What intrigued me one headline, and this comment in the body.

But most consumer advocates would be delighted if the Commons finance committee succeeds in getting an ATM cost breakdown from the banks.

Source: TheStar.com – Business – Convenience at what cost?

If they saw the costs in running ATM’s, this would hurt not help their argument.  I would speculate that the costs would be in the billions when you aggregate all the Banks’ data.

If they were serious about ATM fees they should include the entire Canadian ATM fleet of 50K machines, not just the 16K Bank machines.  This would make the example more credible.

Some stats on Canadian ATM’s from the article:

ATM use across the country

Canadian banks operated 16,160 ATMs in 2004. That dropped to 15,960 in 2005, but rose to 16,190 last year.

The ATM network in Canada (including non-bank or “white label” machines) has expanded substantially. The total was 51,097 in 2005, up from 42,773 in 2000.

ATM cash withdrawals fell to 691.8 million in 2005 from 875.1 million in 2000, a decline of about 20 per cent.

Fewer ATM withdrawals are partly due to consumers using cash-back features at retail point-of-sale terminals, bankers say. Surveys show 65 per cent of people who used debit cards for purchases have asked for cash back, from 54 per cent in 2000.

If the banks gave up, or reduced, ATM fees, maybe implicitly Ottawa is saying, ‘We might look more favourably on you as an industry if you come to us looking for changes in the Bank Act,’ ” he said.

Source: Canadian Banks & Insurance

But all those arguments fall on deaf ears.  Especially in Canada, the weight of opinion will not hear that rationale, and especially not ordinary citizen opinion.

This is the ideal opportunity for a Bank(s) to break away from consolidating their views through the Canadian Bankers Association (CBA) and take a lead position.  Everyone is fighting for market share, and also fighting to retain revenue.  Will market share be improved by taking a common defense?

Question I would ask:  what is the market share benefit of elimination of fees?  This is an interesting business case.

Jim Flaherty, the Finance Minister, has asked for a “direct” answer from the CEOs of the country’s biggest banks regarding their ATM fee regime. But the best consumers can hope for is that Mr. Flaherty’s pressure will force the banks to roll back fees. That’s because Ottawa does not regulate the day-today pricing of financial services products

Source: Canadian Banks & Insurance

What a great opportunity for differentiation.  In Canada each Bank charges customers of any other Bank a $1.50 fee for using their ATM.  At first this seemed brilliant because the penalty is against the other Banks’ customers.  However as time goes by, the opposite happened as customers interpreted (subliminally) those fees as a sign of Bank oligarchy.

Need to find an ATM machine? 

A new cell phone service from MasterCard provides cardholders with a mobile, location-based search and directory service so they can request to have the location of the nearest ATM sent to their cellular phone via an SMS text message.  ….

The voice-activated ATM Locator application is provided by Convergys Corporation, which built the application for MasterCard. Hosted on Convergys’ SpeechPort ‘platform, incoming calls are received and processed. …

It then sends the caller’s coordinates to MasterCard, which in turn accesses and provides ATM locations from a central data bank.

Source: Bank Systems & Technology : Need Cash? Texting Service Locates ATMs

CIBC officials say that most of the 1,200 cash machines knocked offline yesterday are working again. But a few hundred machines, mostly in eastern Ontario and located in convenience stores are still out of order. The outage occurred during a routine upgrade of a software program, bank spokesperson Rob McLeod said.

Source: TheStar.com – CIBC ATM’s back online

I understand from sources, that the few hundred still down have to be individually visited to have a software change made at each individual location.  This highlights the need to have all machines networked over TCP/IP with central software management, which CIBC doesn’t have for these locations.  That means each ATM must be visited individually to correct their problem, causing costs, and delays.

Link to NatWest – Mobile Phone Top-up Demonstration

tags: flash+demo

Over the last two years, the search for a new model has prompted many deployers, particularly financial institutions, to re-evaluate the role of the ATM: is the ATM purely a cash dispenser, or is it a strategic customer delivery channel?

Source: New ATM Study Reveals Evolving Business Model, Diverging Strategies; Analysis of Bank, Credit Union and ISO Deployers Provides the Most Comprehensive Assessment of the State of the U.S. ATM Industry

A confluence of factors have driven Banks to re-consider their ATM strategy.

Deployment growth was outpacing transaction growth, resulting in declining per-ATM transaction levels — particularly foreign acquired transactions (i.e., revenue-producing transactions performed by another deployer’s cardholders). Declining revenues, coupled with fixed or increasing costs driven by regulatory requirements (e.g., Triple DES) and increased rent and cost of funds, were putting increasing pressure on ATM deployers’ profitability. As a result, the ATM industry was in search of a new model.

I would add to the list of factors contributing to the change, that of machine obsolescence and the cost of replacement. One network fleet I am familiar with is costing over 100 million dollars, and that network is in the smaller side.

The main factors can be summarised as:

• machine replacement costs
• regulatory costs, including triple DES, customer access, and chip card
• growth of third party ATM fleets (in Canada, third parties are 60% of the overall total of ATM’s
• software upgrade from Windows on the ATM’s to upgraded software on the switches
• changing customer behaviours resulting from surcharging

The survey goes on the make some some interesting points in detail.

1. ATM’s and Transaction Volumes

The average number of monthly transactions per ATM, a key industry metric, varies significantly depending on the type of ATM deployer and the location in which an ATM is placed. Financial institutions’ on-premise ATM’s currently average 3,651 transactions per ATM per month, compared to 1,807 for their off-premise ATM’s and 329 for ISO ATM’s.

2. ATM Functionality – Customer Relationship Management (CRM) & Check Imaging

Most of the advanced features currently offered by deployers are banking functions, with shared deposits, domestic account-to-account transfers and mini statements topping the list. Going forward, however, most deployers are focusing on advanced marketing and CRM functionality that will enable them to tailor the user experience to individual cardholders and strengthen their customer relationships and cross-selling capabilities. Deployers’ top three areas of interest for future advanced functionality are targeted marketing campaigns, product offers (e.g., credit card solicitations), and cardholder preferences.

3. Migration to Windows and Advanced Software

Although no longer sold, OS/2 continues to dominate the ATM landscape, with the majority of ATM’s — 58 percent — currently running on OS/2. The pervasiveness of OS/2 will not last much longer, however: 63 percent of ATM’s in the U.S. are projected to be running on Windows by 2008.

4. ATM Surcharge Rates

Deployers continue to increase the surcharge fees they charge to non-customers, currently averaging $1.74 at an on-premise ATM and $1.79 at an off-premise ATM.

5. ATM Economics

Deployers continue to face challenging ATM economics, as measured on a direct basis. Deployers currently earn an average of $1,104 per month at their on-premise ATM’s, and $1,013 at their off-premise ATM’s.

Finally some useful benchmark costs for your business casing.

On the expense side, deployers incur average monthly expenses of $1,444 per on-premise ATM, and $1,450 per off-premise ATM, although there is significant variation between deployer segments.

Monthly Per-ATM Expense by Deployer Segment

On-Premise ATM's          Off-Premise ATM's
--------------- ------------------------ -------------------------
Large Bank              $1,131                    $1,736
Other Bank              $1,313                    $1,256
Large CU                $1,976                    $2,549
Other CU                $1,912                    $2,578
Large ISO                 N/A                       $680
Other ISO                 N/A                       $522
Overall                 $1,444                    $1,450

Relevance to Bankwatch:

These factors shift the costs and the revenues associated with ATM’s. The opportunities exist to consider ATM’s are customer channels, or as sources of income, or both, but the bets are high because of the costs.

September 12, 2006 09:17 AM Eastern Time

New ATM Study Reveals Evolving Business Model, Diverging Strategies; Analysis of Bank, Credit Union and ISO Deployers Provides the Most Comprehensive Assessment of the State of the U.S. ATM Industry

BOSTON–(BUSINESS WIRE)–Sept. 12, 2006–As traditional metrics for measuring ATM performance decline, bank, credit union, and independent sales organization (ISO) ATM deployers are redefining how they manage the ATM channel. According to a new survey sponsored by the four leading electronic payments networks — CO-OP Financial Services(R), NYCE(R), PULSE(R), and STAR(R) — and conducted by Dove Consulting, a division of Hitachi Consulting, the ATM industry is becoming increasingly stratified.

Stratification of the ATM Industry

In 2004, findings from the ATM Deployer Study showed an industry at a cross roads. Deployment growth was outpacing transaction growth, resulting in declining per-ATM transaction levels — particularly foreign acquired transactions (i.e., revenue-producing transactions performed by another deployer’s cardholders). Declining revenues, coupled with fixed or increasing costs driven by regulatory requirements (e.g., Triple DES) and increased rent and cost of funds, were putting increasing pressure on ATM deployers’ profitability. As a result, the ATM industry was in search of a new model.

Over the last two years, the search for a new model has prompted many deployers, particularly financial institutions, to re-evaluate the role of the ATM: is the ATM purely a cash dispenser, or is it a strategic customer delivery channel?

How deployers answer that question underpins their ATM strategy, and determines how they manage their ATMs — from how many they deploy and where they deploy them, to what functionality they support and what software they run. As a result, we are now entering a third phase in the evolution of the ATM industry, one that is characterized by the stratification of deployers’ ATM strategies: the search for a new model has resulted not in one new model, but many new models, with deployers bifurcating along two dimensions: ATM access (proprietary vs. shared) and user experience (differentiated vs. undifferentiated).

The 2006 ATM Deployer Study provides an in-depth look at the industry’s key performance metrics (including transaction volumes, surcharge rates, and operating expenses), recent industry trends and developments (check imaging, ATM branding), and deployers’ strategies and priorities. It also presents an outlook for the ATM industry over the next few years, as the industry’s business model(s) evolve and deployers’ strategies diverge.

Some of the key findings from the study include:

1. ATMs and Transaction Volumes

The average number of monthly transactions per ATM, a key industry metric, varies significantly depending on the type of ATM deployer and the location in which an ATM is placed. Financial institutions’ on-premise ATMs currently average 3,651 transactions per ATM per month, compared to 1,807 for their off-premise ATMs and 329 for ISO ATMs.

Per-ATM Transaction Profiles

FI On-Premise   FI Off-Premise      ISO
------------------------ ---------------- --------------- ------------
Average Txns/ATM/month        3,651           1,807           329
% Foreign Acquired             20%              49%           100%
------------------------ ---------------- --------------- ------------

Based on transaction data provided by deployers and estimated segment shares, the study estimates that U.S. ATMs currently perform 8 billion transactions per year — representing $600 billion in dispensed cash.

