Banks on high alert

By Maheesha Mudugamuwa

Last week’s media reports of unauthorised withdrawals from several banks in Colombo and its suburbs caused panic amongst account holders, while banks seemed helpless in their efforts to control the security breach, which turned their entire system upside down.

Several banks disabled their ATMs (Automated Teller Machine) as they initially believed there was a fault with the LankaPay National Payment Network – the financial service provider of LankaClear – but later they clarified that their systems were safe and were not being hacked.

Subsequently, it was discovered that ATM skimming was the source of the issue.
The investigating authorities suspect that fraudsters used card skimmers to clone debit/credit cards, which they then used to withdraw money from remote locations.

ATM skimming is the theft of card information, where a small device, known as a skimmer, is used to steal the card details during a legitimate ATM transaction. As the card is swiped at the machine, the skimming device captures the information stored on the card’s magnetic strip.

Ninety percent of the banks in Sri Lanka use high-tech machines, not just to enable withdrawals through ATMs but also deposits, in some banks, up to Rs. 200,000 through CDMs (Cash Deposit Machines), in order to reduce the number of over-the-counter transactions by customers within the bank’s premises, in an effort to ease congestion.

Even though ATM transactions cost customers each time they withdraw (the amount depends on many factors), they were forced to use ATMs as banks weren’t allowing them weren’t processing the transactions manually.

In such a situation, isn’t it the responsibility of the banks to maintain 24-hour security in their so-called high-tech smart zones?

Security at ATMs

The Sunday Morning got in touch with the Sri Lanka Computer Emergency Readiness Team (SLCERT), which comes under the purview of the Digital Infrastructure and Information Technology Ministry.

Information Security Engineer Ravindu Meegasmulla said that banks should be held responsible for any ATM frauds, and that banks generally compensate customers who have lost their money as a result of fraudulent activity.

Explaining the recent ATM frauds, Meegasmulla stressed that it had nothing to do with cyber security and explained the concept of ATM skimming.

He said that the individual would have to physically insert a gadget into the ATM which would enable them to record the PIN numbers of the cards while they were being entered by the cardholder, and later prepare a plastic/temporary card which would be used to withdraw money from those accounts.

Police Media Spokesman SP Ruwan Gunasekara said they suspected two Chinese nationals and a Romanian national in connection to the ATM fraud, and that these suspects had been arrested by the Criminal Investigation Department (CID) following the investigations.

ATM skimming

Similar incidents were reported over the past few years as well.

In 2018, the Police apprehended two suspects in the Kurana area in Negombo after they stole Rs. 8.7 million from ATM machines in Negombo and Ja-Ela.

In 2017, three suspects were arrested, based on evidence in the form of CCTV footage, for engaging in ATM skimming where they withdrew money from ATMs of both private and public banks in Matugama, Pelmadulla, Ratnapura, Baduraliya, Kahawatte, Dankotuwa, Marawila, Nattandiya, Pannala, Kochchikade, Gampola, and Nawalapitiya. The total value of the theft amounted to around Rs. 700,000.

In 2016, two Chinese nationals were arrested in connection with ATM skimming after an electronic device used to steal such information was found attached to the ATM of a state bank in Kandy.

Being prepared

Commenting on the ATM skimmer and safety aspects of the whole banking system in Sri Lanka, former Central Bank Sri Lanka (CBSL) Governor Ajith Nivard Cabraal said: “The banking system is safe, but at different times there are people who try to take advantage of the situation. As things like these continue to happen, we need to be vigilant. Banks should be prepared to face these incidents.”

He also explained: “It’s very similar to installing a virus guard to protect your computer from viruses. As we know that ATM and credit card fraud can take place at any time, we need to constantly be in a state of readiness to be able to deal with it at the time of incident. Banks need to ensure that the authorities are ready as well, as incidents like this or even new threats could pop up in the future.”

On speaking to HNB Chairman Dinesh Weerakkody about the matter, he said: “Banks are very well regulated in Sri Lanka. CBSL has taken several initiatives to make systems safe and secure throughout the country. However, just like most other countries, there are challenges.”

According to the CBSL, fraud can also take place through card reading machines, and not only ATMs.
To mitigate the possibilities of such incidents, international payments and security standards best practices have been adopted in Sri Lanka’s ATM and card payment network.

These include the issuance of cards with electronic chips (EMV) and sending SMS alerts to customers for all electronic transactions.

The efforts of banks, payment card issuers, acquirers, and regulators need to be acknowledged and supported by customers in order to safeguard their payment systems.

In order to strengthen security in ATM transactions, customers are required to use EMV chip cards. These EMV-enabled cards carry an electronic chip visible in the front of the card.
If the card used by a customer is not EMV enabled, a request can be made to the relevant bank to issue an EMV enabled card, the CBSL stated.

Meanwhile, the Payment Card Industry Association of Sri Lanka and the Sri Lanka Banks’ Association (Guarantee) Ltd. stated that fraudulent withdrawals of funds via ATM skimming was being investigated, and that action was also being taken.

They said that the member banks received complaints from some customers that their savings/current accounts were debited with amounts as a result of fraudulent ATM withdrawals, caused by card data that was compromised through ATM skimming activities.

They confirmed that this process was where cloned cards were created to make these fraudulent withdrawals.

As soon as they received the complaints, member banks took prompt action to attend to the complaints received and credit the accounts upon relevant verification.

In addition, banks adopted proactive action where they contacted customers whose cards were used at ATM locations where the skimming took place.

The SLCERT urged the public to be vigilant and to activate SMS alert services, where transaction notifications are sent to customers, so that they may contact the bank if any unauthorised transactions are recorded.

In addition to fraud through ATM machines, Meegasmulla stressed that there were many other types of fraud that can take place without the knowledge of the cardholder. He also added that cardholders need to be vigilant and ensure that they are near the card machine whenever their card is handed for a transaction.

Meegasmulla said: “There are some devices that can read the details of the customer’s credit/debit card.”
He added that these types of incidents are listed under financial fraud and not cyber crime.

An expert in the field of information security explained that the security procedures in place need to be followed by both customers and security personnel at the bank.

He said that the banks should always monitor their CCTV footage, especially when they notice suspicious activity.

Similarly, a customer should also follow the security measures laid out by the banks – such as not wearing helmets when entering an ATM booth – which are mostly on notice just outside the kiosk.

However, the security at the bank should be vigilant in instances where a person does not abide by these rules, and should take appropriate action, Meegasmulla added.