Despite Shift to EMV, ATM Fraud PersistsSkimming and Card Closing Remain Persistent Threats
Despite India's move to EMV-chip payment cards, ATM fraud continues to take place.
In a recent incident, for example, a branch manager of Canara Bank in Bangalore filed a police complaint saying a skimmer had been fixed to a bank ATM, compromising several accounts, according to the Deccan Herald.
Several customers complained to the bank that money has been fraudulently withdrawn from their accounts even though they possessed their debit cards, The Deccan Herald reported. Police determined that those who used one specific ATM kiosk lost their money, according to the news report.
In another incident two weeks ago, a woman in Delhi went out for dinner and paid a bill of INR 5,300 using her husband's debit card. A few days later, her husband, received a message that INR 75,000 had been debited from the card, according to news report in India Today.
According to the website of Cyber Crime Cell, Delhi, the number of reported card cloning incidents in that state have risen from 70 in February to 100 in May.
Data from cybercell Uttar Pradesh as well as Karnataka shows that 25 percent of those using an ATM card in India have been a victim of online fraud in India during FY 2018-19.
Ministers in Parliament recently stated that during fiscal 2017, India saw 3,409 cases of reported bank fraud involving credit cards, debit cards and internet banking with the amount lost at INR 134 crore.
After the Reserve Bank of India's mandate to move to chip-based cards, many banks in India have issued EMV cards that also have magnetic stripes. The reason: Many ATMs are not yet equipped to read data off the chips.
A Canara Bank security researcher, who requested not to be named, tells Information Security Media Group: "At Canara Bank, we only started with the procedure of issuing new cards four months ago. Most of our ATMs also do not support chip-based cards. The process has just begun, and it will take us at least a year or two more to be 100 percent compliant." The bank plans to upgrade ATMs and issue cards with both chip and stripe.
Experts say the risk of skimming is not eliminated with chip cards if they still have a magnetic stripe and ATMs continue to read these stripes. The risk of skimming can be eliminated, however, with a chip-based card that has no magnetic stripe.
As part of its effort to boost security, RBI in May 2015 asked banks to gradually phase out magnetic stripe cards and move to EMV chip cards. RBI set Dec. 31, 2018, as the deadline for the changeover to chip cards as a way to fight against card cloning.
"The guidelines do not spell out removal of the magnetic stripe in cards as it takes time to make ATMs compliant with chip-based cards," says Triveni Singh, superintendent of police in Azamgarh, a town in Uttar Pradesh. Banks have been asking RBI for an extension of the deadline for issuing chip cards, he notes.
"The entire effort of RBI to push banks to shift to EMV cards was a waste of effort since banks on paper have followed RBI guidelines but are still issuing magnetic stripe in chip-based cards," says Singh.
"The purpose of moving to EMV chip was to make cloning of cards tough for cybercriminals. But banks issuing cards with both chip and magnetic stripe has made mockery of RBI's efforts," Singh says.
Singh, who has investigated multiple incidents of card cloning, says he has already reported 5,000 such cases to the RBI from his region this year.
One element missing in the effort to shift to chip cards, some security experts say, is making sure that ATMs are updated to read the chips rather than magnetic stripes. According to 2018 data from RBI, there are 205,184 ATMs in India.
RBI did not immediately reply to a request for comment.
Payment card companies claim that although EMV chip cards also have a magnetic stripe, sensitive card customer data is stored on the chip.
But Singh refutes that claim. "Every month, I come across so many cases of card cloning. If indeed the data was getting stored in chips and encrypted, how is that criminals with no IT background are able to clone cards so easily?" he asks.
One way to help fight fraud, some security experts say, is to use one-time passwords for every ATM transaction.
"There is an urgent need to have some kind of authentication in place for every ATM transaction that we do apart from entering the PIN," says Gautam Kumawat, founder, Cybersecurity and Digital Forensics Academy.
Singh, who recently arrested a gang on charges of card cloning and stealing money, says the availability of inexpensive skimmer devices on various ecommerce websites is making ATM cloning an easy task for cybercriminals.
"A skimmer is placed on ATM card's swiping slot. When a card is swiped, the skimmer captures information stored on the card's magnetic stripe. The skimmers are so well placed that it's impossible for customers to suspect anything foul," Singh says.
Some criminals also place a small camera above keypad to capture the PIN used for the ATM transaction, Singh explains.
Ravinder Gupta, joint general secretary, All India Bank Officers Confederation, notes: "The captured data is stored in a blank new card. More often than not these criminals do multiple cloning of a card, which helps them to withdraw large sums of money in a short time. By the time a victim gets his/her card blocked, money has already been withdrawn."
According to Sachin Raste, security researcher with eScan, an anti-virus firm based in India, ATM card skimmers are multipart devices, which consist of a card reader and keypad logger.
"The card reader would read the magnetic stripe data of the card, while the keypad logger is for logging the PIN," Raste says. "The keypad logger need not be an overlay keypad. It can also be a pinhole camera which captures the visuals of the keystrokes. All these devices are embedded into a casing which is made to look just like a part of the ATM."
Criminals transmit the stolen card information to fraudsters across the globe, who then siphon off the account balance by shopping online.
Cracking Down on Crime
In many card cloning cases, banks have not reimbursed customers for money stolen as a result of ATM fraud, Singh says.
"Banks either put the blame on customers saying they have shared their OTP or ask for proof of skimmers being installed. It is tough to show evidence," Singh says.
Selling skimmers is not considered a crime in India as there is not law around it, he explains. As a result, he says RBI should develop a policy that requires vendors selling skimming machines to share with law enforcement officials the details of customers purchasing these machines. "This will go a long way in tracking criminals," he says.
Security experts also suggest the deployment of ATM anti-tampering devices to prevent not just skimming but also other forms of attacks, such as jackpotting attacks.
Although some banks are deploying anti-tampering devices in ATMs, others are installing new ATMs which have anti-tampering devices pre-installed.