Total U.S. ATM Transactions

Average
                                       Transactions/    Total Annual
     Segment          Total ATMs         ATM/month       Transactions
----------------- ------------------ ----------------- ---------------
On-Premise             130,000            3,651            5.7 Bn
Off-Premise             71,000            1,807            1.5 Bn
ISO                    195,000              329            0.8 Bn
----------------- ------------------ ----------------- ---------------
     Total             396,000                             8.0 Bn
----------------- ------------------ ----------------- ---------------

Of note, while ISOs account for almost half of all ATM placements, they account for only 10 percent of the industry’s total ATM transaction volume.

2. ATM Functionality – Customer Relationship Management (CRM) & Check Imaging

Most of the advanced features currently offered by deployers are banking functions, with shared deposits, domestic account-to-account transfers and mini statements topping the list. Going forward, however, most deployers are focusing on advanced marketing and CRM functionality that will enable them to tailor the user experience to individual cardholders and strengthen their customer relationships and cross-selling capabilities. Deployers’ top three areas of interest for future advanced functionality are targeted marketing campaigns, product offers (e.g., credit card solicitations), and cardholder preferences.

One of the industry’s hottest topics is check imaging and ATM deposit automation. After three years of testing and pilots, it appears as though imaging ATMs are ready to hit the mainstream.

Image-enabled ATMs currently represent a very small portion of deployers’ ATMs, but this dynamic is set to change. Large banks that already have image-enabled ATMs project that, by 2008, imaging ATMs will make up 31 percent of their ATM networks; for large credit unions, imaging ATMs are projected to constitute 45 percent of their ATM mix by 2008.

3. Migration to Windows and Advanced Software

Although no longer sold, OS/2 continues to dominate the ATM landscape, with the majority of ATMs — 58 percent — currently running on OS/2. The pervasiveness of OS/2 will not last much longer, however: 63 percent of ATMs in the U.S. are projected to be running on Windows by 2008.

ATM Operating System Mix, 2006 vs. 2008

Operating System         2006             2008
--------------------- --------------- -----------------
DOS                          1%               1%
OS/2                        58%              22%
Windows                     26%              63%
Other                       15%              14%
--------------------- --------------- -----------------

ATM technology is poised to change significantly as deployers migrate from OS/2 to Windows and from proprietary software to open standards. For much of their thirty-year life, ATMs have been vertically integrated devices, combining hardware and software from one provider. As hardware and software become ‘decoupled’, deployers are no longer locked into the proprietary software that accompanies a terminal; as a result, selecting ATM software is becoming a strategic decision in its own right — and one that has significant implications for deployers’ future ATM capabilities.

4. ATM Surcharge Rates

Deployers continue to increase the surcharge fees they charge to non-customers, currently averaging $1.74 at an on-premise ATM and $1.79 at an off-premise ATM.

Average Surcharge Rates, 2001 - 2006

2001        2003          2006
------------------------ ----------- ----------- -------------
On-Premise ATMs               $1.45       $1.57         $1.74
Off-Premise ATMs              $1.48       $1.65         $1.79
------------------------ ----------- ----------- -------------

Combined with an average foreign fee of $1.27, consumers currently can pay more than $3.00 every time they use an ATM that is not deployed by their own FI. As the cost of using a foreign ATM increases, the value consumers place on having access to a large network of free ATMs increases — which means, from a competitive perspective, that a deployer’s ability to provide convenient fee-free access to ATMs is becoming an increasingly important part of their value proposition. To this end, many deployers are pursuing one or more of the following strategies to increase ATM access: participating in selective surcharge alliances, introducing surcharge reimbursement programs, and negotiating ATM branding agreements.

5. ATM Economics

Deployers continue to face challenging ATM economics, as measured on a direct basis. Deployers currently earn an average of $1,104 per month at their on-premise ATMs, and $1,013 at their off-premise ATMs.

On the expense side, deployers incur average monthly expenses of $1,444 per on-premise ATM, and $1,450 per off-premise ATM, although there is significant variation between deployer segments.

Monthly Per-ATM Expense by Deployer Segment

On-Premise ATMs          Off-Premise ATMs
--------------- ------------------------ -------------------------
Large Bank              $1,131                    $1,736
Other Bank              $1,313                    $1,256
Large CU                $1,976                    $2,549
Other CU                $1,912                    $2,578
Large ISO                 N/A                       $680
Other ISO                 N/A                       $522
Overall                 $1,444                    $1,450
--------------- ------------------------ -------------------------

Most segments, on average, lose money on their ATMs. As their profit margins deteriorate, many financial institutions are recalibrating their ATM strategies, shifting away from revenue generation and refocusing on meeting the needs of their customers.

About the 2006 ATM Deployer Study

The 2006 ATM Deployer Study is the fourth in a series of bi-annual studies sponsored by the leading EFT networks as part of their ongoing commitment to industry research. Conducted in the spring of 2006, this study tracks the ongoing evolution of the U.S. ATM industry and provides an in-depth look at current ATM performance metrics, recent industry trends and developments, and deployers’ strategies.

The findings presented in the 2006 ATM Deployer Study are based on survey responses from a nationally representative sample of 161 bank, credit union, and ISO deployers. Study participants include 26 of the top 50 retail banks (and 8 of the top 10), 12 of the top 25 credit unions, and 3 of the top 10 ISO ATM owners. As of March 2006, study participants had deployed 134,110 ATMs, representing 34 percent of ATMs deployed in the U.S.

The 2006 ATM Deployer Study is available exclusively through the study sponsors. For more information, please contact:

CO-OP Financial Services            NYCE
James Hanisch                       Hope Collins
909-948-2620                        303-702-5662
jim.hanisch@co-opfs.org             Hope_Collins@nyce.net

PULSE                               STAR
Mary Brown                          Donna Pennington
832-214-0111                        402-222-6178
mbrown@pulse-eft.com                donna.pennington@firstdatacorp.com

About the Study Sponsors

CO-OP Financial Services (formerly CO-OP Network) is wholly-owned by its credit union shareholders and provides volume discounts on products and services that include ATM network access, ATM processing, debit/card services and shared branching. With nearly 2,000 credit union members, more than 25,000 surcharge-free ATMs (including 6,000 deposit-taking), 100 million-plus monthly transactions and 24 million cardholders, CO-OP Financial Services is the No. 1 credit union EFT network and processor in the U.S. financial services industry. CO-OP Financial Services’ membership has access to over 800,000 ATMs worldwide through links to NYCE, STAR, Cirrus, Pulse and Plus.

The NYCE(R) Network provides consumers with secure, real-time access to their money, connecting the accounts of more than 74 million cards with 275,000 ATMs, and 1.2 million point-of-sale locations nationwide. NYCE helps its clients grow with innovative new products and strategic alliances that enable them to capitalize on the efficiency, consumer convenience and security of electronic real-time payments. Headquartered in Secaucus, N.J., NYCE Payments Network, LLC (www.nyce.net) is a Metavante company.

PULSE(R) is one of the nation’s leading ATM/debit networks, currently serving more than 4,200 banks, credit unions and savings institutions across the country. PULSE is owned by Discover Financial Services LLC, a business unit of Morgan Stanley (NYSE:MS). The network links cardholders with nearly 250,000 ATMs and approximately 3.4 million POS terminals at retail locations nationwide. The company is also a valued resource for consumer research related to electronic payments and is committed to providing its participants with education on evolving products, services and trends in the payments industry. For more information, visit www.pulse-eft.com.

First Data Corp.’s STAR(R) Network is a coast-to-coast electronic payments network and an expert in secure, real-time electronic transactions. Financial institutions rely on the STAR Network to deliver ATM access, PIN-secured debit purchasing, deposit sharing and surcharge-free ATM access programs to their cardholders. The STAR Network is a leader in developing check debit, Internet and telephone bill payments, small-value payments, deposit risk management and ATM check imaging products. The STAR Network serves more than 5,700 financial institutions across the U.S. and provides cardholders with account access at approximately 1.9 million ATM and retail locations. There are approximately more than 140 million cards carrying the STAR logo. STAR has a broad footprint of distribution points across the United States including the acceptance of the STAR card at approximately 5.1 million POS terminals. For more information, visit our Web sites at www.firstdata.com and www.star.com.

About Dove Consulting

Dove Consulting, a division of Hitachi Consulting, is a Boston-based consulting practice specializing in strategy and organizational effectiveness. The practice’s Financial Services Group is a leader in developing retail payments, distribution and customer strategies for banks, payment networks, and government entities. Dove’s consulting work is supported by an ongoing commitment to industry research spanning consumer payment preferences, ATM deployment, and card issuers and remittance processors. For more information, visit www.doveconsulting.com or call (617) 482-2100.

About Hitachi Consulting

As Hitachi, Ltd.’s (NYSE:HIT) global consulting company, with operations in the US, Europe and Asia, Hitachi Consulting is a recognized leader in delivering proven business and IT solutions to Global 2000 companies across many industries. We leverage decades of business process, vertical industry, and leading-edge technology experience to understand each company’s unique business needs. From business strategy development through application deployment, our consultants are committed to helping clients quickly realize measurable business value and achieve sustainable ROI.

Hitachi Consulting’s client base includes nearly 35 percent of the Fortune 100 and 25 percent of the Global 100 as well as many leading mid-market companies. We offer a client-focused, collaborative approach and transfer knowledge throughout each engagement. For more information, call 1.877.664.0010 or visit www.hitachiconsulting.com.

Hitachi Consulting — Inspiring your next success! (R)

About Hitachi

Hitachi, Ltd. (NYSE:HIT) (TOKYO:6501), headquartered in Tokyo, Japan, is a leading global electronics company, with approximately 356,000 employees worldwide. Fiscal 2005 (ended March 31, 2006) consolidated sales totaled 9, 464 billion yen ($80.9 billion). The company offers a wide range of systems, products and services in market sectors including information systems, electronic devices, power and industrial systems, consumer products, materials and financial services. For more information on Hitachi, please visit the company’s Web site at http://www.hitachi.com.

For more information on Hitachi, please visit the company’s Website at http://www.hitachi.com.

Canada with 32 million population does 1.1 billion ATM transactions annually, just for perspective.  So Saudi is doing 8 times that much, with half the population!

The same report indicates this activity is handled through a mere 5K ATM machines,vs Canada with 50K ATM’s. 

