In a time of “zero day” attacks, advanced network penetration, and ransomware, financial institutions are spending significant portions of their budgets on security, and for good reason. Of course, the concept of defense in depth is nothing new in the information security and physical security fields, especially in the financial services industry, but as organizations prepare themselves for advanced threats, criminals have begun to turn again toward more basic attacks on ATMs.
One of the more common low-tech attacks is a growing global threat known as transaction reversal fraud (TRF). So just what is TRF and how can your financial institution be ready to defend against it?
A transaction reversal fraud attack is almost as simple as it sounds. For this attack, a criminal manipulates an ATM’s cash delivery process to trick it into believing that the requested cash was not properly taken by a customer when it actually was. When this occurs, the ATM’s internal processes then register that there was an error with the transaction, that no cash was actually delivered to a customer, and that no debit should be made to a customer’s account. And although no individual customer is affected by this fraud, it reduces the bank’s cash holdings in the ATM itself.
However, there is a version of TRF that can negatively affect your ATM customers: a cash-trapping attack. In a cash-trapping attack, an individual customer can fall victim to fraud when a criminal modifies the cash withdrawal sequence legitimately initiated by the customer after they have entered their card and PIN. The requested cash is then trapped inside the ATM and is only allowed to dispense from the machine after the card-holding customer leaves the terminal.
TRF can affect ATMs around the world, but Europe has seen a surge in the frequency of the attack, especially as chips, EMV, and other integrated fraud prevention protections such as anti-skimming mechanisms have been phased in.
In Europe, according to a study presented by the European Association for Secure Transactions (EAST), TRF increased by 147 percent across 11 countries in 2015, and another 88 percent in 2016. On the other hand, EAST notes that overall skimming losses were down 18 percent over the same period.
Mitigating the risk to your organization and your customers requires several different phases.
First, it is important that every ATM in your fleet has upgraded software and patches applied so that transaction logic bugs are remedied. Older ATMs can have outdated configurations and processing sequences, and may still be set to automatically refund a customer account when there is any kind of error condition during the cash-withdrawal process. Updated software and changes to the fault conditions, including preventing transaction reversal when checks for pre-positioned cash have not occurred, should be applied.
A second mitigation takes advantage of the “bank note validation” that’s built into some units, which can detect, count, and correlate the status of cash-withdrawal requests with the machine’s overall status (e.g., the card reader, the cash dispenser, and the cash slot) so that invalid or suspicious transactions are prevented and flagged. The ATM’s overall cash management tools can then log the event and send a notification to a monitoring device so that potential fraud can be identified and remedied.
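The reversal rule described in the first two mitigations can be sketched as follows. This is an added example, not vendor or Burroughs code; the record fields, decision labels, and journal entries are constructed assumptions used only to contrast the "refund on any error" configuration with one that requires a matching note count.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Withdrawal:
    txn_id: str
    notes_presented: int            # notes moved toward the cash slot
    error: bool                     # dispenser reported a fault or timeout
    notes_recounted: Optional[int]  # notes counted back by validation; None = no check ran


def legacy_decision(w: Withdrawal) -> str:
    """Outdated configuration: any error condition refunds the account."""
    return "REVERSE" if w.error else "DEBIT"


def hardened_decision(w: Withdrawal) -> str:
    """Reverse only when validation confirms every presented note came back."""
    if not w.error:
        return "DEBIT"
    if w.notes_recounted is None:
        # No check for pre-positioned cash occurred: do not auto-reverse.
        return "HOLD_AND_ALERT"
    if w.notes_recounted == w.notes_presented:
        return "REVERSE"
    # Count mismatch: some notes are unaccounted for, send to monitoring.
    return "HOLD_AND_ALERT"


def disagreements(journal: List[Withdrawal]) -> List[str]:
    """Transaction ids where the legacy rule would refund but the hardened rule would not."""
    return [w.txn_id for w in journal
            if legacy_decision(w) != hardened_decision(w)]


# Constructed sample journal (hypothetical values).
JOURNAL = [
    Withdrawal("T1", 10, False, None),  # normal withdrawal
    Withdrawal("T2", 10, True, 10),     # genuine fault, all notes recounted
    Withdrawal("T3", 10, True, 8),      # fault reported, two notes missing
    Withdrawal("T4", 10, True, None),   # fault reported, no recount performed
]

if __name__ == "__main__":
    for w in JOURNAL:
        print(w.txn_id, legacy_decision(w), hardened_decision(w))
    print("review:", disagreements(JOURNAL))
```

Transactions returned by `disagreements` are the ones an older configuration would have refunded automatically, which makes them the natural candidates for the alerting path described above.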
Finally, you can consider physical security updates and ATM unit modifications. In addition to increased camera presence in and around the ATM unit itself, cash slot cameras can be utilized to capture cash dispenser manipulation and respond with an alert.
Cash dispensers can also be physically fortified with anti-TRF modifications and software changes to help prevent potential fraudulent behavior. For example, the cash dispenser can be altered so that cash is not immediately pre-positioned behind the shutter during transaction verification, which is how one criminal executed their TRF attack.
In security, the only constant is change: There will always be a new threat that requires mitigation with a countermeasure. So whether your financial institution is concerned about TRF attacks or even what lies ahead, having an experienced team like Burroughs in your corner can help keep your organization braced and prepared.