Friday, July 24, 2009

NYC Woman Accused of ATM Fraud at Pa. Slots Parlor

http://www.philly.com/philly/wires/ap/news/state/pennsylvania/20090723_ap_nycwomanaccusedofatmfraudatpaslotsparlor.html

EASTON, Pa. - Authorities in eastern Pennsylvania say an illegal immigrant from China bilked casino patrons out of as much as $10,000 last month.

Northampton County District Attorney John Morganelli says 56-year-old Shoumin Chai scammed casino patrons who used an ATM at the Sands Casino Resort in Bethlehem last month. Surveillance footage allegedly shows Chai offering to assist two dozen people with their withdrawals and double-swiping their cards to access their accounts.

Morganelli says three people have already come forward claiming $1,100 in losses.

Chai, a New York City resident, faces more than a hundred charges. Her bail was increased to $200,000 on Wednesday.

Morganelli says Chai has a history of fraud convictions and was banned from Atlantic City casinos in May. Immigration officials say they have begun deportation proceedings.

Posted by NAAIO at 14:11:46

Customers File 9 Federal Lawsuits Seeking ATM Fee Payback

http://www.pittsburghlive.com/x/pittsburghtrib/news/pittsburgh/s_627580.html

By Jason Cato | TRIBUNE-REVIEW | Monday, June 1, 2009

ATM transactions might cost a number of financial institutions and operators in Western Pennsylvania more than a nominal fee if they lose a rash of lawsuits filed in federal court in Pittsburgh.

Customers filed nine lawsuits during a two-week period claiming they used automated-teller machines that violated the Electronic Funds Transfer Act because “no notice was posted ‘on or at’ the ATM,” as federal law requires. The law requires notifying customers of fees by signs located on or near the machines and on-screen before transactions are completed.

Each lawsuit alleges there was no sign, although customers were notified on the screen of fees ranging from $1 to $2.

“Go to 20 ATMs, and I think you’ll see that people tear the stickers off everyone’s machines,” said Tom Ronalo, president of ATM Cash World in Green Tree.

Ronalo’s company is being sued by a Wexford man who claims a machine in a Coraopolis convenience store violates the law. Dale Holland said he was illegally assessed a $2 fee. Other defendants include Clearview Credit Union, Northwest Savings Bank and Allegheny Valley Bank of Pittsburgh.

“We’ve got a thousand machines,” Ronalo said. “People tamper with them. I don’t see how anybody can be damaged by that.”

Congress saw differently when it made several amendments to the law in the 1990s, though lawmakers placed a $500,000 limit on the amount a company can lose through a class-action lawsuit.

“The overwhelming majority of financial institutions and ATM operators are in compliance with the law,” said Bruce Carlson, a Sewickley lawyer whose firm filed the nine lawsuits and seeks class-action status for them. “But the law speaks for itself. The requirements are unambiguous.”

Carlson said legislators encouraged lawsuits as an enforcement tactic because the government lacks the resources to make sure each machine complies with the law.

“These lawsuits and publicity will make sure everyone soon is in compliance,” Carlson said.

Class-action lawsuits often recoup minimal losses for many people, said Jonathan Klick, a University of Pennsylvania law professor.

“Individually, you would never bring your own case if it cost $5,000 to win $1,000,” Klick said. “If we didn’t have these cases litigated, these companies would have nothing to worry about and no reason to change.”

A Chicago bank this year settled a similar lawsuit for $75,000 after it was sued for charging customers $3 per transaction instead of the $2 it told them they would be charged. Of the settlement money, the person who sued received $3,000 and his lawyers took $31,000. The remaining $41,000 will be split among the class-action members, with each getting up to $75.

Posted by NAAIO at 14:07:59

Wachovia Offering Reward in Stolen ATM Incident

http://www.onlineathens.com/stories/072309/new_468131411.shtml

Well-equipped thieves take ATM

With stolen forklift, bank robbers pull off a hoist

By Joe Johnson  |  joe.johnson@onlineathens.com

Wachovia has posted a reward after thieves stole an ATM this week from the drive-thru of the bank’s Mitchell Bridge Road branch.

The thieves boosted a forklift from an Atlanta Highway construction site early Monday morning, drove it to the bank about a mile and a half away, then used it to rip the ATM from the ground and load it into a pickup, Athens-Clarke police said.

As officers responded to a silent bank alarm at 4:24 a.m., a witness called 911 to report she saw the driverless forklift rolling across the parking lot of Athens Promenade shopping center on Atlanta Highway, which is adjacent to the bank.

Officers barely missed the thieves, arriving soon after the forklift crashed into a tree at the shopping center, according to police.