ATM’s are relativley new in Saudi, and cash remains the preferred method of payment.  But the industry is enhancing rapidly, with real time clearing implemented, and cheque truncation expected later this year (2006).

albawaba.com middle east news information::Saudi ATM statistics

The Saudi Arabian Monetary Agency (SAMA) announced that Saudis had withdrawn SR 68 billion worth of cash through the available ATM’s networks in the Kingdom through the first half of 2006.

According to Al-Yaum newspaper, citing SAMA report, Saudis had also executed 4,320,474,149 transactions through the available ATM’s networks in the Kingdom through the first half of 2006. The report added that the Saudi banks had issued 359,117,900 ATM cards through the first half of 2006.

The total number of the ATM machines in the Kingdom amounted to 5,377 machines. © 2006 Mean Report (www.menareport.com)

Technorati Tags: ATM

The core point here is that the Bank  needs to know each customer real time.  It is no surprise the customer used the the ATM,to make their deposit. 85% of all transactions are handled electronically nowadays.  So the focus of development should not be on the branch anymore;  it needs to be on the place the customer spends their time … the electronic channels.

So its essential that CRM systems can identify which customers like this one, are no risk, and should not have a hold placed.  The system needs to know this when the customer makes the deposit, quietly and unobtrosively behind the scenes.

vieriberretti.com » BMO

Today I deposited a couple of cheques at my bank, Bank of Montreal, using an ATM. Normally, that’s how I use the bank. Before today, I hadn’t spoken to a teller for a few years. After depositing the cheque I decided that I needed to transfer some of the funds from one account to another; the ATM wouldn’t let me, something about a hold. So I went in to see what the problem was. The very nice teller explained that I had a one-day hold on the cheques as they needed to be verified before the hold could be taken off. Of course, I was a little incensed, I have a mortgage with the bank, have never been late with a payment, never bounced a cheque, have a line of credit, been banking with them for 20 years, hell I know the loan officer by name, why do I have a hold?

Technorati Tags: customer+experience

Millions at risk from chip and Pin | This is Money

Security experts say there is a one in five chance that a terminal in a shop or garage will not spot a ‘cloned’ card. It means criminals who copy people’s cards can go on shopping sprees and spend thousands of pounds. The alarming gap in security is being blamed on the issuing banks, for choosing the cheapest version of the new cards. Banks in France and some other countries are already using a more secure system.

The cloning seems ridiculously easy.

Some experts warned soon after the launch of the system in February that criminals could clone the new cards using equipment readily available over the Internet and costing only some £300 or £400.

And the results are horrendous!

Last month the Daily Mail revealed that criminals had stolen more than £1m after using copied cards to withdraw money from cash machines abroad.

This is because repeated transactions at these terminals no longer register with banks’ head offices as a suspicious pattern of withdrawals.

The root cause appears to lie in the choice of technology by certain banks.

Now it emerges that there may be a similar absence of protection on transactions in this country. The reason is that more than 140m credit, debit and charge cards issued in the UK over the last few years use a technology known as SDA, which stands for ‘static data authentication’.

This is the cheapest option that could have been chosen by the big five banks, which made profits of £33bn last year, and other card issuers. Banks abroad, however, prefer the safer option of the DDA system, which stands for ‘dynamic data authentication’.

Relevance to Bankwatch:
Nothing is simple.  The criminals are very capable, and shortcuts in this space will be devastating.

Technorati Tags: chip+card, fraud, DDA, SDA

We have to understand this dynamic, and both individual banks, and industry groups need to get on top of it.

MoneyExpert.com – Financial news article

“Chip and pin security is fallible,” a spokesman for credit payments association Apacs, which conducted the survey, told the Times. Recent research has suggested that cash machines are not always able to discern the difference between genuine cards and cards that have been cloned.

Relevance to Bankwatch:
Its been assumed as part of the business case for chip that fraud could be successfully managed down.  So while enormous cost has gone into the introduction of chip, yet consumers remain sceptical.

Key point in my mind, and why the smart companies are using Wincor's is that they are entirely open, based on open standards. Their ATM's are just (I say "just" lightly) IBM P4 PC's. The interfaces, connections, and hardware are all standard off the shelf stuff. This makes their machines cheaper, simpler, and easily extendible to web services. You can use their application software or your own, such as Phoenix. The old days, where ATM manufacturers (and telephone applications too) relied on proprietary software, hard coded into the hardware are long gone.

In a multi channel environment, where you want to extend your brand experience into the channel, and be consistent across channels, they have a winning product.

Wincor Nixdorf – Company

Wincor Nixdorf is one of the world’s leading providers of IT solutions to retailers and retail banking. The Company’s extensive portfolio, which consists of hardware, software, consulting services, system maintenance and other services, is centered around the business processes at work within banks and retail chains which operate extensive branch networks, and is aimed at optimizing costs, reducing complexity and improving service to the end customer. Wincor Nixdorf uses the expertise in its core business with banks and retailers to diversify into other sectors. These include lottery companies, service station operators, hospitality and corporate restaurant businesses and large industrial companies.

Technorati Tags: wincor, nixdorf, atm, multi_channel

Finextra: Wells Fargo introduces envelope-free ATM deposit system

• Envelope-Free ATMs offer customers some important benefits:

• Faster and easier ATM deposits – customers can deposit stacks of bills (up to 30 bills in different denominations) and checks (up to 10) directly into the machine at one time.
• Assurance that checks or cash deposits have been received – customers can see on-screen check images and a count of each denomination for cash deposits.
• Proof-positive receipts – customers receive a check image of deposited checks on their receipt and an itemized listing of deposited bills.
• Instant credit for cash deposits – funds are immediately credited to the customer’s account, just as if they made a cash deposit at the teller window.
• Same day credit for check deposits – the deposit cut-off time has been extended from 4:00 p.m. to 7:00 p.m. (weekdays), giving customers same-day credit for deposits even after the banking store has closed.
• ATM does the math for you – customers insert cash and a listing of every deposited bill is provided on-screen. Customers insert checks and the character recognition software reads and posts an image of the check and the amount on the screen.
• Saves trees – by making envelope-free deposits, Wells Fargo customers are helping to reduce unnecessary waste – potentially saving more than a thousand trees per year and reducing air pollutants by more than a quarter million tons of CO(2) equivalents.

WSJ.com – The Envelope-Free ATM

In Russia, a consumer can put rubles into an automated-teller machine and get U.S. dollars in return. In Brazil and Venezuela, the machines print checks. And banking customers in Indonesia can use an ATM to schedule and pay for the ritual sacrifice of a goat.

However something as simple as envelopeless cheque depositing which sounds cool, is not necessarily a good use of investment.

Unlike traditional machines that swallow an envelope and require the customer to key in the deposited amount, the new versions read checks and count cash themselves. They can display an image of the check on the screen, and also print an image of the deposited check on a customer’s receipt. Bank executives literally “oohed” and “aahed” when a representative of ATM maker NCR Corp. demonstrated the technology at an industry conference last fall.

The costs of the cameras and cheque handing, to achieve this are significant, and given cheques are going away, does this make sense?  Perhaps the North Americans have this part right.

Relevance to Bankwatch:
The ATM manufacturers find it easy to wow Bank Executives in the ATM space because those folks generally haven’t been engaged in the online banking space.  The online bankers know innovation, and understand the importance (now, post dot com crash) of not getting caught up in the technology, and remaining focussed on the customers needs.

Banks Are Testing Versions
To Read Checks, Count Cash;
Twizzlers Wrapper Is Rejected
By ROBIN SIDEL and IAN MCDONALD
May 6, 2006

In Russia, a consumer can put rubles into an automated-teller machine and get U.S. dollars in return. In Brazil and Venezuela, the machines print checks. And banking customers in Indonesia can use an ATM to schedule and pay for the ritual sacrifice of a goat.

In the U.S., ATMs don’t do any of those things. Despite a slew of predictions a few years ago that U.S. consumers would use ATMs to apply for loans, buy ski-lift tickets and receive coupons for soft drinks, today’s bank machines pretty much just spit out greenbacks because that’s the service U.S. bank customers typically want.

Now, the biggest makers of ATMs are trying to sell a new generation of machines. Instead of razzle-dazzle features that turn the machines into mini-media centers, however, they allow customers to do something far less glamorous: deposit cash or checks without an envelope.

Unlike traditional machines that swallow an envelope and require the customer to key in the deposited amount, the new versions read checks and count cash themselves. They can display an image of the check on the screen, and also print an image of the deposited check on a customer’s receipt. Bank executives literally “oohed” and “aahed” when a representative of ATM maker NCR Corp. demonstrated the technology at an industry conference last fall.

In addition to looking slick, the new machines could ultimately save banks millions of dollars by scanning images of the checks and eliminating the need to haul physical pieces of paper around the country for processing. Consulting firm TowerGroup, a unit of MasterCard International Inc., last year estimated that envelope deposits made at ATMs and by tellers cost about $1.70 each to process, while electronically scanned versions cost 40 cents. The checks also clear faster for customers.

Eliminating the envelope also is expected to reduce the number of fraudulent transactions that occur when swindlers claim to have deposited money, but merely feed an empty envelope into the machine.

“Deposit automation will have huge and positive ramifications for banks and their customers,” says Tom Swidarski, chief executive of Diebold Inc., another big maker of ATMs.

It’s been 30 years since ATMs became ubiquitous in American life. The first ATM in the world was installed at a Chemical Bank branch in Long Island, N.Y., in 1969.

Of the 10.5 billion ATM transactions last year in the U.S., about 80% involved cash withdrawals, according to industry data. Deposits accounted for less than 10% of the activity — an amount that has remained fairly constant over the past decade even as check usage is declining due to the popularity of direct-deposit and online bill payment. The rest covers such things as balance inquiries and account transfers.

While new to most consumers, ATM-makers and banks have been experimenting with envelope-free check deposits for more than a decade. The technology recently received a boost from a new federal law, known as “Check 21,” which permits banks to process checks by exchanging digital images. Of the more than 400,000 ATMs in use in the U.S., only a little more than 1% accept “no-envelope” check deposits, according to Diebold and NCR.

So far, most big banks are still experimenting with the technology in small pilot tests, but the new machines are expected to start showing up more frequently later this year as banks upgrade their “back-office” operations to accommodate the new electronic images.

The slow rate of adoption is partly due to the cost: check-scanning versions can add 30% or more to the price of a traditional ATM, which typically run about $25,000. As it is, banks are already expected to spend more than $340 million on basic ATM hardware in 2007, up 20% from this year, according to TowerGroup.

