Install

Get the latest updates as we post them — right on your browser

. Last Updated: 07/27/2016

ATMs Are Still Risky Business




Moscow's network of automatic teller machines remains weak and vulnerable to fraud, despite the latest efforts to shut down a crime ring that robbed hundreds of cardholders earlier this year, industry analysts said this week.


"There is always a danger," said one industry insider, who asked not to be identified. "In Europe, the banks have worked within the payments system for decades and observe all the rules. Here, many banks are just taking their first steps, and there is not always adequate control over them to insure that security rules are scrupulously followed."


The official added that levels for all types of card fraud were three to four times lower in Western Europe than in Russia, although Russia posted lower fraud rates than other emerging markets countries.


Meanwhile, other insiders have commented that card fraud organized within a banking institution - such as the fraud ring that penetrated Russia's Union Card processing centers - was an unprecedented breach of banking security.


The recent arrest in London of a Swedish national carrying 50 forged bank cards - some of which carried data stolen from Moscow's ATM network - has reignited fears that putting a card into a local automatic teller machine means playing Russian roulette with your bank account.


As of last week, Visa officials were still conducting a top-to-bottom check of their payments network in Russia, the stated goal of which was to determine how Visa transactions originating at local ATMs were routed.


This raises the question of how Visa can guarantee security within its system when it is itself unsure of which organizations have access to payments information as it makes its way from Moscow ATMs to customers' bank accounts abroad.


Europay, despite publicly fingering Union Card as the culprit in the Moscow ATM scandal, says its investigation into the card fraud in Russia is continuing and may continue indefinitely. It refused to comment on last month's arrest of the man whose counterfeit ATM cards contained information stolen in Russia.


Visa officials interviewed last week said it was not clear yet when or where the information was compromised.


It is now widely accepted within the card payments industry that a security breach at the Union Card processing center allowed fraudsters to steal PIN codes and other sensitive bank details from victims who used their cards at Moscow bank machines.


Estimates of the losses that resulted range from $200,000 to $1 million.


Other industry officials have privately voiced concerns that even if the information leak at Union Card has been plugged, it has not yet beenproven that it was the only point through which cardholder information was compromised.


As details of the scandal continue to emerge, it is becoming more apparent that Union Card - which at one point processed 50 percent of all card transactions - was only one of the many weak links in the chain of bank machine operators and processing centers that link local ATMs with customers' bank accounts.


Lack of adequate outside regulation, Russian banks' widespread use of inexpensive homemade encryption software and other cost-cutting shortcuts have made Moscow's bank machine network unusually accessible to fraudsters, according to some industry officials.


Another problem is the ready availability of decryption software and hackers talented enough to use it.


Visitors to the Gorbushka outdoor market on any given weekend are offered tables full of the latest software for hackers, selling for the princely sum of about 70 rubles apiece ($2.70) on pirated CD-ROM discs.


This modest investment, plus some good inside contacts at a Russian bank or card payments processing center, is all one needs to begin his or her career as an ATM bandit in Moscow, according to some industry officials.


But a bigger part of the reason for the ATM system's vulnerability in Moscow has been that international payments systems such as Europay and Visa rely to a great extent on their member banks to regulate themselves.


While this approach has worked well enough in developed markets, the Moscow ATM scandal seems proof that it has not been adequate to insure security in Russia's rough-and-tumble financial sector.


Even in September, before the scandal became public, Western banks introducing their own ATM networks to the Russian market had opted to set up their own processing centers because they believed using local third-party operators for handling their card transactions would expose their customers to excessive risk.


"Given what we knew, we decided to go for the more costly option of setting up our own processing center - otherwise we would not have even started. If you rely on a third party processing center, you have to share all your customers' information with them - in Russia that immediately raised confidentiality and security issues," an official said.


The security of the Russian payments system had been steadily improving until the 1998 August crisis, after which time it deteriorated rapidly.


"The banks slashed their workforces, which meant that a lot of people who were technically very competent wound up looking for work," said one official, who declined to be named. "Evidently, they managed to find a hole in the system."


In recent months, the number of payments centers handling ATM transactions has increased exponentially as banks look to get in on the card business, one of the few growing areas of the Russian banking sector, industry analysts said.


While this may be good for local banks, it also makes maintaining existing security standards more challenging for the international payments networks.


As to what security precautions to take to avoid being taken by ATM bandits, card companies have little to offer in the way of advice.


Typically, they warn customers to be aware of their surroundings and to be on the lookout for any signs that the bank machine they are using has been tampered with.


However, these precautions offer no protection against fraudsters working within the payments system.


Those in need of cash can opt to avoid ATMs altogether by using credit cards at the cash windows at local banks. Although, theoretically, a corrupt cashier could steal card details, the teller would not have access to the customer's PIN code.


This makes manufacturing and using a counterfeit card more difficult. Such a card must be made to look genuine because it can only be used for store purchases, not ATM transactions, which require a PIN code.


Fake ATM cards are typically made on white plastic, because bank machines' card readers only read the information contained on magnetic stripe on the cards' back.