Several people across, the country, have reported being victims of ATM fraud within the last few weeks.
Some reported that amounts of Rs. 80, 000 and more, were missing from their accounts. Banks, (to their credit - no pun intended), during the same period, took steps to cancel the defrauded ATM cards and inform the victims that the missing amounts will be deposited to their accounts within a week. The Sunday Observer learns that according to the information received by the CID, on January 20 one suspect of Chinese nationality, was arrested in the Colombo Fort Police Division on Chatham Street. The following day yet another Chinese suspect was arrested in the Wellawatta area.
Following their trail, in the early hours of February 3, a Romanian national was also arrested in Panadura, in connection with the same case. The Criminal Investigations Department (CID) was able to recover over 200 forged ATM cards, cash amounting to around Rs. 1.2 million in their possession, and two gadgets used to steal information from ATM machines, from these suspects. The two Chinese suspects have been remanded till February 13, after being presented to the Colombo Fort Magistrate while the Romanian was remanded till February 18 on the orders of the Panadura Magistrate. The trio had concealed their identities from the CCTV machines by using caps.
When Indrajith Kumar *, an IT professional from Wellawatte, attempted to withdraw money from his account he was perplexed to see his ATM card being blocked. It was Wednesday, February 6 morning and he was on his way to work. He then checked his previous transactions on SMS banking alerts he has subscribed to. He was shocked to see the most recent transaction. “ My heart sank. Rs. 80,000 was withdrawn from my account, and I didn’t do it,” he said. The transaction was made on Sunday at 8.48 am from RITZ Borella RM, Colombo. Kumar immediately called his bank, and the official he was transferred to said there had been a fraudulent transaction, assured him that the full amount will be deposited into his account within a few days, and promised a new ATM card in place of the old one. That day Kumar had to borrow money from his colleagues for his day’s expenses. “ATM scams (or frauds) happened in the country in the past, but now we see that the criminals are using newer technologies to hack into people’s accounts,” says Ministry of Digital Infrastructure and Information Technology’s Information Security Engineer, Ravindu Meegasmulla. He said that banks and ATM card users need to be more vigilant of such illegal activities to protect themselves. “These criminals involved in cyber thefts are several steps ahead of the government or regulatory Bodies. They use new technologies that can bypass security systems used by banks,” claims Group Executive Director of the Center for Integrated Communication Research and Advocacy(CICRA) Vasana Wickremesena. He said that although ATM thefts were reported in the country in the past, the much-advanced hacking mechanisms now used, are likely brought into the country by foreign nationals. Cyber crimes using new technologies have increased along with the hike in the number of of foreigners visiting the island.Most often criminals are likely to wear helmets or jackets (any clothing that would conceal their faces), and hang around near ATM machines, to observe their victims as they enter their pin numbers when making withdrawals.
The criminals would then steal the same ATM card to make the fraudulent transaction. In other instances, criminals would pose as ATM machine operators, offer to assist the victims to make their transaction. Record the data, and later use the same data to withdraw money from the accounts. Both these techniques are still being used by criminals. However, now ATM frauds have evolved with the flood of new technologies and equipment.
Wickremesena of CICRA explains how ATM crimes are carried out- hackers or criminals would buy duplicate cards that are available in the market. (These cards are available for legitimate reasons, such as duplicating a hotel room’s keycard). The criminals will use various methods to collect ATM card information. They fix a piece of equipment (also known as skimming devices or skimmers, or malicious card readers), at the payment terminal.
Whenever a victim enters the ATM card into the terminal the skimmer will harvest the information and store it. A tiny camera is fixed near the payment terminal, usually on a leaflet holder or close to the keypad itself to record the pin number.Using the data stored in the skimmer the criminals will duplicate or clone the ATM card, and use the recorded pin number to make withdrawals.
Police Spokesman SP Ruwan Gunasekara said the CID commenced an investigation several weeks ago after receiving information that a group of individuals were stealing security information of both ATM and Debit Cards in a bid to defraud card owners. (He is referring to the recent theft where the two Chinese nationals and Ukrainian were involved).
“They were attaching a gadget (skimmers) on to the cash points similar to that of the portal used to enter cards into the ATM machines. The gadget would record the security information including the Pin number and card number.
This information would then be transferred to the mobile phones of the suspects who were then making fake ATM cards with the stolen information, in order to steal money from the accounts of the unsuspecting card holders.”
He advises the public to inform the closest Police officer or Police station if they come across any individuals acting in a suspicious manner near ATM locations. In addition, it is advisable to activate the SMS banking alert system where the user will be notified about any transaction that takes place through a certain account via a text message. “One also needs to keep a close eye open for skimming devices. They are usually fixed near the keypad of the ATM machine, and also for cameras. They are fixed on leaflet holders or somewhere on top of the keypad,” advises Financial Sector Computer Security Incident Response Team (FINCSIRT)’s Manager Loshan Wickramasekara. He says people should avoid using public wifi or internet services, as hackers can easily access private information through unprotected internet systems.
Sri Lanka Computer Emergency Rendiness Team (SLCERT’s) Ravindu Meegasmulla says, “Another thing people should stop doing is using credit or debit cards to make payments at hotels or petrol stations. They trust a worker at these places and hand over the card, and stay inside the car, or at the table, till the transaction is done.
These are situations that can be used by criminals to record Card data.” He further adds that the customers have the right to see how the card is being used at such places. “ATM scams can happen to anyone, the best thing to do is be vigilant and use protective measures”.
Issuing a press release mid -week the Central Bank of Sri Lanka stated, to mitigate efforts made by criminals to ‘steal customer funds from their accounts’, ‘international Payment Card security standards and best practices have been adopted in Sri Lanka’s ATM’s. The banks are opting to issue cards with an electronic chip known as the EMV.The Central Bank further advised that, “The EMV enabled cards carry an electronic chip which is visible at the front of the card,” and “if the card used by a customer is not EMV enabled, a request can be made from the relevant bank to issue an EMV enabled card.”
k Name changed upon the request of the source.