Bank of America Corp., which has nearly 17,000 ATMs around the country, promotes the technology in television commercials and plans to introduce some 1,500 of the machines nationwide by the end of the year. The big bank operates 50 of the machines in North and South Carolina and plans to soon expand the test in other markets nationwide.

Wells Fargo & Co. has been experimenting with the envelope-free ATMs since 2002 and has 61 of them in northern California. “We are definitely going to be putting more in the market this year,” says Jonathan Velline, senior vice president of ATM banking at Wells Fargo. Deposits represent 20% of Wells Fargo’s ATM transactions; some 20% of the deposits are in cash.

In Jersey City, N.J., customers who deposit a check in the ATM at a local branch of PNC Financial Services Corp. can choose between an envelope or envelope-free transaction. Checks without envelopes are inserted face-up into a slot in the machine. An image of the check quickly pops up on the screen, and the customer then selects the account in which the funds are to be deposited. The image isn’t printed on the receipt. Of the 197 deposits made at the ATM on Feb. 24, 56 didn’t include an envelope.

PNC, a regional bank based in Pittsburgh, first introduced the envelope-free machine in 1992. Of the bank’s 1,000 ATMs that accept deposits, 400 of them accept checks without an envelope today.

“We started to do this because it is a lot easier to deal with the deposit,” says James Walker, a PNC senior vice president who is responsible for the bank’s network of 3,600 ATMs. He says the digital method takes about 10 seconds to process versus a minute for the manual method, which requires bank employees to open the envelope, separate the check and verify that it matches the amount keyed into the machine by the customer.

But not all banks are embracing the technology. They gripe that multiple versions of the machines can confuse customers, delay transactions and don’t justify the expense of the new machines. Indeed, some of the ATMs accept multiple checks at a time and others require checks to be fed individually. PNC’s machines, for instance, don’t accept cash deposits without an envelope.

“There is an inconsistency perspective that we have concerns about. One ATM works one way and another works another way,” says Dominic Venturo, senior vice president for products and marketing at U.S. Bancorp. The Minneapolis-based bank has about 5,000 ATMs.

When J.P. Morgan Chase & Co. ordered 1,300 new ATMs from Diebold earlier this year, it didn’t buy the new models. The big bank, which has about 7,300 ATMs, has been testing about 20 of the envelope-free type in Ohio, Indiana and Kentucky for about two years. “We have stuck with the meat-and-potato variety because everything else slows people down,” says Thomas Kelly, a spokesman for the bank.

At Diebold’s headquarters in North Canton, Ohio, a team of engineers is working to ensure that the new ATMs work. Last month, senior engineer Dean Abraham repeatedly folded and crumpled a check for $101.30 before feeding it into a machine. The ATM accepted the crinkled paper, scanned it and read the amount correctly. Then he pushed a stack of more than three dozen bills — a mix of ones, fives, 10s, and 20s facing in different directions — into the machine, which accurately sorted and counted the money. In another recent test, Diebold engineers fed a Twizzlers candy wrapper into the ATM, which recognized that it wasn’t a check and spit it out without a jam.

Despite the hesitancy, most bank executives acknowledge that the new machines will ultimately become standard for the industry. Says Bob Tramontano, head of global marketing and engineering for NCR’s financial solutions division: “When no one has it, no one needs it, but that’s changing because consumers like it.”

Technorati Tags: ATM

City's bank card system collapses

SHANGHAI'S major department stores, restaurants and some automatic teller machines failed to accept bank cards since noon today because of a network breakdown at China Unionpay, the country's integrated system for bank cards transactions.

While the card base is enormous, the ATM base is smaller than I'd expect.

China has issued more than 920 million bank cards, including debit
cards and credit cards since the end of last year, up 142 percent from
2002, the year when China Unionpay was set up.There are 86,000 automatic teller machines and 406,000 point of sales machines in the country so far.

Technorati Tags: debit_card, china

London Free Press – Business – Bank branches take a back seat to Net, drive-through

An annual research study released recently by research organization TNS Canadian Facts shows just more half of Canadians (54 per cent) visited a bank branch last fall, the lowest level of branch banking since the tracking study began in 1994.

In other parts of the study, here are some numbers:

By the numbers:

– 16 per cent of Canadians usually go to a branch to conduct a transaction with staff at least once a week

– 91 per cent of Canadians have a card that gives them access to a self-service banking machine

– 78 per cent of Canadians made transactions at automated banking machines last fall

– 80 per cent of Canadians report that they have made an Interac Direct Payment

– 34 per cent of Canadians claim to be signed up for phone banking

- 73 per cent of Canadians reported having access to online banking
compared to 67 per cent in 2004. Most — 65 per cent — have access at
home

– 40 per cent of Canadians have registered for online banking

- Seven per cent of Canadians not signed up for online banking indicate
being very or fairly likely to register for it in the next six months

– 80 per cent of Canadian adults hold a credit card of some sort and 66 per cent used it the month of the survey

– 66 per cent of Canadians claim to have written at least one cheque in the month of the survey.

Full article about the study:
Tue, April 18, 2006
By P.J. HARSTON, BUSINESS EDITOR

Canadians are abandoning their traditional branch-banking habits, turning instead to e-banking and bank machines.

An annual research study released recently by research organization TNS
Canadian Facts shows just more half of Canadians (54 per cent) visited
a bank branch last fall, the lowest level of branch banking since the
tracking study began in 1994.

The study also shows the number of monthly visits for those who go to a branch has steadily fallen.

“As people become increasingly comfortable doing their day-to-day
transactions through electronic channels such as Internet banking and
bank machines, visiting the branch is becoming less necessary, but it
is certainly not irrelevant,” said Rhonda Grunier, a vice-president at
TNS Canadian Facts.

“Canadians still demand choice in the ways they handle their everyday
finances, so they can use the channel that best suits their needs.

“Financial product purchases, such as opening accounts or acquiring
loans, continue to be primarily done at the branch,” Grunier added.

Online banking appears to be maturing, with only modest growth over the last two years.

Last fall, 34 per cent of Canadians reported using an online banking
service, compared to 33 per cent in 2003. More than half of Canadians
with Internet access have signed up for online banking.

Telephone banking continues to decrease in popularity as more people go online for their banking needs.

Just 19 per cent of Canadians had used a telephone banking service last
fall, the study said, down from its peak of 26 per cent in 2001.

Internet banking, the study shows, is primarily used for
paying bills, checking account balances and transferring money between
accounts. About a quarter of those who bank online use an electronic
bill presentment service to receive their bills directly to their
computer.

“Convenience is a major factor behind the popularity of
online banking. The main reason why non-users are not interested in
adopting online banking is that other channels are available which
adequately meet their needs,” Grunier said.

By the numbers:

– 16 per cent of Canadians usually go to a branch to conduct a transaction with staff at least once a week

– 91 per cent of Canadians have a card that gives them access to a self-service banking machine

– 78 per cent of Canadians made transactions at automated banking machines last fall

– 80 per cent of Canadians report that they have made an Interac Direct Payment

– 34 per cent of Canadians claim to be signed up for phone banking

- 73 per cent of Canadians reported having access to online banking
compared to 67 per cent in 2004. Most — 65 per cent — have access at
home

– 40 per cent of Canadians have registered for online banking

- Seven per cent of Canadians not signed up for online banking indicate
being very or fairly likely to register for it in the next six months

– 80 per cent of Canadian adults hold a credit card of some sort and 66 per cent used it the month of the survey

– 66 per cent of Canadians claim to have written at least one cheque in the month of the survey.

They are responsive, and continually improving the product. Best of all, they are real people behind the "code" and that point is very obvious to users of WordPress.

Good luck Matt, and thank you for WordPress. Philosophically you are pinko (in the nicest possible way).

Photo Matt » A Little Funding

The best thing that can ever happen to a web service is to have passionate users. Users that notice and email you the second there’s a database problem, users that really push the limits of what you can provide, and users that are phenomally successful and bring thousands of others to your doors.

Information from ATM cards skimmed in Auckland used in Canada to fleece accounts of thousands

(IRN News Via Thomson Dialog NewsEdge)There has been a third case of skimming of money cards at an Auckland ATM machine.This time it is at a BNZ machine at Pakuranga Plaza.

Information is thought to have been stolen from 60 cards.

That information has been used in Toronto in Canada with the fraudsters taking a total of $49,000.

It was only when card holders queried transactions that the BNZ realised its ATM machine at Pakuranga Plaza had been tampered with.

The BNZ is urging anyone who may have used the Pakuranga machine in March to check their accounts for irregularities.

This paper issued by Redspin Inc. is based on their experience conducting internal security audits for US banks. Their key point is found here:

ATM_Vulnerabilities_04_10_06.pdf

Given the current application protocol, confidentiality of user account information is clearly a significant issue. While the PIN is encrypted, the card number, expiration date and current balance are not. How valuable is that information? It can be used to create a duplicate physical card to be used for signature-based transactions or on-line purchases.

This is something each bank must do to ensure the security internally transmitted data is adequately secured. The surprise for this Bank that was audited, was that after implementing Triple DES (Visa requirement), they assumed that they were at end of job.
Redspins conclusion:

ATMs are not immune from this trend because they share the very same network and similar protocols as POS devices. While this paper has focused on the smaller to mid-sized bank architectures, even larger banks with TCP/IP ATMs are vulnerable without the proper controls. All of these devices use the same application layer protocol with sensitive customer information transmitted in the clear.

Relevance to Bankwatch:

In this case the bank was obviously small, however all banks must perform regular security audits to ensure they are providing the right level of service and security for their customers.

TheFivePromisesofSelf-Service.pdf

There is a new generation of ATM like machines that are available to Banks. These machines will perform additional functions, and are only limited by the Banks' imagination and technology constraints. These ATM's can provide "assisted self service". Customers can perform the bulk of the transaction, (commercial deposit, wire transfer, purchase a draft) at the ATM, and complete with the CSR.

This provides greater efficiency to the CSR team, and speed and control to the customer.

Examples:

Source Technologies

IBM

NCR

Relevance to Bankwatch:

Banks in Japan and Europe already have ATM's inside the branch. There are a new generation of machines with enhanced functionality that offer significant advantages to Banks' to (semi) automate complex in-branch transactions.

"Some of these arrest were linked to recent nationwide compromises of debit-card customer information and PINs involving a number of retailers and debit card issuers,"

 What is intriguiing, is that the investigation began on something else, and landed on the "Citi" thing as part of that broader investigation.

Operation Rolling Stone, which originally did not focus on the epidemic of debit-card fraud, has at least exposed some new leads, Cherry said.