The forklift was stolen from Adcock Furniture Co., 4220 Atlanta Highway, but police don’t know if the thieves drove it to the bank at 1200 Mitchell Bridge Road or loaded it into another vehicle.

Thieves began using forklifts and other construction equipment to steal ATMs in metro Atlanta about five years ago, but the technique is just reaching Clarke County, police said.

The trend began in the summer of 2004, officials said, when police arrested a heavy equipment operator at his home in Conyers in connection with seven ATM thefts over a five-week period.

More recently and closer to home, ATM thieves struck in Banks County two months ago.

Athens-Clarke police Detective Sean McCauley plans to compare notes with authorities there who are investigating an attempted ATM theft on May 2 from Northeast Georgia Bank on U.S. Highway 441 in Commerce.

The thieves stole a forklift from a construction site on the other side of the road, drove it to the bank and plunged the forks into the ATM, tearing it from the ground and placing it in a pickup truck’s bed, Banks County Sheriff Charles Chapman said.

When the bank’s alarm went off, the startled thieves rushed to get away. They didn’t secure the ATM and the machine fell into the bank’s parking lot.

They abandoned the pickup - which was stolen in Gwinnett County - in Jefferson, not far from Interstate 85.

A Banks County investigator met with officers from the Peachtree City area, where thieves used the same method to steal 11 ATMs.

“They all happened between 3 and 5 in the morning, and they all used stolen construction equipment to put the ATM machines into stolen vehicles,” Chapman said.

“It’s probably going to be the same perpetrators,” he said. “It may or may not be a large group of them, but they’re going to be one and the same.”

The thieves in Monday’s heist probably used a stolen truck, and the vehicle will turn up abandoned over the next few days, Chapman predicted.

Wachovia is offering up to $20,000 in reward money for information leading to the arrest of the thieves.

Anyone with information can call McCauley at (706) 353-4218, extension 141, or use the Crime Stoppers confidential tip line, at (706) 613-3342.

Editor’s note: Due to incorrect information provided to the Banner-Herald, the amount of award money offered by Wachovia Bank was incorrect in a previous version of this story.

Originally published in the Athens Banner-Herald on Thursday, July 23, 2009
Posted by NAAIO at 14:03:36

Wednesday, April 29, 2009

Remote Key Loading: The Next In ATM Security for ISOs

Dennis “Abe” Abraham has spent the last five years waiting for remote key loading to reach a tipping point. The president of Concord, N.C.-based Trusted Security Solutions Inc., developer of the A98 remote key loading system, says the timing for RKL is finally right, and independent sales organizations are now seriously considering their options.
 
Though complicated by complex algorithms and multiple levels of encryption, the function of remote key loading is simple. Basically, RKL eliminates the need for ATM technicians to physically visit ATMs for manual key changes - thus eliminating expense and the possibility of human error.


After completing their investments in Triple DES upgrades, ATM deployers are now finally able to focus some time and money on RKL. Up to this point, financial institutions have expressed interest in RKL, but few have made large investments. In the ISO space, movement has been, by and large, non-existent.

And there are a few reasons for that.

Deployers of off-premises ATMs have not been as diligent about ensuring their keys are changed. In fact, before the October 2008 release of version 1.2 of the Payment Card Industry Council Data Security Standard, no definitive requirements for key changing existed. ATM deployers were required to change keys if and when audited, but audits were not mandated across the board.

Under version 1.2, keys must be changed every 12 months, and the networks are watching, says Chuck Hayes, product development manager for Long Beach, Miss.-based Triton Systems of Delaware. That PCI push has encouraged manufacturers like Triton to start marketing RKL as part of the overall ATM offering.

“It’s a differentiator for us,” Hayes said. “It’s the first time an RKL solution has been brought to market for the off-premises space, and that’s helping us enjoy a competitive advantage.”

Triton’s patent-pending RKL offer may only require a software upgrade, if the ATM already has Triton’s upgraded encrypting PIN pad.

For an ISO that acquires and needs to merge a fleet of remote-key capable ATMs with an existing fleet of ATMs that aren’t remote-key ready, the Triton solution calls for a mere switch of the host for transaction processing, Hayes says.
 
“The business case for ISOs is simple: less key handling,” he said. “That’s an advantage. If an ATM key was corrupted, the host could rekey that ATM within minutes, rather than having to go through the manual process of sending someone out, which takes time and expense.”

A case for ISOs and FIs
 
RKL adoption is definitely picking up, Abraham says, from the FI and ISO sides of the business.
 
