ATM Risk Management and Controls - EuroJournals

More documents

Recommendations

Info

164 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010) Distraction theft or ‘manual’ skimming Shoulder Surfing Leaving transaction ‘Live’ Cash trapping COMPUTER AND NETWORK ATTACKS Network attacks against ATMs Viruses and malicious software Phishing PIN cash-out attacks Utilizing a Fake PIN pad overlay PIN Interception PHYSICAL ATM ATTACKS Ram Raid Attacks Theft of ATMs Smash and Grab of ATMs Safe cutting/Safe Breaking Explosive Attacks The other most common cash dispenser fraud has become known as the "Lebanese loop" because criminals of Lebanese origin apparently first used it. This has many variations but usually involves the cash machine being tampered with so that your card is not returned to you and is then removed by the criminals: alternatively if you get your card back a device has recorded the details of your magnetic stripe. The crooks have also captured your PIN number though some variation of shoulder surfing. It is this problem that has led to banks putting posters and other warnings on ATMs advising customers to visually inspect the machine to see if it has been altered or tampered with. Types of Errors So far the ATMs have been the most widely spread application of electronic banking. There are various types of errors which can occur due to mechanical failure at the ATM terminal leading to the following problems:- • ATM dispenses less cash to the customer but the account is debited correctly. • The customer’s account is debited twice but the cash is only dispensed once by the ATM. • The customer’s account is debited but the cash is not dispensed by the ATM. Normally errors can occur at any time, even when the ATM accepts cash and cheques deposits. There have also been cases of phantom withdrawals and the card-holder denying being responsible for those cash withdrawals, although the computer records showed that a genuine transaction had taken place. Reputational Risks This is considerably heightened for banks using the Internet. For example the Internet allows for the rapid dissemination of information which means that any incident, either good or bad, is common knowledge within a short space of time. The speed of the Internet considerably cuts the optimal response times for both banks and regulators to any incident. Any problems encountered by one firm in this new environment may affect the business of another, as it may affect confidence in the Internet as a whole. There is therefore a risk that one rogue e-bank could cause significant problems for all banks providing services via the Internet. This is a new type of systemic risk and is causing concern to e-banking providers. Overall, the Internet puts an emphasis on reputational risks. Banks need to be sure those customers’ rights and information needs are adequately safeguarded and provided for.
165 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010) Management Risk Analysis Management risk analysis identifies the nature of risk involved in detail. This evaluation helps the financial institution to decide whether it is necessary to have controls to overcome losses which may arise from various risks associated with the ATMs. A plan is normally formulated as to how these ATM risks are going to be identified, what methods are going to be used to overcome these risks/threats, and, if a fraud or a misuse should occur, how much loss is expected and how Bank is going to recover. This is the highest risk category that requires the strongest controls since online transactions are often irrevocable once executed. The bank’s internet systems may be exposed to internal or external attacks if controls are inadequate. A heightened element of risk is that attacks against internet systems do not require physical presence at the site being attacked. At times, it is not even clear or detectable as to when and how attacks are launched from multiple locations in different countries In view of the proliferation and diversity of cyber attacks, banks should implement two-factor authentication at login for all types of internet banking systems and for authorising transactions. The principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details as well as enhance confidence in internet banking by combating phishing, key logging, spyware, malware, middleman attacks and other internet-based scams and malevolent exploits targeted at banks and their customers. Two factor authentications for system login and transaction authorisation can be based on any two of the following factors: • What you know (eg. Personnel Identification Number) • What you have (eg. One Time Password token) • Who you are (eg. Biometrics) comprises methods for uniquely recognizing humans based upon one or more intrinsic physical traits Risk analysis provides the financial institution with variable information as to how much investment it should make to enhance the security and controls of its ATM installation. The EDP Audit Control and Security Newsletter (March 1991) indicated that risk analysis involves 4 steps. • Reviewing the existing ATM centre environment • Identifying the critical information processing of ATM applications • Estimating the value of the ATM assets used by these application that must be protected • Quantifying the estimated loss associated with the occurrence of a fraudulent misuse of cards of unauthorised withdrawals etc. Reviewing the Existing Operation of the ATM Installation It is essential that management identify all the various hazards to which ATM centre is exposed, including natural disasters or otherwise. The management normally identifies the controls that are in operation that are to reduce the possible impact of these risks/threats. Controls of all kinds which are applicable to the Automated Teller Machine must be identified. Even though the existing ATM controls may appear to be in operation, the management must make sure that maintenance is preformed to ensure that the controls will be effective in the event of a fraud or misuse. John Page and Paul Hooper (1987) indicated that compliance testing is used to determine the following: • To determine whether the necessary controls are in place. • To provide reasonable assurance that the controls are functioning properly • To document when, how, and by whom, the controls are preformed. The management may recommend that some of these controls be changed, implement or modified in ways that minimize the relevant risks and the exposure associated with them.
Page 1 and 2: European Journal of Economics, Fina
Page 3: 163 European Journal of Economics,
Page 7 and 8: 167 European Journal of Economics,
Page 9 and 10: 169 European Journal of Economics,
Page 11: 171 European Journal of Economics,

ATM Risk Management and Controls - EuroJournals

Create successful ePaper yourself

Delete template?

Save as template?