• Home
  • Blogs
  • ATM Fraud hits Ugandan Banks – Customer Beware

ATM Fraud hits Ugandan Banks – Customer Beware

By James Wire

Added 19th October 2015 01:48 PM

Shamira (Name not real) received the long awaited call confirming her proggie with some friends that evening. Excitedly, she jumped into her Vitz and raced off to the nearest ATM for some money. On arrival, she inserts her card in the ATM, executes h

Shamira (Name not real) received the long awaited call confirming her proggie with some friends that evening. Excitedly, she jumped into her Vitz and raced off to the nearest ATM for some money. On arrival, she inserts her card in the ATM, executes her transaction and leaves smiling, looking forward to a fun filled evening.

A few metres from the ATM, a silver Subaru Forester with tinted windows is parked by the roadside and seated inside is a one Kasoma (Name not real). With a laptop and WiFi connection, he's monitoring the card Skimmer he had just inserted in the ATM machine's card entry slot. As Shamira inserts her card, the skimmer is able to extract relevant card data which he gets in real time. Then aided by a micro camera mounted inside the ATM closet, he's able to see the pin code Shamira types to access her money. That's all he needed. 

Kasoma proceeds to make a duplicate card which he feeds with data from Shamira's Card. He then uses the duplicate card to withdraw money from Shamira's account and upon her next visit, she gets welcomed by the famous message, “Unable to proceed with transaction due to insufficient funds on your account.”

For as low as US$ 200 you can buy an ATM skimmer on the internet and using a regular WiFi enabled laptop, all you need is identify ATMs that aren't tightly monitored and you're good to go.

This is the reality the banking customer is faced with today. A group of Bulgarians was convicted in 2012 after orchestrating this scam in Kampala thereby defrauding many ATM users. 

The recent fiasco with Centenary Bank that led to the nullification of all ATM card PINs followed by the Bank CEO's statement aimed at calming down the general public as well as silencing the speculation that arose shouldn't be taken lightly.

In a well calculated and crafted video message, the CEO attributed the bank's extreme action to a software update process that is ongoing. However, as someone who has dealt with Software and Hardware systems for many years, I am more than convinced that the bank is not being generous with the information it avails the public.

It is a fact that numerous banks are falling victim to electronic crime in Uganda and while some cases have been reported, most are dealt with under the hood for fear of alarming the public as well as diminishing their already strong brands based on trust. The situation is further complicated by the high level of insider dealing.

What is ATM Card Skimming? The copying of encoded information from the magnetic stripe of a legitimate card, making use of a card reader for fraudulent purposes. 

Card skimming seems to be the most wide spread form of ATM fraud going on but there are others like;
The Card Trapping devices; Where a thin ribbon of Xray tape is inserted into the card slot. The loop it has traps your card and makes it appear like the bank has repossessed it. A 'Good Samaritan' then offers to help you and advises you to type in your PIN Code in order to have the ATM card returned. When it fails, you walk away believing that your card has been captured. He then proceeds to remove your card and withdraw your money using the pin he saw you punch in.
The Exit Shutter Manipulation Fraud; In this one, you insert an ATM card and punch in the pin in order to get money, select the amount you need and as the dispensation of the funds begins, you place your hand on the money exit shutter for a few seconds triggering the  message that there is a fault with the shutter. This then causes the machine to reverse the transaction at the ATM switch by the amount requested thereby crediting your account once again. However, on release of the exit shutter after a few seconds, the ATM dispenses the amount previously requested since it was manually halted during the dispensation process.
The Matchstick hack: By inserting a matchstick in one of the keys on the ATM keypad like the Asterix (*), Clear or even Enter keys, a customer will come, insert their card, punch the PIN but fail to transact successfully since the keypad is kind of disabled. Meanwhile the criminal is nearby observing your PIN. Upon failing, the customer withdraws their card and moves on giving the criminal a chance to go to the ATM, remove the matchstick and punch in the customer's PIN. He then transacts on the ATM account even with the card withdrawn since the machine retains the card's details for some time.
By pressing a special sequence of buttons on the ATM keypad, some ATMs can be placed in the privileged 'Operator Mode.' While in this mode, numerous variables can be altered with the most prominent one determining the denomination of the bills loaded into the machine's currency cartridges. Once done, one then proceeds to make the ATM withdrawal and by fooling the ATM into dispensing Ushs 50,000/= notes instead of Ushs 10,000/= notes, one is able to get more money from the ATM than their actual recorded funds transaction request.

