ATM FRAUD AND SECURITY - dsimg.ubm-us.net


Transcript of ATM FRAUD AND SECURITY - dsimg.ubm-us.net

Page 1: ATM FRAUD AND SECURITY - dsimg.ubm-us.net

WHITE PAPER

ATM FRAUD AND SECURITY

Minimizing loss, mitigating risk and maintaining consumer confidence in the ATM channel.

Introduction

According to estimates by Retail Banking Research, there are over 1.5 million ATMs installed worldwide, with new ATMs being installed approximately every 5 minutes. Millions of successful ATM transactions are carried out each day, and the ATM has been used safely for more than three decades. Even so – like most devices designed to secure and dispense items of value – they are susceptible targets of fraud.

It’s easy to overestimate the scale of ATM fraud. ATM thefts, burglaries, and electronic fraud make great headlines, and it seems national and local media rarely miss a chance to sound an alarm with regard to ATM attacks. After all, who could resist a story about two guys, a pick-up truck, a chain, and an ATM — especially when those two guys always seem to leave their license plates behind at the scene of the crime!


It’s important to note, though, that most of what the media call “ATM Fraud” is actually Debit Card fraud – having much more to do with the compromise of Personal Identification Numbers (PINs) and fraudulent Debit Card use than with the integrity of ATM hardware systems.

In fact, the Global ATM Security Alliance reports that just 0.0016 percent of all ATM transactions are affected by crime or fraud, worldwide.

Notwithstanding this record of secure transactions, ATM fraud and security have emerged as leading topics of interest among owners and operators of ATMs. Minimizing losses, mitigating risks, and maintaining consumer confidence in the ATM channel are logical priorities for financial institutions and others who deploy ATMs.

This white paper contains a comprehensive overview of ATM fraud, security, and consumer safety issues facing the self-service industry. It describes fraud techniques and introduces management practices and devices designed to keep ATMs secure.

Global Trends

In April of 2006, Russian police arrested a group of criminals accused of stealing at least $500,000 from US bank accounts in a cross-border ATM scam. The gang obtained stolen account information and PINs from organized crime groups in the U.S., Canada, and France to make fraudulent cash withdrawals at ATMs in Moscow. The funds were stolen from the accounts of U.S. citizens who had never been to Russia.

This case, like so many others, highlights the increasingly global nature of ATM fraud. Criminals and victims are often on different continents, and the problems of one region become the problems of another. Here’s a look at geographical trends associated with ATM fraud.

Europe

Card skimming was the biggest crime affecting ATMs in Europe in the past year according to a survey of 325,000 ATMs in 27 European countries by the European ATM Security Team. Card skimming at ATMs caused losses of nearly EUR 44 million across Europe, and is a source of funding for Eastern European organized crime.

The good news is that the number of skimming attacks has dropped by 20 percent since 2004, and related losses are down by 43 percent. These drops are likely related to Europe’s implementation of anti-fraud devices – plus the migration of more than 50 percent of European ATM card readers away from magnetic stripe cards to more secure EMV chip cards. In fact, France is benefiting from its nine-year transition to chip cards, where ATM fraud is down by nearly 80%.

The bad news is that cash trapping and transaction reversal crimes are on the rise, especially in Eastern Europe, as criminals look for other ways to steal money. In these cases, thieves fix a device to the cash-dispensing slot, causing notes to get stuck inside. The criminals return to remove the cash from inside the dispenser. Trapping attacks resulted in reported losses of EUR 2 million in 2005.

Latin America

Latin America is one of the fastest growing ATM markets in the world – with deployment booming in Brazil, according to Frost & Sullivan Research. Many countries in the region, such as Argentina, are deploying highly advanced ATMs, where customers can trade stocks and manage their personal finances.

Unfortunately, excessive fraud and corruption are hampering many financial institutions’ growth plans. ATM card fraud rose in Latin America by nearly 15 percent in the past 5 years.

In response, the region is accelerating anti-fraud measures, especially with the use of EMV chip cards. Brazil leads this migration effort, where card fraud has recently fallen by more than 80 percent. However, smaller markets, such as Chile and Peru, are facing a much slower transition.


Asia

China and India are also two of the fastest growing ATM markets. China now has over 86,000 machines in use, and the Indian ATM market is growing at a rate of 100 percent year-on-year, according to Frost & Sullivan Research. And, due to the lower Internet adoption rate in some regions of Asia, Web-based ATMs are filling the void for online banking.

But as financial institutions rapidly expand their Asian ATM base, they’re also seeing an increase in crime. The top ATM fraud in Asia is dispenser trapping.

Asia is also the origin of much of the world’s phishing attacks – although the victims are often on other continents. In these scams, “spoofed” e-mails that appear to be coming from a bank lead consumers to counterfeit web sites that trick them into giving their account information and PIN numbers. These fake web sites, which look identical to real bank web sites, are often hosted and routed through Chinese or Indian servers.

Criminals then use the stolen account information to create fake ATM cards and make withdrawals. Phishing attacks have been increasing over the past year, according to a recent Gartner study.

North America

North America is the largest ATM market in the world. Canada leads the world in per-consumer transaction volumes, while the US has the largest installed base. But the widespread use of ATMs – with over 14 billion cash withdrawals in the US alone – makes North America an attractive target for criminals around the globe.

Physical attacks against ATMs are popular in North America. Criminals attempt to remove the machine from its location, often by tying a chain to it and detaching it with a truck. Once they succeed, they use mechanical tools, torches, and explosives to open the safe door or make an opening in the safe walls.

In the US, ATM card-related fraud has risen sharply. In August 2005, Gartner estimated that about 3 million US consumers had been affected by ATM card fraud in the previous year – with annual losses of $2.75 billion, or $900 per incident. And these amounts exclude secondary losses, such as negative publicity for the financial institution and lost consumer confidence.

ATM card fraud in the US is expected to increase dramatically in the coming years. A major factor is the fact that the transition to EMV chip cards is happening throughout Europe, Asia, Latin America, and Canada – but not the US. Chip-based cards are much more difficult to counterfeit than magnetic stripe cards, which are relatively cheap and easy to duplicate. As organized criminal groups become discouraged by other countries’ antifraud measures, they are likely to view the US as an increasingly attractive target.

A Global Problem

ATM Fraud is happening on a global scale. As the world comes closer together, a bank customer in Australia may have a run-in with a criminal in Bulgaria. And a scheme that works in France today may end up in Canada tomorrow.

With this in mind, the ATM industry must take a global view of ATM fraud by tracking crimes against ATMs in every part of the world and developing solutions to prevent their evolution.

Types of ATM Fraud

Card Fraud

Given the intense focus manufacturers are placing on security-related engineering of ATMs, it’s not surprising that the most vulnerable component of any ATM system can’t be found on an ATM. Instead, it can be found in the pockets, purses, and wallets of ATM customers. It’s the ATM card. And once compromised, the data it contains can lead to many of the most common types of ATM fraud.

Armed with a customer’s Personal Identification Number (PIN) – often obtained through casual observation – a thief with data from a magnetic stripe can reproduce or clone ATM cards using inexpensive, commercially available equipment. And by taking precautions to hide or obscure his or her identity from video surveillance, such a fraudster can immediately steal small amounts of money or easily empty a customer’s bank account within a matter of days.


Operational Fraud

Bank fraud can also occur when ATMs are accidentally or purposely stocked with currency in the wrong denomination – thereby giving customers or criminals more money than should be dispensed.

As recently as September, 2006, WAVY-TV reported an incident in Virginia Beach, VA, where a hacker unlawfully obtained administrative privileges for a gas station’s freestanding ATM. The hacker used this ill-gotten data to reprogram the ATM to operate as if it were loaded with $5.00 U.S. bills instead of $20.00 U.S. bills – enabling himself and many other customers to walk away with four times the money requested for withdrawal.

This fraud was made possible when factory-installed default passwords were left in place on an ATM configured to allow ATM administration through a consumer-accessible interface. Apparently, the thief learned his trade by downloading an online copy of the ATM’s technical programming manual.

Equipment Fraud

Another concern for operators of ATMs is fraud related to fake ATM equipment. This ranges from add-on devices such as fake card readers or skimmers to ruses involving false fascias or even bogus ATMs.

The first recorded instance of using fake ATMs dates all the way back to 1993, when a criminal gang known as the Buckland Boys installed a fake ATM at a shopping mall in Manchester, CT. Like most fake equipment, it was not designed to steal money. Instead, the fake ATM appeared to customers as if it did not work – all the while stealing card data from everyone who attempted to use it.

Digital Fraud

The migration from proprietary operating systems to Microsoft Windows® technology has led to greater connectivity and interconnectivity of ATMs. Vast networks – including ATMs, branch systems, phone systems, ticketing systems, and other infrastructure connected via the World Wide Web – are susceptible to a new kind of threat, a threat to digital security.

Digital attackers include vandals who author viruses or worms intended to exploit an ATM’s operating system and criminal hackers attempting to violate the confidentiality, integrity, or authenticity of transaction-related data.

Types of ATM Security

Digital Security

ATM digital security systems should be designed to prevent intrusion, defy hackers, and stop digital crime before it begins. ATM security experts recommend a strong firewall featuring multiple layers of security.

An important first step is to lock down, or “harden,” the ATM. This means making all electronic points of entry invisible or unavailable to hackers, viruses, and worms. This technique is made possible through a combination of a strong firewall and software designed to monitor, analyze, and authenticate any external source attempting to connect to an ATM. This solution should be designed to block any unauthorized user or pattern of data.

In fact, a good digital security system should be able to analyze and compare patterns of data to those of known attacks and send alerts upon detecting suspicious activity.

Patch management is another important component of any digital security system. From time to time, Microsoft releases security patches – security-related updates to its operating system – designed to eliminate known problems with its operating system. ATM digital security systems should be designed to identify appropriate patches and to quickly deploy them throughout an ATM network in an effort to protect against viruses, worms, and other digital exploitation.

[Figure: On-screen warning concerning potential fraud.]


Physical Security

Since their invention, ATMs have been designed to resist physical attacks. Yet that hasn’t completely stopped concerns over physical security.

Many physical attacks are designed to steal the entire ATM and to transport it to a location where its safe can be laboriously penetrated and its contents removed. Other methods of attack, such as ram raiding, are simply brute force attacks designed to effectively demolish ATMs and steal cash. Since the late 1990s, for example, organized groups of criminals in Japan have improved ram-raiding techniques by using heavyweight trucks or heavy construction equipment to uproot and destroy ATMs before removing their contents.

Another physical attack method is to seal every opening of an ATM with silicone before filling the vault with combustible or explosive gas. In this manner, ATMs have been compromised when explosions from within have distorted or opened their vaults sufficiently for removing their contents.

As a result, more modern approaches to physical security, including the use of ink dye systems designed to render currency useless, have gained in popularity as a mechanism for deterring physical attacks.

Transactional Integrity & Security

The security of ATM transactions relies not only upon the level of secrecy employed by individual ATM users, but also upon the secure operation of encrypted, trusted microprocessors.

Most countries have laws requiring data encryption at ATMs. In the U.S., sensitive data at ATMs was traditionally encrypted using a Data Encryption Standard (DES) or information processing standard mandated by the federal government. Today, however, DES is considered by most cryptographers to be insufficient for protecting ATM transactional data, and a new standard known as Triple DES has emerged.

With each new wave of electronic crime perpetrated on ATMs, their operators, and their users, manufacturers of ATMs must increase research, development, and engineering efforts aimed at guaranteeing the security and integrity of ATM transactions.

Device Operation & Security

In most countries, financial institutions are liable when ATM systems fail. This simple fact suggests ATM owners and operators need to take great care to secure and ensure proper functionality of ATMs.

With this in mind, modern ATM engineering has resulted in improved fascia design, weather and vandal-resistant construction materials, shutters, and other devices designed to protect and ensure the integrity of ATM components.

Customer Identity Security

While ATM operators are certainly concerned with protecting the identity, account information, and personal data of their customers, it’s important to note that identity theft cannot be committed through ATMs.

There is insufficient personal information available to fraudsters during breaches of ATM security to commit offenses such as setting up false bank accounts or attempting to “prove” a false, personal identity.

Consumer Safety at the ATM

An April 2006 poll by Harris Interactive found that 37 percent of adults who have a bank account are more concerned than they used to be about using ATMs for reasons relating to security. Not surprisingly, then, consumer safety has become a leading consideration in the manufacture, deployment, and management of ATM networks.

[Figure: Vandalized ATM in Spain]

Manufacturers have experimented with mirrors, better lighting, emergency call buttons, video surveillance, and other devices intended to provide a more secure environment surrounding ATMs. Financial institutions are more carefully evaluating ATM locations, more often stressing the importance of consumer awareness, and have gone so far as to arrange for security patrols at high crime, high traffic locations.

ATM Fraud Techniques

Card Theft

Beyond obvious approaches such as mugging or stealing from mailboxes, criminals use a variety of techniques aimed at stealing ATM cards. Most of these attempts involve a technique known to security experts as “card trapping.”

Card trapping involves placing a device directly over or into an ATM’s card reader slot. Such devices are designed to retain cards after customers insert them. Often, a “helpful” thief will then suggest a customer re-enter his or her PIN in an effort to attempt the card’s return – of course, to no avail.

Later, after the unsuspecting customer has departed, the thief can remove the trapping device or fish out the card. Then, by entering the PIN that the thief has just observed, the thief can access and withdraw funds from the customer’s account.

One variant of this approach is to trap the card inside the ATM’s card reader with a device often referred to as a Lebanese Loop. When a customer walks away, frustrated by not getting the card back, the criminal is able to remove the card and withdraw cash from the customer’s account.

This method is often combined with the “droplet” method of stealing a customer’s PIN. With this method, small drops of oil are placed on PIN pad keys. After a customer uses an ATM, the oil makes it obvious which keys have been pressed and easy to quickly discern the entered PIN.

Card Skimming

Another method of accessing a consumer’s account information is to skim the information off of the card.

Skimmers are devices used by crooks to capture data from the magnetic stripe on the back of an ATM card. These devices – smaller than a deck of cards and resembling a hand-held credit card scanner – are often fastened in close proximity to or over top of an ATM’s factory-installed card reader. When removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used it to swipe an ATM card.

An inexpensive, commercially-available skimmer can capture and retain the information from more than 200 ATM cards before being re-used. Such personal information includes account numbers, balances, and verification codes associated with each cardholder.

Typically, these devices are used to fool consumers into believing that the skimmers are part of the ATM equipment. The boldest of thieves have gone so far as to place signs on ATMs instructing cardholders to “swipe here first” before continuing with transactions. Another fraudulent method is to portray the additional card reader as a “card cleaner” designed to extend the life and improve the performance of ATM magnetic stripes.

[Figure: In an effort to provide increased safety and to minimize shoulder surfing, some financial institutions have indicated privacy areas by painting or otherwise marking the floor beneath their ATMs.]

[Figure: A Lebanese Loop]

[Figure: Card skimmers]

Shoulder Surfing

Shoulder surfing is nothing more than the act of direct observation as a person taps onto an ATM PIN pad. Criminals typically position themselves close – but not in direct proximity – to legitimate ATM customers and watch covertly as the customer enters his or her PIN.

A more sophisticated take on shoulder surfing is accomplished through the installation and use of miniature video cameras aimed to record PIN entry.

Fake PIN Pad Overlays & Other Fake Equipment

This criminal technique involves the placement of a fake PIN pad directly over top of an ATM’s original PIN pad. This overlay captures and stores PIN data with each transaction. The fake PIN pad is later removed, recorded PINs are downloaded, and the information is combined with counterfeit ATM cards to obtain funds illegally from legitimate customer accounts.

Fake PIN pads are often identical in appearance and size to original equipment. Furthermore, they are often razor thin or transparent, making detection nearly impossible for consumers. With these types of PIN pad overlays, transactions actually proceed in a normal way.

Criminals also attach portable monitors and card readers to ATMs. Fake card readers and PIN pads record the requisite information for illegal withdrawals while fake monitors provide bogus screens explaining that transactions cannot be completed.

PIN Interception

This high-tech approach to stealing PIN information results from the capture of data through an electronic data recorder. This is possible from within the ATM terminal or as PIN data is transmitted for online verification. Either approach requires access to the inside of an ATM; therefore, this type of crime is often perpetrated by organized “professionals” at off-premises ATM locations.

Accessing Cash with False Presenters

This fraud is performed through the addition of bill traps or false presenters in front of ATM dispensers. These traps are placed over the dispenser to disguise the normal dispensing operation of the ATM.

During the course of an otherwise normal transaction, an ATM will dispense notes into the trap; however, those notes are never presented to the customer. Assuming the ATM has malfunctioned, the customer leaves. After that, the criminal returns, removes the bill trap or false presenter, and leaves with cash that was intended for the customer.

The simplest form of bill trap involves the placement of adhesive tape in a manner which blocks the cash dispenser, holds delivered banknotes, and prevents cash retraction. A more sophisticated approach employs a motorized device designed to deliver banknotes into a dedicated, hidden bin, thus simulating a more natural, “real” withdrawal of banknotes.

Another method begins with a legitimate cash withdrawal transaction – possibly with a stolen card. In this method, the criminal does not take the note stack when presented. Instead, the criminal allows the notes to retract after a certain period of time – as if they were forgotten. For a brief period of time, those notes sit in the ATM’s presenter before being diverted into a “retain” bin. By prying open the presenter door and grabbing the retracted notes at exactly the right time, criminals can obtain the cash, but the transaction is still reversed and no funds are debited to the account associated with the “legitimate” transaction.

Transaction Reversal

Transaction reversal scams use a variety of methods to create an error condition at the ATM that results in a transaction reversal by the host processor due to the reported inability to dispense cash. Meanwhile, the cash has been taken through accessibility or force.

[Figure: Miniature video camera records PIN entry]

[Figure: Fake PIN pad records PIN entry]

Here’s an example. An ATM user requests a withdrawal of $100; however, when the note stack is presented, the user carefully removes only a portion of the banknotes in the stack. A few moments later, the transaction times out and the remaining notes are returned to the ATM. Since the ATM cannot count how many banknotes are retracted, it will often (depending upon host software and bank policies) reverse the entire transaction – leaving the user with some of the cash withdrawn but with no corresponding debit.

Burglaries

Physical attacks are sometimes attempted on safes inside of ATMs, through mechanical or thermal means. The goal of these attacks is to penetrate the ATM to open the safe door or to make an opening sufficient to remove cash.

Operational Fraud

Operational fraud, typically, is perpetrated from within. Employees responsible for ATM management can accidentally expose ATMs to fraud by making sensitive information readily available to fraudsters. Or worse, employees with unfettered access to ATMs and related customer information can use that access to commit crimes that are difficult to detect.

Fighting Fraud & Securing the ATM

Video Surveillance

The primary method used to increase awareness and deter fraud attempts at the ATM is the installation of Closed Circuit Television Cameras mounted in plain view on or near the ATM.

Nowhere does this sort of digital security offer more benefit than in the surveillance of off-premises ATMs, which present obvious challenges with regard to maintenance and security.

Cameras can be easily integrated into the fascia of most ATM machines, and improved security can be achieved by installing additional site cameras on and around the premises.

The availability of remote video surveillance services makes digital video an even more attractive security option, because many ATMs and their surrounding areas can be directly monitored from a single, central location.

Remote Monitoring

Remote diagnostic services provide an automated means to monitor and manage ATM networks. Remote monitoring can communicate important messages that may indicate tampering with a machine.

Remote diagnostics, monitoring, and management provide improved uptime and reduced risk. These services promote dispatch avoidance and enable a group of central support associates to control keyboard and mouse operations of ATMs directly from remote PCs.

Through ATM monitoring capabilities, status messages from an ATM can be sent to a central location where those messages are acted upon based upon a pre-defined plan. Central support associates can quickly identify problems and security concerns based upon the messages they receive. For example, the continual notification of a card reader failure or a drastic decline in transactions at an otherwise busy location might be an indication of tampering.

Remote diagnostic services also contribute to the safety and security of personnel assigned to work on ATMs, by giving these associates remote access and the ability to manage events from a secure location.

Preventing Card Theft

Card readers with the capability to detect if an ATM’s card reader shutter is closed completely can provide an indication that a fishing device may have been inserted into the card reader. By using remote diagnostics to monitor the ATM, error codes generated by the card reader can be tracked. An increase in the occurrence of error codes related to card readers could be an indication that a fraud attempt is in progress.
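The two tamper indicators named under Remote Monitoring and Preventing Card Theft (repeated card reader faults, and a sharp fall in transactions at a normally busy ATM) can be checked mechanically at the monitoring center. The following is an added example, not code from the white paper or from any ATM vendor; the line format, event names, thresholds and baseline figures are assumptions, and the feed is constructed sample data.

```python
"""Added example: flag ATMs whose status messages suggest tampering."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical event names; a real monitoring feed uses vendor-specific codes.
READER_EVENTS = {"CARD_READER_FAIL", "SHUTTER_NOT_CLOSED"}
TXN_EVENT = "TXN_OK"

HOUR_START = datetime(2006, 10, 2, 9, 0)
# Constructed baseline: usual completed transactions per ATM for this hour.
BASELINE = {"ATM-0017": 12, "ATM-0042": 10, "ATM-0099": 1}


def build_sample_feed():
    """Constructed data: one hour of '<ISO time> <atm id> <event>' lines."""
    def line(minute, atm, event):
        ts = HOUR_START + timedelta(minutes=minute)
        return f"{ts.isoformat()} {atm} {event}"

    lines = [line(m, "ATM-0042", TXN_EVENT) for m in range(0, 60, 6)]  # healthy
    lines.append(line(15, "ATM-0042", "CARD_READER_FAIL"))  # isolated fault
    lines += [line(m, "ATM-0017", TXN_EVENT) for m in (1, 4)]
    lines += [line(10, "ATM-0017", "CARD_READER_FAIL"),
              line(14, "ATM-0017", "SHUTTER_NOT_CLOSED"),
              line(19, "ATM-0017", "CARD_READER_FAIL"),
              line(31, "ATM-0017", "CARD_READER_FAIL")]
    lines.append("bad-timestamp ATM-0042 TXN_OK")  # malformed, must be skipped
    return "\n".join(lines)


def parse_feed(feed):
    """Return time-ordered (timestamp, atm_id, event) tuples, skipping bad lines."""
    events = []
    for raw in feed.splitlines():
        parts = raw.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    events.sort()
    return events


def reader_error_bursts(events, threshold=3, window=timedelta(minutes=30)):
    """Map each ATM to the time its reader faults first reached the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, atm, event in events:
        if event not in READER_EVENTS:
            continue
        queue = recent[atm]
        queue.append(ts)
        while ts - queue[0] > window:  # drop faults older than the window
            queue.popleft()
        if len(queue) >= threshold and atm not in flagged:
            flagged[atm] = ts
    return flagged


def volume_drops(events, baseline, hour_start, max_ratio=0.25, min_baseline=5):
    """List (atm, seen, expected) where a busy ATM fell below max_ratio of usual."""
    hour_end = hour_start + timedelta(hours=1)
    seen = defaultdict(int)
    for ts, atm, event in events:
        if event == TXN_EVENT and hour_start <= ts < hour_end:
            seen[atm] += 1
    drops = []
    # Walk the baseline, not the feed: a fully silent ATM sends no lines at all.
    for atm, expected in sorted(baseline.items()):
        if expected >= min_baseline and seen[atm] < expected * max_ratio:
            drops.append((atm, seen[atm], expected))
    return drops


def tamper_report(feed, baseline, hour_start):
    """Combine both indicators into {atm_id: [reasons]} for operator review."""
    events = parse_feed(feed)
    report = defaultdict(list)
    for atm, ts in reader_error_bursts(events).items():
        report[atm].append(f"repeated card reader faults by {ts:%H:%M}")
    for atm, seen, expected in volume_drops(events, baseline, hour_start):
        report[atm].append(f"{seen} transactions against a usual {expected}")
    return dict(report)


if __name__ == "__main__":
    for atm, reasons in tamper_report(build_sample_feed(), BASELINE, HOUR_START).items():
        print(atm, "->", "; ".join(reasons))
```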

Preventing Card Skimming

There are a variety of methods that may be employed to deter card skimming. To begin with, awareness among consumers, branch personnel, and ATM service technicians can result in the detection of devices added to an ATM fascia. Visual clues such as tape residue near or on a card reader may indicate the former presence of a skimming device.

[Figure: Place video surveillance equipment near ATM.]

[Figure: Remote management centers keep things going from a central location.]

In addition, the following anti-skimming solutions can be introduced.

• Jittering. Jittering is a process that controls and varies the speed of movement of a card as it’s swiped through a card reader, making it difficult – if not impossible – to read card data by the external device.

• Alert systems. These systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.

• Chip-based cards. These cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.

• Foreign object detection. ATMs equipped with this type of technology can alert owners, operators, or law enforcement in the event that a skimming device is added on the fascia of an ATM.

Preventing Shoulder Surfing

Consumer awareness mirrors are the most effective method for deterring or detecting shoulder surfing. In addition, mirrors can be affixed to the fascia of an ATM, allowing users to easily see behind them as they enter data. Furthermore, PIN pad shields can be used to obscure data entry.

The ergonomic design of an ATM can also play an important role in preventing shoulder surfing. Techniques such as positioning the keyboard in the center of the fascia or recessing the display more deeply within the terminal can also make shoulder surfing more difficult.

Preventing Fake Equipment

Consumer education and ATM monitoring services are the best ways to prevent the application of fake equipment on or near legitimate ATMs.

Consumers should be taught awareness of the look and location of ATM components, such as PIN pads, card readers, monitors, and dispensers.

ATM monitoring services are designed to notify owners of repetitive time out messages during PIN entry.

Foreign object detection technology can also play a role in identifying fake equipment. Hidden from view, this type of technology actively monitors the ATM’s fascia. When abnormalities are detected, ATMs can notify authorities and even shut down until problems are resolved.

Preventing PIN Interception

Encrypted PIN pad technology is the key to preventing PIN interception. Encrypted PIN pads “scramble” data before transmission so that no raw PIN numbers are accessible to electronic hackers.

Preventing Transaction Reversals

Many financial institutions deter this fraud by always debiting the account for the full amount of a transaction, dealing with legitimate short-dispense claims as they arise. Other techniques include monitoring “time out on withdrawal” error messages. If this message occurs repeatedly and is associated with a specific cardholder, this may be an indication of criminal activity.

Finally, using a retract bin with separate compartments – each dedicated to a single retract operation – can allow financial institutions to associate specific, retracted banknotes with specific transactions.
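The cardholder-level check described above, repeated “time out on withdrawal” messages tied to one cardholder, can be run over the host’s withdrawal journal. This is an added example, not code from the white paper; the record fields, outcome codes, tokenised card identifiers, thresholds and journal entries are all constructed assumptions.

```python
"""Added example: find cardholders with repeated timed-out withdrawals."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    when: datetime
    card_token: str  # assumption: the journal stores a token, not the card number
    atm_id: str
    amount: int      # requested amount in whole currency units
    outcome: str     # hypothetical codes: "DISPENSED" or "TIMEOUT_RETRACT"


def _at(day, hour):
    return datetime(2006, 10, day, hour, 0)


# Constructed journal extract.
JOURNAL = [
    Withdrawal(_at(1, 9), "tok_D", "ATM-0042", 50, "TIMEOUT_RETRACT"),
    Withdrawal(_at(2, 9), "tok_A", "ATM-0017", 100, "TIMEOUT_RETRACT"),
    Withdrawal(_at(2, 18), "tok_B", "ATM-0017", 60, "DISPENSED"),
    Withdrawal(_at(3, 12), "tok_A", "ATM-0042", 100, "TIMEOUT_RETRACT"),
    Withdrawal(_at(4, 8), "tok_C", "ATM-0042", 40, "TIMEOUT_RETRACT"),   # one lapse
    Withdrawal(_at(5, 20), "tok_A", "ATM-0108", 200, "TIMEOUT_RETRACT"),
    Withdrawal(_at(6, 10), "tok_B", "ATM-0017", 80, "DISPENSED"),
    Withdrawal(_at(12, 9), "tok_D", "ATM-0042", 50, "TIMEOUT_RETRACT"),  # spread out
    Withdrawal(_at(25, 9), "tok_D", "ATM-0017", 50, "TIMEOUT_RETRACT"),
]


def repeat_timeout_cards(journal, min_events=3, window=timedelta(days=7)):
    """Return {card_token: summary} for cards with min_events timeouts in window.

    A single timeout is usually a customer who walked away; the signal is the
    same card timing out again and again, possibly at different ATMs.
    """
    by_card = defaultdict(list)
    for record in journal:
        if record.outcome == "TIMEOUT_RETRACT":
            by_card[record.card_token].append(record)

    findings = {}
    for card, hits in by_card.items():
        hits.sort(key=lambda r: r.when)
        for i in range(len(hits) - min_events + 1):
            # All timeouts that fall within `window` of the i-th one.
            burst = [h for h in hits[i:] if h.when - hits[i].when <= window]
            if len(burst) >= min_events:
                findings[card] = {
                    "timeouts": len(burst),
                    "atms": sorted({h.atm_id for h in burst}),
                    # Upper bound on loss if each transaction was reversed in
                    # full, since the ATM cannot count the retracted notes.
                    "reversal_exposure": sum(h.amount for h in burst),
                }
                break
    return findings


if __name__ == "__main__":
    for card, summary in repeat_timeout_cards(JOURNAL).items():
        print(card, summary)
```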

Preventing Burglaries

There are a variety of mechanical and physical factors that can inhibit attacks to ATM safes. The certification level of a safe, for example, can determine how difficult a safe is to penetrate. A certification level of UL291 Level 1 is recommended as a minimum for ATMs placed in unsecured, unmonitored locations.

Alarms and sensors also reduce exposure to risks.

Further, the best defense against potential litigation by crime victims is a proven track record of policies aimed at crime prevention. Following are practices to consider for educating consumers, deterring crimes, and improving the security of ATM premises.

Consumer Education

• Make safety and security educational materials available.

• Provide safety information directly on ATM screens.

• Print safety and security reminders on ATM receipts.


Crime Prevention

• Videotape customers and ATM transactions.

• Provide video surveillance of parking lots and other areas surrounding ATMs.

• Provide an emergency call button or telephone at ATMs.

• Document requests to local police to patrol areas surrounding ATMs.

• Increase security measures in areas of frequent crime.

• Use contracted security guards as patrols or as sentinels.

• Maintain records relating to security complaints; document action taken as a result of each complaint.

• Maintain record of proper security equipment maintenance.

Premises Protection

• Locate ATMs in highly visible, well-traveled areas.

• Employ high-intensity lighting at and around ATMs.

• Designate parking spaces dedicated to “ATM Use Only”.

• Keep trees, shrubs, and other greenery well-trimmed; remove other obstacles that may obscure the view of ATMs and the areas around them.

Preventing Operational Fraud

The best defense against operational fraud is to establish and follow rigorous internal policies and procedures that limit access to ATMs and related passwords by branch personnel. Consider offering rewards for information regarding criminal activity, and ensure that bank employees know the consequences of operational fraud.

The Virginia Beach incident, described above, could have been prevented with good procedures in place, such as changing default passwords on every new ATM, or even avoiding the purchase of any ATM configured to allow administration through a consumer-accessible interface.

To ensure the highest level of protection against operational fraud, Fair Isaac CardAlert services recommends the following practices:

• Immediately verify that every ATM operated by your financial institution has security codes that are not original manufacturer default settings. Leaving factory default settings is very common; however, it is an unsafe practice.

• ATM safe combinations should also be changed from original manufacturer’s settings.

• Consult ATM user guides to ensure optimum operating standards, since ATM equipment varies by manufacturer.

• Ensure that sub layers within ATM security settings have also been reset to unique passwords or access codes.

• Balance your ATMs daily or as frequently as possible.

• Reconcile settlement account deposits with actual ATM balances to identify possible irregularities.

• Increase security around all ATM equipment.

• Make sure all video equipment is working properly. Date your video surveillance tapes and keep them secure for 60 days when possible, in case you need to refer back to them.

Conclusion

Fraud attacks on ATM networks are a worldwide phenomenon, yet they are of particular concern in the U.S., where the market is larger, transaction volume greater, and the use of chip cards is not yet widespread.

In August 2005, Gartner estimated that about 3 million US consumers had been affected by ATM card fraud in the previous year - with annual losses of $2.75 billion, or $900 per incident. These amounts exclude secondary losses, such as negative publicity for the financial institution and lost consumer confidence.

ATM fraud is growing because it produces cash and is fairly low risk relative to other crimes. The necessary equipment for criminal activity is inexpensive, readily available, and expendable.

ATM fraud also lends itself to organized crime. The fraud is repeatable. It is profitable. And it is not likely to end.

Even so, consumer confidence in ATMs remains high, and industry efforts to combat fraud, increase consumer awareness, and promote ATM security seem to be outpacing the growth rate of criminal activity.

New technologies such as video surveillance, remote ATM management, and foreign object detection – combined with common sense management practices aimed at deterring crime – are providing manufacturers with an edge in the fight against fraud and keeping the self-service industry at least one step ahead of the criminals.

About Diebold

From the Great Chicago Fire of 1871 to the present day, Diebold has been protecting the assets of financial institutions around the world. Diebold continues to evolve, protecting each facet of the banking industry; from branches, vaults and tellers to advanced self-service terminals.

As the industry's leading integrator of security products, Diebold understands better than anyone what the financial industry’s service and security support needs are now and will be in the future. Diebold is the premier company in the world that can provide enhanced security for ATMs.

Diebold’s prominence in the financial security business for over 100 years allows our customers to depend on Diebold to provide solutions and recommended approaches to contain such issues as ATM fraud. Diebold boasts a world-class service organization with professional ATM service technicians that are trained to be cognizant of the new ATM fraud techniques and to conduct a detailed evaluation of key ATM components to ensure there has been no tampering or additions to the fascia.

We Won’t Rest until our customers’ customer feels secure throughout their ATM experience!

While Diebold has tried to be complete in the preparation of this material, it must be recognized that the criminal community too is ever expanding its knowledge and methods of defeating security features. Accordingly, the use or implementation of some or all of the methods described herein cannot be considered to be a guarantee that the security of any ATM cannot be compromised or that the security features in or around an ATM will operate continuously or error free at all times.

©Diebold, Incorporated 2006. All rights reserved.

Rev10.06 File No. 79-853

Contact Information: Diebold, Incorporated, Post Office Box 3077, Dept. 9-B-16, North Canton, Ohio 44720-8077

Call on Diebold to offer you the latest in product, service and security solutions. Since 1859, Diebold has put its customers first.