card reader with a device called a lebanese loop. When the customer gets frustrated by not getting the card back and walks away from the machine, the perpetrator of the crime will remove the card and withdraw cash from the customer’s account. See https://definitions.uslegal.com/a/atm-fraud/
ATM Fraud Trends:
The reason that criminals target ATMs is simple. “Criminals like cards and PINs. It is much easier to cash them out, rather than to hire a mule or repackager with stolen credit cards,” says fraud expert Mike Urban, Senior Director of Fraud Solutions at Fair Isaac.
If the magnetic stripe data and pin is available, it is easy money for the criminal to get the cash out of the ATM. “There is no fence, no making an authentic card to use at a retailer,” he says. While this crime is much harder to perpetrate, criminals prefer this over other types of credit card fraud, such as signature-based fraud.
Common types of ATM attacks and fraud:
ATM attacks and fraud continue to make headlines, despite the fact that the technology running ATM networks is becoming more secure and consumers are perhaps more vigilant than ever.
But what do we mean exactly when we talk about ATM fraud? Far from being a simple smash-and-grab problem, ATM owners have to be vigilant against different types of threats to ensure they are protecting themselves and their customers.
Card Skimming:
Remains the number one threat globally but one that is on the wane thanks to deployment of anti-skimming solutions, EMV technology and contactless ATM functionality. Essentially, skimming refers to the stealing of the electronic card data, enabling the criminal to counterfeit the card. Consumers experience a normal ATM transaction and are usually unable to notice a problem until their account is defrauded.
Card Trapping:
Trapping is the stealing of the physical card itself through a device fixed to the ATM. In a pre-EMV or chip-and-signature environment, the PIN does not need to be compromised. Again, contactless capability can help. For example, NCR helped launch the world’s first tap and pin ATM with ANZ using Selfserv 23 and EMV contactless technology.
Transaction Reversal Fraud:
TRF involves the creation of an error that makes it appear as though the cash had not been dispensed. The account is re-credited the amount ‘withdrawn’ but the criminal pockets the money. It could be a physical grab (similar to cash trapping) or a corruption of the transaction message.
Cash Trapping:
Normally relatively low value, the fraudster will use a device to physically trap the cash that is dispensed and come to collect once the customer has left the ATM location.
Physical Attacks:
This category is related to any attempt to rob the ATM of the cash in the safe. Methods of physical attacks include solid and gas explosives, as well as removing the ATM from the site and then using other methods to gain access to the safe.
Logical Attacks:
Logical attacks are becoming a major and growing attack vector, and one that has the potential to cause large amounts of losses. In this type of attack, external electronic devices, or malicious software in used in the crime. The tools are used to allow the criminal to take physical control of the ATM dispenser to withdraw money, which is often called “cash-out” or “jackpotting,” as the machine starts spitting out bills like a casino gaming machine.
The other version of malware attack on ATMs sees criminals using software to intercept the card and PIN data as customers use the machine. They can then use this to clone cards and commit fraud at point of sale terminals, ATMs and in ‘card-not-present’ scenarios.
Criminals are always looking for ways to get their hands on card data or actual cash, however modern ATMs are designed to prevent attacks occurring, and the ATM industry constantly updates and evolves technology to thwart fraudsters at every possible step.
The good news is that there are solutions and practices that ATM deployers can and should do to protect the ATMs and the consumer who use them.
Ghost ATMs:
There are also the “Ghost ATMs,” where the entire ATM card reader is blocked off and customers can’t perform a transaction. “The customer swipes their card, enters their PIN, and then the fake ATM says it can’t complete the transaction,” Urban explains. There were several of these types of ghost ATMs that popped up on the east coast back four years ago. One arrest was made in those cases, he notes.
Ram Raids:
Criminals continue to target ATMs in various ways, with “ram” raids happening more often in the US. Ram raids are perpetrated when criminals physically break out ATMs from the wall at the institution. In Texas, the number of ram raids has spurred institutions to partner with law enforcement, and a task force has been formed to fight the raiders. “The opportunity that some non-hardened criminals see is an exterior ATM that can be pulled out, loaded with thousands of dollars,” Urban says. So in terms of crimes of opportunity, people feeling desperate will attempt this crime.
