The Monsters Within
Brunner et al (2004) states that the ATM fraud is not the sole problem of banks alone. It is a big threat and it requires a coordinated and cooperative action on the part of the banks, customers and the law enforcement machinery. The ATM frauds not only cause financial loss to banks, but they also undermine customers’ confidence in the use of ATMs. This would deter a greater use of ATM for monetary transactions.
The CBN in exercise of the powers conferred on her by section 2(d) and 47(2) of the CBN Act 2007, to promote and facilitate the development of efficient and effective systems for the settlement of transactions, including the development of electronic payment systems, thus issued the guidelines on Operations of Electronic Payment Channels in Nigeria in June 2020 which supersedes that of 2016 on the same subject.
These guidelines speak to the operational modalities and regulatory expectation of the apex Bank. However, the audit process of one of the channels (Automated Teller Machine) would be the focus of this article in view of the increasing fraudulent activities by both staff members of banks (operators) and external users of the ATMS as well as non-adherence or inadequate adherence to the regulatory requirements as established by the CBN within the June 2020 guidelines on ‘Operations of Electronic Payment Channels in Nigeria’.
AUDIT OF ATMs E-CHANNEL – RESPONSIBILITY HIGHLIGHTS
It would be worthy of emphasis here that ‘Audit of ATMs’ as part of the E-channels Payment System; used to be viewed as the duty of the Information System Audit to critically audit the process. In view of the dynamism of the Internal Audit profession, Deposit Money Banks often times are implored by CBN to get staff of relevant units within Internal Audit Division – Head Office Audit, Branch Audit, Revenue Assurance, Monitoring & Implementation to get on the trail and be conversant with information systems and cybersecurity related audit. This is because the audit of electronic businesses (ATMs inclusive) do not lie with Information Systems Audit Unit alone.
2.1 It does appear real sometimes for Internal Auditors not to be conversant with the processes they review; these are due to the inherent manpower challenges bedevilling virtually all departments and divisions across Deposit Money Banks (DMBs) in Nigeria; where times for trainings may not be fully achieved as part of Internal Audit planning prior to client engagements. Thus, this graphic presentation of components of the ATMs and what Internal Auditors responsibilities are.
FRONT-END (CUSTOMERS’ SPACES)
Automated Teller Machine has two inputs devices and four output devices as listed and explained below:
CARD READER
The card reader captures the account information stored on the magnetic stripe on the back of an ATM/debit or credit card.
The host processor uses this information to route the transaction to the card-holder’s bank.
KEYPAD
The keypad lets the cardholders tell the bank what kind of transaction is required (cash withdrawal, balance inquiry, etc)
The amount to be withdrawn and the mapped account on the card (savings or current to be withdrawn from).
The bank requires the cardholder’s personal identification number (PIN) for verification.
The output devices within the front end of an ATM are:
SPEAKER
speaker provides the cardholder with auditory feedback when key is pressed.
DISPLAY SCREEN
The display screen prompts the cardholder through each step of the transaction process.
Some machines (leased – line machines)
EAGLE EYE Q4, 2022
commonly use a monochrome colour CRT; that is the cathode ray tube (CRT) display.
While dial-up machines, usually use a monochrome or colour LCD; that is liquid crystal display (commonly found on laptops’ screens).
RECEIPT PRINTER
The receipt printer provides the cardholder with a paper receipt of the transactions; providing cardholders with evidences of transactions, time, amount and date as well as the location of the ATM terminal.
CASH DISPENSER
The heart of an ATM is the safe and cash- dispensing mechanism
The entire bottom portion of most small ATMs a safe that contains the cash dispensed to customers.
BACK-END VIEW OF THE ATM
Cassettes for loading sorted cash notes
Cassettes.
CAN CASH THEFT BE SUCCESSFUL AT THE END OF THE TERMINALS?? YES!
B A C K –
e-journal application.
PECULIARITY OF EQUIPMENT OWNERS MANUFACTURERS
These terminals are built by different EOMs (equipment owner manufacturers) and come with varying codes for having access to the ‘supervisory operating panel’ (SOP). The commonly EOMs terminal types commonly found in Nigeria are: (1) Wincor (2) Hyosung (3) Diebold, the newest version of Hyosung terminals used touch screen keyboards.
The back-end of the terminal comprised of the following:
£ Display screen (usually of a monochrome liquid crystal display.
£ Reject cassette
£ Trap card port
£ Cash cassette 1 – 3 and 4 in some terminals.
£ The keyboard is embedded within the LCD as it is in recent times in a ‘touch-screen format’; which enable the terminal operators (Cash Officers to load cash and issue the terminal various instructions regarding cash loading, balances and display of the Supervisor Operating Panel (SOP).
AUDIT OF ATM – DETECTING CASH THEFT BY OPERATORS
To aid detect cash pilferages on terminals, the Internal Auditors should understand these spot reconciliations, and be able to simulate same when the ATM vault is being accessed and audited.
