A Simple Plan to Combat ATM Fraud
In the 2011 updated guidance, the FFIEC stresses the importance of not only strong authentication, but also to know your customer. There lies the missing link in combating ATM fraud that fortunately has an eloquent solution.
Similar to online banking, customers have normal patterns of ATM activity, relatively consistent patterns relating to dollar amounts and frequency of ATM cash withdrawals. Since financial institutions utilize "know your customer" capabilities to combat online banking fraud, the same techniques can be used to combat ATM fraud.
Keeping It SimpleUpon detecting unusual and possibly fraudulent ATM activity, the ATM screen could present the user an out-of-wallet challenge question. Making sure the question has a numeric answer means that current ATM key pads used to enter in PIN information would not have to be modified.
Since financial institutions utilize "know your customer" capabilities to combat online banking fraud, the same techniques can be used to combat ATM fraud.
Even with limiting the out-of-wallet questions to those with numeric answers, the list of potential questions is quite long:
- What year was your first child born?
- What was the model year of your first car?
- What year were you married?
Obviously not an exhaustive list, but it does illustrate the fact that there is no shortage of such questions.
It's important that the challenge questions are strictly out-of-wallet. If the fraudster did in fact steal the victim's wallet, with their driver's license, then asking the question "what year were you born" would be inappropriate. Asking what year you graduated from high school would also be a weak question. The fraudster could simply add 17 to the date of birth on the driver's license and answer that question correctly the majority of the time.
The lesson here is the importance of keeping the challenge questions out-of-wallet.
Eloquent and EffectiveSo there you have it. Using out-of-wallet questions that are compatible with existing ATM hardware, you can add another layer of security to combat ATM fraud. A low-cost solution that could potentially save customers, and financial institutions, millions of dollars.
To complete the anti-fraud circle, banks can also consider having the ATM machines keep the bank cards when a customer [fraudster] fails to correctly answer the out-of-wallet challenge question. You'd have the card, with fingerprints, as well as photographs of the attempted fraud.
Don't miss Philip Alexander's new webinar, Vendor's Guide to the FFIEC Authentication Guidance.
Philip Alexander, an information security officer at Wells Fargo Bank, is the author of the books "Data Breach Disclosure Laws: A State-by-State Perspective," "Information Security: A Manager's Guide to Thwarting Data Thieves and Hackers," and "Home and Small Business Guide to Protecting Your Computer Network, Electronic Assets, and Privacy."