17 May, 2022


Attack On ATMs: The Use Of The ‘Eyeball Test’ Involving Vigilance Is The Best

By W.A. Wijewardena

Dr. W.A Wijewardena

Irrational reaction of Homo sapiens

It seems that the genetic code of modern Homo sapiens is not different from that of other species. The latter is guided not by thinking but by instincts. Similarly, Homo sapiens is still embedded with the ‘gene of fear’ that compels it to ‘fight or flight’ when faced with fear-stricken situations. That emotion is necessary for safety and survival. But in the modern world, Homo sapiens who is called ‘man the wise’ does not have to resort to either course without subjecting the source of fear to a critical inquiry.

This irrational behaviour of Homo sapiens led psychologist Herbert Simon, a Nobel laureate in economics, to coin the term ‘bounded rationality’ to describe it. According to him, Homo sapiens is rational within the boundary of ‘information, time and brain power available’, no matter what improved education, counselling or mentoring he may have got.

Later, another Nobel laureate in economics, Daniel Kahneman, made a startling revelation about why we make appropriate judgments fast on some occasions and slow on others. He attributed it to ‘biases of intuition’. That is, we allow ourselves to be guided by our own over-confidence in beliefs, impressions and intuitive knowledge rather than rational thinking. We believe that we are correct even when we have made wrong judgments.

This deficiency of ours is being used by politicians, religious leaders, marketers and many more to herd and lead us. We do not think that we have been victims, but firmly believe that we have been correctly guided. This weakness of Homo sapiens has been the source of all financial manias, panics and crashes in the history, as documented by Economist Charles Kindleberger, in a book under the same title.

An isolated ATM skimming

The reaction of Sri Lankans last week when a few Automated Teller Machines or ATMs operated by a few commercial banks came under attack by some criminal elements was testimony to this irrational behaviour.

The modus operandi used by these elements, nicknamed as ATM skimming, is second only to a James Bond movie full of weird-looking, intelligence-gathering high-tech gadgets. To withdraw monies fraudulently from a customer’s account, one needs to have the details embedded in the ATM card and the customer’s personal identification number or PIN. To capture the former, they had stealthily fitted a card-reading electronic device to the ATM’s card slot. To learn of the PIN, a secret camera had been mounted just above the keyboard of selected ATMs. Then, monies had been withdrawn from the customers’ accounts by using a duplicate card cloned by embedding the information so copied.

They had used a long weekend to put their plan into action. That was to prevent banks from detecting the robbery because they are usually operate low key on holidays or during weekends. But the banks, having detected these unusual activities in time, had taken prompt action to limit the loss only to those transactions that had already been completed. Thus, a major cyber robbery of Sri Lanka’s banking system was averted.

Fake news to create a major banking crisis

Even before the news of the ATM robbery was out, Sri Lanka’s irrational minds appeared to have sprung into full action. WhatsApp and other social media communication networks were used by bigger unscrupulous characters to malign the banks concerned and create panic among bank customers.

I received a message purported to have been disseminated by a Sri Lankan living abroad claiming that all bank networks had been hacked, implying monies were being robbed. It had sourced its information to a leading TV channel which is said to have advised bank customers to check the balances in their bank accounts. Though it was obvious that the information in the message had been faked implicating this TV channel, there was no denial of it in the website of its home page. It added credence to the fake message, further fuelling its dissemination.

But a bigger damage was done by other Sri Lankans, either through mischief or compelled by genuine concerns, by re-forwarding this fake message wholesale to all others. It spread like wildfire among Sri Lankans living both in the country and outside, fanned by irresistible manic compulsions. The attack on ATMs had been isolated and it had been brought under control. Yet, the secondary attack orchestrated by the unscrupulous elements through fake news in social media, amplified by word of mouth, was to create a major banking crisis in the country.

LankaClear has no role

The fake news had also implicated LankaPay, a national payment network operated by Sri Lanka’s cheque clearing agency, LankaClear. The rumour had been that LankaPay had been used to rob money from customer accounts. The irrational minds to which both LankaPay and its product JustPay were aliens had believed the story that it was LankaPay which was responsible for the digital heist of bank accounts in the country.

A senior bank manager whom I met also expressed these sentiments to me. His concern was that the security system in the common use of ATMs by several banks, known as the Common ATM Switch or CAS and operated by LankaClear, had been breached, enabling the cyber robbers to rob customers’ money.

LankaClear was not responsible for the robbery in question because it was only a facilitator of the common use of ATMs by several banks. ATMs were still owned by banks which were responsible for their security and proper use by bank customers. On the other hand, the product of LankaPay – tagged JustPay – was a transaction between a customer and a merchant by directly debiting his account by using a mobile device. ATM cards did not come into the picture at all.