Here is the detail, thanks to SecurityFocus. 

Relevance to Bankwatch:

 Stated quite eloquently in the article: "Moreover, the companies that are the source of the breaches should acknowledge the incidents and take responsibility". 

 _________________________________________________

Robert Lemos, SecurityFocus 2006-03-31

The U.S. Secret Service arrested seven people across the nation this week as part of an ongoing investigation that has turned up links to the massive debit-card breaches that have worried banks and consumers.

The investigation, dubbed Operation Rolling Stone, has resulted in 21 arrests in the last three months and involves local, state and international law enforcement. The online uncover operation targets Internet criminal groups that "threaten our financial infrastructure," Jonathan Cherry, spokesman for the U.S. Secret Service, told SecurityFocus.

"Rolling Stone is an ongoing and active operation in its initial phase with future coordinated arrests expected as the operation continues," Cherry said.

The operation could also shed some light on–and even lead to the perpetrators of–several massive debit-card data breaches that have left millions of consumer bank accounts at risk. Over the past two months, widespread debit-card fraud has led to a search for the sources of the breaches. Three major incidents in the last six months–a breach associated with OfficeMax, another with Sam's Club and a third compromising an ATM network–have likely all contributed to the current uptick in fraud.

Operation Rolling Stone, which originally did not focus on the epidemic of debit-card fraud, has at least exposed some new leads, Cherry said.

"Some of these arrest were linked to recent nationwide compromises of debit-card customer information and PINs involving a number of retailers and debit card issuers," he said.

Over the past two months, a spate of debit-card fraud has worried consumers and banks. While no company has come forward to claim responsibility as the source of the data fueling the fraud, three major breaches in the last six months are likely responsible, according to sources in the banking industry.

A breach at a California office-supply chain last year resulted in the leak of an estimated 200,000 ATM and debit account numbers along with the associated personal identification numbers, or PINs. A rash of fraud that started in February was blamed on the leak, and media reports pointed at OfficeMax as the source. In its annual report published last earlier in March, OfficeMax warned investors that the situation could hurt its results.

"There is an ongoing federal investigation relating to ATM fraud involving legitimate debit card use at various retailers that was later tied to fraudulent transactions outside the U.S.," the company stated in the filing to the Securities and Exchange Commission. "While we have no knowledge of a security breach at OfficeMax, it is possible that information security compromises involving OfficeMax customer data, including breaches that occur at third party processors, may damage our reputation."

Last December, Sam's Club, a subsidiary of Wal-Mart, acknowledged that it was cooperating with an investigation into 600 cases of fraudulent transactions using credit cards and debit cards at its gas stations. While the retailer has only acknowledged those cases, the incident has led to credit-card companies issuing warnings to banks for, what is likely, millions of cards, according to banking executives. A Sam's Club statement stressed that the company does not believe its in-store or online systems were breached.

"If any compromise occurred, it appears to be limited to the Sam's Club fuel station point-of-sale system," Mark Goodman, executive vice president for Sam's Club, said in a statement released on March 3.

In early March, Visa and Mastercard warned banks of the most recent incident–a breach of an ATM network, according to financial industry insiders. Sources have said that data indicates the total number of accounts involved in the breach could number in the millions. Representatives at Visa and Mastercard International have not commented on the issue. However, Citibank released a statement confirming the ATM network breach, but not naming the company responsible for the network.

The latest Operation Rolling Stone arrests took place in five states and the District of Columbia on Tuesday. The names of the suspects are currently being withheld, because the investigation is ongoing, the U.S. Secret Service's Cherry said.

The federal and international operation is not linked to the arrests of more than a dozen people in New York and New Jersey that allegedly conspired on credit- and debit-card fraud, said Edward DeFazio, the prosecutor for Hudson County, New Jersey.

"We had gotten the Secret Service involved in our case–they were the ones who were going to follow up with the international connections," DeFazio said.

While the arrests are a good sign, legislators need to respond the the debit-card data breaches with stronger consumer protections, because ATM debit cards have not historically had as strong defenses in place for account holders as credit cards, Chris Hoofnagle, the director and senior counsel for the Electronic Privacy Information Center's West Coast bureau.

"It has always been assumed that the ATM is more secure because of the PINs, but debit cards are being used everywhere so the PINs are everywhere," Hoofnagle said.

Moreover, the companies that are the source of the breaches should acknowledge the incidents and take responsibility, he said.

"The problem with the ATM breaches is that notice is even more important in these cases," he said.

• Worldwide acceptance of Visa while accessing your own savings. You can make purchases online, over the phone and at more than 24 million outlets around the world.
• No credit application necessary.
• Your choice of card design. Your ANZ Everyday Visa Debit comes in three unique designs you can choose from. Unlimited ANZ transactions for $6 a month.
• This includes ANZ ATMs, EFTPOS, ANZ Phone and Internet Banking and ANZ branches.
• ANZ's Online Guarantee for greater protection on Internet purchases plus ANZ Falcon™ monitoring for suspicious transactions.

However, generally, this is one of the next payment frontiers, and it has banks confused. Visa debit. Its expected that Visa will offer this in North America shortly, and that will be in competition with Bank's own debit offer, unlike the Australian situation above.

Expect to see some Banks offer Visa/ Credit/ debit all on one card, specifically on a chip carrd. Now that really is an interesting offer, and although it might be confusing for customers, some will appreciate the convenience of one card for all. Its also confusing for banks, because the marketing of credit is traditionally separate from banking, and thats a distinction that needs to be blurred.
Relevance to Bankwatch:

Banks have to figure out the value of the customer offer with Visa debit, how they manage that offer alongside credit card offerings, and in conjunction with chip.

Payments News: More About NACHA's "Credit Push" Initiative – March 24, 2006

if the pilot can prove the service to be an net enabler of additional eCommerce growth. …."The real key", according to Samantha, "is what impact credit push will have on the payments mix"."

There are several things going on at the same time here:

1. introduction of "debit" activity to the ecommerce space
2. introduction of chip cards (debit and credit)
3. introduction of PIN verification for credit cards

1. Introduction of "debit" activity to the ecommerce space

For a variety of reasons, credit cards owned the ecommerce space until now. A key contributing factor was the easy sell, that you can call your credit card company and claim the purchase was not yours, and generally, you will be refunded. This fit well with the doubts and misconceptions about the early days of internet.

Since that time, ecommerce has come a long way, and despite consumers concerns about privacy and security, its well embedded in todays world. So its timely for Banks to offer consumers a choice relative to their purchases, exactly as occurs in bricks and mortar stores.

From other channel experience, we know that channel use profilerates as channels are added. Consumers tend to migrate less than use everything available based on their needs.

2. introduction of chip cards

Chip cards are the proverbial "spanner in the works". This will be disruptive technology, and of that there is little doubt. Banks are deploying chip to counter fraud, primarily at the ATM, but that is just the beginning.

The first obvious disruption will be micropayments and stored value. Smart Banks will soon offer ability to make small payments, say up to $25/50 and this will promote cash displacement. Handy for consumers, and cost reduction for Banks.

But chip also provides security, and as PC's gain chip readers, and they become as pervasive as floppy disk drives used to be, then there is no reason chip cards cannot authorise payment activity online.

3. introduction of PIN verification for credit cards

Back to 1. above, one of the early reasons for credit card adoption for online purchases was the $50 limit on liability for purchases. This provided consumers with the confidence that if the merchant did not come through with the purchase, they had an out. Consumers don't worry about the likes of Amazon delivering any more.
But the introdcution of PIN verification is accompanied with shift of liability to the consumer. This will mean that once the PIN is entered, the consumer is liable for the transaction, because no-one else could have performed the transaction if the PIN has been kept securely. We don't necessarily know how this will play out, because that liability shift was developed before phishing was prevalent. I know the answer will be that chip cards cannot be replicated, but it all gets confused in the consumers mind, and there may be marketing opportunites to manage that liability shift differently.

In any event, the sum of all of the above, brings us to the point that there is little difference between the channels (store and online) and little difference between the cards (credit and debit). Consumers will determine how they spend based on their preceptions of risk, and their financial standing.

The Canadian experience with Interac Online Debit suggests the answer is twofold:

1. customers will use this new function for smaller amounts and continue to use credit cards for larger purchases.
2. a new e-commerce market opportunity is presented for those without credit cards

So the first results in canabilisation of credit card transactions, while the second is a new market. In time this mix may shift once we feel the impact of credit card PIN verification. We don't really know how consumers will react to that, coupled with the liability shift to the consumer which accompanies PIN.

Relevance to Bankwatch:

Banks can never go wrong by offering consumers a choice. But consumers will use everything, so pricing is key.

An insider’s look … from Palm Desert, Calif. | ATM Marketplace News

One program to which PDNB pays special attention is debit. Often a behind-the-scenes player, PDNB is taking a lead role in spear-heading the prepaid debit-card effort.

One alternative noted here at Palm Desert National Bank’s annual partner conference is prepaid debit.

Similar to efforts launched with Portland, Ore.-based financial solutions provider Vero Inc., the outside-the-box financial institution is working to identify and capture a market stronghold in diversified products that cater not only to underbanked segments but fill a void in the financial services space.

In fact, Tingey expects the overall debit and prepaid market to grow between 100 percent and 150 percent over the next 12 to18 months.

“I think the industry as a whole is just scratching the surface with prepaid products,” Nutting said, in between bites at the corner cafe. “By focusing only on the underbanked, you miss a lot of opportunity for some prepaid products that cater to the already banked. The banks are the ones that already understand these cards and how to use them, and to ignore them is one-sighted.”

So what is the potential for prepaid debit?

Wachovia have a commercial product, sold to facilitate relocation expenses, or petty cash disbursements. PrepaidDebitCardBrochure.pdf

Prepaid MasterCard, such as Western Union.

Starbucks prepaid cards, now with loyalty points. While Banks traditionally resist small transactions, and they and traditional merchants charge extra (refer note below), Starbucks recognise the reality of cheap networking and are encouraging small transactions. So why do Starbucks see an advantage for small payments, and yet Banks do not? Someone must have it right.

Vendors:

• Metavante
• Cardis
• Netspend

Note re small transactions from Forbes.

It wasn’t that long ago that small-ticket retailers–such as convenience stores, delis and local restaurants–had a minimum charge for credit cards to cover the costs associated with running the transaction. The credit card associations, like MasterCard or Visa, or cards like Morgan Stanley‘s (nyse: MWD – news – people ) Discover or the American Express (nyse: AXP – news – people ) card, often charge a base rate per transaction plus a percent of the total each time a card is swiped.

