The risks of electronic banking are all well known. In fact, the updated FFIEC authentication guidance specifically talks about the need to secure both online and electronic banking. It's important to remember that ATMs are also a target of fraudsters. ATM skimming rings are defrauding cardholders to the tune of tens of millions of dollars. This is a global issue affecting customers in the USA, the European Union, Asia, basically anywhere there are ATMs.
Breaking 2-Factor Authentication
To access your account from an ATM you must present your ATM card [something you have] and enter a PIN [something you know]. Two-factor authentication of this kind is generally considered a relatively strong control against financial fraud. However, skimming rings capture both factors at once: a skimmer fitted to the card slot reads the magnetic stripe, and a pinhole camera or keypad overlay records the PIN. With a cloned card and the captured PIN, the second factor is effectively defeated.
In the 2011 updated guidance, the FFIEC stresses not only strong authentication but also knowing your customer. That is the missing link in combating ATM fraud, and fortunately it has an elegant solution.
As with online banking, customers have normal patterns of ATM activity: relatively consistent dollar amounts, a typical number of withdrawals per day or week, and familiar locations and times. Since financial institutions already use "know your customer" profiling to combat online banking fraud, the same techniques can be applied to ATM transactions to flag a withdrawal that departs from the cardholder's own baseline.
Keeping It Simple
Upon detecting unusual and possibly fraudulent ATM activity, the ATM screen could present the user with an out-of-wallet challenge question. Restricting the questions to those with numeric answers means the existing PIN pad can be used to enter the answer, so no ATM hardware has to be modified. The answer should be verified by the bank's host system exactly as the PIN is, and because a four-digit year has far fewer plausible values than a PIN, the number of attempts must be strictly limited.
Even with limiting the out-of-wallet questions to those with numeric answers, the list of potential questions is quite long:
- What year was your first child born?
- What was the model year of your first car?
- What year were you married?
Obviously not an exhaustive list, but it does illustrate the fact that there is no shortage of such questions.
It's important that the challenge questions are strictly out-of-wallet. If the fraudster did in fact steal the victim's wallet, complete with driver's license, then asking "what year were you born" would be inappropriate, since the answer is printed on the license. Asking what year you graduated from high school would also be a weak question.
The fraudster could simply add 17 to the date of birth on the driver's license and answer that question correctly the majority of the time.
The lesson here is that a challenge question is only as strong as the secrecy of its answer: anything printed on, or derivable from, the contents of a wallet does not qualify.
Elegant and Effective
Using out-of-wallet questions that are compatible with existing ATM hardware, you can add another layer of security to combat ATM fraud. A low-cost solution that could potentially save customers, and financial institutions, millions of dollars.
To complete the anti-fraud circle, banks can also consider having the ATM retain the card when a customer [fraudster] fails to correctly answer the out-of-wallet challenge question. You'd have the card, with fingerprints, as well as the ATM camera's photographs of the attempted fraud. Because a legitimate customer who misremembers an answer would lose their card in the same way, the retention policy needs a clear recovery path through the branch.
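The whole flow described above (baseline the customer's ATM behaviour, step up to a numeric out-of-wallet question only when a withdrawal is unusual, refuse wallet-derivable questions, cap attempts, and retain the card on failure) as an added worked example. This is illustrative code written for this page, not code from the original post or from any bank's authorization system; the thresholds, the customer record schema, the sample history and the question identifiers are all constructed assumptions.

```python
"""Behavioural ATM fraud check with a numeric out-of-wallet step-up.

Added example for this page, not the post's own code. Customer history,
thresholds, question ids and the record layout are constructed assumptions.
Card and PIN are assumed to have already been verified by the host.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from hmac import compare_digest
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Withdrawal:
    when: datetime
    amount: float


@dataclass
class Customer:
    card_id: str
    history: List[Withdrawal]
    # Numeric facts on file, keyed by question id (constructed schema).
    facts: Dict[str, int] = field(default_factory=dict)


# Numeric-answer questions from the post; the answer fits the existing PIN pad.
QUESTIONS = {
    "first_child_birth_year": "What year was your first child born?",
    "first_car_model_year": "What was the model year of your first car?",
    "marriage_year": "What year were you married?",
}
# Facts a thief can read or derive from a stolen wallet (the post's birth-year
# and high-school examples); never eligible as a challenge even if on file.
WALLET_DERIVABLE = {"birth_year", "hs_graduation_year"}

# Thresholds are assumptions for the example, not figures from the post.
AMOUNT_FACTOR = 3.0            # flag amounts above 3x the customer's median
FREQ_WINDOW = timedelta(hours=24)
FREQ_FACTOR = 2.0              # flag if 24h count exceeds 2x the busiest past day
MAX_ATTEMPTS = 2               # a 4-digit year is low entropy, so cap retries
SAMPLE_NOW = datetime(2011, 10, 20, 9, 0)


def unusual_reasons(customer: Customer, proposed: Withdrawal) -> List[str]:
    """Compare a proposed withdrawal with the customer's own baseline.

    Returns an empty list for normal activity, otherwise human-readable reasons.
    """
    if not customer.history:
        return ["no transaction history to baseline against"]
    reasons = []
    med = median([w.amount for w in customer.history])
    if proposed.amount > AMOUNT_FACTOR * med:
        reasons.append(f"amount {proposed.amount:.0f} exceeds {AMOUNT_FACTOR:g}x median {med:.0f}")
    # Frequency: count withdrawals inside the trailing window (plus this one)
    # against the busiest single day in the older history.
    older = [w for w in customer.history if proposed.when - w.when > FREQ_WINDOW]
    busiest = max(Counter(w.when.date() for w in older).values(), default=1)
    recent = 1 + sum(1 for w in customer.history
                     if timedelta(0) <= proposed.when - w.when <= FREQ_WINDOW)
    if recent > FREQ_FACTOR * busiest:
        reasons.append(f"{recent} withdrawals in 24h vs busiest past day of {busiest}")
    return reasons


def pick_question(customer: Customer) -> Optional[str]:
    """Choose a question the customer has an answer on file for, skipping
    anything derivable from wallet contents."""
    for qid in QUESTIONS:
        if qid in customer.facts and qid not in WALLET_DERIVABLE:
            return qid
    return None


def answer_matches(customer: Customer, qid: str, keypad_entry: str) -> bool:
    """Host-side check of the digits typed on the PIN pad, compared in constant time."""
    expected = str(customer.facts[qid])
    return keypad_entry.isdigit() and compare_digest(keypad_entry, expected)


@dataclass
class Decision:
    outcome: str                      # approve | approve_after_challenge | decline | retain_card
    reasons: List[str] = field(default_factory=list)
    question: Optional[str] = None


def authorize(customer: Customer, proposed: Withdrawal, keypad_entries: List[str]) -> Decision:
    """Step up only when the activity is unusual; keypad_entries stands in for
    what the person at the ATM types in response to the challenge."""
    reasons = unusual_reasons(customer, proposed)
    if not reasons:
        return Decision("approve")
    qid = pick_question(customer)
    if qid is None:
        # No safe out-of-wallet question on file: decline rather than fall
        # back to a wallet-derivable one (assumed policy).
        return Decision("decline", reasons)
    for entry in keypad_entries[:MAX_ATTEMPTS]:
        if answer_matches(customer, qid, entry):
            return Decision("approve_after_challenge", reasons, QUESTIONS[qid])
    # Failed step-up: retain the card, as the post suggests.
    return Decision("retain_card", reasons, QUESTIONS[qid])


def sample_customer(burst: int = 0) -> Customer:
    """Constructed history: $60-$100 every three days, plus `burst` extra
    withdrawals in the hours before SAMPLE_NOW to simulate a cash-out spree."""
    base = datetime(2011, 10, 1, 12, 0)
    history = [Withdrawal(base + timedelta(days=3 * i), amt)
               for i, amt in enumerate([60, 80, 100, 60, 80])]
    history += [Withdrawal(SAMPLE_NOW - timedelta(hours=h + 1), 60) for h in range(burst)]
    return Customer("card-0001", history, facts={"marriage_year": 1998, "birth_year": 1975})


if __name__ == "__main__":
    c = sample_customer()
    print(authorize(c, Withdrawal(SAMPLE_NOW, 80), []))
    print(authorize(c, Withdrawal(SAMPLE_NOW, 500), ["1998"]))
    print(authorize(c, Withdrawal(SAMPLE_NOW, 500), ["1975", "1992"]))
```

Note that `pick_question` never returns `birth_year` even though it is on file, which is the point of the out-of-wallet rule: a thief holding the driver's license would pass that question. The constant-time comparison is a habit rather than a necessity here, since the real guard against guessing a four-digit year is `MAX_ATTEMPTS` enforced on the host, not the ATM.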