The ATM Industry Association (ATMIA) (www.atmia.com) has moved to reaffirm the industry's faith in ATM security despite some recent cases of PIN fraud and ATM attacks and distorted press coverage of ATM crime.
"The ATM in general, and the Personal Identification Number (PIN) in particular, are extremely secure and safe for consumer use," said Lana Harmelink, International Director of ATMIA, a global non-profit trade association with over a 1,050 members in just under 50 countries. "There are over 1,6 million ATMs in the world performing millions of transactions every day and the scale of ATM crime is truly minute compared to these volumes of safe, convenient transactions going through our systems all the time."
There are aboute 49 billion cash withdrawals each year at ATMs, including over 14 billion at US ATMs. The amount of cash withdrawn annually from ATMs in the United States is several hundred billion dollars. The ATM industry's estimated fraud losses are less than one-tenth of one percent of cash dispensed at ATMs in the United States and these losses are carried by the issuing banks and networks and not by the consumer.
The industry association has put on record that while the whole ATM industry works diligently to prevent fraud, a combination of banking laws and network rules ensure that consumers in many countries, including the USA, are protected from monetary losses that arise through any fraudulent use of their ATM card, PIN, or personal financial information. In the United States, whether consumers opt to use credit or debit cards to access cash at the ATM, Federal Reserve Regulation E ensures that consumers are covered and do not bear the financial burden of fraud.
"The ATM Industry is dedicated to providing a safe and secure way for consumers to conduct financial transactions at the time and place of their choosing," Harmelink explained. "As criminals trying to exploit ATMs modified their methods over time, our industry developed new technologies and safeguards to prevent fraud."
An example of this kind of proactive ATM security is the implementation of Encrypted PIN Pads (EPP) and Triple DES Encryption (Triple DES). These security enhancements, which instantaneously encrypt PINs within the PIN Pad itself using strong encryption standards, are now mandatory on all ATMs operating in the United States and have effectively eliminated the electronic theft of PINs from the ATM.
As a consequence of TDES and EPP, criminals shifted their focus to:
* POS terminals and pay at the pump
* Merchant IT systems
ATMIA have released a chart, courtesy of Fair Isaac Corporation, showing this fraud migration pattern.
These statistics factually demonstrate a dramatic decline in PIN compromise at ATMs, especially privately owned ones. Harmelink explains this shift in more detail:"Today, criminals attempting to acquire PINs at the ATM are more likely to do so by using physical skimming devices coupled with PIN Pad overlay devices or camera systems to capture card data and PINs." She categorizes this is a relatively rare type of fraud which is particularly difficult to accomplish with ATMs placed in retail locations as these ATMs are under constant scrutiny by store staff during business hours and are unavailable to would be criminals during non-business hours. "This makes it particularly difficult to install and retrieve the equipment required to steal card data and PINs. However, as the above chart demonstrates, such skimming attacks are much more likely to occur at a POS terminal than an ATM."
Due to the EPP and TDES requirements by the various Networks, PIN based transactions have far less incidences of fraud than signature based transactions and are much harder to compromise than card numbers.