Tech

How Cyber Criminals Clone ATM Cards, Fleece Bank Customers Of Savings

How Cyber Criminals Clone ATM Cards, Fleece Bank Customers Of Savings

• Bank officials responsible for most frauds – ICT, legal experts

• Ex-NBA chief recalls how bank duplicated client’s corporate account for fraudsters

• How to identify compromised ATM, PoS machines

On November 3, Ayo, a freelance journalist, was in the comfort of his room drawing a list of what he would need for his impending wedding and to set up a business for his wife to be. For these, he relied mainly on the money he had saved from his toils over the years.

But while he was busy drawing the items, his phone was being hit by messages in quick succession, but he was too engrossed with the task at hand to be distracted by them. By the time it occurred to him to check the short messages on his phone, he realised, to his chagrin, that they were debit alerts from his bank. The money he had banked on for the execution of his plans had been pilfered from his account. Surprisingly, the message in the debit alert indicated that the withdrawal had occurred two days earlier (November 1).

Ayo’s major shock was how it was possible for a third party to withdraw money from his account while he had his ATM card and mobile phone with him.

“When I went to my bank to complain, they searched and found that the money was withdrawn through a modern online payment system. I subsequently reached out to the company and they confirmed what the bank had told me,” he said.

Lamenting the situation, he said: “They have spoilt all my plans. They have returned me to ground zero. Where would I start from again?”

Checks with security and banking experts revealed that Ayo’s experience was one in the long list of ATM cards cloned and used to steal money from the accounts of innocent bank customers. According to ICT experts, most of such crimes are done with the connivance of bank officials.

Bakare, a colleague of the reporter, also tasted the bitter pill recently. He was also at home with other members of his family on a weekend when text messages started hitting his phone in quick succession. By the time he checked, he found a long list of debit alerts. His entire savings had gone.

He said: “I was troubled and kept wondering what could be going on. My phone was not stolen and my ATM card was also with me. So, how could my money have been withdrawn?

“When I went to the bank to complain, they asked if I transacted business with anybody, and I said no. They asked if I gave my ATM card to anyone and I also responded in the negative.

“They did some search and told me they found that the money was withdrawn in Maryland. When they said so, I thought they were talking about the Maryland in Lagos but they said it was the Maryland in the US!”

Unlike Ayo, who at press time was still battling to recover his money, Bakare said the bank immediately refunded his money.

“I guess they found out it was an internal fraud. So to avoid embarrassing themselves, they refunded the money so that the matter would die naturally.”

But another victim, who identified herself simply as Mummy Rachael, was not as lucky.

She said: “I had gone to Lagos Island to buy goods and make payments, so I went to an ATM point to withdraw money, after which I left for my house.

“Later that night, I started receiving debit alerts on my phone. Goose pimples enveloped my whole body immediately. I reported but nothing came out of it.”

ICT experts said she could have been a victim of an ATM machine that had been compromised.

Yet another victim, Abel, suffered a similar fate after he lost his ATM card but ignorantly did not block or retrieve it.

He said: “I did not see any need to block it because there was no money in the account.

“Unfortunately, I asked someone to send money to me, not knowing that some fraudsters had taken possession of the card.

“Shortly after the money was sent to me and I got an alert, I started receiving debit alerts. They cleared the whole money.

“It was after that ugly experience that I blocked the ATM card.”

Of course, Abel’s loss could be blamed on ignorance. But how would one describe that of Ogonna, a kinsman of the reporter had a massive loss to fraudsters.

Ogonna had received a call from fraudsters pretending to be bank officials, requesting that she should provide her ATM details to help rectify some problems with her account.

“Once I provided the details, they cleared all the savings I had made in 10 years. It is one hell of experience I hate to talk about,” she said regretfully.

ATM cloning not limited to Nigeria
Online checks revealed that ATM cloning is a global issue.

Writing on lovemoney.com, Felicity Hannah, a Briton, raised the alarm about card cloning as she recalled how her husband lost his savings to cyber criminals.

She said: “Last week, we saw how this kind of fraud works first hand. My husband received a text from his bank asking if he really was buying £950-worth of stuff in Sports Direct.

“Since he was at work (and isn’t exactly a fan of sports fashion), it was fairly obviously not him. But what confused us was that his card hadn’t been stolen; it was still in his wallet. And we take card security very seriously.

“When paying in shops or restaurants, he knows not to let the credit card out of his sight and he certainly hadn’t used any disreputable website – the only recent purchases had been booking a holiday on a travel comparison site and paying for a book on Amazon.”

How your ATM card can be cloned
Some ICT experts shared with The Nation how cybercriminals clone ATM cards.

One of the experts said: “There are many ways an ATM card can be cloned. There is a device they can slip into the ATM that will read your card and give them the details.