Cash thefts or pilferages are most of the times done by the Operators from the back-end. Most often these pilferages beat Internal Auditors’ curiosity and the highest level of professional scepticisms if such Internal Auditors do not have good understanding of the nitty gritty of ATM monitoring and audit.
An insight into the process of theft controls at the backend starts with knowing what the operators know. The steps are as given thus:
(1) Upon accessing the ATM vault, put machine out of service;
(2) Display cash
(3) Clear cash (clear rejects)
(4) Add cash
(5) Reset dispenser (machine)
(6) Test cash.
Note that reject cash plus cash within cassettes would give you the remaining cash
Thus, total cash less dispensed cash would give remaining cash. The remaining cash on the Supervisor Operating Panel (SOP) must equals physical cash balance when counted by the Internal Auditor.
As a matter of exigency, the Internal Auditor should be quick to carry out the ‘test of e-journal application vis CCTV timeline. Where there is a mismatch between e- journal timing and CCTV timeline; investigative works on the Bank’s ATM may become misleading in the future. Fields validations would become diluted as there would be no basis for sampled test of transactions traces and ATM room activities as carried out by the Operators (Head of Operations or Cash Officers).
WHAT ARE THE REMEDIES FOR E- JOURNAL/CCTV TIMELINE MISMATCHES.
TERMINALS
NARRATION
AMOUNT(N)
XXXXXXXXXX
Cash figure on SOP
XXX
Cash figure on GL
(XXX)
Physical cash in ATM
XX
Shortage (GL – Physical Cash)
(XX)
XXXXXXXXXX
Cash figure on SOP
XXX
Cash figure on GL
(XXX)
Physical cash in ATM
XX
Surplus (GL – Physical Cash)
XX
At the point of commissioning the ATM, the established timeline must sync with that of the CCTV surveillance system in place.
At each service period of the terminals, the
MECHANISMS
Diebold (2002) states some ATM Frauds in a paper
titled “ATM Fraud and Security”. The following Techniques were outlined:
CARD THEFT
In an effort to obtain actual cards, criminals have used a variety of card trapping devices comprised of slim mechanical devices, often encased in a plastic transparent film, inserted into the card reader throat. Hooks are attached to the probes preventing the card from being returned to the consumer at the end of the transaction.
When the ATM terminal user shows concern due to the captured card, the criminal, usually in close proximity of the ATM, will offer support, suggesting the user enter the PIN again, so that he or she is able to view the entry and remember the PIN. After the consumer leaves the area, believing their card to have been captured by the ATM, the criminal will then use a probe (fishing device) to extract the card. Having viewed the customers PIN and now having the card in hand, the criminal can easily withdraw money from the unsuspecting user’s account
SKIMMING DEVICES
Another method of accessing a consumer’s account information is to skim the information off of the card. Skimming is the most frequently used method of illegally obtaining card track data. “Skimmers” are devices used by criminals to capture the data stored in the magnetic strip of the card. Reading and deciphering the information on the magnetic stripes of the card can be accomplished through the application of small card readers in close proximity to, or on top of, the actual card reader input slot, so it is able to read and record the information stored on the magnetic track of the card. The device is then removed, allowing the downloading of the recorded data.
PIN FRAUD
This can take the following forms:
Shoulder Surfing: Shoulder Surfing is the act of direct observation, watching what number that person taps onto the keypad. The criminal usually positions himself in close but not direct proximity to the ATM to covertly watch as the ATM user enters their PIN.
Sometimes miniature video cameras that are easily obtained might be installed discretely on the fascia or somewhere close to the PIN Pad, to record the PIN entry information
Utilizing a Fake PIN Pad Overlay: A fake PIN pad is placed over the original keypad. This overlay captures the PIN data and stores the information into its memory. The fake PIN pad is then removed, and recorded PINs are downloaded.
Fake PIN pads can be almost identical in appearance and size as the original. An additional type of overlay that is more difficult to detect is a ‘thin’ overlay that is transparent to the consumer. This method used in conjunction with card data theft provides the criminal with the information needed to access an unsuspecting consumer’s account.
PIN Interception: After the PIN is entered, the information is captured in electronic format through an electronic data recorder. Capturing the PIN can be done either inside the terminal, or as the PIN is transmitted to the host computer for the online PIN check. In order to capture the PIN internally, the criminal would require access to the communication cable of the PIN pad inside the terminal, which can more easily be done, at off-premise locations.
INTERNAL AUDITORS ROLES ON AUTOMATED TELLER MACHINES REVIEWS.
(ONSITEANDOFF-SITE ENGAGEMENTS)
The Information Systems Audit and Control Association (ISACA) stated within the Information Systems Auditing Process (ISAP – domain 1) that ”an ATM is specialized form of the POS terminal that is designed for the unattended use by a customer of a financial institution’’
4.1 Many ATMs are located in uncontrolled environs to aids to easy access to customers during and after business hours, thus becoming retail electronic funds transfer networks, transferring information and money over communication lines. It is therefore expected that the system must provide high levels of logical and physical security for both the customer and the bank’s assets. It is worthy to first understand the terminal architecture – the ATM architecture has a physical network layer, a switch and a communication layer connecting the various terminals.