Banks have always been source for robbers 

Throughout history, banks have been the most sought-after institution by robbers. That was because they were rich with stacks of currency notes and coins and robbers could have an easy getaway after robbing them. Hence, armed gangs often covering their faces with masks have raided banks to rob cash in their vaults at gun point. It was an action-filled spectacle to witness armed men storming into a bank branch, asking both customers and bank staff to lie face down and then freely pushing money into bags before making a getaway in speeding vehicles.

However, these incidents were kept under control by banks by stepping up their physical security alarm systems. As such, the incidence of bank hold-ups has been on the decline. Another reason for its decline has been the significant reduction in the potential gain due to a similar reduction in the currency content in a bank branch, a development due to fast and progressive digitisation of banks.

With that, a new type of bank robbery in the form of cyber attacks on banks began to take root in the system. The attackers were not armed with guns but with sophisticated equipment that could hack banks’ computer systems to transfer money from accounts to undisclosed destinations. They were carried out at two levels. One was at the banks’ head office level penetrating their main computer systems. The other was at the local level targeting cash dispensing machines also known as ATMs.

Compromising a bank’s computer system

At the head office level, a bank’s computer system is operated by numerous staff members who have been given passwords to have access to it. It is these passwords which hackers try to acquire. Hence, banks have introduced a strict password compliance guideline to their staff.

Despite these measures, simple human errors and negligence would open doors for hackers to acquire them easily. Against this human error, banks have protected themselves through firewalls that would block unauthorised entry, encryption of messages preventing viewers from reading them and regular update of software and ‘data use audits’ as a preventive measure.

Hence, it is very rare now that computer systems have been hacked and monies belonging to customers have been stolen. The risks to systems have been the introduction of malware temporarily disabling their operation. In Sri Lanka, such major attacks on banks’ computer systems have not been reported in the past few years.

Today, it is ATMs that come under attack by criminal elements to rob money from genuine customers.

ATM jackpotting

In addition to ATM skimming, there are other ways of doing so. One frequently adopted method, known as ATM Jackpotting, involves in fitting ATMs with a duplicate computer operated remotely from an off-site. Similar to an endoscope that penetrates a human body to take pictures inside, the heart of the operating system of the ATM is penetrated and its operating system is captured.

For practical purposes, the bank concerned will receive the alert that the ATM is out of order. By the time the bank’s technical staff comes there to fix it, the remote operator would have drained it of all the cash, forcing the machine to cough it out at full speed. This would amount to a hold-up of a bank branch by criminal gangsters since it is bank’s money that is being stolen.

Removing ATMs by using forklifts

Another popular method is the removal of ATMs located in isolated places using forklifts and carrying them away to retrieve the currency inside them at leisure. This is exactly similar to how it was done in the Wild West in the 18th century.

There, the bank robbers will come behind the bank branch, blow up the wall partitioning the iron safe of the bank, pull it out by using actual horse power and whisk it away before the sheriff would make his presence in the crime scene. The safe is then cut in order to retrieve the stacks of currency notes and coins within. Hence, raiding of ATMs by criminal elements is a common occurrence in the world today.

Ghost or fake ATMs

To retrieve details of ATM cards and PINs, criminal elements had in the initial stage used some ingenious methods. They would buy a used ATM discarded by a bank and recondition it to look like a genuine ATM operated by a reputed bank.

Then, the ghost or fake ATM is set it in a public place to deceive unsuspecting customers. When a customer inserts his card into the slot of these ghost or fake ATMs and enters his PIN, the machine immediately captures the data in the card and PIN, having displayed an error message on the screen to send the customer away.

The information is then used to clone duplicate cards for use in subsequent operations. This has been made possible by the availability of a large number of discarded ATMs in the used ATM market.

Technology brings in risks too

Technology has definitely eased our life. But, it has also brought in new risks. Thus, the challenge of bankers today has been how to use technology, while keeping the risks at a minimum. For that, the three parties which have an interest in a safe financial system – customers, banks and regulators – should get together and form a common front to fight abusers of technology.

In this context, vigilance, due diligence and quick action are the buzz words of success.

Alert the customer in real time

On the banks’ side, there should be adequate safety measures within the bank to thwart cyber robbers who usually operate from unknown foreign countries.

There are instances where banks have been negligent in changing the password of the customer. In one instance, the password had been communicated to the customer via common email and the email had been intercepted by criminal elements operating from a foreign country. Before the customer had noted it, his whole account had been drained. While the bank should take responsibility for not passing the password in encrypted form to the customer, the issue involved in this case boils down to failure to alert and failure to exercise due diligence.

In this modern communication world, there are enough low-cost methods of alerting customers of transactions being done in their accounts on a real-time basis. One is the use of SMS services; another is the use of email communications. Of these two methods, the first is preferred since it does not require internet facilities for communication.

When a customer is alerted via SMS, he could immediately alert back the bank concerned about a possible compromise of his account. It could limit the loss to what has already taken place.

