Monday, July 21, 2008

ATM Industry Group: Don’t Blame Us

How can you tell when concern about ATM fraud has reached a tipping point, or a level of absurdity that defies logic and shuns accountability?

Maybe when a trade association for the ATM industry reassures the public that it’s point-of-sale terminals, not ATMs, that they should be worried about. Earlier this month, a federal court case against three alleged hackers in New York included the bombshell news that they had apparently breached Citibank’s ATMs inside 7-Eleven convenience stores and made off with millions of dollars and thousands of unencrypted consumer PIN numbers. Reports centered the blame on two ATM operators, Cardtronics and Fiserv, and raised alarms about how many other ATMs have readily available numbers inside.

So how did the global ATM Industry Association respond?

By boasting of how many ATM transactions DON’T end in fraud, and spreading the good news for cardholders that boosted encryption at ATM terminals—well, at least when it’s applied—has pushed most of the reported debit card fraud onto POS terminals and merchant IT systems.

In a press statement, Lana Harmelink, international director of the ATM Industry Association, cited “proactive ATM security”—notably, the implementation of Encrypted PIN Pads (EPP) and Triple DES Encryption (Triple DES)—as a reason that consumers need not be worried about ATM fraud. “As a consequence of TDES and EPP, criminals shifted their focus” to stealing PINs and card data from POS and pay-at-the-pump terminals, as well as merchant IT systems. “In these cases, the ATM is simply used as a means to retrieve cash; it is not the point where the cardholder's card number and PIN were stolen or copied, and in no way represents a threat to consumers,” she says.

But such a statement avoids the obvious: ATM fraud is real, and ducking that fact helps no one, including the ATM Industry Association’s members. Is ATM security going to the dogs?