For banks to deter ATM heists, they should learn from history

"The thing that hath been, it is that which shall be,” says the Philosopher in Ecclesiastes, in the Bible, “and that which is done is that which shall be done: and there is no new thing under the sun.”

In financial crime, nothing is new. It has all been done before. Kenyans wake up to the news of ATMs having been robbed overnight. Though unknown, the perpetrators are, obviously, no amateurs.

This is evident from the military precision with which they struck, the counter-detection tactics they employed and the sophistication of the technical tools used. It is clear that this is no ordinary smash-and-grab artist from Muchatha.

During Easter, four Barclays Bank ATMs were robbed. That also happened to various other banks seven years ago, during the 2012 Christmas holidays.

It was repeated during Easter in 2013 and again over New Year’s Eve in 2015, for which a Bulgarian organised criminal group was arrested in Diani.

HEISTS

In 2008, Roman Seleznev, a hacker, stole $9 million (Sh909 million) from 2,100 ATM machines across the globe through accomplices he had recruited online.

In early 2013, an attack said to have been coordinated from the Dominican Republic robbed $45 million from thousands of ATMs in 20 countries.

Bulgarian criminals thought to be relatives of one of the Diani suspects were caught cashing out ATMs in Bangkok, India and Australia.

That the heists have been happening for so long with few changes in the modus operandi suggests an inability, or unwillingness, to learn from history.

Or, as I was informed by some stakeholders a few years ago while running an in-house anti-ATM fraud drill for a client, banks have made the pragmatic calculation that the costs of prevention outweigh the actual losses in cash.

Essentially, what the financial sector is dealing with is a combination of two types of crime: unlimited operation and ATM jackpotting. The former is more complex than the latter.

FRAUD

An unlimited operation requires the fraudsters to steal, or otherwise clone, debit cards issued to a bank’s customers.

They then use accomplices inside the bank to defeat fraud red flag systems for those cards and remove the withdrawal limits for them.

They then distribute the numbers and PINs of these cards to accomplices, who clone the cards and strike ATMs simultaneously.

The name “unlimited operation” comes from the fact that the cards are unlimited in how much they can withdraw. And since the limits for the cards have been removed, the fraudsters can withdraw as much as is available in the ATM.

Given the complexity of this crime, the funds stolen will usually be from one bank. Worse, the heist includes access to customer data by the criminals for future attacks.

Jackpotting, however, requires less planning or logistics. The criminals target random ATMs where they insert miniature cameras at the end of a flexible extension, much like a surgical endoscope.

SECURITY

They check whether the ATM has any exposed interfaces, hook up a mobile computing device, run some purpose-built malware (which are available for sale in the unsavoury corners of the internet) and force the ATM to spit out its contents.

Its characteristics are that it is not very sophisticated, does not present a persistent threat, it can be thwarted if the criminals cannot find an interface to connect to or if the ATM is secured and monitored in real time by security guards and, of course, the criminals do not obtain access to sensitive customer data.

To prevent these crimes and protect their assets as well as customer data, financial institutions need to strengthen their institutional memories and learn from each episode.

COLLABORATION

Of course the human in the process is always the weakest link. Training, drilling, random spot checks, retention of experienced security teams might all help.

State enforcement agencies such as the Banking Fraud Unit should also adopt a more proactive posture through high-level collaboration with others around the globe.

The Federal Bureau of Investigation had issued a warning about this type of crime months before it happened. International crime is best fought through international collaboration.

Mr Kuria is a risk consultant specialising in detection, prevention and disruption of complex transnational financial crime; [email protected]