Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Comments are moderated and will not appear until the moderator has approved them.
Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.
In addition, no off-topic remarks or spam is permitted.
March 21, 2022
ATM Jackpotting Attacks Getting Clever
In reviewing my previous posts on ATM fraud, I realized I haven't written about ATM jackpotting since cybersecurity journalist Brian Krebs detailed the first jackpotting attacks against ATMs in the United States in early 2018. ATM jackpotting occurs when a criminal gains physical access to an ATM and instructs the ATM to dispense cash until the ATM is empty. This type of fraud is different from ATM cash-out schemes I wrote about in February 2018 and December 2019, whereby the criminal gains access to an issuer's card management system and overrides card or account withdrawal limits by manipulating the authorization messages to the ATM. More details on the jackpotting process below.
The European Association for Secure Transactions (EAST), which tracks ATM fraud attacks for financial institutions in the EU, reported 202 successful jackpotting (ATM Malware & Logical Attacks) in 2020, resulting in losses of €1.24 million (approximately US$1.4 million or about US$7,000 per attack). While other types of ATM fraud reported such as card skimming and physical attacks were down, jackpotting attacks represented a 44 percent increase in number of attacks and a 14 percent increase in losses from 2019. Statistics of attacks in the United States are more difficult to obtain because most ATM owners avoid the negative publicity associated with a compromise of their terminal.
I recently attended a panel discussion at an ATMIA conference on this topic. The participants discussed several attacks, including one involving multiple ATMs resulting in a loss of $1.5 million in the span of a couple of hours. The amount of money in a machine varies from a couple thousand dollars to as much as $50,000, depending on the ATM type (full-service ATM versus simple cash dispenser), its location, and the expected activity level. It's a balancing act of trying to minimize service calls to replenish the cash versus risking losing the cash to an attack.
So what does it take for a jackpotting attempt to succeed? Unlike the highly secured vault-like compartment for cash storage, an ATM's top compartment, which contains the software-driven components, is more easily accessed, either by jimmying the lock or purchasing a key off the internet (many terminals use a common key). In that compartment, the criminal installs software with jackpotting malware or a black box that intercepts transaction messages. Most often, criminals target ATMS in retail locations, where they can pose as a service technician and not attract the attention of store employees. After the criminal has installed the malware, money mules collect the money. In some cases, a mule presses numbers on the keypad that instruct the terminal to dispense a large quantity of bills or to empty the currency cassette completely. In others, the mule seems to be withdrawing, say, $60 but the malware tells the terminal to dispense $600. In most cases, the ATM owner doesn't discover the attack until the terminal unexpectedly transmits an "out-of-cash" message.
Such attacks can be financially devastating to an independent ATM owner because, unless they have some level of insurance coverage, they bear the full brunt of the loss. In a follow-up to this post, I will examine some of the countermeasures ATM owners can use to prevent such attacks from being successful.
March 7, 2022
Cash Is Critical in Times of Crisis
Before I get into the meat of this post, I want to acknowledge that the events in Ukraine are on all our minds. Our hearts and thoughts are with those caught up in this conflict.
Among the photos coming out of Ukraine are images of the Ukrainian people lined up at ATM machines. These pictures underscore that cash, and access to it, is critical in times of crisis and uncertainty. Here at home in the Southeast, the Atlanta Fed is always on alert during hurricane season in the event that we have to step up our supply of cash to banks.
In addition, understanding the continuing role of cash in an increasingly digital world has been a core focus in the payments research we do through the lens of diversity, equity, and inclusion. Cash remains an important payment option among our many other options, including cards, checks, apps, and digital currencies. There are many reasons some people prefer to use cash: it helps them manage their budget, they don't have a bank account, they lack access to internet or smartphones and therefore lack access to digital payment apps, they're comfortable with cash from a lifetime of use, they're seeking anonymity, or they just plain choose to use it.
Although some businesses had already stopped accepting cash by the time the pandemic hit, the pandemic opened the door for many other businesses to stop taking it. Some businesses stopped offering in-person services and went to online platforms where customers could not use cash, such as order ahead, curbside pickup, and delivery subscription services. Concerns about money and hygiene, the coin supply disruption, and the ease of using cards and apps also discouraged cash use.
Those who use cash, whatever their reason, have been affected by the decisions of these businesses and by other decisions stemming from the pandemic, according to survey data. They've also been affected by the reduced number of ATMs in the United States due to bank and business closures, often in rural and low-income areas, or due to changing policies affecting independent ATM operators. Access issues to ATMs even in the United States can make it more difficult, and perhaps more expensive, for people to get cash when they need it most.
In times of natural disasters, when electronic systems could fail, people turn to cash. People also turn to cash in times of manmade disasters. The reliance on cash as the go-to payment in times of crisis and as a personal choice underscores the need for cash preservation and ease of access.
While the Ukrainian people have much more important things to deal with, and our thoughts are with them as they navigate this crisis, understanding the role that access to cash plays in people's lives is something we will continue to look at here at the Atlanta Fed.
