ATM Fraud Prompts Text AlertsSingapore Bank Launches Mobile Alerts After $1 Million in Losses
See Also: 2016 Social Engineering Report
Loke Siew Fei and H'ng Gaik Chin were arrested last week after their hotel room was raided by the Commercial Affairs Department of the Singapore Police Force. During the raid, investigators discovered skimming equipment, a pin-hole camera used to record PIN entries and a fake ATM fascia, used to cover an ATM's card reader. The two now face up to 10 years in prison.
In response, DBS, one of the largest retail banks in South East Asia, last week announced plans to launch a real-time SMS/text alert service.
On Jan. 5, the bank notified its accountholders of an ATM-skimming scheme that had targeted what was thought to be only 200 customers. On Jan. 6, the bank confirmed 400 compromised accounts had been connected with the scheme, which was traced to two ATMs in Singapore. The fraudulent ATM withdrawals were conducted in Malaysia.
"Increasing evidence points to the unauthorized withdrawals as being part of a card skimming operation," the bank said. "Preliminary investigations at this stage reveal that two ATMs at Bugis street have possibly been compromised."
As a security precaution, DBS says has temporarily blocked overseas ATM transactions for customers with no overseas usage history. The bank also is advising customers update their mobile details, so they can stay informed about ATM activity via real-time alerts, which will be offered Jan. 17.
"Customers who have chosen to enable their cards for overseas use will also receive a real-time SMS alert confirming their request," DBS says.
Tom Wills, a fraud analyst for Javelin Strategy & Research who's based in Singapore, says the DBS breach garnered a great deal of public attention. "The attacks were a big deal," he says. "Offering SMS alerts to customers for ATM withdrawals is a smart move for any financial institution, because it takes advantage of the strengthened transaction security that mobile out-of-band messaging offers."
Wills talks about opportunities for mobile SMS/text alerts during a webinar he's hosting later this month entitled, Fraud Prevention: Utilizing Mobile Technology for Authentication & Transaction Verification.
Phil Blank, who works in Javelin's Security, Risk and Fraud Practice, agrees mobile technology is vastly underused as a means of communicating transactional information with consumers. He says most institutions, especially in the United States, are not keeping up with fraud trends, and they fail to adequately leverage mobile technology for alerts.
"If FIs [financial institutions] would encourage consumers to set alerts on their credit and or debit cards, a lot of this would be detected a whole lot sooner," Blank says. "Skimming is only effective if there is a delay between the time of the skim charge and the time the consumer notices it on their statement. Without alerts, the fraudsters will always have the upper hand."
DBS's move to launch SMS/text alerts for ATM transactions is innovative. Most mobile alert services have been limited to Internet banking; mobile serves as a channel to which an additional verification code for online login can be sent.
"This kind of countermeasure has most typically been deployed with Internet banking systems to thwart Trojan-based fraud attacks, but it can work very effectively in just about any transaction environment," Wills says. "This flexibility offers FIs a good way to leverage their investment in a customer alert system."