Posted by Mark Brousseau
An interesting article by Diebold from the Self Service and Kiosk Association Web site:
Is consumer remote deposit capture right for every financial institution?
by Robert MacMahon
26 May 2009
Since the inception of Check 21 in October 2004, adoption of remote deposit capture has been steady among financial institutions that cater to business customers.
According to Celent, 75 percent of all U.S. FIs are expected to be remote capture-enabled by the end of 2008. With the rapid and widespread embrace of commercial RDC, many financial institutions are interested in exploring the new frontier of this capability: consumer remote deposit capture.
Technologies are now available that enable FIs to securely process checks sent via ordinary scanners, thus opening the doors to RDC for consumers and small business owners. On this front, Celent says that 7 percent of FIs report already having either a complete solution or a pilot program up and running; meanwhile, 15 percent report plans for a consumer RDC solution and 22 percent say they would consider such a solution.
For many FIs contemplating this offering, questions still abound. To determine whether a consumer RDC program is right for your institution, and to ensure a smooth execution, a few key steps should be followed.
Identify your customer base
To assess the potential for success with a consumer RDC program, it is important to first evaluate your existing customer base, as well as potential new customers. For customers acclimated to off-hour banking solutions such as online banking, or for those who live far from a branch, consumer RDC could be a welcome offering. Evaluating your customers can also help you analyze overall risk and define the ideal customer to target in your marketing efforts.
Qualify your customer base
Diligent "know your customer" policies are extremely important in consumer RDC programs. While advanced safeguards are incorporated in the software developed for these programs, mitigating risk lies largely in the hands of the FI. Take inventory of the risk management controls that are currently in place at your institution, and consider a risk strategy designed specifically for a consumer RDC program. First and foremost, you'll need to set criteria to determine a customer's eligibility for this offering. For example, prerequisites for access to a consumer RDC application could include good credit and a long and positive history with your institution.
Take inventory of your security and monitoring capabilities
As previously mentioned, consumer RDC software solutions should include security features that allow your FI to control the flow of remote deposits in real time and customize the security criteria. This ensures that any deposits submitted for processing that do not meet the set standards are flagged and held until cleared by an authorized employee.
The crucial element then becomes identifying designated and qualified staff to monitor and control the software. Smooth deployment depends on your employees' understanding of and adherence to all protocols related to your RDC program.
Deploy your consumer RDC program
The final element of a successful consumer RDC program is smooth integration of the application into your FI's existing system. The key to a seamless inclusion of a consumer RDC program is that the software is easily installed and integrated into other back-end processes. Furthermore, the application should be easy and straightforward for the end user to encourage adoption among your target customers.
As the most rapidly adopted technology in the history of the financial services industry, the potential is there for remote deposit capture to become a successful consumer application. As with any new technology, before considering a consumer RDC program for your institution, several factors must be taken into consideration. With a firm understanding of your institution's customer base, risk controls, employees and, last but certainly not least, the technologies and processes through which you plan to execute the program, a successful consumer RDC program launch is within reach.
Robert MacMahon is senior business development manager of payments and imaging solutions for Diebold ImageWay, the deposit automation and imaging division of Diebold Inc.
Wednesday, May 27, 2009
Monday, July 7, 2008
ATM Hack Reveals Security Woes
Posted by Mark Brousseau
An interesting article from the Associated Press about ATM security challenges:
Citibank ATM breach reveals PIN security problems
By JORDAN ROBERTSON
The Associated Press
Tuesday, July 1, 2008; 4:39 PM
SAN JOSE, Calif. -- Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs -- the numeric passwords that theoretically are among the most closely guarded elements of banking transactions -- by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption -- which means encoding them to cloak them to outsiders -- some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed to be sacrosanct -- what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.
That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.
All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines -- which means they had carte blanche to grab information -- through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice -- sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.
"This was fairly large, but I don't think it's anything out of the ordinary -- these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."
The alleged plot is outlined in court papers supporting the prosecution of three people -- Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.
"Fiserv," she said, "is confident in the integrity and security of our system."
Labels: atm, Brousseau, data security, debit card, hack, PIN, TAWPI
Friday, November 16, 2007
Remote Channels Drive Growth
By Mark Brousseau
U.S. bank transactions are expected to grow at a compound annual rate (CAGR) of nearly 10 percent between 2006 and 2010, according to Needham, MA-based TowerGroup. Driving this growth are remote channels, with the fastest rates coming from online (27 percent) and the call center (7.1 percent), followed by the branch (still kicking at 1.4 percent) and the ATM (0.5 percent).
Is this what your bank is projecting? E-mail me at m_brousseau@msn.com.
Labels: atm, bank, Branch Capture, Brousseau, call center, online banking, TAWPI