ATM Security & The $40,000,000 Mistake

Published May 28th, 2013 by Leveraging Logic
Written & illustrated by Micah Kearns

One of the largest cyber-crimes in history happened recently, in February, when an international ring of hackers stole $40 million by conducting 36,000 ATM transactions in 24 countries. After the hackers breached the servers of the Bank of Muscat in Oman, manipulated account balances and disarmed withdrawal limits, local gang cells used standard pre-paid debit cards with spoofed magnetic stripes to withdraw the cash through thousands of ATMs across each city. The attacks were so well choreographed that the operation lasted less than 10 hours.

Now, when $40 million disappears from ATMs across the world, people notice, and it raises some serious questions about the quality of the safeguards in our financial system. Cyber crime is quickly becoming a top global threat: it has affected 46% of online adults, or 556 million people, in the past year (that’s 18 people per second!) and cost the world US$110 billion, an average of $198 per victim. How much larger does the problem have to become before serious advances in security are implemented? Is it still cheaper for banks to write off these losses rather than invest in the security of their customers?

Magnetic stripe technology for credit and debit cards is woefully incapable of securely storing and accessing data. Magnetic stripes were adopted in the 1970s, and are widely used due to their low cost and ease of use. But in the 40 years since, lost and stolen cards, card spoofing, card skimming, and affordable card printing equipment have given thieves easy opportunities to steal your money by using this technology against you.

Innovative solutions like biometric ATMs are already being used all over the world, so why haven’t they caught on in the US? Though the initial cost of implementation would be steep, the financial industry needs to take a good hard look at the potential cost of not embracing a better solution. Biometric technology has improved greatly in recent years, and utilizes the unique features of a user that cannot be lost, shared, or stolen. Many tech companies are releasing products that incorporate the infrastructure for such security applications, such as the possibility of a fingerprint reader being included with the iPhone 6. Other smartphone providers are already experimenting with facial and voice recognition. Once consumers own products with the appropriate hardware, secure software solutions can be implemented to regulate access to sensitive information. Consumers can relax knowing that their money is better protected, and banks can relax knowing that they are reducing their risk of incurring hefty AML & KYC fines.

So the $40,000,000 lesson to banks is this: You will never be able to stay two steps ahead of thieves (and fines) if your technology is forty years behind. Invest in creating a new paradigm of banking security, both for the sake of your customers, and the sake of your entire industry.