“There are people who could stand at a distance and see how you punch in your details. If they get your card number with the pin, they can activate it.

“Another is when you hand over your card to a PoS operator. He is putting your card in a machine which to you looks like a PoS but might be a machine that reads the details on the card.

“It is up to the authorities to find all the different ways. Any system you use can be breached. Nigerians have not yet met real hackers.

“One of the ways we are open to fraudsters is when you are buying things online and you are entering your details.

“Sometimes, some people put a fake site where you enter your details thinking that you are buying things. Suddenly, it will tell you “error” without you knowing that they have collected your details and they will start using it.

“The field is so open and so wide.”

Another expert, Mr Olusola Teniola, said : “You can fall for this incident even when you claim to have your ATM cards with you and your pin or signature attached to the phone have not been disclosed. Unfortunately some ATM machines, if they have cloning devices attached at the point of card entry into the machine, they can copy your ATM information, which is the card number.

“They can, through hacking techniques, get your pin number associated with the card.

“The most prevalent is that as a society we tend to in some cases give sensitive and private information to others to carry out transactions on our behalf without knowing that you are now exposing not only your ATM number but also the pin to a third party and that third party may share the information through their contacts.

“That is the easiest way to get people to clone your ATM card and use it without your knowledge.”

Bankers behind most ATM card frauds —ICT, legal experts

Relying on their wealth of experience, some ICT experts told The Nation that bankers are responsible for most ATM card frauds.

One of them, Bayo Banjo, said: “Most bank frauds are insider jobs. We haven’t had a situation where professional hackers would come and do everything from outside.

“The most common is from within the bank and the next is about being careless with your card.”

He described Ayo’s experience where the fraud was said to have been committed using an online payment portal as strange.

He said: “It could be that a staff of the online payment organisation is lifting details. How can someone duplicate that if it is not an insider’s job?

“If no code was sent to the owner of the account before payment was made, the first person they should hold responsible is the online portal.

“That is why every company that handles payment portals that read your card has to get thorough approval and have so many safety methods.

‘For instance, Interswitch will send a code by SMS to process transactions. But other ones that are external to the country are not detailed. They will just take your card number and the three digits at the back and the computer will check that the name matches the expiry date matrix.

“With those ones, you can read the details of someone’s cards. The banks should also put in place necessary control so that they can tell where the fraud is coming from.”

Former Second Vice President of the Nigerian Bar Association (NBA), Monday Onyekachi Ubani, shared Banjo’s line of thought.

“It is clearly sometimes the collusion of bank officials,” he said.

“The moment this thing happens and you come to them, they will first of all accuse you of compromising your pin. It is always the first accusation they will haul at you and you will begin to defend yourself. It then becomes my word against your own.

“But most times, if a deeper investigation is carried out by the security agencies, it will actually underpin those that are behind this criminal act. Most times, the banks don’t even give out information for that comprehensive investigation to be done.”

Ubani proceeded to share a disturbing experience of how a bank used his client’s details to open an account for suspected fraudsters.

He said: “I have a particular case now and, in fact, we are filing the suit this week against a bank where my client has a corporate account. The bank went and opened the same corporate account to fraudsters who are using that name to dupe people of various sums of money running into millions.

“The People they dupe will pay big money into the fraudulent account and they (fraudsters) will pay about N100,000 into the genuine account. They were doing this in collusion with the bank officials.

“Before you know it, they will empty the fraudulent account and take out all the money. The person who has paid the money would complain to the police who will block our client’s account.

“My client will say I never had any dealings with this person that paid N100,000. Meanwhile, it is the same company’s name. When you go and check this company’s name, it will be changed to an individual’s name in the same bank.

“Meanwhile, the payer would have paid into a corporate account. There is no way that would have happened without an insider’s collusion.

“Luckily for us, we have a print out where this money was paid into the company’s account. The bank has quickly paid the lawyer who is coming to give evidence in our favour.

“There is a lot of evil going on in the banking sector. Bank officials now take undue advantage of the fiduciary relationship of trust. Bankers we used know were the most trustworthy people on earth.

“When you begin to have armed robbers in the banking sector, you know that that bank is not safe and people’s money is not safe.”

Lamenting the magnitude of compromise in the banking sector, Olusola Teniola, an ICT expert, advised that banks must adopt what he called four eyes system to check internal fraud.

Teniola said: “Banking is about trust. They have to ensure that their staff or employees have effective background checking.

‘The system that they actually adopt into their processes or business model should be able to have what I call four eyes. By this I mean there shouldn’t be an individual with a pair of eye carrying out sensitive operations without someone else overlooking it.