“In today’s economy, the price of labor is going up and the number of people is diminishing,” Abraham said. “Everybody is looking for more efficient ways of doing things.”
 
Wes Dunn, the director of business development for Hayward, Calif.-based Tranax Technologies, says adoption of remote key loading will be critical for ISOs in the coming months.
 
“The ISOs are the ones that lose out on this deal, because if they have to go out and change those keys manually — especially when we are already in a business of pennies — and have to do it once a year, it’s going to get very expensive. The ISO is going to have to bear the cost, because the retailer is not going to understand why the keys need to be changed and is not going to pay for it.”
 
Tranax expects to launch its own RKL solution by the end of the year.
 
“We understand the importance of it,” Dunn said. “With all of the regulation, it’s going to become a very hot topic very fast, and the financial implications of not doing remote key could be potentially devastating.”
 
As with ISOs, the business case for RKL is also reaching a tipping point for more FI adoption.
 
“Up until now, there have been a lot of other things going on in the financial space, and many banks didn’t see that they were losing too much money in this area — at least not enough to make it worth an investment,” Abraham said. “Besides, up until recently, many ATMs out there weren’t even capable of doing remote key. Now that Visa requires all new ATMs to be remote-key capable, the market’s perception is changing.”
 
Trusted Security now works with Triton, Wincor Nixdorf, Diebold Inc. and NCR Corp. on remote key solutions. But some hurdles still need to be jumped.
 
For one, Abraham says, many PCI auditors and rule makers are not educated well enough about RKL to conduct audits and set policy.
 
“They are trying to connect symmetric cryptography to asymmetric public key cryptography, and there is no connection there,” Abraham said. “There are a lot of rules being made that don’t make sense. We have a need for a lot of education.”
 
Diebold’s patent raises eyebrows
 
RKL can be handled in one of two ways: either through a signature-based protocol or a certificate-based protocol. NCR and Wincor Nixdorf International rely on the signature-based method. Diebold uses a certificate-based protocol.

With a signature-based protocol, the data structure is very simple. It’s a structure of information, such as a public key, that has a digital signature attached to it.

With a certificate-based protocol, the data structure is much more complex. The data being transmitted is much larger, so it’s not easily transported over dial-up networks. And the certificates themselves contain much more information.
 
“Because of that complexity, implementation for Diebold CBP (certificate-based protocol) would not work on a Triton CBP,” Abraham said. “They each have differences; so consequently, we end up implementing different protocols.”
 
What concerns other manufacturers and bankers, as it relates to Diebold’s certificate-based protocol, Abraham says, is that because the solution is patented, permission must be granted by Diebold to utilize the protocol. Everyone is worried about a lawsuit.
 
Some manufacturers have developed their own key loading solutions. Others, like Triton, are working with third parties like Trusted Security.
 
“In our system, we treat everything as a data transport, so the ATM deployer doesn’t have to worry about the difference in CBP or SBP,” Abraham said. “We do all of that stuff internally.”

Posted by NAAIO at 12:28:26

Wednesday, March 25, 2009

Alert! Use Caution When Purchasing or Deploying PIN Entry Devices (PEDs)

In the past, PIN Entry Device (PED) security requirements originated from Visa, MasterCard and JCB. That is no longer true. Currently, the five major payment brands (American Express, Discover, JCB, MasterCard and Visa) have come together to form the Payment Card Industry Security Standards Council, commonly known as PCI.

Until PCI came along, Visa maintained on its website a listing of compliant point of sale devices and encrypting PIN pads, but Visa’s listing (today referred to as the Pre-PCI device listing) expired on December 31, 2007. The Visa Pre-PCI device listing was replaced by the PCI listing now available on the PCI website at www.pcisecuritystandards.org.

According to Visa, all Pre-PCI device approvals have expired as of December 31, 2007 and Pre-PCI devices cannot be purchased after their approval expiration date. Pre-PCI devices can be deployed after December 31, 2007 only if purchased before December 31, 2007.

Why is this important to ATM ISOs and Operators? As ATM ISOs and Operators shop for PEDs to be used as replacements or upgrades in their ATMs, they need to be cautious of sellers who offer devices for sale that are not on the current PCI PED approval list. For example, be cautious of advertisements or listings that make no mention of PCI PED approval. And be cautious of ads that might state products as “Visa approved.” You might be buying obsolete products that will expose you to liability according to network rules.

In order to avoid liability associated with the compromise of a personal identification number (PIN), it is the obligation of every ATM ISO or Operator to make sure they purchase and deploy PEDs on their ATMs that are PCI PED approved.
 
Currently, the one and only place to verify whether a PED is approved is the PCI website.

