Fraud Detection Firm Sniffs Out ATMThieves

For Douglas D. Anderson and Richard H. Urban, a celebrated automated teller machine crime in 1993 pointed to a business opportunity.

The ATM industry veterans were working at Electronic Payment Services Inc. when two thieves installed a dummy Fujitsu ATM in a Connecticut shopping mall, capturing people's account numbers and defrauding banks of more than $100,000.

It occurred to the EPS executives that there ought to have been a way to detect the phony card transactions before so many took place.

"The magnitude of the loss wasn't high," said Mr. Anderson, a former vice chairman of EPS and former president of its MAC subsidiary. But the event "got the industry's attention."

In particular, it prompted Mr. Anderson and Mr. Urban-who was a vice president at MAC-to form a company to address ATM crime. In 1994, they left EPS to create Card Alert Services Inc. of Arlington, Va., which uses computer software to sniff out suspect activity at individual ATMs.

Banks and ATM networks that buy the company's service are notified of irregular transactions after they take place and can then start tracking down potential criminals and victims.

Card Alert's computer system thrives on bulk, since the number of crime patterns it can detect increases as ATMs are added.

"We liken ourselves to a community fire department," said Mr. Anderson, the company chairman. "The more smoke detectors we have out there-the more participants we have-the greater the likelihood of detecting fires earlier."

ATM card fraud is a relatively small problem, but as point of sale volume increases nationwide, it is growing, Mr. Anderson and Mr. Urban said.

Typical thieves used to be "shoulder surfers" who snooped on consumers as they made ATM transactions, then took discarded receipts to get account numbers. Today's ATM bandits are far more sophisticated and organized; some use a process called "skimming," which captures batches of card numbers and PINs electronically at point of sale terminals.

When Card Alert introduced its service, interest ran high. Thirty of the top 50 banks signed up the first year, and four ATM networks - Star System Inc. of San Diego; NYCE Corp. of Woodcliff Lake, N.J.; Cash Station Inc. of Chicago; and CU Cooperative Systems of Pomona, Calif.-bought equity stakes totaling about one-third of the business.

Dennis Lynch, president and chief executive officer of NYCE, said he was sold on the low cost of the service and the idea of having someone else detect fraud from a central location.

"The whole notion of having a national expert examining when new or exotic deposit access pops up is a valuable service to the industry," Mr. Lynch said.

Nevertheless, Card Alert has not convinced most banks that ATM crime is serious enough to merit time and money. The company has still not reached financial institutions holding 60% of U.S. deposits.

"We've had difficulty getting the industry's attention," said Mr. Anderson, whose goal is to get all ATMs and point of sale terminals linked to his fraud detection hub.

To add customers, the partners changed their marketing strategy last summer. Instead of appealing to individual banks, the company began focusing on regional ATM networks, which would presumably escort member banks into the service.

To make sure that happened, Card Alert began offering a program called Universal Participation, in which banks were automatically enrolled when their network signed up. Card Alert's service, the partners argue, acts like an insurance plan for network members.

Four ATM networks have signed up for Universal Participation, and four others are considering enrollment, Card Alert said. If the latter four sign up, the company would double its base of banks, to 6,000.

Mr. Lynch praised Card Alert's new approach and predicted adoption of the Card Alert system would grow as more banks are exposed to ATM crime. "People are much more prone to action when they have been burned big time," he said.

Despite the growth of ATM crime, on-line debit cards are considered safer than their off-line cousins. On-line debit card fraud is not tracked nationally, but a 1994 study by Card Alert found it costs banks about $100 million a year. By contrast, the combined credit and debit card fraud losses of Visa U.S.A. and MasterCard International are approaching $1 billion.

Indeed, Card Alert has had a tougher sell in areas with little ATM card fraud. The crime has been most prevalent in California and on the East Coast, but Mr. Anderson said, "What we've seen so far is the tip of the iceberg."

Card Alert's system is similar to the neural networks banks use to look for suspect spending patterns in credit cards and checking accounts. For example, an ATM in a remote location might not get much traffic at 3 a.m. So if that ATM has several large withdrawals at that hour, the transactions are flagged.

On a given day, said Mr. Anderson, Card Alert might deem 10% percent of a network's transactions suspect; a network that switched two million transactions a day might find itself with 200,000 that raised red flags. From that batch, Mr. Anderson said, anywhere from 0 to 450 could turn out to be fraudulent.

"It's a great winnowing-down process," he said.

When fraudulent transactions turn up, Card Alert notifies the network and bank and begins to hunt for other cardholder numbers that may have been stolen. As the company finds more contaminated transactions or compromised cards, it continuously feeds the information to the bank.

"It's one thing to identify the problem," said Mr. Urban, Card Alert's president. It is another thing to "set up the infrastructure to get back to the right people" at networks and banks.

While some ATM experts believe that hardware authentication systems-like iris scanners or fingerprint readers-are the best remedy for fraud, Card Alert believes its software-based system is the most efficient and thrifty.

In the early 1990s, while at EPS, Mr. Urban had looked into piloting a magnetic stripe technology that would make each card as unique as a fingerprint. But cost estimates placed the project at more than $700 million, so it never got off the ground. The lesson, Mr. Urban said, was that retrofitting ATMs and point of sale terminals with new security technology was too expensive.

David B. Lipkin, a partner at Drinker, Biddle & Reath of Philadelphia, who has been counsel for EPS and MAC, said the beauty of Card Alert's system is that banks don't have to adapt their machines.

Card Alert "is one of the few in the marketplace with a technology available on a cost-effective basis," Mr. Lipkin said.

Card Alert leaves pricing decisions up to the network. The company said that the service costs an average bank $300 a year but runs up to about $20,000 a year for the largest banks.

Mr. Anderson, 55, was a founder of the MAC network when it was conceived in the late 1970s by Philadelphia National Bank, which was later bought by CoreStates Financial Corp. Mr. Urban, 54, joined the bank in 1979 to work in systems, operations, and planning.

In the 1980s, as a board member of Plus Systems Inc., the national network now owned by Visa U.S.A., Mr. Anderson helped contribute to development of the "black box," a contraption meant to counter the threat of an inside programmer's breaking into a network switch and stealing PINs.

Mr. Anderson and Mr. Urban's interest in security enhancements led them, in 1994 after founding Card Alert, to survey ATM breaches at 38 banks nationwide. What they found was that PIN-based cards were under attack in many states, particularly California.

"The crooks are getting more sophisticated and more high-tech," said Thomas O. Bennion, president and chief executive officer of Maitland, Fla.- based Honor Technologies Inc. "Any network in any area is going to get tested."

Mr. Urban, the security expert, agreed. Networks are "built with tens of thousands of pieces-terminals, processors, sub-processors, and switches," he said. "If you look at all the interconnections," an expert can find a way to tap into the system.

Card Alert tries to counter criminals' moves in a high-stakes game of chess.

"We're trying to stay one step behind," Mr. Anderson said. "It's awfully tough to stay ahead of them because you plug up one hole over here and it pops out over there."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER