Wednesday, 18 January 2012

DBS’s disclosure on ATM security in the spotlight

Two Bugis ATMs in Nov card-skimming scam didn’t have key security feature on

2 comments:

Guanyu said...

DBS’s disclosure on ATM security in the spotlight

Two Bugis ATMs in Nov card-skimming scam didn’t have key security feature on

By WONG WEI KONG
16 January 2012

And so it has finally emerged: the two DBS Bank automated teller machines hit by the latest ATM card-skimming scam that resulted in $1 million of fraudulent withdrawals did not have a key security feature switched on.

The revelation is likely to further jolt the bank’s customers, already shocked by the fraudulent withdrawals, which have seen police making several arrests in relation to the case.

The development also raises questions about the manner of DBS’s disclosures, and its approach to ATM security.

Last Saturday, DBS revealed that both the ATMs in the Bugis area that were compromised last November did not have ‘jitter’ technology turned on.

Jitter technology is used in ATM machines here and globally. While not fraud-proof, it is part of the recommended suite of security measures for ATMs.

Jitter technology works via a stop-start or jitter motion inside the card drive specifically designed to distort the magnetic stripe details should they be copied onto a foreign card reader inserted into the ATM. It is often used in conjunction with a fraudulent device inhibitor (FDI), which prevents fraudsters from placing a skimming device over the ATM card slot.

Before last Saturday, the bank did not respond directly to queries on whether the Bugis ATMs had their anti-skimming feature switched off. All it said was that the bank has a variety of fraud prevention measures in place at all its ATMs: ‘We have a different combination of security measures in place, at different ATM locations, at different times.’

However, DBS, in its statement on Saturday, said: ‘It is correct that the ATMs in Bugis Street did not have the jitter as part of the combination of security measures in place when the skimming took place in November.’

When the fraudulent withdrawals were first reported two weeks ago, the impression was that the two Bugis ATMs were hit despite having all security measures in place. To its credit, DBS offered immediately to compensate in full all those affected, and quickly introduced measures to secure its cards.

But soon, word went around industry circles that the jitter devices had not been turned on in the first place, which prompted media queries to both DBS and the Monetary Authority of Singapore (MAS).

‘From the standpoint of transparency, I would want to know why they didn’t disclose this from the start,’ said a long-time corporate watcher. For consumers worried about the safety of their bank accounts, it was important for them to know whether the jitter feature was operating or not when the fraudulent withdrawals took place.

In a response to BT, DBS explained why it made the disclosure only last Saturday: ‘From the onset, we have been proactive and transparent with our customers, and the public at large, about the situation. However, we needed to exercise prudence with respect to matters that could jeopardise our security arrangements, other than to the authorities. This is why, for obvious security reasons, the specifics of the combination of measures employed at this location, and all our ATM locations, are a matter of confidentiality and continue to remain confidential.’

But the recent arrests suggest there is a card-skimming syndicate operating in the region, it said. ‘As such, we believe that it was prudent for us to disclose the fact that jitter was not part of the combination of security measures deployed at the two Bugis ATMs and for the public to be made aware that no single security measure is fool-proof in the fight against ATM fraud.’

Beyond disclosure, DBS’s approach to ATM security will also come under scrutiny.

Guanyu said...

Banking watchers say the bank could have employed a ‘round robin’ approach in which the jitter feature is turned on and off for the ATMs in its network on a rolling basis. This makes it difficult for crooks to target specific machines, because they wouldn’t know which would have jitter operating. At the same time, it prevents the whole network from being slowed down, as ATM transactions take longer when the jitter feature is turned on.

Singapore’s largest bank - with 4.3 million customers and an islandwide network of over 1,000 ATMs and cash deposit machines - has long been sensitive to complaints about long queues and transaction times.

‘With every layer of security added on, we also take into account various factors, including customer convenience and response time,’ it said on Saturday.

But the bank maintained that it was unlikely the crime could have been prevented even if that security feature had been turned on.

Based on the evidence received in relation to police arrests of suspects who were in possession of skimming devices, ‘it is believed that even if the jitter function was on, it is highly unlikely that it could have circumvented the card-skimming incident’, DBS said in its statement.

‘It is fair to say that the more security measures you leave on, the better you are likely to be protected. The analogy is a house: you can lock the door, get a guard dog, get a security guard, install a burglar alarm, set up an infrared intruder detection system. Each additional precaution adds an additional layer of security, but it is rare for every precaution available to be used as a norm.’

Yet that isn’t a universal approach. OCBC Bank said that, since 2007, all security measures have always been activated at all its ATMs. United Overseas Bank also said that it currently has everything activated on all its ATMs.

To the critics, whether jitter would have prevented the fraud or not is a moot point. The bank should just have used all at its disposal to deter fraud - and not trade security for faster transaction times, especially when it had identified itself as a prime target.

As one banker said: ‘Does it mean that if you have a house alarm, you don’t need to lock your house? Does it mean that if it takes a longer time for me to unlock the door to get into the house than simply walking in, I shouldn’t lock the door? Customers want faster response time - but not at the expense of their security.’

The difference in approach was one reason why a scheduled press briefing by the Association of Banks in Singapore (ABS) on enhancing ATM security was aborted last week, sources say.

With the police on the case, more details of the case will likely come to light. One positive outcome is that the threat of ATM fraud is now placed high on the agenda, with banks revealing new initiatives to safeguard ATM security. A bigger push towards smart cards may also result. The full adoption of Europay-MasterCard-Visa (EMV) smart-card chip technology provides the longer-term solution, as confidential information stored on ATM and debit cards with embedded EMV chips is very difficult to clone.

Still, it’s apparently no banking panacea. DBS noted: ‘Smart cards are, however, not as popular as cards with magnetic stripes ... though lauded for their high security, smart cards are not widely accepted globally.’