There are many more frauds out there and as their complexity increases, so does the pressure on the financial institutions increase too. Ugandan banks need to wake up and start protecting their customers. 
The largest perpetrators of these ATM scams are organised criminal gangs from Western Europe and as they find it ever harder to penetrate banking systems in Europe and America, they are going to shift their focus onto softer targets in Africa where the uptake of technology is spiralling albeit haphazardly.

How can you protect yourself from ATM fraud as a customer?
Familiarise yourself with the ATM machines of your bank especially the card slot entry area. This will help you notice anything that is out of the ordinary before you transact. Keenly observing the ATM machine and its surroundings should be top on your priority list before transacting.
As you punch in your PIN, shield your hand and the keypad with your body or the other hand to ensure that any installed cameras do not capture your PIN details. In some cases, heat sensitive thermal Cameras are used which can detect the keys you punched long after you've finished putting in the PIN. So, to be safe, you can go the extra mile and cover some form of tissue or cloth on your finger as you input the details.
Use familiar ATMs. Be careful which ATM machines you go to. In case you're not comfortable with the area an ATM is located, then do not transact. ATMs in dimly lit areas or visited late in the night might be more susceptible to fraud.
When distracted during an ATM transaction, immediately cancel your transaction and collect your card before responding to anyone who has distracted you.
Always change the Card's PIN from the original number given to you (this number may sometimes be part of the data on the magnetic strip and could be discovered by thieves who have stolen your card).
Do not accept assistance or guidance form anyone however helpful they may seem.
If your card is trapped or swallowed by an ATM, do no leave the ATM immediately. Call the bank or even better wait until you can see someone else successfully transact from the very ATM machine you've used before you can prove that it wasn't a mere fabricated blockade.
Feel the Card entry slot. If you detect anything loose around it, then you have reason to suspect that a skimmer could have been inserted. Call and report your findings to the bank.

In case you've already fallen victim, try any of the following;
When you discover a card reader or card-trapping device, don't remove it. Call the bank authorities or Police ASAP because the crooks may be watching the ATM and want to recover their equipment.
In case of a lost card, immediately notify your bank and terminate any further transactions on your account.
When approached by someone suspicious at the ATM, calmly observe them and keep track of whatever possible detail you can come up with then proceed to submit a report to the bank or the Police.

As for the banks, there is a need to;
Setup a Joint ATM Security Team: ATM fraud can't be addressed in isolation. Ugandan banks need to appreciate this and swallow humble pie. The more they work together to confront this challenge the higher the chances of registering success. Such an effort needs to be complemented by other agencies like the Police CyberCrime unit, the National IT Authority among others.
Train ATM Fraud Experts: From basic card skimming to malware use, ATM hacking is scaling greater heights by the day. The banks need to avail specialised training to some of their staff to tackle ATM fraud.
Install Machine Alarms. These help alert when the ATM shell is tampered with.
Upgrade Cards. From the simple magnetic ATM cards, banks need to make upgrades to the Chip and PIN technology since currently most fraudsters can only compromise the magnetic stripe on the card and not the chip.
Raise Customer and Staff awareness of ATM Fraud. This can be done through posters, screen messages and inserts in mailings to customers. Just like openness worked a great deal in combating the HIV/Aids scourge in Uganda, the same could apply to the ATM fraud challenge which is likely to grow in leaps.

Shamira and You can help avert the looming ATM hacking crisis but above all, we need the banks to cooperate and be more open about this problem.
Twitter: @wirejames

Shamira (Name not real) received the long awaited call confirming her proggie with some friends that evening. Excitedly, she jumped into her Vitz and raced off to the nearest ATM for some money. On arrival, she inserts her card in the ATM, executes h

More From The Author