Early conclusions:

1. Credit cards are winning this battle hands down and banks are allowing them. I judge this by a simple Google search for prepaid debit, and all that shows up are credit cards.
2. Prepaid have two primary benefits, a) card solutions for the unbanked, and b) cash replacement for small transactions (micropayments)
3. Starbucks and other merchants (Sears etc) have figured out the value of prepaid, but banks have not.

Relevance to Bankwatch:

A great opportunity exists for Banks to get into prepaid debit for the mass market. such cards can be toppped up at the ATM. This will produce revenue from card sales and transaction revenue. This eliminates cash handling costs, because there will be less cash in circulation.

Anyhow, I presume this is the last on the Citi ATM fraud.  However its not the last time we will hear of this issue, and I would rather see Visa (is MasterCard there ??) make a statement about the other software applications used be merchants.

Finextra: Visa warns of PoS software bug

Visa USA is warning that two versions of Fujitsu’s point-of-sale software may inadvertantly store customer data, including PIN numbers, during debit card transactions.
……
The issue came to a head recently following a security breach at an unspecified merchant that forced a number of US banks to re-issue debit cards to customers after it transpired that decrypted PIN codes were being used on cloned ATM cards.

Relevance to Bankwatch:
The connections between Banks and payment networks are a critical component of todays financial processes.  How many more Fujitsu’s are there out there, that are retaining confidential and critical customer information that is intended to be encrypted or not stored?

Visa warns software may store customer data | CNET News.com

A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

Relevance to Bankwatch:
Banks have to worry about information as much (more) than they do about money. Banks need Chief Information Officers, and corporate principles to govern storage, and use of information.  This includes specific rules surrounding authentication, and authorisation of services. These principles must be applied to third parties including service providers, and payments services.

Lessons to Learn From Citi Data Breach

Yet experts say two important points to keep in mind when examining this situation are
1) the breach occurred at a third party, not the bank, and
2) this incident is not about PIN technology itself, but the way the data was stored.

In order for this to be the case, the merchant would have to be storing:
a) PIN
b) complete replica of the mag strip data

I still suspect there is more to it, in what is clearly an inside job.

However, if that is all there is to it, then ….

Relevance to Bankwatch:

• Banks have to be accountable for the data that is shared with
  private networks, and merchants; its unacceptable to blame all the links in the chain, because there are so many.
• Customers will (rightly) look to the issuing bank to protect their information
• Technology allows for sufficient data sharing to complete a transaction, without sharing all the customers authentication
  credentials (e.g. public key encryption). Anything short of that is technological laziness

Lessons to Learn From Citi Data Breach

Yet experts say two important points to keep in mind when examining this situation are
1) the breach occurred at a third party, not the bank, and
2) this incident is not about PIN technology itself, but the way the data was stored.”This issue isn’t about the [strength] of PINs—it’s about the
merchants and how they store this data,” says Bruce Cundiff, an analyst
with Pleasanton, Calif.-based Javelin Strategy & Research.

Jon Gossels, founder of SystemExperts (Sudbury, Mass.), agrees.
“PIN wasn’t the problem [in the Citibank case]. Having a card and
typing a PIN is perfectly adequate authentication,” he says. “It was
the data that was stolen internally.”

_______________________

Lessons to Learn From Citi Data Breach
Questions around security policy arise in aftermath.
By Maria Bruno-Britz
March 14, 2006

When thousands of PINs and other account information of Citibank (New York) customers were pilfered from the database of an as yet unnamed merchant, the industry’s perception of the invincibility of PIN technology was shattered. Some insiders are even encouraging people not to use PIN cards at the point of sale at all.

Yet experts say two important points to keep in mind when examining this situation are 1) the breach occurred at a third party, not the bank, and 2) this incident is not about PIN technology itself, but the way the data was stored.

“This issue isn’t about the [strength] of PINs—it’s about the merchants and how they store this data,” says Bruce Cundiff, an analyst with Pleasanton, Calif.-based Javelin Strategy & Research.

Jon Gossels, founder of SystemExperts (Sudbury, Mass.), agrees. “PIN wasn’t the problem [in the Citibank case]. Having a card and typing a PIN is perfectly adequate authentication,” he says. “It was the data that was stolen internally.”

According to George Tubin, a senior analyst with Needham, Mass.-based TowerGroup, this security incident is really an old story with a new twist. “We’ve seen this in the past. The difference with the Citi incident is [the hackers] obtained files with user names and passwords instead of obtaining it through phishing. It’s an old crime with a new method.”

Third parties, such as merchants, are usually discouraged from saving customers’ card account information after transactions have been processed. Some, as recent cases have illustrated, choose not to discard this data for one reason or another. Therefore, it is vital that banks stay on top of their third-party partners, whether retailers or service bureaus, to make sure they are upholding their contractual obligations on data management.

“This was the merchant’s fault,” Tubin says of the Citibank case. “No one should keep a single file of names and passwords. Part of data security is not to keep pieces of information together that can be used to commit fraud. This is a basic tenet of information security, which the merchant didn’t follow.”

Gossels says this case highlights the need for organizations to carefully establish their relationships with third parties. “It became clear that third parties aren’t doing a good job of applying the same standards of stewardship of consumer data as the banks,” he remarks. “Financial institutions have to be very careful about the kind of information they share with them. They should just send the bare minimum of data to make an application work. Third parties are traditionally the weak link in the chain, whether they’re merchants or data processors.”

Also under the gun here are the card networks, says Cundiff. “It is important to look at the security of the networks, such as STAR and the PIN networks, in addition to Visa and MasterCard. They are hugely affected by this. The networks have to shore up their merchants and put them through more rigorous audit processes.”

Yet placing greater liability upon the merchants is not necessarily the answer either, says Gossels, since the manner in which they handle security depends largely on their size. “Your local dry cleaner doesn’t have a security officer on staff, so they rely on outside providers to do this. Major national brands, however, are more sophisticated about security. We expect better of them because they have the IT staff that should know better. In the case with Citi, [sources] are saying it was a major retailer.

Although Cundiff thinks the growing hysteria about not performing PIN transactions at the POS is a bit overblown, he also believes that chip cards could have prevented the ensuing chaos of the data breach. “This situation brings together a perfect storm of issues —mag stripe vs. chip, PIN vs. signature debit, and merchant storage of data,” comments Cundiff. “I think this is potentially the beginning of building a business case for chip cards in the U.S.”

He explains that replicating a physical smart card, while not entirely impossible, is certainly more difficult than manufacturing bogus mag stripe cards. The U.S. market never saw the use for chip cards since fraud rates on signature transactions have not been large enough to warrant the investment necessary to switch over to chip. “But this case shows the fraudsters have caught up. I’m wondering if this is the tipping point for adopting chip cards in the U.S.,” he says.

SystemExpert’s Gossels is not so sure about this. “It is important to focus on what the problem is that you’re trying to solve,” he explains. “Smart cards would not have solved this particular problem. Look at the way credit cards are used over the phone. You give your name and account number to the person on the other line. It doesn’t matter if they have your card, as long as they have your data.”

Further, he says the availability of smart card manufacturing equipment is becoming increasingly more available and user friendly. “Smart card equipment is not much more expensive that magnetic stripe equipment.”

Aside from policing their partners better, Gossels says another means for banks to prevent data breaches is by taking steps to improve the strength of PINs by setting standards on their length and quality.

USATODAY.com – Security breaks could curtail debit card use

PIN-based debit card transactions have been seen as more secure than signature-based debit card purchases

The assumption has been that PIN will eliminate ‘card present’ fraud.  The combination of a chip card that can’t be replicated and a PIN is the panacea.  However the Citi ATM situation just validates what your internal security guys will always tell you.  The best you can do is manage fraud;  you cannot eliminate it because the bad guys are always one step ahead of you, and have already factored your new security into their plans.
Some things are clear, and this varies a little between Europe and North America, but not much:

Relevance to Bankwatch:

1. Simple introduction of PIN and shift of liability to the consumer could be an unmitigated disaster, without consumer support from the banks – consumers look to banks to provide security, not excuses
2. The management of concurrent mag stripe/ chip, and signature/ PIN could result in the worst of both worlds.  Increased operating costs, and increased fraud.
   

Security breaks could curtail debit card use

By Kathy Chu, USA TODAY

A recent spate of fraudulent bank card transactions is complicating a question that arises each time you reach the checkout register: debit or credit?

Citibank, Wells Fargo and Bank of America are among the banks that have reissued U.S. debit cards in recent months after a third-party security breach allowed fraudsters to obtain bank card information — including some customers’ personal identification numbers, or PINs.

The banks haven’t identified the source of the breach or how many cards have been reissued.

But as more people become aware of the incidents, “I think consumers will think twice before they enter a PIN anywhere,” says Avivah Litan, an analyst at Gartner.

Some consumers could decide it’s safer to sign for bank card purchases with a Visa or MasterCard logo, Litan says.

At the least, “People may be more leery about making sure that no one’s behind them when they type in their PIN numbers,” says Chris Allen of Dove Consulting, a research firm.

The security breach comes as consumers are increasingly using debit cards to pay at the cash register. Debit transactions are the fastest-growing form of electronic payments; they nearly doubled, to 15.6 billion transactions, in 2003 compared with 2000, according to the most recent Federal Reserve data.

Much of the growth of debit cards in that period came from signature transactions, rather than PIN-based ones.

Historically, though, PIN-based debit card transactions have been seen as more secure than signature-based debit card purchases. A 2005 study by Pulse, a debit card network, showed that a PIN debit card transaction was about 15 times safer than its signature counterpart, based on losses per transaction and per sales volume.

That’s because fraudsters who obtain a traditional ATM card — without a MasterCard or Visa logo — would have to know the PIN to make a purchase. But the recent breaches could shake public confidence in the security, Litan says.

Also, the industry may have to rethink how it detects fraud, because, “Systems around PIN debit are not as advanced as the ones around signature debit,” she says. “There was never a need.”

If fraud occurs in a credit card transaction, you usually have no liability. Signature debit card transactions often enjoy the same protection. But if fraud occurs with a PIN debit card transaction, the consumer’s protection can vary by bank.

Wells Fargo, Bank of America and Citibank say customers have zero liability from fraudulent debit card transactions, whether signature or PIN-based. Consumers should notify the banks, however, within 60 days of when the statement is mailed.

By law, banks must limit debit card liability to $50 if you notify them within two business days after a debit card has been lost or stolen.

