ATM Scheme Spurs Government ActionSingapore Banking Regulators Demand Stronger Fraud Controls
Authorities in Singapore have added more charges to two men arrested for their alleged roles in a $1 million [U.S. $774,594.06] ATM-skimming scheme that hit nearly 700 DBS Bank customers. [See ATM Fraud Prompts Text Alerts .]
Loke Siew Fei and H'ng Gaik Chin were arrested Jan. 12, after a hotel raid conducted by the Commercial Affairs Department. Authorities busted the two men for a skimming device they are accused of placing on an ATM located in nearby Bugis Village.
Now authorities in Singapore say Fei and Chin also created counterfeit cards for fraudulent ATM cash withdrawals, then used skimmed card details to access DBS customer data. The two had already been linked to numerous unauthorized withdrawals made earlier in the year, which authorities now believe totaled at least $23,000.
Each could be fined up to $50,000 and ordered to spend up to 10 years in prison.
Shortly after the attacks and outcry from the public, DBS, one of the largest retail banks in Southeast Asia, launched an SMS/text alert service. The service aims to notify customers when transactions hit their accounts. Shortly after DBS's announcement, other banks in Singapore followed suit.
Tom Wills, a fraud analyst for Javelin Strategy & Research who's based in Singapore, says the compromise of the account data was a so-called "residual" effect. The compromised information used came from the same batch of stolen card numbers used for the fraudulent withdrawals.
Nevertheless, regulators in Singapore are taking the issue seriously.
Singapore Government Takes Action
In January, the DBS incident spurred the Association of Banks in Singapore to push adoption of the Europay MasterCard Visa chip standard. All card-issuing banks in Singapore have now been directed to replace magnetic-stripe cards with more secure chip technology. The migration is expected to take place over the next two years.
ATMs and POS systems will be upgraded as well - a move that is expected to significantly cut losses linked to ATM skimming.
Earlier this month, Singapore's Parliament asked the Monetary Authority of Singapore what banks in the country were doing to address fraud in the wake of the DBS ATM attacks. The MAS says all financial institutions in Singapore must have risk management processes and security controls in place to safeguard their systems and operating capabilities.
"Banks are putting in place additional layers of security to enhance the protection of their customers' bank accounts," the MAS said in its reply to Parliament. "These include disabling overseas withdrawals, unless requested by the customer, SMS alerts for cash withdrawals above a certain threshold, and replacing ATM cards that are assessed to be at risk. Banks are also strengthening their internal surveillance. MAS has urged banks to implement the new measures as soon as they can."
Wills says most banks in Singapore are making moves to comply, and many have already responded by launching SMS/text alerts for ATM withdrawals. On the EMV front, migration will be a bit slower.
"That takes time," Wills says. "The security hole is still open until then."
While Singapore's card market is small, Wills says other markets should learn from the DBS example. "Offering SMS alerts to customers for ATM withdrawals is a smart move for any financial institution," he says. "It takes advantage of the strengthened transaction security that mobile out-of-band messaging offers."
That said, Wills is quick to point out that payments fraud in Singapore remains relatively low, especially when compared with the U.S., where the prevalence of cards and ATMs is more widespread.
Wills talks about opportunities for mobile SMS/text alerts in a webinar hosted with BankInfoSecurity earlier this year, Fraud Prevention: Utilizing Mobile Technology for Authentication & Transaction Verification.