PIN ID’s:
One of the other trends Urban sees happening is where criminals are testing systems to identify PINs. One particular technique is where the criminal captures the magnetic stripe data from a retailer. They then go to an online bank site with a script written on several well known PINs, and run it against the site until they get a match.
Automated PIN Changes:
Another trend Urban sees is criminals go through the financial institution’s telephone banking service to change PIN numbers. “They will use the ANI to change the information on the phone they’re calling out from to appear like they are calling from the consumer’s phone,” Urban notes. If they can find the basic information on the card holder, name, card account number, last four digits of the social security number, then they’re trying to take that info and go to the call center and change the PIN number over the phone. Thus, while more time-consuming, the overhead cost is cut to near nothing other than their own work to deceive the bank call center, Urban says. Then with the changed PIN, the criminals drain the account.
The easier it is for the consumer to change their account; those are the financial institutions that will be targeted.
SMS attacks:
“Smishing” is the attack that comes through the Short Message Service (SMS) or text venue, onto a smart phone or a cell phone. Urban has personally seen three examples come through in the last month from institutions that he has no affiliation with, asking him for his account number and pin. Where the criminals are able to get the information from the customer, they then turn and clone the ATM or debit card and use it to withdraw cash.
The bank or credit union, if it is not checking for the CVV value, or the full name or expiration date, and just accepts the card transaction, will be hit with counterfeit cards made from data taken in this type of attack. These “smishing” attacks hit several midwest institutions in 2008.
Malware:
Security researchers say they have found malware code that lets a criminal take control over ATMs. SpiderLabs, the forensics and research arm of TrustWave, found a Trojan family of malware that infected 20 ATMs in Eastern Europe. The researchers warn that the malware may be headed toward US banks and credit unions, as well as other parts of the world. The malware lets criminals take over the ATM to steal data, PINs and cash.
That report from SpiderLabs isn’t the only malware found. Sophos researchers in March say they found a Trojan specifically designed to steal information from Diebold ATM users that had infected several ATMs in Russia. SpiderLabs researchers explain the Trojan collects magnetic stripe data and PINs from the Windows XP-based ATM’s transaction application’s private memory space. Researchers found it came with its own management function that allows the attacker take over the ATM with a custom interface that may controlled by the attacker when they insert a controller card into the ATM card reader. Both research arms say that they expect the Trojans they discovers to evolve and spread, infecting more ATMs. Trustwave recommends that all financial institutions with ATMs perform analysis to identify if this malware or similar malware is present.
Shoulder Surfing:
Shoulder Surfing is the act of direct observation, watching what number that person taps onto the keypad. The criminal usually positions himself in close but not direct proximity to the ATM to covertly watch as the ATM user enters their PIN. Sometimes miniature video cameras that are easily obtained might be installed discretely on the fascia or somewhere close to the PIN Pad, to record the PIN entry information.
Need for banks to protect users of Automatic Teller Machines from fraud:
Per Ogbuinya, JCA in the case of Agi v. Access Bank Plc (2014) 9 NWLR (Pt.1411) 121 at 131 – 132, page 163, paras B-G stated:
“Before I am done, I must observe that, the process of withdrawing money from the banks by dint of Automated Teller Machine (A.T.M) debit card is a banking procedure invented to ensure prompt access to customers’ funds, decongestion of the banks over trivial transactions and alignment with the international best standards in banking practices. Unfortunately, for the customers, a regrettable one at that, this commendable objective has turned into their albatross in that it has not yielded the desired laudable results. The helpless and unsuspecting customers are constantly being exposed to avoidable frauds and thereby subjecting the banks to litany of litigations. Tons of bank’s customers lose colossal funds, stashed in the bank’s vault for protection, to unscrupulous and faceless swindlers. It is decipherable that new verve ATM debit card is equipped with cameras that capture users. There is crying need for same to state the time of any transactions. Doubtlessly, these will curb or help ameliorate the undetectable frequent ATM debit card frauds to the lowest ebb. It will, in turn, preserve the corporate image of our commercial banks as well as conserve the customers’ precious funds in their custody.”
