UNCITRAL has canvassed that current models cash dispensers — ATMs and EFTPOS terminals — ‘require the convergence of two items to authorise the transaction. i.e. a plastic card with magnetic stripe containing certain information and the entry by the bank customer of a personal identification number (PIN)’.443
439 Diebold Incorporated, Playing Defense: Trends in ATM Attacks (2007)
<http://www.diebold.com/atmsecurity/files/DBD_WhitePaper_Island.pdf>.
440 Dong-Tsan Lee, 'Re-examining the Security Issues of ATM Systems' (2004) 2004(2) Computer Fraud
& Security 13, 13.
441 Note: In a definition posted by Cory Janssen, ‘[a] brute force attack is a “trial and error” method used
to obtain information, such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organisation’s network security’: Cory Janssen, Brute Force Attack (2013) technopedia <http://www.techopedia.com/definition/18091/brute-force-attack>.
442
Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 5.
102 The natural location of ATMs and EFTPOS machines outside the bank perimeter with most of them unattended (also known as ‘island ATMs’) eliminates the necessity for ‘round the clock’ human involvement and makes ATMs a relatively easy target for various crimes.444 Unrestricted physical access to ATM components outside the safety of the bank — such as to a card reader and PIN pad on the front of the ATM — are vulnerable to compromise by fraudulent devices such as skimmers, false keypads, and so on.445
The involvement of many different people or organisations in the establishment or life cycle activities related to these machines (such as cash or paper-print replenishment, maintenance, booth cleaning, and so on) also makes ATMs and EFTPOS machines more vulnerable to abuse. However, fraudsters have recently not only targeted island ATMs (such as standalone ATMs located in stores or other buildings) as well as ‘through the wall’ ATMs, but also non-island ATMs (that is, ATMs that located in the bank branch).446
There have also been many reports where besides an ATM attack to obtain a consumer’s personal information such as their card number and PIN (which has become the most prevalent and notorious ATM crime),447 criminals are also stealing entire ATMs laden with cash.448 Nonetheless, the latter type of activity is beyond the scope of
444 See Bell, above n 44. See also Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above
n 348, 1.
445 Pat Telford and Peter Kulik, Ten Immutable Laws of ATM Security (2011) ATM Industry Association
(ATMIA)
<https://www.atmia.com/clientuploads/directory/whitepaper/TenImmutableLawsofATMSecurity2011.pdf >.. See also Bond and Zielinski, above n 328.
446
Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 25.
447
Ibid.
448 Russell G Smith and Peter Grabosky, 'Plastic Card Fraud' (Paper presented at the Conference Crime
against Business, Melbourne, 1998) 6. See also Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 25. In the white paper, Diebold Incorporated stated that physical attacks on an ATM ‘include any type of assault that physically damages the components of the ATM in an attempt to obtain cash’. Targets include: (a) The ATM’s safe’ (by cutting/grinding/drilling/prying the locks, handles and hinges of the safe door, or using a blowtorch or similar device, or explosives); (b) The ATM ‘top hat’ in an attempt to steal ATM components such as the hard drive, or to attach an internet skimmer or download malware (by prying open the door or side panels of the top hat, prying open the fascia, damaging the lock to gain access, picking the lock in order to covertly attach an internal skimmer; (c) ‘The ATM ’presenter and depositor’ in an effort to gain access to the ATM’s cash sources, which include the deposit storage area and the divert bin (by ‘cutting, prying, drilling, torching, and smashing’); (d) ‘The entire ATM, when attempting’ to remove it from its existing location and move it to a location where its safe or vault can be laboriously penetrated and its contents removed (‘by ramming or ram raid — attempting to ram the ATM with a car, truck or heavy machinery; pulling — placing a chain or rope around an ATM and attaching the other end to a vehicle to pull the ATM from its foundation[s]…; lifting — using a forklift or similar equipment to try to lift the ATM from its foundation[s]’).
103 this thesis since it is not fraud and the loss, if any, is not associated with any consumer accounts, and hence will only be borne by the bank.
As most of the ATMs throughout the world share many similarities and standards, ‘ATM fraud is also not confined to particular regions of the world’. Probably the most complex factor is that the fraudsters and victims are ‘often on different continents, and the problems of one region can quickly become the problems of another’.449
Diebold Incorporated concluded several factors that attract ATM fraud globally:
ATM fraud is growing because it produces cash and is considered to be fairly low risk relative to other crimes. The necessary equipment for criminal activity is inexpensive, readily available and expendable. ATM fraud also lends itself to organized crime. The fraud is repeatable, profitable and does not appear likely to end.450
Generally, fraudsters physically attack the ATM in an effort to get cash, whether it is in the safe/vault or in the cash dispenser/depositor slot.451 However, the safe itself is
difficult to compromise because it is made with very strong metal with a special key that makes it difficult for a criminal to penetrate.452 Therefore, instead of targeting cash stored in the safe, according to bank officers interviewed, some fraudsters in Indonesia prefer to target consumer cards that have been ‘swallowed’ by the ATM and retained inside it.453 Apparently, this modus operandi is derived from fraudsters considering it far easier to access consumer cards that have been swallowed and also less likely to attract the attention of bystanders or passers-by. Fraudsters have noticed that there will always be instances where this legitimately occurs, for example, a consumer entering a wrong PIN entry above the bank threshold limit (the number of times the bank permits the consumer to attempt to access their card using an incorrect PIN — consumers typically are only given three consecutive trials to enter the right PIN, otherwise their card will be automatically swallowed by the ATM). Such experiences also make consumers far less likely to suspect a card’s disappearance is due to other than machine malfunction (or their own error), so facilitating other methods of identity theft.
449 Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 1. 450 Ibid 8. See also Mohamad, above n 302, 11. See also Telford and Kulik, above n 445. 451
Diebold Incorporated, ‘White Paper: ATM Fraud and Security’, above n 348, 25.
452 Attacks on safes normally require a quite a bit of effort and special tools, with methods including
drilling, prying, pulling, or using explosive materials. These kinds of efforts — besides being time consuming — also involve greater risk for the fraudster in terms of increased risk of apprehension because of the noise and complications that occur during such operations.
104 In this method, however, fraudsters need to just open the ‘top hat’ of the ATM using a counterfeit key (many ‘top hat’ keys use a universal key, so it can be accessed by different vendors) or by forcing it open.454 As for the universal key, fraudsters can even purchase one on eBay.455 If the top hat is also equipped with an additional padlock, then fraudsters have to break the padlock to gain entry. Once the ATM top hat has been opened, the fraudsters take genuine consumer cards that have been swallowed and reside in a special compartment and use them for purchasing things in shops that do not require a consumer’s PIN.456
There is also a possibility that the fraudster can withdraw cash from an ATM, if they can guess what a card’s PIN is.457
Interestingly, this type of fraud method is still not widely known. The dearth of information concerning this type of fraud probably indicates that this method is either new or less attractive to fraudsters.458 The usage of genuine ATM/debit cards without PIN information will only provide limited financial gain for fraudsters. Apprehension risk is also greater, since fraudsters perform face-to-face transactions at EFTPOS locations. Other than that, consumers also tend to inform their banks regarding their ‘swallowed’ cards immediately, making the period in which perform unauthorised transactions relatively short.