ATM Risk Management and Controls - EuroJournals
European Journal of Economics, Finance and Administrative Sciences
ISSN 1450-2275 Issue 21 (2010)
© EuroJournals, Inc. 2010
http://www.eurojournals.com
ATM Risk Management and Controls
Devinaga Rasiah
Lecturer, Multimedia University (Malacca Campus), Malaysia
E-mail: devinaga.rasiah@mmu.edu.my
Abstract
The aim of this study is to investigate risk management, security and controls in the context of Automated Teller Machines (ATMs). In doing so, it adopts a non-technical approach by investigating the interrelationship and effect of risk management and controls in setting Automated Teller Machine security goals. The literature explores and discusses the risk management and different controls of ATMs. To reduce the risk of fraudulent activity, several controls can be integrated into the ATM processing environment. However, the controls should not be considered a cure-all.
Keywords: ATMs, data security, risk, fraud, electronic banking, and controls.
ATM
An automated teller machine (also known as an ATM or cash machine) is a computerized device that provides the customers of a financial institution with the ability to perform financial transactions without the need for a human clerk or bank teller.
Crime at ATMs has become a nationwide issue that faces not only customers but also bank operators. Security measures at banks can play a critical, contributory role in preventing attacks on customers. These measures are of paramount importance when considering vulnerabilities and causation in civil litigation, and banks must meet certain standards in order to ensure a safe and secure banking environment for their customers.
The Automated Teller Machine is a terminal provided by a bank or other financial institution which enables the customer to withdraw cash, make a balance enquiry, order a statement, make a money transfer, or deposit cash. ATMs are basically self-service banking terminals and are aimed at providing fast and convenient service to customers.
Some of the new generations of ATMs are able to cash a check to the penny, dispense traveller’s cheques and postage stamps, perform stock transfers, print discount coupons, issue phone cards, and even sell concert tickets. Customers are grateful for these ATM features, but they are also very concerned with ATM crime and safety.
Background Studies
ATMs are generally designed for through-the-wall operations as well as for use in lobbies. The Banker’s magazine, September (1983), indicated that ATMs provided convenient bank access to customers’ accounts 24 hours a day, seven days a week, including public holidays. The lobby machines, which are installed in the banking lobbies, are only operational during banking hours. James Essinger (1987) indicated that “ATM machines allow banks’ customers who have been issued with a card and a six digit secret number known as a PIN number (Personal Identification Number) to perform their own banking transactions”. The plastic card contains a magnetic stripe or a chip that contains a unique card number and some security information, such as an expiration date and card validation code (CVC).
Kalakota and Whinston (1996) mentioned that the financial services industry has been through structural and operational changes since the mid-1990s, and innovative use of new information technology and electronic commerce. Hamelink (2000) indicated that these associated cost reductions are driving ongoing changes in banking. New technology brings benefits and risks and new challenges for human governance of the developments.
RCBC (2007) mentioned that authentication of the user is provided by the customer entering a personal identification number (PIN). Miranda F, Cosa R and Barriuso (2006) highlighted that customers transacting on these ATMs are guided by instructions displayed on the video screens. These ATMs normally dispense two or more denominations of paper money. Customers’ advice slips are automatically printed and dispensed except for balance enquiries. All deposits have to be accounted for by the bank staff before they are credited to customers’ accounts.
Marcia Crosland of NCR Corp. (2010) indicated that aside from revenue generation and cost savings, ATMs are becoming the face of many financial institutions. For many consumers, ATMs are becoming the only interaction they have with their banks. In addition, ATMs are also becoming a competitive mark for many banks. Therefore, it is imperative to ensure that the customer’s experience with the ATM is safe and secure.
Mike Fenton (2000) mentioned that over the past three decades consumers have come to depend on and trust the ATM to conveniently meet their banking needs. In recent years there has been a proliferation of ATM frauds across the globe. Managing the risk associated with ATM fraud as well as diminishing its impact are important issues that face financial institutions, as fraud techniques have become more advanced with increased occurrences.
Diebold Inc. (2002) indicated that the ATM is only one of many electronic funds transfer (EFT) devices that are vulnerable to fraud attacks. Card theft, or the theft of card data, is the primary objective for potential thieves because the card contains all relevant account information needed to access an account.
Recent global ATM consumer research indicates that one of the most important issues for consumers when using an ATM was personal safety and security. As financial institutions use the migration of cash transactions to self-service terminals as a primary method of increasing branch efficiencies, the ATM experience must be as safe and accommodating as possible for consumers.
The industry has grave difficulty in measuring ATM fraud given the lack of a national classification, the secrecy surrounding such frauds, and the unfortunate fact that one cannot know the true cost of fraud until one is hit with it. Even low-cost solutions, such as customer awareness, challenge banks that fear scaring customers away from the ATM, or worse, into the doors of a competitor.
ATM Transactions in Malaysia 2000 – 2004
Automated Teller Machines                 2000    2001    2002    2003    2004
Number of ATMs                            3,944   4,161   4,213   5,241   5,565
Volume of cash withdrawals (million)      146.1   174.9   193.5   215.6   264.3
Value of cash withdrawals (RM billion)    62.0    71.8    77.6    86.3    110.8
Source: Bank Negara Malaysia 2004. Figures in 2000-2002 comprise domestic commercial banks, LIFBs, Islamic banks and finance companies. Figures in 2003-2004 include the DFLs. Figures in 2000-2003 represent transactions involving the domestic commercial banks, LIFBs and finance companies. Figures include Islamic banks’ transactions.
Number of EFTPOS Terminals, Malaysia (units, as at end of period)
                                         2004     2005     2006     2007      2008      2009
International brand payment cards (1)    n.a.     83,100   93,368   119,490   144,897   160,585
ATM card (2)                             n.a.     20,052   21,592   34,754    67,581    88,808
E-money                                  16,642   18,198   28,115   28,771    29,236    30,198
(1) MasterCard, Visa, American Express and Diners Club
(2) Domestic PIN-based debit card scheme
n.a. Not available
Note: Data is collected on a quarterly basis.
Number of Cards/Users of Payment Instruments (’000, as at end of period)
                   2004       2005       2006       2007       2008       2009
Credit card        6,583.0    7,815.5    8,833.0    9,901.3    10,812.4   10,817.6
Charge card        286.3      244.5      272.1      245.6      285.6      285.2
Debit card (1)     10,237.2   15,676.7   18,861.4   21,887.3   24,436.6   30,847.6
E-money            34,174.1   44,034.8   46,874.7   53,150.4   61,534.1   68,461.8
(1) Includes international brand debit card and ATM card
Source: BNM Annual Report (2004 – 2009). * refers to commercial banks only, also excludes Islamic Banks.
Frauds at ATMs
Diebold Inc. (2002) indicated that fraud at the ATM, although more difficult than at a POS, has recently become more widespread. Recent occurrences of ATM fraud range from techniques such as shoulder surfing and card skimming to highly advanced techniques involving software tampering and/or hardware modifications to divert or trap the dispensed currency.
The magazine (1991) published that the UK Consumer Association reported a case of phantom withdrawals. In 1989, 570 pounds was wrongly deducted from John Allan’s Bank of Scotland account. A total of 8 cash withdrawals were carried out, three of them when he was away with his card in Andorra. Complaining to the bank was fruitless, and later Mr Allan was going to sue the Bank of Scotland. The day before the case was due to come to court, the bank reached an out-of-court settlement with him. The magazine concludes that this case marks a breakthrough because the bank acknowledged that money can get debited to an account without the use of the card plus the PIN.
This risk exists in each product and service offered. The level of transaction risk is affected by the structure of the institution’s processing environment, including the types of services offered and the complexity of the processes and supporting technology.
ISACA (2007) highlighted that the key to controlling transaction risk lies in adapting effective policies, procedures, and controls to meet the new risk exposures introduced by e-banking. Basic internal controls, including segregation of duties, dual controls, and reconcilements, remain important. Information security controls, in particular, become more significant, requiring additional processes, tools, expertise, and testing. Institutions should determine the appropriate level of security controls based on their assessment of the sensitivity of the information to the customer and to the institution, and on the institution’s established risk tolerance level.
There are three basic types of ATM attacks:
• Attempts to steal a customer’s bank card information;
• Computer and network attacks against ATMs to gather bank card information;
• Physical attacks against the ATM.
THEFT OF CUSTOMER’S BANK CARD INFORMATION
• Card Skimming
• Fake ATM machines
• Card Trapping/Card Swapping
• Distraction theft or ‘manual’ skimming
• Shoulder Surfing
• Leaving transaction ‘Live’
• Cash trapping
COMPUTER AND NETWORK ATTACKS
• Network attacks against ATMs
• Viruses and malicious software
• Phishing
• PIN cash-out attacks
• Utilizing a Fake PIN pad overlay
• PIN Interception
PHYSICAL ATM ATTACKS
• Ram Raid Attacks
• Theft of ATMs
• Smash and Grab of ATMs
• Safe cutting/Safe Breaking
• Explosive Attacks
The other most common cash dispenser fraud has become known as the "Lebanese loop" because criminals of Lebanese origin apparently first used it. This has many variations but usually involves the cash machine being tampered with so that your card is not returned to you and is then removed by the criminals; alternatively, if you do get your card back, a device has recorded the details of your magnetic stripe. The crooks have also captured your PIN number through some variation of shoulder surfing. It is this problem that has led to banks putting posters and other warnings on ATMs advising customers to visually inspect the machine to see if it has been altered or tampered with.
Types of Errors
So far ATMs have been the most widely spread application of electronic banking. There are various types of errors which can occur due to mechanical failure at the ATM terminal, leading to the following problems:
• The ATM dispenses less cash to the customer but the account is debited correctly.
• The customer’s account is debited twice but the cash is only dispensed once by the ATM.
• The customer’s account is debited but the cash is not dispensed by the ATM.
Normally errors can occur at any time, even when the ATM accepts cash and cheque deposits. There have also been cases of phantom withdrawals, with the card-holder denying being responsible for those cash withdrawals although the computer records showed that a genuine transaction had taken place.
Reputational Risks
This is considerably heightened for banks using the Internet. For example, the Internet allows for the rapid dissemination of information, which means that any incident, either good or bad, is common knowledge within a short space of time. The speed of the Internet considerably cuts the optimal response times for both banks and regulators to any incident.
Any problems encountered by one firm in this new environment may affect the business of another, as it may affect confidence in the Internet as a whole. There is therefore a risk that one rogue e-bank could cause significant problems for all banks providing services via the Internet. This is a new type of systemic risk and is causing concern to e-banking providers. Overall, the Internet puts an emphasis on reputational risks. Banks need to be sure that customers’ rights and information needs are adequately safeguarded and provided for.
Management Risk Analysis
Management risk analysis identifies the nature of the risk involved in detail. This evaluation helps the financial institution to decide whether it is necessary to have controls to overcome losses which may arise from the various risks associated with ATMs. A plan is normally formulated as to how these ATM risks are going to be identified, what methods are going to be used to overcome these risks/threats, and, if a fraud or a misuse should occur, how much loss is expected and how the bank is going to recover.
This is the highest risk category and requires the strongest controls, since online transactions are often irrevocable once executed. The bank’s internet systems may be exposed to internal or external attacks if controls are inadequate. A heightened element of risk is that attacks against internet systems do not require physical presence at the site being attacked. At times, it is not even clear or detectable when and how attacks are launched from multiple locations in different countries.
In view of the proliferation and diversity of cyber attacks, banks should implement two-factor authentication at login for all types of internet banking systems and for authorising transactions. The principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details, as well as to enhance confidence in internet banking by combating phishing, key logging, spyware, malware, middleman attacks and other internet-based scams and malevolent exploits targeted at banks and their customers.
Two-factor authentication for system login and transaction authorisation can be based on any two of the following factors:
• What you know (e.g. Personal Identification Number)
• What you have (e.g. One Time Password token)
• Who you are (e.g. biometrics), which comprises methods for uniquely recognizing humans based upon one or more intrinsic physical traits
Risk analysis provides the financial institution with valuable information as to how much investment it should make to enhance the security and controls of its ATM installation.
The EDP Audit Control and Security Newsletter (March 1991) indicated that risk analysis involves 4 steps:
• Reviewing the existing ATM centre environment
• Identifying the critical information processing of ATM applications
• Estimating the value of the ATM assets used by these applications that must be protected
• Quantifying the estimated loss associated with the occurrence of a fraudulent misuse of cards, unauthorised withdrawals, etc.
Reviewing the Existing Operation of the ATM Installation
It is essential that management identify all the various hazards to which the ATM centre is exposed, including natural disasters or otherwise. Management normally identifies the controls that are in operation to reduce the possible impact of these risks/threats. Controls of all kinds which are applicable to the Automated Teller Machine must be identified.
Even though the existing ATM controls may appear to be in operation, management must make sure that maintenance is performed to ensure that the controls will be effective in the event of a fraud or misuse. John Page and Paul Hooper (1987) indicated that compliance testing is used to determine the following:
• Whether the necessary controls are in place.
• To provide reasonable assurance that the controls are functioning properly.
• To document when, how, and by whom the controls are performed.
Management may recommend that some of these controls be changed, implemented or modified in ways that minimize the relevant risks and the exposure associated with them.
ATM Risk Management
ATM risk management is an ongoing process of identifying, monitoring and managing potential risk exposure as ATMs relate to payment systems. The following should be considered:
• General Supervision
• Transaction Processing
• System administration
Identifying the Various Areas
Management can identify the major areas of risk by doing an analysis or statistical sampling of the information given below. They should be able to form an opinion from this information:
a) Total number of ATMs and their usage.
b) Time logged on/Settlement time.
c) Number of Cardholders.
d) Number of Transactions, e.g. withdrawals and transfers etc.
e) Total amount withdrawn or transferred etc.
f) Number of ATM reports generated etc., and many more areas.
g) Overall review of ATM management resources etc.
Only after management have identified these areas can the controls be increased, changed or modified. It is important to determine a reasonable estimate of the overall value of the ATM installation. Care should also be taken in determining the value of the installed software.
Estimating the ATM Loss
Estimating losses can be difficult. Dr Catherine P Smith (1987) indicated “that normally the loss could be due to human error, technical error or deliberate action such as fraud, misuse or unauthorised use of the ATM card etc.” Most financial institutions treat ATM losses as small unless a major fraud is involved. Normally the loss is only a very small percentage when compared to the overall volume and amount transacted within the bank. Alvin A. Arens and James K. Loebbecke (1988) indicated “that it is not possible to establish any dollar-value guidelines as it depends on a number of factors which the management analyses and forms a decision”.
Upon management identifying the risks, audit techniques can be used to evaluate the consequences of fraud or misuse at the ATM prior to recommending improved controls.
There are several exposures to losses inherent in an ATM installation, e.g. exposure occurs when a customer transfers funds over communication links; customers’ financial data are subjected to fraudulent interception at many points.
What should be done is to find a way to reduce risks and threats to an acceptable level and to provide a method of recovery of ATM losses.
ATM Security Measures
Normally security measures are divided into 2 groups: firstly, to reduce the losses at the ATM, and secondly, to find a way to fund or recover these losses.
Measures to Reduce the Losses
a). The ATM Audit Log
The ATM audit log provides information that is recorded after the incident. The ATM audit log is useful as it identifies and diagnoses security violations. It traces figures contained in a report back to the point of processing and from processing to the source of the input.
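As an added illustration (not part of the paper) of how the audit log is used to trace a reported figure back to its source records, the following Python reconciles constructed host-side debit records against a constructed ATM audit log and flags the three mechanical-error cases listed under Types of Errors above. The record layouts, transaction references and amounts are assumptions made for the example.

```python
"""Reconcile host-side account debits against the ATM audit log.

Constructed example: each host debit is what the bank posted to the
customer's account; each audit-log entry is what the terminal recorded
leaving the cash dispenser.  Records are matched on (txn_ref, card_id)
so that every finding can be traced back to both source records.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (amounts in RM).
HOST_DEBITS = [
    # (txn_ref, card_id, amount_debited)
    ("T1001", "CARD-A", 300),   # normal: one debit, one full dispense
    ("T1002", "CARD-B", 500),   # short dispense: only 400 left the ATM
    ("T1003", "CARD-C", 200),   # double debit: two debits, one dispense
    ("T1003", "CARD-C", 200),
    ("T1004", "CARD-D", 100),   # debited, nothing dispensed
]

ATM_AUDIT_LOG = [
    # (txn_ref, card_id, amount_dispensed)
    ("T1001", "CARD-A", 300),
    ("T1002", "CARD-B", 400),
    ("T1003", "CARD-C", 200),
]


@dataclass(frozen=True)
class Finding:
    txn_ref: str
    card_id: str
    kind: str        # one of the three error types from "Types of Errors"
    debited: int     # total posted to the account for this reference
    dispensed: int   # total the audit log says was actually paid out


def reconcile(host_debits, atm_log):
    """Return one Finding per (txn_ref, card_id) whose host debits
    disagree with the audit log.  Only the three cases named in the
    paper are flagged; references where the amounts agree produce nothing."""
    debit_count = defaultdict(int)
    debit_total = defaultdict(int)
    for ref, card, amt in host_debits:
        debit_count[(ref, card)] += 1
        debit_total[(ref, card)] += amt

    dispensed = defaultdict(int)   # absent key -> 0 dispensed
    for ref, card, amt in atm_log:
        dispensed[(ref, card)] += amt

    findings = []
    for key in sorted(debit_count):
        ref, card = key
        debited = debit_total[key]
        out = dispensed[key]
        if out == 0:
            kind = "debited_not_dispensed"
        elif debit_count[key] > 1 and out == debited // debit_count[key]:
            # N identical debits but cash for only one of them
            kind = "debited_twice_dispensed_once"
        elif out < debited:
            kind = "dispensed_less_than_debited"
        else:
            continue   # amounts agree: no finding
        findings.append(Finding(ref, card, kind, debited, out))
    return findings


def trace(finding, host_debits=HOST_DEBITS, atm_log=ATM_AUDIT_LOG):
    """Trace a finding back to its inputs: the host debit lines and the
    audit-log lines carrying the same (txn_ref, card_id)."""
    key = (finding.txn_ref, finding.card_id)
    host = [r for r in host_debits if (r[0], r[1]) == key]
    atm = [r for r in atm_log if (r[0], r[1]) == key]
    return host, atm


if __name__ == "__main__":
    for f in reconcile(HOST_DEBITS, ATM_AUDIT_LOG):
        host, atm = trace(f)
        print(f"{f.txn_ref} {f.card_id}: {f.kind} "
              f"(debited {f.debited}, dispensed {f.dispensed}) "
              f"from {len(host)} host record(s), {len(atm)} audit record(s)")
```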
b). Encryption
Encryption is an effective technique for protecting the ATM system. This technique makes intercepted data useless to the interceptor by making it too difficult or too expensive to decipher. This means there is little risk of disclosure.
c). Software Auditing
R.M. Richards and J. Yestingsmer (1986) indicated that “software audit techniques include a review of program listings, used to test input/output data with expected results, and auditing of the ATM system processing program using error detectors built into the system. Tracing is software used by the auditor to identify which instructions were used in a program and in what order”. The advantage is that it helps to analyse the way in which the ATM program operates.
Software auditing provides system integrity to management and also provides an opportunity for management to identify security and control weaknesses. There are several good security packages that can monitor ATM software execution to detect possible tampering with the programs. These ATM utility programs provide the opportunity for management to examine whether the ATM programs are being properly executed and are not being overridden or by-passed. By using the audit software, frauds and misuses can be detected in a timely manner.
Controls
In general the process should ensure Confidentiality, Integrity and Availability (CIA). This requirement should be addressed with controls implemented at different levels of the ATM implementation, such as general application controls, business process controls, application controls and platform controls.
1. General ATM Operation and Organisation Controls
The operation and organisational controls are designed to ensure that functions are segregated among individuals. There are two main important elements in an ATM system: firstly the magnetic card and secondly the PINs. Generation of the PINs is not to be carried out by people who are processing the cards. Miklos A. Vasarhelyi and Thomas W. Lin (1988) indicated that “there should be segregation” in order to limit an individual to only one interface with the system.
Most ATM systems rely heavily on programmed controls within the ATM system software; hence it is important to separate the system development individuals, e.g. to separate:
• application testing from systems design and programming, and
• system software programming from application programming.
Risks/Threats
• Mailed cards being intercepted before reaching the authorised address.
• Uncollected cards not only take up valuable storage space but also pose a security risk to the bank through fraudulent use of these cards by bank staff.
• Retained cards: these ATM cards pose an even greater risk if they fall into the wrong hands and are misused.
• Inadequate supervision of embossing of the card.
• Stolen cards not being reported immediately.
• Stocks of blank cards could lead to unauthorised cards being issued, leading to fraud.
2. Business Process Controls
In general no one person should handle all the transactions. This can be achieved by proper segregation of duties. Appropriate controls should be included during reconciliation, verification of withdrawals, and verification of the date/time at which transactions were completed.
Close supervision is necessary within the embossing department, where control on card issuance should be rigorous after embossing. Furthermore, the envelopes should be issued based on a predetermined control number. During hours of non-production, the embossing department should be kept locked. Personnel having access to cards must be denied access to PINs whenever cards are prepared and processed. There should be two staff in charge of the process in order to have dual accountability for stock.
Security and Control of PIN (Personal Identification Number)
A PIN is a “personal identification number”. This is a number consisting of four numerical characters which is essentially a cardholder’s password. PINs can be assigned by the institution or can be customer selected. PINs which are generated for the customer can be derived from the customer’s account number and an algorithm. These PINs are normally stored in an encrypted form at the ATM. A temporary PIN is issued which can be used at the ATM immediately. Later the customer has the choice of selecting his own PIN number at the ATM.
Risks/Threats
There are a number of risks involved in the management of PIN numbers:
1. There is the integrity of the PIN itself. If control and security are not tight, the method of selecting PINs or encryption keys may become known, and duplicated PINs and mailers may be prepared.
2. The PIN mailers may be intercepted during mailing.
3. PINs longer than four digits are security hazards, as holders may be tempted to write down their number to remember it.
4. Issuing replacement PIN numbers to customers. If the person making the request has stolen the card or is not authorised to use it, the true owner of the card stands to lose a substantial sum of money.
Application Controls<br />
For control and security purposes the PIN is stored in encrypted form in a database file. The PIN mailers<br />
are prepared separately. The PIN is only activated upon the use of the card by the customer at the ATM.<br />
Adequate control should be exercised when PINs are produced for mailing. Mailing of the PIN is carried<br />
out subsequent to card mailing: the PIN is forwarded to the customer in a separate mailer on a different<br />
day.<br />
For security reasons all systems documentation concerning PIN generation/encryption and decryption<br />
keys must be under tight control at all times. Furthermore, extreme care must be taken when requests for<br />
new PINs are made. It is important for security reasons that the request for a new PIN should be in<br />
writing.<br />
For control purposes the number of PINs generated must be confirmed against the total number of<br />
applications approved.<br />
It is recommended that the customer’s PIN should not be displayed on the PIN mailer. For control and<br />
security reasons the PIN mailers should not have any direct reference or correlation to the customer’s<br />
account number or to the identity of the financial institution. The PIN must be scrambled or encrypted if<br />
printed or displayed on terminal screens.<br />
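The PIN controls above (a PIN derived from the account number under a secret key, storage of a protected value rather than the PIN, and masking wherever the PIN is printed or displayed) can be made concrete in code. The following is an added example written for this article, not code from the paper or from any bank; the keys and PAN are constructed sample values, and HMAC-SHA256 stands in for the bank's proprietary PIN-generation and PIN-verification algorithms (an assumption). The PIN block follows ISO 9564-1 format 0, which is what an encrypting PIN pad builds before encrypting the PIN for transmission.

```python
import hashlib
import hmac

# Constructed sample keys: a real issuer keeps PIN keys inside an HSM and
# never in source code. They are here only so the example runs offline.
PIN_GENERATION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
PIN_VERIFICATION_KEY = bytes.fromhex("fedcba9876543210fedcba9876543210")


def pan_field(pan: str) -> str:
    """PAN field of ISO 9564-1 format 0: '0000' plus the 12 rightmost PAN
    digits excluding the check digit. Spaces in a printed PAN are ignored."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + digits[-13:-1]


def derive_initial_pin(pan: str, key: bytes = PIN_GENERATION_KEY) -> str:
    """Issuer-assigned PIN derived from the account number under a secret key.
    HMAC-SHA256 followed by decimalisation is a stand-in (assumption) for the
    bank's proprietary generation algorithm. Every derived PIN depends on the
    key, which is why generation keys and their documentation need tight control."""
    digest = hmac.new(key, pan_field(pan).encode(), hashlib.sha256).hexdigest()
    decimal_digits = "".join(c for c in digest if c.isdigit())
    if len(decimal_digits) < 4:  # practically impossible for a 64-hex-char digest
        raise RuntimeError("decimalisation produced too few digits")
    return decimal_digits[:4]


def format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0 PIN block: the PIN field XORed with the PAN field.
    An encrypting PIN pad builds this block and encrypts it under the terminal
    PIN key, so the clear PIN never leaves the keypad or travels over the line."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    pin_fld = f"0{len(pin):X}{pin}".ljust(16, "F")
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_fld), bytes.fromhex(pan_field(pan))))


def pin_verification_value(pin: str, pan: str, key: bytes = PIN_VERIFICATION_KEY) -> str:
    """What the host stores instead of the PIN: a keyed one-way value over PAN
    and PIN (HMAC stand-in for a PVV/offset scheme, assumption). A copy of the
    database does not reveal PINs unless the verification key is also obtained."""
    return hmac.new(key, (pan_field(pan) + pin).encode(), hashlib.sha256).hexdigest()


def verify_pin(pin: str, pan: str, stored_pvv: str) -> bool:
    """Constant-time comparison so response timing does not leak anything about the match."""
    return hmac.compare_digest(pin_verification_value(pin, pan), stored_pvv)


def mask_pin(pin: str) -> str:
    """Representation safe for receipts, operator screens and logs."""
    return "*" * len(pin)


if __name__ == "__main__":
    pan = "4000 0012 3456 7899"                 # constructed sample PAN
    pin = derive_initial_pin(pan)               # issuer-generated temporary PIN
    stored = pin_verification_value(pin, pan)   # the host stores this, not the PIN
    print("PIN block:", format0_pin_block(pin, pan).hex().upper())
    print("verify:", verify_pin(pin, pan, stored), "shown as", mask_pin(pin))
```

The design point is that the clear PIN exists only at the keypad and inside the key-holding device: the terminal sends a PIN block, the host keeps a keyed verification value, and any printed or displayed copy goes through `mask_pin`. Losing the database alone therefore does not expose PINs; losing the generation key does, which is the risk the paper lists first.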
Other controls are as follows:<br />
• Access controls and authorisation for any addition, deletion or change to ATM transaction details<br />
should be implemented.<br />
• Any change to cardholder details should be authorised by an officer at the next level.<br />
• Realistic maximum transaction and maximum daily total limits should be implemented for ATM<br />
withdrawals.<br />
• Printed receipts should be dispensed by the ATM for every ATM transaction.<br />
• Every ATM transaction should be acknowledged by e-mail or by a short message (SMS) sent to the<br />
mobile phone to confirm or alert the user that a transaction was performed.<br />
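Three of the controls in the list above (next-level authorisation of cardholder changes, per-transaction and daily withdrawal limits, and a journal entry plus customer notification for every transaction) are simple to express as host-side logic. The code below is an added example for this article, not the paper's or any bank's implementation; the limit values, the staff directory and the notification text are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample limits and staff directory; a real issuer sets limits per
# card product and takes officer levels from its HR/IAM system.
MAX_PER_WITHDRAWAL = 500
MAX_DAILY_TOTAL = 1500
OFFICER_LEVEL = {"teller.alice": 1, "teller.bob": 1, "supervisor.carol": 2, "manager.dave": 3}


@dataclass
class Journal:
    """Transaction journal / audit trail plus the customer notifications it triggers."""
    entries: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


@dataclass
class CardAccount:
    pan: str
    daily_totals: Dict[str, int] = field(default_factory=dict)  # ISO date -> amount withdrawn


def authorise_withdrawal(acct: CardAccount, amount: int, when_iso: str, journal: Journal) -> bool:
    """Apply the per-transaction and daily-total limits, journal every attempt and
    notify the cardholder whether or not the attempt was approved."""
    when = datetime.fromisoformat(when_iso)
    day = when.date().isoformat()
    spent_today = acct.daily_totals.get(day, 0)
    reason: Optional[str] = None
    if amount <= 0:
        reason = "invalid amount"
    elif amount > MAX_PER_WITHDRAWAL:
        reason = "exceeds per-transaction limit"
    elif spent_today + amount > MAX_DAILY_TOTAL:
        reason = "exceeds daily total limit"
    approved = reason is None
    if approved:
        acct.daily_totals[day] = spent_today + amount
    tail = acct.pan[-4:]  # the journal never carries the full card number
    journal.entries.append({"card": tail, "amount": amount, "time": when_iso,
                            "approved": approved, "reason": reason})
    # Declined attempts are reported as well: declines on a card the customer
    # still holds are exactly the alert the SMS/e-mail control is meant to raise.
    verb = "Withdrawal" if approved else "Declined withdrawal"
    journal.alerts.append(f"{verb} of {amount} on card ending {tail} at {when:%Y-%m-%d %H:%M}")
    return approved


def approve_cardholder_change(requester: str, approver: str) -> bool:
    """Maker/checker: a change to cardholder details needs a different officer
    exactly one level above the one who keyed it in."""
    if requester not in OFFICER_LEVEL or approver not in OFFICER_LEVEL:
        return False
    if requester == approver:
        return False
    return OFFICER_LEVEL[approver] == OFFICER_LEVEL[requester] + 1


if __name__ == "__main__":
    journal = Journal()
    card = CardAccount(pan="4000001234567899")  # constructed sample PAN
    for amount, when in [(500, "2010-06-01T10:00:00"), (500, "2010-06-01T12:30:00"),
                         (500, "2010-06-01T18:45:00"), (100, "2010-06-01T21:00:00")]:
        print(when, amount, "approved" if authorise_withdrawal(card, amount, when, journal) else "declined")
    print("\n".join(journal.alerts))
    print("alice -> carol:", approve_cardholder_change("teller.alice", "supervisor.carol"))
```

Two choices worth noting: the journal stores only the last four digits of the PAN, so the audit trail itself does not become a source of card numbers, and the daily total is keyed by calendar date at the host, so a fraudster cannot reset it by moving between ATMs.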
3. Platform Controls<br />
Controls to consider should include:<br />
I. Encryption<br />
II. Algorithm<br />
III. Communication Controls<br />
i. Communication protocols<br />
ii. Encryption protocols etc.<br />
Measures to Use if Fraud Does Occur at the ATMs<br />
Unfortunately, losses and security breaches do occur. It is important to have a recovery procedure which<br />
will identify whether losses have occurred through the ATMs. Normally insurance companies provide<br />
banks with a Bankers Insurance Coverage, which includes losses, although “the cover needed will vary<br />
depending upon the risk”. It is important for financial institutions to have a loss control program in place<br />
in order to fully protect both their ATM customers and themselves. In addition to the Bankers Insurance<br />
cover there is also computer crime insurance cover. This covers all transfers of funds which are lost as a<br />
result of fraudulent input into the system.<br />
On its own, technology will never solve the problems of an inefficient and poorly managed<br />
institution. At such an institution, technology may just automate problems and highlight inefficiencies.<br />
ATMs require a high degree of additional control beyond those traditionally employed by financial<br />
service providers. Institutions need to make sure they are able to track funds that have been deposited<br />
into the ATMs but not yet accounted for in central accounts, as fraud or errors may be involved with the<br />
deposit. When introducing new technologies such as offering financial services through ATMs,<br />
institutions must be prepared to educate clients on the benefits and train them in the use of the new<br />
technology. Failing to do so can reduce adoption rates and/or lead to a rejection of the technology by<br />
the targeted clients.<br />
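Tracking deposits taken at the ATM but not yet posted to central accounts, and the earlier control of confirming the number of PINs generated against the number of applications approved, are both reconciliations: two keyed totals compared for anything present on one side only or differing in amount. The following added example (written for this article, not taken from the paper or any bank system) implements one generic reconciliation and applies it to both. The record layouts and the sample journal, ledger and PIN batch lines are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, NamedTuple


class Discrepancy(NamedTuple):
    key: str
    kind: str     # "missing_from_target", "missing_from_source" or "value_mismatch"
    detail: str


def reconcile(source: Dict[str, int], target: Dict[str, int]) -> List[Discrepancy]:
    """Compare two keyed totals and list every key that is absent on one side
    or whose amount differs. Sorted so the output is stable for audit files."""
    found: List[Discrepancy] = []
    for key, value in source.items():
        if key not in target:
            found.append(Discrepancy(key, "missing_from_target", f"{value} in source only"))
        elif target[key] != value:
            found.append(Discrepancy(key, "value_mismatch", f"source {value} vs target {target[key]}"))
    for key, value in target.items():
        if key not in source:
            found.append(Discrepancy(key, "missing_from_source", f"{value} in target only"))
    return sorted(found)


# Constructed sample records. The field layout is an assumption for this example.
# ATM electronic journal: DEP|<atm id>|<deposit reference>|<amount>
ATM_JOURNAL = """\
DEP|ATM017|D1001|250
DEP|ATM017|D1002|400
DEP|ATM017|D1003|120
"""
# Host (central account) postings: POST|<deposit reference>|<amount>
HOST_LEDGER = """\
POST|D1001|250
POST|D1002|440
POST|D1009|75
"""
# PIN mailer batch (one entry per mailer printed) and the approved applications
PIN_MAILER_BATCH = ["APP-1", "APP-2", "APP-3", "APP-3"]
APPROVED_APPLICATIONS = ["APP-1", "APP-2", "APP-3", "APP-4"]


def parse_pipe_records(text: str, tag: str, key_col: int, amount_col: int) -> Dict[str, int]:
    """Read 'tag|...' lines into {reference: amount}; a duplicated reference is itself a defect."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        cols = line.split("|")
        if not cols or cols[0] != tag:
            continue
        ref = cols[key_col]
        if ref in totals:
            raise ValueError(f"duplicate reference {ref}")
        totals[ref] = int(cols[amount_col])
    return totals


def reconcile_deposits() -> List[Discrepancy]:
    """Deposits the ATM journal says were taken versus what the host has posted:
    D1003 is money in the machine not yet in any account, D1002 was posted for
    the wrong amount, and D1009 is a posting with no deposit behind it."""
    return reconcile(parse_pipe_records(ATM_JOURNAL, "DEP", 2, 3),
                     parse_pipe_records(HOST_LEDGER, "POST", 1, 2))


def reconcile_pin_batch() -> List[Discrepancy]:
    """Mailers generated per application versus approved applications: APP-3 got
    two mailers (a duplicate PIN mailer is risk 1 in the paper) and APP-4 got none."""
    return reconcile(dict(Counter(PIN_MAILER_BATCH)), dict(Counter(APPROVED_APPLICATIONS)))


if __name__ == "__main__":
    for title, result in [("deposits", reconcile_deposits()), ("PIN batch", reconcile_pin_batch())]:
        print(title)
        for d in result:
            print(f"  {d.key}: {d.kind} ({d.detail})")
```

Run daily, the deposit reconciliation gives the institution the list the paper asks for (funds in the ATM not yet accounted for centrally), and the PIN batch reconciliation turns the "confirm PINs generated against applications approved" control into a check that fails loudly on a duplicate or missing mailer.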
Clients are often relationship oriented and enjoy person-to-person transactions. These<br />
transactions build trust and familiarity, while automating processes can depersonalize services and<br />
alienate clients. This must be considered and adequately planned for when switching from highly<br />
personalized services to automated transactions.<br />
Some Suggested EFT Audit Procedures<br />
• Physical Controls<br />
• Process Controls<br />
• Transmission and System failures<br />
• System logon controls<br />
• Messaging controls<br />
• Transfer Controls<br />
• PIN controls<br />
• Card Controls<br />
• Back-end application<br />
• Front-end application<br />
• Transaction Journal / Audit Trail<br />
• Visible Terminals<br />
Source: ISACA - Information Systems Audit and Control Association (2007)<br />
Conclusion<br />
Praveen Dalal (2006) indicated that although comprehensive computer insurance cover is available to<br />
banks for losses relating to ATMs, it is important to note that such policies vary significantly. By<br />
utilizing careful ATM analysis and the best prevention and reduction methods, acceptable levels of ATM<br />
risk can be maintained. One of the benefits that banks experience when using e-banking is increased<br />
customer satisfaction. This is because customers may access their accounts at any time and from<br />
anywhere, and they become more involved, which creates relationships with banks.<br />
Banks should provide their customers with convenience, meaning offering service through<br />
several distribution channels (ATM, Internet, physical branches) and having more functions available<br />
online. Other benefits are expanded product offerings and extended geographic reach. This means that<br />
banks can offer a wider range of newer services online to even more customers than was possible before.<br />
The benefit which is driving most banks toward e-banking is the reduction of overall costs. With<br />
e-banking, banks can reduce their overall costs in two ways: the cost of processing transactions is<br />
minimized, and the number of branches required to service an equivalent number of customers is<br />
reduced. With all these benefits banks can obtain success in the financial market. But e-banking is<br />
a difficult business and banks face many challenges.<br />
References and sources<br />
[1] ISACA, www.isaca.org/glossary (2007)<br />
[2] http://www.atmsecurity.com/monthly-digest/atm-security-monthly-digest/atm-fraud-andsecurity-digest-march-2009.html<br />
[3] http://www.computerworld.com/securitytopics/security/story<br />
[4] http://www.denverpost.com/headlines<br />
[5] http://www.europol.europa.eu<br />
[6] http://www.mydigitallife.info/2006/09/25/atm-hacking-and-cracking-to-steal-money-with-atmbackdoor-default-master-password/<br />
[7] http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/<br />
[8] http://www.wired.com/threatlevel/2009/04/pins/<br />
[9] https://www.european-atm-security.eu<br />
[10] McGlasson, L., ‘ATM Fraud: Growing Threats to Financial Institutions’, Bank Info Security,<br />
http://www.bankinfosecurity.com<br />
[11] ATM crime (2009): Overview of the European situation and golden rules on how to avoid it.<br />
[12] Robinson, G., ‘Bondi banks scam: ATM alert’, The Sydney Morning Herald, October 2008.<br />
[13] Hamelink, C., "The Ethics of Cyberspace," Sage, London, 2000; Ind, N., "Living the Brand,"<br />
Kogan Page, London.<br />
[14] Kalakota, R. and A. B. Whinston, "Electronic Commerce: A Manager’s Guide," 2nd Edition,<br />
Addison Wesley, Harlow, 2001.<br />
[15] Marcia Crosland, NCR Corp. (2010), Consumer behaviour drives innovation in ATM<br />
technology. http://www.atmmarketplace.com<br />
[16] ISACA (2001), IS Auditing Procedure: Electronic Fund Transfer (EFT). Information Systems<br />
Audit and Control Association.<br />
[17] RCBC (2007), Rizal Commercial Banking Corporation. Electronic Banking (e-Banking)<br />
Consumer Protection Policy.<br />
[18] Mike Fenton (2008), posted by Admin. Banking Systems and Technology: The Blog. Taking ATM<br />
fraud prevention to the next level.<br />
[19] Roy Martin R. and Jan Y. (1986), Computer and Security Risk Management: A key to security in<br />
Electronic Funds Transfer Systems. Elsevier Science Publishers.<br />
[20] Praveen Dalal (2006), Preventive measures for ATM frauds. Computer Crime Research Centre.<br />
[21] Diebold Inc. (2002), ATM Fraud Security white paper.<br />
[22] James Essinger (1987), ATM Networks: Their organisation, security and finance, published by<br />
Elsevier Int. Bulletin, Chapter 6, Future developments.<br />
[23] Alvin A. A. and James K. Loebbecke (1988), Auditing: An Integrated Approach, 4th edition,<br />
Chapter 8, pp. 231-269, Prentice Hall International Edition.<br />
[24] The EDP Audit, Control and Security Newsletter (1991), EDPACS, Robert Parker, Access<br />
Control Software: What it will and will not do. Vol. XVIII, No. 8.<br />
[25] John and Paul H. (1987), Accounting and Information Systems: Compliance testing in a computer<br />
environment. Chapter 16, 3rd edition, Prentice Hall.<br />
[26] Andrew D. Chambers (1981), Computer Auditing Insurance, Chapter 5, Pitman Books Ltd.<br />
[27] Campion, Anita and Sarah Halpern, “Automating Microfinance: Experience from Latin America,<br />
Asia, and Africa.” MicroFinance Network, 2001.<br />
[28] www.mfnetwork.org/bookmarks/Itemid,26/task,detail/catid,1/navstart,0/mode,0/id,5/search,CGAP IT Innovations Series<br />
[29] www.cgap.org/publications/microfinance_technology.html<br />