“The four eyes principle is the most effective way to find out if there is connivance. There is no way two people can deny a crime. It is easier for one person to deny and the other one knows that they committed the crime.

“The four eyes principle is the best way I think banks would have adopted in addition to ensuring that the systems are operated by trustworthy employees.”

He implored banks to move from using text message and emails to alert customers to fraudulent practices to embarking on mass campaign, using local languages.

“We are in a society that is evolving. Our educational system needs to be improved because we have a high percentage of young people who cannot read and write. The jingle of speaking in their dialect is much more appropriate in terms of communicating than using text messages in English.”

How to identify compromised machines

Explaining how to identify a compromised ATM machine, Illinois Bank & Trust in a post said the first step is to know what to look for and know the different kinds of skimming devices.

The Federal Deposit Insurance Corporation (FDIC) has recommended the following on knowing what to look for:

Card-reader overlays – The most common ATM skimmer, and perhaps the easiest device to detect, is the card-reader overlay. It is made of plastic and fits over the slot where you insert your card. As you insert your card, the device reads the data from your card and stores it. Before inserting your card, look at the card reader for signs it has been altered, loose, crooked, damaged and if your card doesn’t easily slide into the machine. Other possible signs could include glue, adhesive tape or other signs of tampering. The plastic around the card reader should look permanent and professional. All pieces should be securely affixed to the machine.

Hidden cameras – While banks typically have security cameras near their ATMs to keep an eye on the area, thieves sometimes hide tiny cameras on or around ATMs. There are instances where the camera could be inside the device. Also, know that business and financial institutions do not point cameras toward the keyboard.

PIN-capture overlays – Criminals have been known to attach dummy keypads over an ATM’s real keypad to record and capture PIN numbers as they are entered. The keypad might be fake if it looks too thick or different from what you’re used to seeing.

Fake ATM faceplates – Some thieves go as far as placing a fake ATM cover that could contain card-reader overlays, hidden cameras and PIN-capture overlays over some or all of a real, fully operating machine. Look for flaws like loose wires, seams that are not flush and key pads that look out of place.

CBN mum, security expert, police react

The Central Bank of Nigeria (CBN) has refrained from commenting on the menace. The Director of Corporate Communications, Osita Nwanisobi, after asking that questions on the matter be sent to him, declined response to subsequent calls and text message.

A security expert and university don, Dr Bala Abdulahi Husaini, in a chat with our correspondent lamented the rising cases of ATM cloning.

Husaini said: “It is a global phenomenon. The country is lacking in cyber experts. It is a new development here, but on the global scene, it had been there and they have been able to mitigate it to a certain level. Here we don’t have much people who can do that.

“I was able to interview someone who is also a guru in that. He told me he can hack any bank he feels like hacking just for 10 minutes. He said whatever transaction you are doing with that bank will go to his account and you will receive alert and that there is no way they can trace that one.

“If we can have these people, it can also help in mitigating the crime.”

He added: “If you have an ATM card that has not been configured and you put it in a fridge to get to a certain degree Celsius, you can use it to withdraw money. It works. Nothing is hidden now in this global village.

“I know of someone who can recharge your phone by hacking telecommunications providers’ systems. Once he does that, you will see the alert of any amount he feels like giving you on your phone. I argued with him and he tried it on my phone and it worked.

“When you go to a shopping mall, you buy things slotting your card into the machine that also has memory. It stores your information. If they like, after you must have left, they can retrieve your pin number and start using it to your detriment.”

Efforts made to speak with the spokesman of the Nigerian Police, Frank Mba, were unsuccessful as he did not respond to the calls made to his phone.

The spokesman of the Lagos State Police Command, Muyiwa Adejobi, however told The Nation that the IGP had just launched a Cryptography and Cyber Crime Unit in Abuja to tackle the problem of cybercrime.

He said: “I am sure various offices have been handling cases like this, including the Lagos State Police Command. Many of our units have been on most of these cases.

“We have ICT and forensic experts who have been handling cases like this. The police have arrested many of the fraudsters. In fact, some of them are in our custody in Ikeja now. We have been arresting them and we will continue to arrest them.

“The police as an institution have established anti-cybercrime office in Abuja. When we have cases like that, we will always be in touch with them to do proper investigation for us.

“Besides that, we have the Technical Intelligence Unit (TIU) in Abuja, which runs certain investigations on issues like these. We sympathise with the victims. The police with the establishment of these units know what to do. They will be liaising with the CBN and other banks to see what we can do to forestall other occurrences of this crime.

“If someone’s money has been withdrawn illegally and you don’t report to the police, we would not be able to know.

“All cases must be reported to the police so that we can have a very good statistics of these crimes to help us appraise our strategies and develop other strategies to curtail them.”

ALSO READ:  FG Declares May 29 Work-Free Day