On who has care and control of Automated Teller Machine Card?
Where a person has custody of an item, it implies that the person in custody is in care and control of it for inspection, preservation and security. See the case of Nigeria Ports Authority Plc v. B.P. Pte Ltd. (2012) 18 NWLR (Pt. 1333) 454. See the case of U.B.N Plc v. Chimaeze (2014) 9 NWLR (Pt. 1411) 166 at 169 SC
Who bears the burden where there is an unauthorized withdrawal of money from a customer’s account?
It is trite law that customer’s monies in the hands of the banker are not in the custody or under the control of the customer and such monies remain the property in the custody and control of the banker, and payable to the customer when a demand is made. Thus, if anything happens to the money thereafter e.g. theft of money or unauthorized withdrawals, it is the banker and not the customer that bears the loss. See the cases of Wema Bank Plc vs Osilaru (2008) 10 NWLR (Pt 1094) 150 and UBA Plc v. Yahuza (2014) LPELR-CA/K/253/2013.
Conclusion:
In the recent past there has been a rise in the number of banking frauds related to ATM card transactions and fraudsters are using new techniques to rob customers of their savings. While banks are doing their bit in making card transactions safer and are working towards protecting customers from being fleeced, banking experts say that customers need to be extra careful as a large number of cases are a result of negligence on part of the card holder.
Thus, the following useful advices have been suggested to ATM Card holders as follows:
- Use ATM’s where you feel the most comfortable,
- Be vigilant and avoid using ATM where suspicious-looking individuals are loitering,
- Have your card ready in your hand before you approach the ATM,
- Do not use the ATM if it appears to be tampered with or damaged,
- Do not accept help from strangers at an ATM, especially when you experience difficulty with the transaction and do not allow anyone to distract you,
- Shield the ATM keypad with your hand to prevent people seeing when you enter your pin.
- Never disclose your PIN to anybody, not even to the bank or police,
- Press cancel key, withdraw your card and proceed to an alternative ATM if you feel the ATM is not functioning correctly,
- Use the help line and/or nearest phone to contact your bank and/or police if your card gets jammed, retained or lost, or if someone interferes with you at an ATM,
- Take your time when transacting and ensure your cash and card are carefully secured in your wallet, handbag or pocket before leaving the ATM,
- Conduct your ATM in transaction in complete privacy, never let anyone see you entering your Personal Identification Number,
- After completion of transaction ensure that welcome screen is displayed on the ATM screen before leaving,
- Ensure your current mobile number is registered with the bank so that you can get alerts from all your transactions,
- Beware of suspicious movements of people around the ATM or strangers trying to engage you in conversation,
- While shopping at a grocery store or supermarket or filing station and you need to insert your card in any POS, do check if the card given back to you by the merchant after completion of the transaction is your card,
- Look for extra for extra devices attached to the ATMs that may be put to capture your data,
- Inform the bank if the ATM card is lost or stolen and immediately report if any unauthorized transaction,
- Check the transaction alert SMS and bank statements regularly.
Further advice is as follows:
- Do not write your PIN on the card, memorize your PIN,
- Do not take help from strangers or handover your card to anyone for using it,
- Do not disclose your PIN to anyone, including bank employees and family members,
- Do not allow the card to go out of your sight when you are making a payment,
- Avoid speaking on the mobile phone while you are transaction
Kingsley Izimah, Esq.
Principal Partner,
Nomos Legal Practice
+234 (0) 806-809-5282
+234 (0) 805-101-9362
For insightful updates in law, follow us on our social media pages via:
LinkedIn at: https://www.linkedin.com/company/nomoslegalpractice
Twitter/X at: https://twitter.com/legalnomos
Facebook page at: https://web.facebook.com/nomoslegalpractice
