On the evening of December 11, 2016, we got an opportunity to have a tea session with Mr. Shah Azizul Islam, EVP & Head of Card & ADC Operations Unit, Dhaka Bank. He’s been working in the cards landscape for over 15 years.
During the interview, we asked about ATM card skimming, ATM tampering, card fraud activities, and how to avoid them.
“Card or ATM fraud isn’t new,” Shah said. What has changed, he said, is that “the technology of the miscreants is changing every year.”
“In ATM card skimming, miscreants usually use two devices to capture PIN and card data. The first one is used by placing it in the ATM where you insert your card. It extracts the required data from the magnetic stripe on your card. The second tool is a hidden camera used to capture images of the PIN being entered,” he said. But how do they then use those data without a valid card? “Once miscreants get hold of the stolen data, they use it to create a counterfeit card and use it with the captured PIN to access your account,” he explained.
However, mandatory installation of Anti-Skimming devices and PIN Shields at all ATMs in the country has been introduced and has effectively reduced the risk exposure.
But banks and customers must both stay vigilant during ATM transactions.
Innovative and technologically advanced attacks like ATM Cash-Out fraud or ATM Jackpotting capitalize on issuers’ and acquirers’ time zone differences, country holidays and other times when normal support and monitoring staff may not be available, or rely on malware loaded to remotely gain control of ATMs. Banks should adopt globally established security standards and practices such as PCI-DSS and ensure that effective policies, processes and reviews are in place to protect against such attacks.
Shah Azizul Islam also talked about what banks/Issuers may do as preventive measures. “Chip cards and PIN-based transactions are inherently safer than magnetic-stripe cards and signature-based transactions. And for online transactions, 2-Factor Authentication significantly reduces fraud risk. Issuers have to move in that direction,” said Shah.
“Customer awareness is another vital area. Banks must keep their customers aware about safe practices and promptly notify them through transaction alerts. Similarly, Banks must also educate and monitor their merchant relationships to ensure that customer protection is not compromised.”
“Banks should also keep close monitoring on their ATMs. Setting up necessary surveillance equipment with ample lighting to detect suspicious activity is an effective measure.”
All maintenance activity must be authenticated, monitored and documented. Unauthorized persons must not be allowed access to the ATM premises.
“Banks should inspect ATM booths on a regular basis. They should physically inspect all elements of the ATM Booths and document the same,” Shah stressed.
ATM Anti-skimming device and PIN Shield are mandatory measures to safeguard against card and PIN data theft. Banks must ensure these at all ATMs.
ATM Booth Security Guards should be properly trained and monitored. “ATM Booth security guards must be given proper instructions, training and posting rotation. Emergency contact numbers must be kept available to them.”
What should you look for when you inspect an ATM machine and booth, we asked. “Typically you look for anything irregular on the ATM or the Booth area, like stickers, labels and cords that are popping out inaptly or if anything looks like it’s been pulled or tugged inside the ATM booth. Also, you should get the security guard’s feedback regarding any suspicious activity observed by him,” he said.
So, what happens when you discover a skimming device? “You must immediately inform the concerned authorities. They can also help you proactively mitigate any additional fraud that can stem from the skimming device,” Shah Azizul Islam said.
He also stressed that for fraud detection banks should verify that each of their card portfolios is protected by a fraud detection system. “There are a number of fraud detection tools available. Banks should consistently make use of such tools to detect and mitigate fraud risk.”
What should the card users do then? Shah said that, “First and foremost, developing an awareness about card security should be emphasized. Sometimes, some basic precautions can go a long way towards averting undesired consequences.”
“Keeping your Bank up-to-date on your contact information is very important. It helps you to stay informed about what’s happening in your account, and if you notice anything unexpected, you should promptly contact the Bank.”
“If you notice anything wrong or suspicious at an ATM, do not use that ATM. Inform your bank about it right away.”
“If your card gets captured or stuck in an ATM, immediately ask your Bank to block your card.”
“Use familiar ATMs and limit your visits. ATMs in dimly lit areas or used late at night could be more susceptible to fraud. And try to limit the number of your visits to the ATM and the time spent there – the more frequency, the more risk.”
“Do not let anybody else assist you when making a transaction. If you need help, read the Instruction Board in the ATM Booth or call your Bank’s Contact Center for assistance.”
“Finish the transaction before leaving the ATM. Make sure that you’ve finished the transaction and removed your card before leaving the ATM. Some ATMs ask if you want “another transaction”. You must select “no” to close your card’s transactions,” he added.
Another simple way is to keep a close eye on your account balance. Customers can do this by monitoring their accounts regularly and detecting unusual withdrawals or activity if they occur.
People should treat their cards like their cash – keep them in their own possession or under lock and key, without exception.
Even though this is common knowledge, Shah Azizul Islam nevertheless stressed keeping the PIN secret: “Keep your PIN in your memory and never write it down or store it. Never let someone else enter your PIN for you. If you suspect someone knows your PIN, change the PIN immediately.”
“Also never disclose your debit or credit card information in response to an unsolicited email or request as e-mail is a widely used tool for perpetration of fraud,” he added.
Shah said that it is particularly important to be careful during online shopping: “Make sure that your account information is protected at the time of online shopping. Use 2-Factor Authentication (One-Time-PIN) for all online transactions. Always log off from any site after making an online purchase or if you can’t log off, shut down your browser to prevent unauthorized access to your account information.”
Customers should also report in case of a stolen card, Shah said. “Report to your bank immediately if you lose your card, even if you think it’s only misplaced and you will find it later. This will prevent unauthorized transactions.”