A Two-Step Prevention Model Of ATM Frauds

There has been a tremendous increase in ATM fraud incidents in recent years. Card fraud reports put losses from payment card fraud at $16.31 billion in 2014, and expect them to reach $35.54 billion in 2020. Hence there is a real demand for robust security methods, devices, and technology to safeguard ATM transactions. This paper proposes a two-step procedure for starting an ATM session within a closed end-to-end fraud prevention system: the smartphone is added as an additional layer for ATM transactions, and the legitimate user's smartphone device ID number is used to strengthen transaction security with currently available technologies.

Introduction

Recent years have seen many breaches and security incidents relating to ATM security. Those incidents led to significant losses for users, card issuers, and financial institutions. Card skimming is the most commonly known ATM fraud and still overtakes all other ATM fraud techniques. It happens when thieves steal the electronic data from users' cards, enabling them to counterfeit the card and use it as the legitimate user would, withdrawing cash or making online purchases. It mostly occurs in retail outlets that request credit card payments, such as gas stations and restaurants. ATM skimming fraud increased in 2015; it reached more than $8 billion in losses, which represents 33% of ATM frauds happening around the globe and 98% of all losses committed against ATMs. The financial analytics company FICO stated that skimming incidents increased by 546 percent from 2014 to 2015, and that 60% of such incidents occurred at non-bank locations.

Card trapping happens when the fraudster traps the victim's ATM card in the machine using a device inserted into the ATM, in order to steal the victim's physical card. It accounted for around 18% of ATM frauds in 2015. Cash trapping is where the fraudster uses a device to physically trap the cash that has been dispensed, so the customer believes there is a problem with the ATM and that the transaction was not completed, while the fraudster comes back to collect the money once the client has left the location. This type of attack is very low compared to skimming, at about 15% of ATM frauds committed; a hardware sensor can be used to get reliable information about the device state.

Logical attacks are those in which the fraudster uses external electronic devices or malicious software to take control of the targeted ATM and then withdraw money. This method is growing rapidly and targets the ATM's software, operating system, and communication systems. Fraudsters use viruses to exploit the ATM's operating system, or install malware to violate the confidentiality and authenticity of ATM transactions. There are several ATM malware methods: software skimming malware, which targets the ATM PC and allows an attacker to intercept card data and PIN at the ATM, representing 75% of logical frauds; jackpotting, where the attacker uses malware to control the ATM PC and direct the cash dispenser to dispense money; and man-in-the-middle, where attackers take control of and manipulate the communication between the ATM PC and the merchant acquirer's host system, for example to withdraw money without debiting the card account. In 2014 logical attacks reported were 51% in Europe and reduced to only 15% in 2015.

Physical attacks are those in which the fraudster tries to remove the entire ATM and then uses industrial tools to gain access to the safe and steal the money. Fraudsters use gas explosives, power drills, grinders for cutting, or pulling with a vehicle. The most common physical attacks are angle grinders, reported at 35.9%, explosion attacks at 26.77%, manual physical attacks at 25.35%, and vehicle raid attacks at 6%.

In the following sections, we discuss the methods that have been proposed, used and implemented for protection against the different ATM fraud attacks, and then we demonstrate our proposed method with a comparison to previously adopted methods.

Literature review

Due to the enormous increase in daily ATM operations and the related increase in robbery and fraud, it was necessary to find the appropriate means and systems for protection against fraud and to counter the growing number of fraudulent transactions. Some financial entities merely give tips to their clients, such as changing the PIN regularly, being vigilant and avoiding the ATM whenever there is any suspicious individual or object nearby, shielding the ATM keypad with a hand when entering the PIN so nobody can see or record it, not accepting help from strangers at the ATM, and using the nearest phone to contact the bank or police to report any incident. Several card fraud detection systems have been suggested and used to detect malicious actions in ATM transactions.

One disclosed system is designed to manage payment card fraud after the card holder has physically passed through at least one security checkpoint at which the card holder's identity is authenticated. In addition, at least one payment card identifier associated with the card holder is received, and then the payment card profile is updated. This method needs a regular update of authentic checkpoints, and assumes that the fraudster is not in the same region as the genuine card holder. The disclosed method sets rigid rules for updating the payment card profile under an assumed scenario for client and fraudster locations. The update of the payment card profile should be associated with the card holder authorizing the use of the payment card within at least one destination region, a period, or a combination thereof.

The system should update payment card profile under these two conditions:

  1. The card holder has physically passed through at least one recorded security checkpoint at which the card holder's identity is authenticated.
  2. At least one payment card identifier associated with the card holder is received.

The disclosed system's claims for adoption are:

  1. The client passes through an authenticated and recorded checkpoint.
  2. The payment card used is one of the pre-listed payment cards.
  3. The payment card is authorized to be used within at least one destination region, period, or a combination thereof.
  4. The payment card identifier is received through a magnetic stripe payment card reader, a text message, optical recognition of a picture of the payment card, near field wireless communication with a smart chip embedded in the credit card, or a combination thereof.
  5. The payment card identifier information is matched against information from the purchased ticket.
  6. The payment card identifier is received, within a settable period, from a ticket venue network address, meaning an identifier for a node and the network interface of a telecommunications network associated with the ticket.

However, this ignores that the fraudster often steals the genuine client's authentication data and uses a counterfeit card to make transactions, and this can happen in the same region, especially in card trapping or stolen card cases. Furthermore, payment cards are broadly used to make payments everywhere in the globe, especially by cardholders who travel often.

This system is still vulnerable: if the card holder is defrauded after passing through an authentic checkpoint, the system will treat the fraudulent transaction as authentic. The system updates the payment card profile after comparing the payment card identifier with the information from the online receipt of the purchased item or ticket; but what if the cardholder is purchasing an item or flight ticket for his wife, kids, or relatives? The disclosed system provides a good solution for specific scenarios but remains vulnerable in many uncovered scenarios, and it places many restrictions on card usage.

FraudBlock is a comprehensive fraud detection and protection solution designed to provide near real-time fraud prevention. This system provides online authorization decisions to identify and prevent fraud before it happens by accumulating historical data to determine fraud patterns. The system establishes rules for transaction blocking using a parameterized rules-based structure. It also reviews every transaction made with the client's card, and if, for instance, the transaction falls outside the client's normal spending pattern, the transaction is forwarded to the fraud protection section.

If it looks suspicious, a temporary block is placed and the card holder is contacted directly. This system depends on specific historical patterns, while fraudsters use the victim's authentication data, which makes the transaction look like a normal transaction; the real solution is to discover that the person making the transaction is not the genuine card user.

The SmartVista Fraud Prevention & Monitoring system uses historical data about detected fraud cases to create a set of detection rules; these rules are updated with any new fraud cases or bank experience, allowing the system to classify a transaction as suspicious.

For example, if a large number of cards issued by a bank were used in a specific shop whose database was stolen, the data of these cards can be employed in any part of the world. In such a case, the bank should be able to react quickly to detect and tackle any suspicious transactions from these cards coming from any other region. Also, if cards are reported stolen in a specific area, the system registers this area as suspicious and monitors subsequent card usage coming from that area. When it detects a suspicious transaction made with a card previously used in the registered area, the system sends an alert and allows timely blocking of the card. This system depends on historical data, i.e. on data gathered after the fraud has occurred, not before it; the fraudster will therefore be able to make transactions, and the system will consider them normal.

Various methods have been suggested and used for protection against skimming, such as learning patterns of normal behavior from the status information in an ATM, so that any significant deviation from the learned behavior is an indicator of a fraud attempt. Another is the designated-time method, wherein the client chooses the time of usage and can change it at any time; although it is an effective method to tackle scams, it is not suitable for clients who often use their cards in daily purchasing. ATM monitoring with electronic cameras is useful against physical attacks, card trapping and cash trapping, but it does not help to uncover scams resulting from card theft or counterfeit cards, where the fraudster can use the client's data to make ATM transactions normally. Alert systems can also be installed to notify the police, bank, and client whenever there is a suspected physical attack. In the next section, we demonstrate our suggested model, which aims to tackle fraudulent transactions.

Suggested system

Non-physical attacks depend on theft of the user's authentication data, on malware, or on hijacking transactions in the card network back-end infrastructure. If we break the standard path of the transaction, then even if the fake user has the authentication data, he will not be able to complete the transaction. Attacks can be local attacks, which happen at the ATM where the fraudster uses correct authentication data with a counterfeit card, and remote attacks, which happen during transaction processing within the network, as shown in the figure.

We aim to use the genuine client's smartphone as an intermediate tool: financial institutions maintain not only the customer's PIN number but also the customer's smartphone device ID (device identification), which is a unique number associated with a smartphone and is separate from hardware serial numbers. A bank base application (BBA) should be installed on the bank back-end system (2ABES), on the ATM (2AATM), and on the genuine user's smartphone (2ASTP).

When the genuine user starts an ATM transaction and enters the correct PIN number, the ATM system (2AATM) asks the user to select one of two choices: a barcode or a transaction PIN number (TPN). A request is sent to the bank system (2ABES) to start an ATM transaction for the logged-in user. The bank system then generates either a barcode or a transaction PIN number, using a hash function over a composite of a transaction random number and the user's smartphone device ID.

The bank system updates its database record, specifically the user's transaction permission field, with the generated barcode or transaction PIN number as per the user's selection at the ATM. The bank system replies to the ATM by sending the generated barcode or transaction PIN number. Accordingly, the bank system sends the method, the hash function used and the random number used to the user's smartphone, where the installed application (2ASTP) generates the barcode or TPN from the method, hash function and random number received from the bank together with the device ID that the application reads directly from the client's smartphone.

The ATM system then asks the user to enter the TPN or show the generated barcode to the ATM as confirmation to complete the transaction.

Suggested scenario

We suppose that a compromise has actually occurred, and so we want to avoid relying on the PIN directly and instead go through another trusted intermediary, the legitimate user's trusted phone, to complete the process as described in the steps below:

  • The bank database system maintains not only the customer's PIN number but also the customer's smartphone device ID (device identification), which is a unique number associated with a smartphone and is separate from hardware serial numbers.
  • The bank base application (BBA) is installed on the bank back-end system (2ABES), on the ATM (2AATM) and on the user's smartphone (2ASTP).
  • The user logs in to the ATM using the PIN number as usual.
  • If authentication is successful, the ATM asks the user to select one of two choices, barcode or transaction PIN number (TPN), to continue the transaction.

If the user selects barcode:

  i. The back-end banking system (2ABES) uses a specific hash function to generate a barcode from a combination of the smartphone device ID and a random number.
  ii. The back-end banking system (2ABES) updates the user's banking record with the generated transaction authentication; this is repeated for each transaction session started by the user.

If the user selects TPN:

  i. The bank back-end system (2ABES) uses a hash function to generate a transaction PIN number from the user's registered smartphone device ID and a random number, updates the user's record, and then sends both the generated random number and the hash function used to the user's registered smartphone cell number.
  ii. The user's smartphone application (2ASTP) is configured to receive the hash function and random number from the bank system. 2ASTP then generates the transaction PIN number from the smartphone device ID read from the user's smartphone.
  iii. The ATM asks the user to enter the generated transaction PIN number.

If the smartphone device used differs from the user's registered smartphone device, the generated transaction PIN number will be different, and hence the user is not authenticated to complete the transaction. The main aim of using the user's smartphone device is that even if the fraudster has obtained the legitimate user's PIN number, he will not be able to perform a transaction without the user's registered smartphone device. Furthermore, if the fraudster gains access to the user's smartphone device, he should not know the user's PIN number, which is needed to begin a transaction. The only situation in which the fraudster can complete the transaction is when he has the user's smartphone device, the user's cell number and the card PIN number, which we expect to be very rare.

Suggested algorithm

The suggested algorithm assumes that there is an attack in progress, which might be a local attack or a remote attack.

Therefore, when a user (meaning any user, not necessarily the legitimate one) logs in to the ATM using the card PIN number and the entered PIN is correct, the ATM system starts a transaction session authentication process by asking the user to select whether to enter a TPN or show a barcode to the ATM screen barcode reader. If the user does not have either of them, the user requests transaction session authentication from the bank system; this can be in barcode format or a TPN as a serial number, both created as a combination of the legitimate user's smartphone device ID and a random number using a hash function. The bank system updates the user's transaction record with the generated transaction session authentication and then sends the method used, the random number and the hash function used to the legitimate user's recorded cell number. The genuine user's smartphone generates the barcode or TPN from the received data and the smartphone device ID it reads locally. The user's smartphone device ID is recorded in the bank database and is never sent during transaction processing. Therefore, when processing on the bank side, the genuine user's smartphone device ID is read from the user's records, while when processing on the genuine user's smartphone, the device ID is read directly from the smartphone itself.
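To make the exchange concrete, the following simulation of the TPN variant of the suggested algorithm is an added example, not code from the paper: the bank (2ABES) stores the expected TPN and transmits only the hash method name and the random number, the phone (2ASTP) recomputes the TPN from the device ID it reads locally, and the ATM (2AATM) forwards what the user types. The choice of SHA-256, the 6-digit TPN length, and the sample customer record are assumptions.

```python
"""Simulation of the TPN exchange among the paper's three parties:
bank back-end (2ABES), ATM (2AATM) and smartphone app (2ASTP).
Constructed example: SHA-256, the 6-digit TPN and the sample customer
are assumptions, not details taken from the paper."""
import hashlib
import hmac
import secrets

TPN_DIGITS = 6  # assumed; the paper fixes no TPN length


def derive_tpn(device_id, random_number, method="sha256"):
    """Hash (random number || device ID) and reduce the digest to a numeric TPN."""
    digest = hashlib.new(method, (random_number + device_id).encode()).hexdigest()
    return str(int(digest, 16) % 10 ** TPN_DIGITS).zfill(TPN_DIGITS)


class BankBackend:  # 2ABES
    def __init__(self, customers):
        # customers: card -> {"pin", "device_id", "cell"}; device_id never leaves here
        self.customers = customers
        self.pending = {}  # card -> expected TPN for the single open session

    def verify_pin(self, card, pin):
        cust = self.customers.get(card)
        return cust is not None and hmac.compare_digest(cust["pin"], pin)

    def start_session(self, card, method="sha256"):
        """Store the expected TPN; hand back only method + random for the phone."""
        cust = self.customers[card]
        rnd = secrets.token_hex(16)  # fresh per session, so a captured TPN is useless later
        self.pending[card] = derive_tpn(cust["device_id"], rnd, method)
        return {"to_cell": cust["cell"], "method": method, "random": rnd}

    def confirm(self, card, entered_tpn):
        """Single-use check: the expected TPN is discarded whether or not it matched."""
        expected = self.pending.pop(card, None)
        return expected is not None and hmac.compare_digest(expected, entered_tpn)


class SmartphoneApp:  # 2ASTP
    def __init__(self, device_id):
        self.device_id = device_id  # read from the handset itself, never received

    def compute_tpn(self, msg):
        return derive_tpn(self.device_id, msg["random"], msg["method"])


def atm_session(bank, card, pin, phone):
    """2AATM flow: card PIN first, then the TPN the user reads off the phone in hand."""
    if not bank.verify_pin(card, pin):
        return "pin rejected"
    msg = bank.start_session(card)  # bank -> registered cell number
    tpn = phone.compute_tpn(msg)    # phone -> user -> ATM keypad
    return "transaction confirmed" if bank.confirm(card, tpn) else "tpn rejected"


# Constructed sample customer record (not real data).
BANK = BankBackend({"4000-0001": {"pin": "1234", "device_id": "DEV-ALICE-7F3A",
                                  "cell": "+1-000-000-0001"}})
```

A phone with any other device ID produces a non-matching TPN, and a TPN cannot be replayed in a later session because the bank discards it on first use; since a 6-digit TPN can be guessed with probability 1 in 10^6 per attempt, the bank must also limit confirmation attempts per session.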

Although it is very rare for the fraudster to gain access to the card PIN, the genuine user's smartphone device, and the genuine user's cell number all at once, we can calculate the probability that the fraudster obtains a valid transaction PIN number (TPN): this is possible if and only if he has access to all three of the parameters just mentioned.

It is clear that implementing this model should make the vulnerability extremely rare compared to the current system, which depends on the PIN number alone as the authentication method for ATM transactions.

Conclusions

The suggested method provides a viable solution to the problem of ATM skimming and remote fraud. It depends on available technology and therefore does not need substantial changes to currently installed ATMs. Moreover, even if the fraudster obtains the user's PIN number and uses a counterfeit card, he will not be able to obtain the user's smartphone device ID number, which is read directly from the user's device. In addition, the bank system sends the method, the hash function used and the generated random number only to the legitimate user's cell phone number recorded in the bank's records.

We consider it very rare that a fraudster will obtain the card PIN, the genuine user's smartphone device and the genuine user's cell number together. ATM transaction authentication should be performed at the start of each session, but not for every operation within the same session. The bank system should provide full support to clients to avoid the huge losses caused by these vulnerabilities, and at the same time customers should be made aware of new tricks they might face, which cause many losses and problems for both clients and the banks' financial systems.

03 December 2019