IMPORTANT PCI LINK: https://www.pcisecuritystandards.org/education/prioritized.shtml

Posted by NAAIO at 22:00:14

NAAIO Has Second Meeting with MasterCard

On February 24, 2009, representatives of NAAIO met with MasterCard for a second time at MC’s headquarters in Purchase, NY. NAAIO representatives included Steve Burns (E-Cash; NAAIO Board member and NAAIO President), Ray Varcho (WRG Services Inc; NAAIO Board member), and Darryl Ware (WWS ATM; NAAIO Board member). The meeting was coordinated and attended by Kendall Harsch of MetaBank, a leading ISO sponsoring financial institution.

NAAIO, on behalf of its membership, welcomed the invitation to sit down with top decision makers who hold responsibility for ATM program management. As a continuation of the introductory meeting held in November of 2008, significant effort was devoted to a discussion of the typical ISO ATM business model, as compared and contrasted with the financial institution ATM model. The discussion included the current state of the ATM ISO industry and the challenges related to surcharge, interchange, equipment pricing, service, and ancillary products and services such as co-branding. NAAIO and MC are exploring ways to foster ATM transactional growth.

Other topics of discussion included educational and public relations efforts, as well as frivolous chargeback activity, non-compliant operators, and non-compliant ATMs.

A third meeting with MC is being planned. In preparation for that meeting NAAIO welcomes comments and suggestions from all its members, whether ISOs, Operators or Vendors. NAAIO encourages each of its members to get involved. Let your voice be heard.
Posted by NAAIO at 21:50:57

NAAIO Has Joined the PCI Security Standards Council

Last month, at our annual meeting, we announced that NAAIO has been accepted to the PCI Security Standards Council. You may be wondering just what this means to you, the NAAIO member.
 
First, it gives us at NAAIO the option of nominating a member to the Board of Advisors. This person, if elected, would have direct input to the new PCI standards. NAAIO has nominated Daryl Ware to sit on this board and we’ll keep you posted as to his election on the board.

Second, and more importantly, NAAIO’s acceptance to the PCI Security Standards Council means that you, the NAAIO member, have direct access to any and all information that NAAIO receives from membership in this council - at no added cost to you. As a valued member of NAAIO, we believe that your voice and needs as an ISO are important. If you have questions, if you want to be heard, NAAIO will make sure that you are.

Through NAAIO’s membership in the PCI Security Standards Council, YOU are a member of the PCI Security Standards Council.
Posted by NAAIO at 21:44:40

Friday, February 20, 2009

Second Meeting with MasterCard set for February

NAAIO President Steve Burns, along with members Ray Varcho, Kendall Harsch and Darryl Ware, will be having their second meeting with MasterCard later this month. The first meeting took place in November 2008. “We’re excited about this second meeting,” says new Tier 3 Board Representative Ray Varcho of WRG. “It reinforces both groups’ desire to work together.”
Posted by NAAIO at 18:19:43

Monday, February 9, 2009

Share Your Top Ten Tips for Surviving in This Economy

Is your company struggling to survive the economic downturn? What tips and tricks have you implemented to stay afloat and maybe even prosper? What are you doing to help drive business to your ATMs? Share your thoughts with fellow NAAIO ISOs.
Posted by NAAIO at 19:09:45

Saturday, January 31, 2009

ATM Security - One ISO’s Story

We are constantly bombarded with news reports of ATMs being ripped out of the ground, “smash and grab” jobs, ATMs being walked off with, and hackers planting devices to capture card and PIN data. But the ATM scam that we experienced takes the cake.

Recently we received a call from one of our merchants in a placement location. They were calling to report that a man had approached them, claiming to be a service tech, and told them that he was there to remove the ATM for repairs. Remove the ATM!!! Sounds pretty obvious to you or me, but what about the merchant? How many of them are as aware as ours was in suspecting that this was a scam and not allowing this man access to the ATM?

We, as a company, have decided to take the time to keep our merchants informed of the many types of security issues that they need to be aware of in order to safeguard their ATMs. In this case, we sent a letter out to all of our merchants informing them of the attempted scam and reminding them that if they ever suspect anyone who comes to service their ATMs, they, as merchants, have the right to ask for ID (all of our technicians are required to carry it), deny that person access to the ATM, and call us to confirm that we have, in fact, sent a technician to their site.

We also keep our merchants informed through monthly mailings, reminding them of the types of scams out there and what to look for, such as a person attempting to withdraw cash with more than one card or a new display topper suddenly appearing on their ATM with no warning from us. Keeping our merchants informed is just good business.
Posted by NAAIO at 03:25:15