With new techniques like shoulder surfing and fake ATMs, criminals are getting access to consumer deposit accounts. While ATM and debit card fraud is low, the industry is attacking the problem before it gets out of hand.
Shoulder surfing. It has nothing to do with flipping the remote control. And you won't hear the phrase on beaches where surfers hang out.
But you will hear shoulder surfing discussed in banks and at electronic funds transfer networks. The phenomenon--using high-powered video equipment to survey consumers entering their personal identification numbers at ATMs--is just one sign that crooks are exploiting a new market. With a cardholder's PIN and card number from a discarded receipt, crooks can make counterfeit cards at will.
The reports of shoulder surfing have been accompanied by at least one well-publicized incident of a fake ATM used to record card numbers and PINs. Consumers and banks have lost tens of thousands of dollars in such scams. That doesn't count losses from lost, stolen and never-received cards, many of which are off-line debit cards and don't require PINs for purchases. In short, the seemingly impenetrable security wall of PINs has holes.
Losses from debit and ATM card fraud are low, but it's a relatively new market. Criminals have shown amazing resourcefulness in developing credit card scams, and there's no reason to believe that they won't apply the same ingenuity to ATM and debit cards. "From a reporting standpoint, (fraud) does not seem to be a major issue," says Kirk Ergang, senior vice president of systems and operations for electronic funds transfer network Cash Station in Chicago. "However, it is being addressed by the industry so it does not become one."
That concern is helping transform the ATM and debit card industry. Computer chip-implanted smart cards are coming into vogue for debit cards. Networks are petitioning the Federal Reserve to let them truncate card numbers on ATM receipts. Off-line debit cards are being verified as on-line products, and cards are being encoded with card verification data similar to what's put on credit cards.
Biometric identification techniques, long entertained as the best means to wipe out fraud at ATMs and the point of sale, are almost afterthoughts in 1994. Many industry observers say the most effective fraud-fighting technologies lie elsewhere.
No Safe Haven
While banks don't report fraud losses, making ATM and debit card theft all but impossible to track, a Visa International survey of 12 major debit card issuers showed fraud losses between .03% and .35% of sales. That's small stuff, to be sure. But some wonder if fraud losses are actually higher, given banks' reticence to draw attention to theft. "It's taken a while for the criminal element to become sophisticated enough to crack the debit card system," says James Brown, director for the Center of Consumer Affairs at the University of Wisconsin. Brown says that from anecdotal evidence, he thinks that debit card fraud is increasing, and criminals are getting more sophisticated.
Protected by the PIN, ATM cards are considered the safe haven of payments. Lose it, and no one else can use it. Stolen cards can only be used when customers write the PIN on the card or on a piece of paper in their wallet or purse. Off-line debit cards--which function as a check card and don't need a PIN--pose a different problem. Anyone can use the card at a merchant that accepts Visa or MasterCard. But if the cardholder reports a card lost or stolen, it can be immediately deactivated.
Counterfeiting to date has comprised only a small portion of total ATM/debit card fraud. According to Visa, 73% of total debit card fraud is from lost or stolen cards, 23% from cards never received, and only 4% from counterfeit.
But shoulder surfing has changed the equation. Crooks have staked out open-air ATMs and surreptitiously filmed cardholders entering PINs. When a cardholder leaves his or her receipt at the ATM, it gives the shoulder-surfer the opportunity to counterfeit the card, giving unlimited access to bank accounts--without the knowledge of the consumer or the bank. "In the end, it's the card user who has to take precautions, and take the bloody receipt with them," says Thomas Honey, an executive vice president with the newly formed InfiNet EFT network.
Shoulder surfing is not the only technique for getting card numbers and PINs. One scam involves setting up a fake ATM or even a fake business. A consumer will buy a T-shirt from a traveling vendor using a debit card; the purchase will ostensibly be authorized and the consumer gets the T-shirt. In return for a $10 T-shirt, a criminal has gotten the consumer's card number, stored on a dummy terminal, and knows the PIN by watching the cardholder enter it. "You can write a terminal just to capture the data," says Curtis Fish, senior vice president of Southeast Switch, which operates the Florida-based Honor Network. "That's something the networks are almost wide open to."
The biggest undertaking in the fight against fraud is smart cards. Banks are running tests on the technology, and at least one network owner, Electronic Payment Services Inc., has started a smart card subsidiary. After years of ignoring the technology, MasterCard International and Visa International have become proponents of smart cards in the last year.