Due diligence should be rewarded

At the same time, bank officers should use due diligence when they observe unusual patterns of debits to customers’ accounts. Such due diligence exercised by a Sri Lankan bank when the payments system of Bangladesh Bank or BB was compromised by hackers had saved BB some $ 900 million. Hence, due diligence is a preventive measure and bank officers should be encouraged to use it by rewarding them appropriately. Thus, there is nothing better than the use of the costless ‘eyeball test’ involving vigilance for preventing cyberattacks on banks.

*W.A. Wijewardena, a former Deputy Governor of the Central Bank of Sri Lanka, can be reached at waw1949@gmail.com 

Print Friendly, PDF & Email

Latest comments

  • 7

    Best to use an ATM that is attached to the bank.

    • 1

      Typical Sri Lankans, using modern tools like FB to spread unfounded fake news.

      • 1

        Dr. Wije: your seem like an intelligent guy so could you do help us? Pl. some analysis on how Sri Lanka may ensure Debt Cancellation with help of Jubilee debt campaign in London?
        In January 2019, 1 $ billion was paid and another $5 billion of loans is due this year according to CBSL. To whom???????
        The rupee will crash further according to Fitch ratings. Much of the national debt is due to corruption – BOTH supply side corruption and demand side corruption, i.e. both unethical lending practices by foreign bond traders and aid donors, corrupt politician, and financial illiteracy. It is also due to counting by bailout business accounting firms like KPMG, Deloitte and PWC. Check out Transnational Institute reports and U Tube on he Bail Out Business.
        Sri Lanka needs a discussion on Debt Cancellation with help of the Jubilee Debt Campaign in London. https://jubileedebt.org.uk/
        which US-Euro Bond private banks and sovereign bond traders have put Lanka into a debt trap, of course, with Corrupt Lankan politicians on the advice of IMF and WB?
        Coomaraswarmy who works for the Washington Consensus, America First, and the global 1 percent is not telling us to whom the $5 billions will be paid? Nor is he talking about sustainable solutions, accounatnable and ethical lending and debt cancellation with its debtors who want to asset strip this country of land and Marine resources.
        Lanka has vast marine and ocean resources and is a major security choke point for energy, trade and undersea internet data cable routes that could being down the global internet.. and US wants to set up military bases here.
        Lanka it seems is now in being played by US related sovereign bond traders who own more than 50% of national debt and Lanka is in the IMF “Bail Out business”.

        • 1

          Yes, saying that China has put Lanka in a debt trap is Fake News from Pentagon and Pence. China has less than 15 percent of Lanka’s sovereign debt an mostly long-term concessionary loans.
          It is in fact the Washington Consensus (IMF, WB and Millennium Challenge Corporation), with its Euro bond and Japanese proxy including ADB that has been building overpriced expressways and flooding Lanka with Toyota cars and SUVs for corrupt politicians, that is responsible of the transport crisis and debt trap in Sri Lanka, and so many other countries in the world.
          In the late 1990s IMF has very few client states and was about to close down but after the financial crisis, now it has a huge “bailout business” – putting counties into debt traps and bailing them out! Pakistan has been bailed out 17 times, but never develops. So too Lanka, Argentina, Ecuador, Greece and the list goes on..

  • 4

    It is said that a computer will do the work of 100 people but to correct a
    mistake you need million brains.

    • 0

      Dr.Wije, quite right,
      We live in a world where promoting insecurity, including big data insecurity, is big business for multi-national insurance companies, military, arms traders and info. technology surveillance and arms manufacturing companies –which want access to our data.
      This is why RISK analysis is itself a massive security industry, while people maybe starving on the road.
      The insurance and security industry is the worst. They play on the fear and paranoia of people. This is Capitalism and its risk business and derivatives game – trading on loosing.
      You would likely enjoy Arjun Appadurai’s book: “Banking on words: Language in the Age of Derivatives” and David Greaber’s “Debt the first 5000 years”.

  • 0

    No need to run away with the machine anymore. It is possible for the hacker to make money come out of the ATM using computer code: https://www.youtube.com/watch?v=KFSzLVXnQCg. The idea here is to bypass encryption. Encryption is in the form of some random number generator. Once the hacker has passed this level of security, the machine will perform any mechanical function that he wishes. In any event, one should not worry about ATM’s, as the amount of money they contain is limited and all the money is insured by some other entity.

  • 0

    Change the password after one time use let the machine message the next password to the mobile no
    or any other secret ie Strong Password Generator one the money is withdrawn accounts can use text-message-based password reset PIN code that’s sent to your phone, like loading the mobile card.

Leave A Comment

Comments should not exceed 200 words. Embedding external links and writing in capital letters are discouraged. Commenting is automatically disabled after 5 days and approval may take up to 24 hours. Please read our Comments Policy for further details. Your email address will not be published.