December 13, 2021
Casinos as Technology Innovators
We don't normally think of payments and gambling casinos together, but a recent trip reminded me how the casino industry has adapted technology in a number of different ways to improve their operations and how some of those innovations have found their way to the banking industry. In October my wife and I took a road trip to see the leaf changes and found ourselves in Cherokee, North Carolina, whose economy is dominated by a casino. The greatest number of options for dining in the town were in the casino's food court, so we parked and went inside. While this casino did not have the variety of high-end shops and celebrity chef restaurants found in Las Vegas, it did have a lot of the technology that's evident in those Las Vegas casinos, including lots and lots of rows of slot machines and table games.
Over the years, I have noticed the significant changes that have taken place in casinos with regards to coin handling and slot machine technology. For one, coins have been almost eliminated for both inserting into the slot machines and payouts. Now, if you hit a payout and press the collect button, instead of hearing the loud clang, clang noise of coins hitting the tray, you hear an electronic version of coins being dispensed and then the whirring of a paper voucher being printed out. This change has largely been motivated by the expectation of substantial cost savings from reduced coin handling and storage, as well as transportation expenses.
Another major change in casinos has been the transition from mechanical to electronic in all aspects of casino games. Much to my dismay, it is almost impossible today to find a slot machine with a handle that you pull to start the reels rolling. Now, you press a "spin" button to start the game. I am willing to bet the casino operators have found that eliminating the pull handle increased the number of plays per minute as well as eliminated the breakdown of mechanical parts, for additional revenue and reduced operational expense. Winner, winner, chicken dinner. Anyone who has visited a casino in the last 10 or so years knows that the mechanical reel slot machines have long disappeared and been replaced with electronic video displays, whether those show a hand of cards or symbols you are trying to match.
ATMs have long been present in casinos as a means for customers to get extra cash—with surcharges often as high as $10—but these single-purpose machines have been replaced by multifunction kiosks. The virtual teller machines you often now see in banking offices are an evolution of the casino kiosks. Not only can these casino kiosks perform account withdrawals like an ATM, but they can also redeem those winning paper vouchers down to the penny, break large denomination bills to smaller denominations, and provide dining locations and other guest information.
You can see another technological innovation with table games. Recently, some casino table games—including craps, blackjack, and roulette—have started using virtual dealers. Players sit around the table and place bets electronically from their "stack" of virtual chips while the holographic dealer operates the game. Based on my observations, casino patrons still seem to prefer the games staffed by real people.
Of course, casinos were one of the early users of facial recognition technology to spot individuals who have been banned for cheating or for some other reason. And you'll see the high-definition surveillance cameras everywhere, watching employees as well as patrons, monitoring possible cheating activities, and looking for situations of possible customer conflict.
Incidentally, while I was researching the changes that have occurred in casinos, I came across a paper written by my colleagues at the Federal Reserve Bank of Richmond back in 2005. Although the paper is more than a decade old, it still provides an excellent overview of the technology and coin/currency operational changes that have taken place in casinos.
November 22, 2021
We Are Thankful For…
Two years ago, prior to Thanksgiving, I asked each Risk Forum member to provide me the one thing they were thankful for in payments. This year, I posed a bit of a different question to my colleagues and asked them what payment innovation they are most thankful for. Without further ado, the Risk Forum presents our 2021 Thanksgiving week "What payment innovation are you thankful for?" list.
- Nancy Donahue, project manager: I'm thankful for innovation in voices contributing to payments because it's through these different and diverse viewpoints that the industry develops solutions that are inclusive of all consumers!
- Claire Greene, payments risk expert: I am thankful for the electronic receipt of bills and automatic bill pay. As a payments expert who doesn't want to think about her personal payments, I remember the monthly stack of envelopes on my dining room table.
- Scarlett Heinbuch, payments risk expert: I am thankful for the innovation of dongles and payments apps that make it easy for small businesses and individual sellers to accept credit card payments.
- Douglas King, payments risk expert: I am thankful for innovation in payroll that makes my payday afternoons more flexible through the ability to receive my paycheck via direct deposit. Prior to direct deposit, I distinctly remember receiving a check at my job and then heading to a bank only to wait in a long teller line on Friday afternoons with others to deposit our paychecks.
- Dave Lott, payments risk expert: I am thankful for the ability to make contactless payments with my debit card at stores and gas pumps as it is much faster.
- Sally Martin, senior business analyst: I am also very thankful to be able to schedule payments electronically, either once or as many times as I want out to infinity. Keeps me honest and doesn't allow me to rob Peter to pay Paul as easily. Also, I don't have to think about doing it every month when the due date comes along.
- Catherine Thaliath, project management expert: I am thankful for digital wallets that make it convenient to store my credit cards, boarding passes, concert tickets, loyalty cards, etc., all in one place!
- Jessica Washington, payments risk expert: I am thankful for mobile deposit capture. When I do get lucky enough for someone to give me money (outside employer) and it is a check (whah, whah) I love that I can pop that moolah into my account right after I open the mail or birthday card.
And we are thankful for YOU, our readers of Take On Payments and supporters of the Risk Forum. We sincerely appreciate your comments, kudos, and criticism, and hope that you all find value in the information we provide and share. As we enter into these crazy last weeks of 2021, we wish you and yours a wonderful holiday season.