The Fraud Blog with Tracy Kitten

Reconnecting with Banking/Security Leaders

Reconnecting with Banking/Security Leaders

But journalists also cannot lose perspective. I was reminded of this point last week, after delivering a brief presentation to a small group of community banks and credit unions based near San Diego. The company that invited me to speak is a third-party ATM service and maintenance provider that, like most, is expanding its offerings to include more holistic solutions and services. My goal: To talk about some of the emerging security threats I see affecting the industry overall.

So, as I work on my presentation, some points are gimmes: ATM skimming, mag-stripe vulnerabilities, the online channel's susceptibility to breaches, phishing attacks, malware, etc.

And then, suddenly, a voice from the audience asks, 'What is chip and PIN?' 

I toss in a few stats, include some comparative data to offer perspective on how certain types of cyber- and low-tech threats are growing. And yes, let's see: Crime is a global problem, so I cannot forget to include some information about cross-border fraud, money-laundering and money-mules, since, well, most hacks and attacks involve some sort of money-laundering. Then we have the mortgage crisis and ever-growing concerns about rescue schemes. For fun, I'll also talk about some of the check concerns that are now being raised by remote deposit capture. This is good stuff.

During the presentation, I start rolling through the slides, and everything is moving along nicely. I get to a slide I've put together about the migration of fraud that industry analysts have been predicting for years. As the rest of the world completes its move to EuroPay, MasterCard, Visa/chip and PIN standard, the United States' continued reliance on the magnetic-stripe opens doors for fraudsters. I half mention this in passing as I review the content of the slide. And then, suddenly, a voice from the audience asks, "What is chip and PIN?" I'm surprised by the questions, but wait silently as I hear a few other attendees chime in to answer.

This offers a nice segue to the next slide in my presentation, which includes a quote from Merrill Halpern of United Nations Federal Credit Union about the expected migration of fraud because of EMV. UNFCU, in anticipation of an eventual move to EMV in the U.S., as well as to ensure UNFCU cardholders can use their cards in EMV-compliant countries, is issuing its membership mag-stripe debit and credit cards for U.S. use and EMV/chip and PIN credit cards for use internationally.

A hush falls upon the group. They're stunned, in a good way, but stunned nonetheless. "Really?" they ask. "That's something that's really going to come here?"

Well, yes. Most experts accept that EMV will eventually have to be implemented in the U.S. I thought everyone knew that.

Then I move into some discussion about ATM hacks, highlighting the staged attack put on at the Black Hat security conference in Vegas a few weeks back. "Hackers really can infect an ATM's PC that easily?" one attendee asks.

It was a good lesson for me: most bankers are spending their days serving customers and members. They don't have time to keep up with all of the new regulations coming down from Congress; with all of the new fraud schemes coming out of Eastern Europe; or with all of the cool technology that's being developed to thwart skimming attacks and ATM raids.

In fact, a lot of them are still relying on traditional or even old-fashioned ways of doing business. Some highlights I picked up last week:

  1. A significant percentage U.S. institutions likely have no idea what EMV is, despite that the technology has been around for nearly two decades, much less that the move to EMV overseas was a catalyst for the migration of card fraud to the U.S.
  2. A lot of U.S. ATMs are still running IBM's now-unsupported OS/2 operating system - about 45 percent of the ATMs serviced by the company that hosted the event are still running in an OS/2 environment.
  3. And, despite the nearly six years that have passed since the Check 21 movement, most institutions have not transitioned their ATM fleets to imaged-enabled deposits. One decent-sized credit union in Washington told me last week that only 50 percent of its ATM fleet has moved away from envelope deposits.

Those highlights aside, I was pleased to hear that the service provider that invited me is starting to spread the gospel about EMV. In fact, all of the NCR Corp. SelfServ ATMs this service provider has purchased over the last six months are equipped for chip reading. So when the transition to EMV/chip and PIN does happen in the U.S., these ATMs will be ready.

Now it's my job to remember that I have to keep writing about the real issues and technology affecting bankers in the U.S. on daily basis, even if I've written about it several times before.

Thank you for reminding me why it's dangerous to make assumptions.

About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.