If you notify your bank within 60 days of when the statement is mailed, you could be liable for $500. Wait longer than that, and you could lose much more.

Relevance to Bankwatch:

Banks have to get used to bad guys doing bad things, and get their minds around guarantees to customers.  Its like the Rolls Royce story – they never break down, and banks should be the same.

Guarantee your customers that their money is safe.  Eliminate the subtext and condition that bankers always leave as an out, just in case customers try to defraud them.  But how many actually try to do that?  Its time to manage to the majority that are honest customers who simply want to rely on their bank.

From Techweb:

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

Here is what Citibank said:

Citibank, the consumer and corporate banking arm of Citigroup Inc., confirmed Wednesday that the bank and its customers were the victims of a third-party company information breach that has forced the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K.

And finally, here is how the US banks are co-operating to try and stem risk from reliance on third parties.

These highly publicized embarrassments are beginning to have some affect on how companies handle customer data. In February, Citigroup, Bank of America Corp., Bank of New York Co., J.P. Morgan Chase & Co., U.S. Bancorp, and Wells Fargo & Co., plus major auditors and service providers, released a common methodology that financial services companies could use to assess service-provider security. BITS, a consortium backed by the financial-services industry, developed the methodology after studying service providers including Acxiom, First Data, IBM, Viewpointe Archive Services, and Yodlee. The goal is to give service providers consistent demands and make them live up to them. Banks are cooperating because they know the alternative: fines, lawsuits, and a tarnished image that can’t be easily fixed.

Full Techweb report:

By Gregg Keizer, TechWeb News

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs “the worst consumer scam to date.”Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

“This is the worst hack ever,” Litan maintained. “It’s significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things.”

Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

“That’s the irony, the PIN was supposed to make debit cards secure,” Litan said. “Up until this breach, everyone thought ATMS and PINs could never be compromised.”

Litan’s sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards’ magnetic stripes, the associated “PIN blocks,” or encrypted PIN data, and the key for that encrypted data.

The problem, she continued, is that retailers improperly store PIN numbers after they’ve been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with “at least a couple of thousand records, maybe more” and have cashed out to the tune of “millions already.”

The victim of the hack attack isn’t yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.

“This will become a trend with criminals,” she bet. “Hackers will do this as much as they can” because it’s far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.

So what’s a consumer to do?

“Security is tight at the ATM, but point-of-sale is a whole other story,” said Litan. “Look at your [debit card] account on a regular basis, and don’t use a PIN-based debit card at point-of-sale,” she recommended. “I never do.”

_________________________

The bad guys continue to send out the emails, and about 13% of customers receiving those emails respond (Forrester), but the Banks catch them mid stream too.  As much as the bad guys are smart, the Banks fraud pattern recognition systems are getting pretty good too.  Its hard to believe a customer can make a debit transaction in Edinburgh and a ATM transaction in New York at the same time, so its pretty easy to build models to watch for that pattern.

This pattern recognition, will drive the bad guys to go deep on the weak links, such as PIN/ debit card before we go to chip card.

InformationWeek | E-Fraud | PIN Scandal ‘Worst Hack Ever’; Citibank Only The Start | March 9, 2006

The scam has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, all of which have re-issued debit cards in recent weeks, says a Gartner research vice president.

By Gregg Keizer
TechWeb News

Mar 9, 2006 04:35 PM

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs “the worst consumer scam to date.”

Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam — and scandal — has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

“This is the worst hack ever,” Litan maintained. “It’s significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things.”

Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

“That’s the irony, the PIN was supposed to make debit cards secure,” Litan said. “Up until this breach, everyone thought ATMS and PINs could never be compromised.”

Litan’s sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards’ magnetic stripes, the associated “PIN blocks,” or encrypted PIN data, and the key for that encrypted data.

he problem, she continued, is that retailers improperly store PIN
numbers after they’ve been entered, rather than erase them at the
PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often
stored on the same network as the PINs themselves, making a single
successful hack a potential goldmine for criminals: they get the PIN
data and the key to read it.

In this case, Litan said, the thieves used the information to
crank out counterfeit debit cards, then emptied accounts at ATMs. She
estimated that they absconded with “at least a couple of thousand
records, maybe more” and have cashed out to the tune of “millions
already.”

The victim of the hack attack isn’t yet known, although some
banks have pointed fingers at OfficeMax, which has denied that its
system was penetrated.

Litan believes it much more likely that a third-party processor
or terminal supplier was involved; the silence about the victim could
point to a processor, she said, because they have the most to lose by
the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive
breach that involved millions of accounts; CardSystems essentially sank
under the publicity, and was later bought by Pay By Touch. In February
2006, the FTC reached a settlement with CardSystems that require it to
adopt more stringent security measures, but the company remains open to
consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway
through cleaning up the breach, said Litan. And more of the same is on
the way.

“This will become a trend with criminals,” she bet. “Hackers
will do this as much as they can” because it’s far easier to empty
checking accounts at ATMs than to buy goods with purloined credit
cards, then sell the goods to generate cash.

So what’s a consumer to do?

“Security is tight at the ATM, but point-of-sale is a whole
other story,” said Litan. “Look at your [debit card] account on a
regular basis, and don’t use a PIN-based debit card at point-of-sale,”
she recommended. “I never do.”

Citibank card fraud – magnetic strip to blame? – Financial Services – Breaking Business and Technology News at silicon.com

Citibank this week admitted that hundreds of its US customers had been affected when hackers broke into the ATM network through a retail store server and stole a “block” of PINs and the keys to decrypt them.

The article goes on to quote an expert, that Chip cards are better than mag stripe.  This article makes me still think that its a mistake to offer Chip and mag stripe on the same card.  As long as the stripe is there, the vulnerability is there.  I think there could be a case for chip only cards, and then offer lower value mag stripe cards for travellers to countries that don’t have chip. 

The analyst said the crime reflects the largest PIN theft to date
and the financial industry will be hit by more PIN-block fraud in the
future.

She said: “Phishing was last year but banks have
wised up to that, so now it’s the PIN block fraud. Certainly this is a
pot of gold for them.

“What’s better – going for cards or
going for the details? This is the simplest way – breaking into the
bank using the ATM system. With the UK it was because Americans go
there and use the magnetic stripe [on their cards].”

Citibank refused to tell me anymore details beyond saying a group of illegal
crackers had generated a bunch of account numbers and also generated a
bunch of pin numbers.

It all began this way….

I first attempted to use my ATM card at 4:42PM to access $100 from my
checking account. I was at a small local market, not a bank. To my
surprise, the ATM machine rejected the transaction and urged me to
contact my financial institution. The machine also reported on the
receipt "INELIGIBLE ACCOUNT." Thinking I'd merely made a mistake,
perhaps even in balancing my checking account, I attempted to withdraw
the same amount of money from my savings account. I know that I
correctly typed my pin number in but again, I was rejected and urged to
contact my financial institution. I assumed those messages about
rejection were just custom to the machine and there was some issue with
that machine.At this point, I was pretty sure that something was amiss but I decided
to defer judgment until I'd visited a real bank of some sort. It could
just be the ATM machine I'd used. I walked down the road to a Royal Bank
of Canada and I attempted to use my ATM card again. Having absolutely
zero Canadian cash with me, I was hopeful this would work. Much to my
dismay, it did not. Attempting to withdraw from my checking account
resulted in a similar "INVALID ACCOUNT" message. The same of my savings
account. An attempt to withdraw from my credit card tied to my ATM
account also failed.

Here
is the entire account. From a customer perspective this service level
is precisely why Banks have a bad reputation. It may not be the
customers fault, but the opportunity to make this one loyal customer is
lost forever now.

This is a short account of dealing with Citibank on Saturday March 4th.

All times are in Eastern Standard Time. I'm currently in Toronto, Ontario, Canada.

I first attempted to use my ATM card at 4:42PM to access $100 from my
checking account. I was at a small local market, not a bank. To my
surprise, the ATM machine rejected the transaction and urged me to
contact my financial institution. The machine also reported on the
receipt "INELIGIBLE ACCOUNT." Thinking I'd merely made a mistake,
perhaps even in balancing my checking account, I attempted to withdraw
the same amount of money from my savings account. I know that I
correctly typed my pin number in but again, I was rejected and urged to
contact my financial institution. I assumed those messages about
rejection were just custom to the machine and there was some issue with
that machine.

At this point, I was pretty sure that something was amiss but I decided
to defer judgment until I'd visited a real bank of some sort. It could
just be the ATM machine I'd used. I walked down the road to a Royal Bank
of Canada and I attempted to use my ATM card again. Having absolutely
zero Canadian cash with me, I was hopeful this would work. Much to my
dismay, it did not. Attempting to withdraw from my checking account
resulted in a similar "INVALID ACCOUNT" message. The same of my savings
account. An attempt to withdraw from my credit card tied to my ATM
account also failed.

I think I was a bit miffed at this point because it was cold and I had
no money. I was late and highly inconvenienced by this. I walked back to
my girlfriends apartment and called my bank collect. The number I called
was 210-677-0065 as is printed on the back of my card. At this point it
was around 5:10pm.

After waiting on hold for sometime, I spoke to a representative who
verified my account. I explained that I wanted to know why I'd been
locked out of my accounts. He verified that I had my card. He also
verified that I was in Canada. He had no idea what was wrong with my
account. He suggested that perhaps I was unable to type my pin in
correctly each and every time. I suggested he was mistaken and that I
wasn't going to have any nonsense about this being my fault. He put me
on hold for the better part of ten minutes and eventually I was
transferred to his supervisor.

The supervisor identified herself as a manager named Carla ID#CRU194. I
identified myself as an upset customer whose account was locked for some
unknown reason. She asked me a few questions about my location, my issue
and then informed me that my card was suspected of fraud.

Naturally, I perked my ears up and asked for details of any fraud. She
informed me that there had been no direct fraudulent transactions on my
account. Rather, she informed me that the ATM networks of Canada, Russia
and the United Kingdom have been compromised. I used the term class
break as a question and she repeated that there has been a class break
of the ATM networks in those countries. The ATM network in Canada has
been compromised and as a result, using my ATM card over the Canadian
network locked my account automatically. She informed me that this has
been an ongoing issue for the last two weeks. When I asked why there was
no media attention, she said she wasn't sure. I said it was a pretty big
deal and she agreed.

She informed me that I would have to return to the United States to
change my pin number before my card would be valid and in a usable state
again. When I informed her that I would be traveling outside of the
United States for at least a few months, possibly up to six, she
repeated that I would have to re-enter the United States to fix the
problem.