The Anti-Fraud Arsenal
Smart cards are considered the best anti-fraud weapon. Even if a criminal has a card number and PIN, it's impossible to reproduce the computer chip embedded in a smart card. Magnetic stripes are relatively easy to replicate. "Smart cards certainly raise the stakes in trying to get past the security in the card," says Thomas Sladowski, vice president of electronic banking for Chemical Bank, which is running a smart card pilot with employees. "It is a far superior technology than mag stripe."
It will be years before smart cards have the widespread distribution seen in Europe and elsewhere. Adapting the nation's 100,000 ATMs and millions of point-of-sale terminals to read chip cards will cost tens or hundreds of millions of dollars. That doesn't include the cost of replacing millions of mag stripe cards with a more expensive chip card.
But ATM, debit and credit card fraud alone is not large enough to justify smart cards. Smart cards will need more uses than as a fraud-prevention device before banks start retrofitting their ATMs and issuing cards. In addition, industry standards for smart cards haven't been agreed upon. Even if fraud-detection savings justified smart cards, no bank or network is going to retrofit ATMs and POS terminals until such standards are developed. "You don't want to retrofit to something that may not be adopted as the standard," says Cash Station's Ergang. "You don't want it to become the 8-track of the terminal industry."
While waiting for smart cards to come of age, banks are using other fraud-detection measures. Card Verification Value (CVV), a Visa-developed credit card verification system, is being used by many debit card issuers. Most banks are having off-line debit card purchases authorized on-line, so consumers--and crooks--don't overdraw accounts.
Also, networks are pushing for number truncation on receipts as a shoulder-surfing protection. Without a full card number, it's impossible to replicate a card, even when the criminal has a PIN. Backed by other EFT networks and industry trade groups, the Star network in California has petitioned the Federal Reserve Board to allow networks to print only the last four digits of a card number on ATM receipts. Currently, the Fed's Regulation E requires that all the digits be printed on a receipt. Most observers expect the Fed to approve the modifications.
A Big Bronx Cheer
"If you truncate the numbers, the shoulder-surfing guys will have the PINs, but not the data to make the card," says James McCarthy, Star executive vice president. "If we get over this hurdle, we should be in pretty good shape."
While smart cards and number truncation have major support in the industry, many bankers are giving biometrics a Bronx cheer. Biometric devices, which scan unique characteristics such as fingerprints or voice prints, have been advocated for many years as a credit card fraud deterrent. Since biometric devices identify cardholders by information that's impossible to duplicate, the technology has been touted as a foolproof way to eliminate card fraud.
But don't expect a fingerprint or retina scanner at your neighborhood ATM before the end of the century--or perhaps even after. That's because biometric devices are not reliable or cost-effective. While the price continues to drop, biometrics is far more expensive than other anti-fraud techniques. One vendor estimates the cost to retrofit an ATM with biometrics at $2,000 per machine. Just getting the information between ATM and host computer could be a huge expense. Industry observers say this problem could be overcome by smart cards, which could store the cardholder's fingerprint or voice print, allowing on-site verification.
The other major problem for biometrics is that the technology doesn't work well enough yet to be sold. "We've never talked cost, because they have no product to sell," says Chemical's Sladowski.
Over time, biometric technology will become workable and less expensive, but there are still problems. Bank executives won't look at retina scans because most consumers are averse to the idea of having their eyes scanned. Voice recognition technology hasn't developed to the point where computers can always recognize a cardholder's voice the first time he or she speaks. "Do you want a situation where the customer is yelling out their password or codeword?" says John Stroia, Diebold Inc.'s marketing manager for the financial industry. Diebold and IBM own InterBold, a major ATM manufacturer. Diebold has shipped fingerprint-recognition ATMs to South Africa, where they are used for distribution of public aid.
While biometrics slowly develops, low-tech identification techniques are becoming popular. Some issuers are following the lead of credit card issuers and putting cardholder photos on the face of debit cards, as a deterrent to fraud at the point of sale.
Banc One Corp. has put photos as well as digitized signatures on approximately 400,000 debit cards. "The incremental deterrent is significant," says Tim Rosenbusch, vice president, systems development for Banc One.
Of course, there's still going to be ATM and debit card fraud, cardholder photos or not. Crooks find ways to beat the system. "There's no ultimate fantasy out there," Rosenbusch says. "We know that."