ATM Risk

Well, amongst all the headlines in the news this one caught my attention. Partly because it’s a little bit hyped and partly because it’s probably true. Full story here. Now it might seem strange that this type of story gets into the news, but we all love a bit of scaremongering which has an element of the truth and an “I didn’t know they could do that” to it.

Having been responsible for Revenue Assurance & Fraud in a couple of my previous roles, the ingenuity and resourcefulness of actual or wannabe fraudsters never ceases to amaze me, and that is why I would not at all be surprised if there is at least some gravity to the report. I remember many a meeting between different fraud detection agencies where someone would bring up a story from the press and people would say no way is that true.

Other times there was a partial truth or an actual fraud to back up the story. I have also been in the position where people have said “actually guys, I know that sounds crazy but that can be done”, and everyone looked across at them and asked how. After all, one of the reasons these groups, often from rival organisations directly competing against each other, meet is so that these things can be discussed.

One of the reasons credit card and ATM use has grown the way it has is that there is an element of consumer protection underlying and supporting their use. I recognise that the removal of these regulations and business practices is often discussed and I heard it again recently following Brexit. However the spread of the ATM has largely been fuelled by the concept and belief that the end user has some support and protection if things go wrong.

With the drive from both the consumer and the institutions for more online delivery, not only digital interventions but also physical interventions to obtain the missing details needed to hack the system will only increase.

So what about the person in the street, the traveller or the businessman? What can they do to make sure they stay one step ahead of the fraudster? Well, to be honest, it’s difficult. There is a reason these fraud departments are so complex, and that’s because although some fraud attacks are simple, some are very complex.

Life has strange ways of getting back at you of course, sometimes knocking you down when you think you have reached the top other times bringing a touch of reality to bear.

I always remember chatting to a fraudster at a conference, yes that’s right, a fraudster. He had been tracked by the FBI for years and managed to avoid capture; eventually he had been caught and was now working with fraud detection agencies. Guess how he was eventually captured? It wasn’t the powers of the FBI or anything like that, no, he had an affair with his friend’s partner, who found out and turned him in. So you see there is simplicity in complexity sometimes.

Many years ago I remember being asked to advise a large organisation on their password policy as they were having serious problems with information being leaked. On questioning I found that they had implemented a very strict password policy where all passwords had to be changed every week and you couldn’t reuse the same password for 6 months. Additionally, after they found that people were simply adding an increasing number at the end each month, they prevented that so you could no longer have Michael1, Michael2, Michael3 etc. So on attending the secure area that this applied to I noticed that passwords were often on yellow post-it notes or in notepads. In making it so strict, the password policy had meant that no one could remember their passwords, so they were nearly all written down somewhere close to the screen of the user. Not such a good idea, it seems. This predates biometrics, by the way.

So my advice on fraud prevention has not really changed over the years. Firstly ensure you do as much as possible to make life difficult for the potential fraudster or as some prefer to call them thief.

So don’t write things down, make them difficult to guess and make sure you are insured in some way so that any loss is covered. If you have a card in a purse or wallet I would recommend that it’s screened (RFID), but on the whole just be aware of what’s going on around you. The most common attacks are the simplest.

One of the great advantages of cash points of course is that you can travel the world cashless these days and just get local currency at any cash point. Long gone in the distant past is the idea of traveller’s cheques; in fact, when I gave a recent presentation none of the younger people in the audience had a clue what they were. I think for the most part they have been consigned to history along with the idea of having film in your camera.
As regular travellers it’s great to be able to simply arrive in country and be able to get local cash so easily. If your PA or office change plans and you end up going to Singapore instead of Boston as planned then it’s no problem as far as the cash goes. Cash and a couple of credit cards along with a passport mean that you are truly free to travel the globe.

There are basically two major designs of cashpoint machines. There are those based in a room, normally as part of a bank but sometimes in shopping malls, where you swipe your card to gain entry. The second type is often simply referred to as hole in the wall machines. As this suggests, they are just fixed to the side of a wall outside banks, garages and shops.
Neither offers you the protection of people not realising you are gathering cash. If you are simply making a deposit then you should assume that bystanders believe you have just withdrawn cash.
There are several ways we can look at these different setups as each has advantages and disadvantages for you.

If we look at the cashpoints in the context of assault, the room based systems have slightly improved security, as in theory everyone in there has swiped their card to gain entry and they are always well covered by cameras. However, it’s possible a stolen card could be used to gain entry so you shouldn’t lower your guard. Additionally, if there is any kind of robbery or confrontation you are then trapped in this locked room with your attacker. Even a well-meaning passer-by can’t come to your aid and assistance. CCTV is great in helping the police catch whoever robbed, raped or murdered you after the event, but never rely on CCTV to protect you before or during your struggles.

If you are in one of these types of areas with cashpoints and someone knocks on the door asking to be let in what would you do?

Think first act later.

If they were able to use the machines then their card would also open the door and let them in. The fact they want you to help them enter means that they can’t use the machines anyway. If that doesn’t raise alarm bells with you then it should. One of the ways that these types of characters fool you into letting them in is by having something in their hands like shopping bags or being on the phone. These are all distractions to take your mind off the fact that not being able to gain entry to the area means they shouldn’t be in there. At this point, even if you don’t let them in, you should be really alert as they may well be waiting outside.

The hole in the wall machines offer you the chance to just leave the card and cash and run. Yes you will be down a few notes but really it isn’t worth fighting over.

The biggest danger from the hole in the wall option is that someone approaches unnoticed and blindsides you. In this scenario you don’t have the option to run or just hand over the cash as you have already been hit, stabbed or shot. Awareness around you at all times is crucial. When I talk about awareness I don’t mean to start looking around constantly like a startled hare, as it identifies you as a victim. Additionally, if you were watching a cash point and someone was really nervous then you and everyone will assume they are drawing out large sums.

If you feel someone is watching or too close then cancel the transaction, make a fuss of looking mad, shake your head and stride off. People will assume you were refused the cash and simply wait for the next unsuspecting victim.

Shoulder surfing and a number of other similar scams have inevitably sprung up to take advantage of these cash machines. Your main defence is to be alert to your surroundings and other people. If someone talks to you while you are working the machine assume the worst. This is an intrusion into your personal space and if it isn’t setting off alarm bells for you then nothing will.

When giving a talk I was asked about what I would recommend in the situation where someone was forced to go to a cash point and withdraw money.

In this case the person was coerced by a gang with a weapon being used to threaten them. All situations are different and in most there is probably not a right or wrong that you can state, as each person and each attacker will behave in different ways. Couple that with the environment around them, and as events unfold, circumstances, threats and levels of danger could change rapidly.
My overwhelming recommendation for the majority of people in this type of situation is to give the people the money they want. If possible take any opportunity to make good your escape but not at risk of your own safety.

This type of theft has a natural ending to it; it’s time-defined in that you can only withdraw so much money before your card is no longer of use. You and your attacker both know that and that is a huge problem.

As the events come to a natural conclusion the attacker is left with a problem, and that problem is you. They have a choice to make now which may have already been decided weeks or months ago when this was being planned. Do they let you go, or do they make sure you can’t talk about what happened to the authorities, which could lead to their arrest? The likelihood of each choice is not linear and could depend on a number of variables, some of which you don’t know.

Depending on where you are in the world taking someone’s life might be a lot less of a major decision than elsewhere.