I found this to be entirely unacceptable and I asked that my account be
unlocked. It was locked upon the first usage in Canada not one hour
previously and there was no fraud reported on my account. She refused
and said that their system had a series of checks and balances she could
not reset. She suggested a method to reset the flag on my account that
involved mailing me a new ATM card to my home in California and
suggested that I have a local friend mail it to me in Toronto. She also
refused to mail me a card in Toronto. She could only mail it to my
registered home address in the USA. I explained that I wasn't planning
to be back in California anytime soon and she still refused to unlock my
account.

She suggested that I could get money by asking for a cash advance
against the Mastercard portion of my ATM card. She instructed me to go
into any bank and simply ask for "emergency money" with my passport and
ATM card. When I pointed out the fact that it was Saturday and after
5:00pm, she said I'd just have to wait until Monday. When I again
explained that I had no money and that's why I was visiting an ATM, she
suggested I go into a bank again. We went back and forth for awhile like
this and she conceded that until Monday, I was out of luck. So now that
we'd confirmed I was out of luck until Monday for so called "emergency"
funds, she tried to explain methods for me to continue to get money
until I returned to the USA. She upped my limit for a daily withdraw to
$7000 and suggested that I just take out as much as I think I'd need.
Once the banks were open next week of course. Just carry around six
months worth of cash with you, then it's not our problem Sir!

I decided that mailing a new card should be the best way to solve this
issue. She again told me that she couldn't mail it to me in Toronto and
that it would have to go to my home address where my bank statements are
mailed. I asked her what assurances she could offer me with regard to my
card actually working once it had been re-mailed to me from California
to Toronto. She informed that they offered none (!) and that I should
simply take out a large sum of money in the case that my card was
automatically frozen again! This is of course assuming that my card even
works the first time! She couldn't even assure me that it would work
once!

Aiieeeeee!

That was the best solution she offered me. I can wait until banks open
and take out large sums of money. They don't care that I'm left up the
creek without a paddle until Monday morning. The follow up to that
solution being that I could request a new card that might have the same
issue. She also informed me that the Mastercard portion of my ATM card
should work (should?!) and will not be canceled until I activate my soon
to be mailed card. I can live off of my credit card until I get my
perhaps new working ATM card, maybe.

My girlfriend asked "How does this affect me?" She's a Canadian and
wants to know about how her countries ATM network has been compromised.

Citibank refused to tell me anymore details beyond saying a group of
illegal crackers had generated a bunch of account numbers and also
generated a bunch of pin numbers. They didn't tell me if my card was one
of the numbers generated, they just told me that I was lucky. Carla
said: "Other people have lost everything. They've got it much harder
than you."

I was pretty infuriated and informed her that the customers had lost
nothing unless they had over $100,000USD. Everyone is FDIC insured and
they're simply covering their own assets. They're giving everyone a
difficult time because they're covering the profits of their corporation
at the cost of their customers. She agreed that the FDIC does cover them
and that no, they'd not lost everything. Amazing way to frame it. "We've
been owned, you lose everything! Terrible! So sorry!" Telling me I'm
lucky because others have lost everything. Amazing! What a stance for a
company to take, telling its customers that they've lost everything when
Citibank has been compromised in someway that's not even remotely
related to the customer!

Anyway, I'm a resident of California. I believe there is a security law
that requires Citibank to notify all of their customers in California of
an account compromise. Does this apply to my account now? If so, when
will Citibank comply with this? When will I get a detailed report of the
compromise from Citibank? Why didn't Citibank alert me when they know I
travel frequently? Especially when I informed them I'd be in Canada over
the next few months to avoid the fraud department from locking my
account? I'd called them in January to inform them of my travels between
the USA and Canada for the next several months.

After I got off the phone, I confirmed that the Mastercard portion of my
card does work for purchases. I can't get any cash from a merchant but I
can live off of my credit card until I find a way to get cash. Anything
that requires cash is entirely inaccessible for me until banks open, so
much for my plans to take public transit, attend a cash only concert and
ironically, use a photobooth for a friends birthday. I can't ride the
streetcars or subways unless I find someplace to let me buy tickets with
my credit card, I'm not even sure if that's possible in this city let
alone on the weekend. I guess I'll find out! I can't even buy food
unless I meet some minimum credit card purchase price. Citibank doesn't
care about these issues, they refused to unlock my ATM card when I
presented them with my dilemma. They only care about their bottom line
and they attempt to make their customers feel bad, as if we've done
something wrong!

As asked here, "So what’s really going on? Is there a security breach or a vendor issue?"

Given there are now two Banks involved, I would suggest there must have been a compromise at a payment / acquirer centre, probably in the US, and there will be more Banks involved before this is over.

More to come!

Massive Citibank Alert: UPDATE – Consumerist

UPDATE: Bill Hansley told BoingBoing that the Royal Bank of Canada is having similar issues.I’m a US customer of Royal Bank of Canada / Centura, and they’re having similar issues. The word from them was that Visa corp told them that several thousand (65,000 according to the service desk people at my grocery store, who knew about this as well) *cards* (not accounts) had been compromised and were cancelled Saturday and replacements mailed. My card was affected, my wife’s, who’s on the same account, was not. I wonder how many other banks were affected?

Seems there is more to this problem, with worldwide Citibank. Citi are not handling this very well … more to come.

Relevance to Bankwatch:

• Banks are judged more on they manage and address problems, and lack of transparency makes it worse.

Massive Citibank Alert: UPDATE – Consumerist

They’ve known about the problem for a month. Citibank alleges that the service shutdown is not due to class break or security fault, but is because some of the various interlocking ATM networks are not accepting transactions initiated by Citibank customers. He said that he was unable to specify which networks were affected as Citibank didn’t know either. The rep confirmed that the problem only affects Canada, UK and Russia.

So with that rant out of the way, on with the ATM fraud story; some fact, case studies, and hopefully some perspective.

• Banks take ATM fraud very seriously. If its troublesome for the individual consumer, consider how difficult it is for the Bank to communicate with customers, issue new cards, new bank accounts, re-instate stolen funds, and get that customer back on track again. Believe me the costs are such, that the profitability experts will likely say that customer is now mathematically a loss leader possible for ever. So … Banks take ATM fraud very seriously.
• The number of occasions that fraud occurs is low relative to the number of transactions that take place. Of course its never low enough, but each Bank does several hundred million ATM transactions annually. For all banks in Canada for example, here are the stats from the CBA. They haven’t got 2005 status up yet, but they will be similar, with slight drop. Note that is 750 million cash withdrawals. There are only 32 million people in Canada and of those, some 20 – 25 million old enough, or have bank accounts.

• Number of transactions at bank-owned ABMs

• There are guidelines for using your debit card, and Canada has some very good advice on that for consumers, again at the CBA.  I would add a couple of my own:-
• Think before you skim your card anywhere.  e.g. do not use your debit card to open the ATM vestibule – use your library card, or air miles card.  There could be a skimming device in the door opener.
• Take a look at the merchant before you skim you card for a $5 item … carry some cash for small transactions

ATM fraud examples:

Some examples.  Note these examples are dated, but remain relevant as to style and MO.

1. Police arrest Russina – 2002 skimming case
2. Two women sentenced – 2002
3. Skimmers hit Bank ATM’s – 2002
4. Lebanese Loop – wikipedia
5. “In fact, McGrath also told W-FIVE that the Canadian Bankers Association does not consider debit card fraud to be a major crime despite the fact that about 27,000 Canadians have been victims of this crime to the tune of $44 million in 2003.” – CTV
6. New York Feb 2006 – At home, he had 105 more cards and nearly $70,000 in cash and goods.”
7. Dominican republic:  Automated Teller Machines (ATM’s) are present throughout Santo Domingo and other major cities. However, as with credit cards, the use of ATM’s should be minimized as a means of avoiding theft or misuse. One local ATM fraud scheme involves sticking photographic film or pieces of paper in the card feeder of the ATM so that an inserted card becomes jammed. Once the card owner has concluded the card is irretrievable, the thieves extract both the jamming material and the card, which they then use.
8. Fraud trends – Credit Association of Greater Toronto

Some conclusions:

• ATM fraud is highly sophisticated involving some very smart technology people
• ATM fraud is highly targetted – A big bank ATM is likely to be safer than that white label machine in the pub, or corner store.
• ATM fraud requires two things to happen
• Skim your card in order to make a copy of it
• Steal your PIN.
• MORAL:  Do not EVER let anyone or anything see you key your PIN – protect it at all costs

The future:

Chip cards are coming soon.  They are being developed and in place in many countries.  In Canada, pilots will be running in 2007, and full rollout for 2008 and beyond for debit cards.  All Credit Cards will be chip enabled by 2010.

Chip cards cannot be copied.  So in the “two things have to happen” above, chip eliminates the first problem.  Of course the bad guys will then try to steal cards, but as long as you protect your PIN, your card remains safe.

Aside from how well Citi handled this, I think this it is more plausible that this customer used a machine at a specific ATM location that had some fraud perpetrated. I am not aware of any situation where an entire country is under suspicion as the article seems to suggest. I know the customer is frustrated, but the issue here is actually broader in many respects – its a worldwide issue and everyone should go to great lengths to protect their PIN every single time they use it at a merchant, or at an ATM.

The post links also to this related story, which resulted in cards being cancelled after fraud was perpetrated on US machines.

Boing Boing: Citibank under fraud attack, customers locked out of accounts

ake called Citibank's international customer support number, and soon learned that the lockout was part of a much larger fraud crisis — by no means the only data security issue at Citibank in recent months.and ….

Rather, she informed me that the ATM networks of
Canada, Russia and the United Kingdom have been compromised. I used the
term class break as a question and she repeated that there has been a
class break of the ATM networks in those countries.

Relevance to Bankwatch:

How Banks handle customer fraud is a determinant in customer loyalty, and strategic differentiation.

1. Old hardware that needs to be replaced
2. Regulatory pressures to provide Triple DES encryption
3. Fraud from card skimming, driving to EMV readiness

This is incredibly expensive, with a typical decent sized bank fleet renewal running to US $200 million plus. But this doesn’t get you anything new; just the typical depsoit withdrawal, bill payment that exists today.

The real benefit arises when you get into new applications for the ATM that lever the fact you have secure hardware deployment at convenient consumer locations across the country.

Three strong examples:

1. loyalty points
2. cell phone top up
3. Transit/ tube/ subway card

Thinking this way will start to see a business model around ATM’s evolve that views them as a profit centre, not as a sunk cost.