The Internal Auditors roles over ATMs are as provided below:
μ Review encryption key change management procedures.
μ Review physical security measures to ensure security of the ATM and the money contained in the ATM.· Review the ATM card slot, keypad and enclosure to prevent skimming of card data and capture of PIN during entry.
μ Review the existence of in-built anti-scheming device on terminals (contact ATM support at Head Office for validation).
μ Review the existence of hard-core or physical anti-scheming device with the spot green light always on.
μ Substantive review of sampled days for dual control purposes via the use of replay-able CCTV logs, thus enabling the Internal Auditors to give reasonable assurances as to the existence of dual control. It is worthy to note that reliance on dual controls existence via names on the access log register may not provide 100% validity or evidence of dual control system.
OTHER REGULATORY MEASURES (RISKS ATTRIBUTABLE TO AUTOMATED TELLER TERMINALS)
The CBN guidelines on ‘Operations of Electronic Payment Channels requires Deposit Money Banks to take ATM channel more seriously than ever in view of the over-whelming influx of electronic frauds. In Its guidelines issued in June 2020, the CBN requires
Review physical security to prevent introduction of malware.
Review access log register into the ATM room (Indicating times when entry and exit take place into the ATM room) – adequacy of footprints of operators or cash officers.
Review the availability, adequacy, functionality of a surveillance system via closed circuit television (CCTV).
Review measures to establish proper customer identification and maintenance of their confidentiality.
Review file maintenance and retention system to trace transactions.
Review exception report to provide an audit trail.
Review daily reconciliation of ATM transactions (get ATM e-journal from ATM Support at the Head Office).
Review Segregation of duties (SoD) in the opening and of the ATM and loading of sorted cash notes, key combinations etc)
Review procedures made for trapped cum retained cards destruction.
Deposit Money Banks to ensure the following for which non-compliance would attract financial sanctions, and possible seizure of fit-and-proper approval to deploy automated terminals. These requirements of the CBN are broken down into ATM security and ATM regulatory Returns:
ATM SECURITY – (VIOLATIONS TO BE DESIGNATED AS NON-CONFORMITIES BY INTERNAL AUDITORS)
¥ All ATMs must be located in a manner that guarantees safety and security of users and confidentiality of their transactions.
¥ ATMs should not be placed outside buildings unless such ATM is bolted to the floor and surrounded by structures in order to prevent removal.
¥ Additional precaution must be taken to ensure that any network connectivity from the ATM o the Bank or switch is protected to prevent connection of other devices to the network point.
¥ Where the user of an ATM blocks his image from being captured by the camera, the ATM shall be capable of aborting the transactions. (Auditors to test self-transactions by blocking the camera, where the ATM still dispenses, then, non-conformities should be escalated).
¥ All ATMs are required to be installed with anti-skimming devices that would ensure effective mitigation against fraudulent incidents arising from external monsters or dark-web actors.
¥ Every ATM shall have cameras, which shall view and record all persons using the machines and every activity of the ATM, including but not limited to card insertions, transaction selections, cash withdrawals, card taking etc.
¥ Please note that deployed camera must not have the capabilities to record customers’ key strokes.
¥ Where a surveillance camera is deployed, it should be kept hidden from the banking public, to avoid removal or damage/compromise.
¥ Networks used for the transmission of ATM transactions must be demonstrated to have
data confidentiality and integrity.
REGULATORY RETURNS ON ATMs DEPLOYMENT
¥ The CBN shall conduct onsite checks of ATM with a view to ensuring compliance with cash and service availability. No ATM cash out is permitted beyond 48 hours.
¥ System downtime at the ATM is also not permissible as the CBN picks same as non- conformity during onsite examinations.
¥ Any institution which operates an automated teller machine shall file an updated list of such ATMs, including the detail location of their addresses with the DIRECTOR, BANKING & PAYMENTS SYSTEMS DEPARTMENT, CENTRAL BANK OF NIGERIA.
¥ Bank shall report volume and value (VAV) of transactions on monthly basis to the Director too – (monthly renditions).
CONCLUSION
The pace of fraudulent crimes associated with E- channels globally especially Nigeria deserves a concerted effort of all stakeholders. As shown within this presentation, Internal Auditors of today and the future, ought to know what the bank operators know and even beyond as well as developing strategies towards combating possible gaps before becoming critical thus leading to income leakages for the organization, as staff members due to lack of contentment and extreme pressure from the society become our MONSTERS WITHIN to be sceptical about at the ATM back-end.
Between 2019 to 2020, recorded overall fraud attempts in Nigeria increased by 187%, according to a 2021 fraud report from the NIBSS — with web (47%), mobile (26%), ATM terminals (19%), and POS terminals (7%) being the leading sources of fraud in 2020. Internal Auditors should therefore adopt a more critical cum system-based approach towards planning for the audit of branches with ATMs presence in Nigerian banks