When it comes to card fraud, the lack of a cross-border vision by regulators with no real urge to look at a much wider picture when it comes to global financial crime gives criminals a huge advantage. It gives them the opportunity to stay out of reach of justice. For many years, organised criminal groups targetted neighbouring countries, driving or flying from one place to the other, seeking easy hits and vulnerabilities.
Fraudsters either use foreign payment cards skimmed elsewhere, phish for data on the internet or go shopping on one of the many live ‘dump sites’ where a large variety of products are sold as on an auction site. Data from thousands of innocent customers circulates daily on dodgy websites or underground forums. When taken down, they reappear under another name with the same speed. This happens time and again, because there are still no applicable laws in effect today to safeguard customers against such reoccurrences of fraudulent activity.
Automated telling machine (ATM) fraud is not actually a type of fraud, however, it describes the location where that fraud occurs, for example, where the victim withdrew money at an ATM and had their account accessed and defrauded.
Although ATM scams have increased significantly in the UK in the past five years, it accounts for less than 10% of the types of credit card fraud and debit card fraud. Card skimming at ATMs is a growing trend, often perpetrated by organised eastern European criminal gangs.
When perpetrators are eventually arrested, it is frequently revealed that they are foreign nationals who have abused data coming from another country, buying goods in yet another country, so that the local charges are typically minor and risks to the perpetrator minimal. Prosecutors or examining judges do not want to investigate further as local impact is low and in many cases, it doesn’t result in a conviction. There are large differences in approach when taking into account most European Union (EU) countries. This is not only on the law enforcement side, but also in terms of cooperation, the exchange of information, the possibility of convictions and varied data privacy laws.
But the biggest questions still remain unanswered. “What about the money flow? Where are these funds being transferred to?” There are a wide variety of ‘money transfer’ facilities that are not amenable to, and have no interest in, being compliant with anti-money laundering (AML) regulations. Such facilities provide safe havens for fraudulent transactions. Throughout Europe, more and more of these little family-owned money transfer/international phone shops are setting up.
In terms of terrorist funding outfits, there has been a lot of masking of payment transaction scams occurring in the UK in the form of ATM scams and the installation of machines whose only purpose is to steal information. For example, when major petroleum companies started franchising their petrol stations, Sri Lankan nationals became very interested, flooding the market by taking over a vast majority of these stations and using these stations to mask terrorist funding activities. Their reach is far and wide, covering many major cities. Even local village gas stations have been targeted. It was a mix of legal and illegal immigrants all of the same ethnic origin that operated as a network of teams moving swiftly all over the country – working one day in Leeds, moving to Manchester the next day for the next shift, and end up on one of the many gas stations within the orbital M25 motorway around greater London. These groups, who by the time they were discovered had become legal employees, deployed a huge payment terminal scam. In most cases, the owner was involved in the scam, or was forced to join in. This criminal organisation is comprised of different teams working together. The first group consists of technicians altering the POS terminals, a second group takes care of the installation within the gas stations and a third group focuses on the usage of the obtained data.
Some of the engineers are highly skilled and were brought to the UK for that sole purpose of hacking in order to capture account information by using Wi-Fi scanners and cracking programs to download transaction data when the systems fail to be protected by high-level encryption software.
On a large scale, terminals are precisely opened, bypassing security measures installed by the vendors, and equipped with extra hardware. Once this has been done, they are re-installed on the premises, adding recording devices hidden in ceilings capturing both magnetic stripe as well as PIN data.
Due to numerous transactions at rigged allocations, significant amounts of data became available. Analysing unauthorised usage of this stolen data showed a unique spending pattern. Instead of going for a quick win and hitting different countries with massive ATM attacks, the usage was more spread out to other Merchant Category Codes (MCC) with more transactions at a lower value. This way they were able to stay out of the monitoring radar of banks involved and could continue making illegal transactions undetected for longer lengths of time. Eventually, however, the authorities caught on to these spending approaches and began arresting these various small groups all over Europe. To some extent, a more in-depth investigation was carried out to identify the money flow. Disturbingly, it became clear that the end users were Tamil freedom fighters in Sri Lanka.
This criminal confidence scheme emphasised and identified interesting vulnerabilities within the payment and retail chain and shows how organised crime groups with less exposure are able to cause substantial damage.
This scam made it clear to the UK payment card industry, retail and banks that procedures, compliance and back-up plans need to be closely redefined and fine-tuned. And it certainly shows that they need to be prepared for the unexpected.
Enormous amounts of untraceable funds are passing overhead on a daily basis. These entities do not like to be closely examined and, in most cases, have a dubious background or spider web setup – hopping different countries and involving ‘mules’ as front persons. That way it would not appear strangefor individuals to appear in different cities, where they arrive at an ATM and stay there for an hour retrieving €50,000-plus at a time, flying around the region emptying ATMs with anonymous, reloadable cards at different locations.
With the increasing mobile commerce (m-commerce) possibilities related to telecom issues, there will be bigger challenges in safeguarding payment transactions, especially since there will also be an increase in the high tech solutions available that could be used to defraud systems. It will definitely take some time to fully understand the different modus operandi used, but end-to-end encryption of data, as well as secure payment platforms will be a must if we do not want to see it escalate.
Another old-fashioned ATM scam that still reaps profits for criminals is the placement of a deposit receptacle in an ATM vestibule with a sign over the automated machine stating it is out of order. Here, the felon’s goal is to capture cash deposits that were intended for the more secure electronic banking machine. While it may seem obvious that depositing money in this insecure fashion is a bad idea, the comfort and trust that people have when entering a financial institution often allows them to suspend their suspicions as they believe that there is no safer place than a bank.
Criminals who are too impatient to go through the complex process of stealing bank accounts and personal identification numbers will simply steal an entire ATM. Typically, this crime occurs in the overnight hours inside a business, such as a supermarket. The thieves will break in, use the store’s forklift to rip the ATM off the floor and load it onto a waiting truck. As a fully loaded ATM can hold as many as 10,000 bills, the total amount of dollars stolen can be in the tens of thousands.
Striking Back Against the Fraudster
As ATM fraud grows as crime, the Association for Payment Clearing Services (APACS) is working hard with industry and law enforcement to reduce the volume of criminality relating to ATMs. In the meantime, there are some basic points to follow to keep yourself safe from ATM skimming and other ATM scams. For instance, if you suspect a skimming machine has been placed on an ATM machine do not try to remove it. Skimming machines are attached to the cash card entry slot and a separate miniature pinhole camera is hidden overlooking the PIN pad. This enables the criminal to create a counterfeit cash card to withdraw money at ATM using the legitimate PIN. These skimming machines are often highly sophisticated and are made to look as if they are part of the ATM machine itself. The skimming machine may only be placed on an ATM for a short period of time whilst the fraudsters remain nearby. When the fraudsters eventually take the skimming machines off, they will move to another cash card machine and do the same again.
These skimming machines are expensive, and suspects may use violence if they think their precious commodity is likely to be damaged or interfered with. Instead of taking direct action personally, call the police or contact the bank immediately.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.
Politicians have united in urging the Reserve Bank of Australia to lend its backing to the digital currency by officially recognising it.