A new type of fraud has hit South Africa’s streets and is on the rise, reports Karen Harverson
AUTOMATIC teller machine (ATM) crime in South Africa appears to be the worst in the world and it’s on the increase.
Assistant general manager Stuart Grobler of the Council of Southern African Banks (Cosab) says thieves are becoming increasingly innovative and developing new scams as fast as the banks put in counter-measures.
He attributes the problem, in part, to the unsophisticated client base which is easily duped by gangs of thieves who, through various means, obtain both the client’s ATM card and pin number.
Some victims of ATM fraud have claimed money was withdrawn from their accounts after their cards appeared to have been swallowed by the ATM but at no stage during the incident did they key in their pin number.
They have queried whether it is possible for anyone to either read their pin number off the magnetic stripe or — through staff collusion — obtain the pin number from the bank’s
All of the banks surveyed comment that despite claims to the contrary, in almost all cases, the thief did view the customer keying in their pin number at some stage whether it was at the ATM where the card was retained, swapped or stolen, or possibly at a previous
In any event, it is not possible for a thief to work out a pin number from the card itself, says an industry source. He adds that even with staff collusion, it is practically impossible for anyone to access pin numbers if stored in the bank’s databases.
The banks say the pin number is not on the magnetic stripe although certain information on the magnetic stripe is used to calculate the pin number.
During a transaction, the machine reads the magnetic stripe, puts the available information through an algorithm and calculates what the pin is from this data. It then matches this number with the pin number entered by the ATM user.
Standard Bank assistant general manager (market research and development) Errol van der Merwe is adamant that the internationally accepted encryption and decryption method used to decipher the pin number is unlikely to be cracked by the average thief. ”It would require a team of scientists with considerable computing expertise.”
Some of the banks do store a derivative of the pin number centrally in a security module. When the client keys in the pin number at the ATM, it is encrypted and sent to the security module where the two pins are checked against each other.
However, says First National Bank (FNB) senior manager (debit cards) Cedric Edwards, it is not possible for anyone to access the security module or read the pin when it is being sent up line to the module.
FNB allows customers to change their pin numbers as often as they like after being issued their card and original pin number by the bank.
Nedcor Bank allows clients to select their own pin number on card issue at the branch without going through the the mainframe. This can be changed by the customer as often as required.
”It reduces the security risk if customers can change their numbers often,” says Edwards.
Standard Bank only lets customers change their pin numbers if it is specifically requested — it is not an option offered at the ATM.
Van der Merwe believes that customers are likely to forget their pin numbers more easily if it’s often changed and that numbers chosen by the customer as opposed to a random number selected by computer are more likely to be worked out, especially if the customer is known to the thief.
Nedcor Bank contends that if a client is issued with a random number that has to be stored or written down somewhere easily accessible, it is potentially easier for a thief to acquire.
Amalgamated Banks of South Africa (Absa) manager (ATM development) Johan Woest comments that to help clients prevent fraudulent transactions on stolen cards, Absa accepts ”stop card” requests on all ATMs without requiring the card. ”The transaction is initiated on the ATM by pressing a key, the account number and the pin.”
Chip technology — as used in smart cards — is considered by some banks to be the future of electronic banking.
Edwards says chip technology is far more secure than magnetic stripe ATM card technology as the information on a microchip is almost impossible to copy. ”The pin number can be stored on a card because it is a microprocessor and so the pin doesn’t go further than the card and is never put into a network.”
Nedcor Bank head of electronic banking Colin Wheater agrees that over time, it is possible that the smart card will supersede magnetic stripe technology.
FNB and Absa are in the process of converting ATM machines to read smart cards as well as magnetic stripes while Nedcor Bank says all of its new ATMs ordered over the last two years have smart card capability.