I would like to share with you this insightful paper, an ATM fraud case study of a commercial bank in Pakistan. It was co-written by Mr. Aijaz Shaikh, former Joint Director, Payment System-Policy and Regulation Division, State Bank of Pakistan (currently Assistant Professor at Sukkur Institute of Business Administration), who spoke at Digital ID World Asia 2012.
The paper investigates and demonstrates a mapping flaw in the ATM Controller (commonly known as financial middleware) that allowed ATM card holders of various banks to fraudulently withdraw cash from the ATMs. The flaw remained undetected for nearly 3 months and deprived the bank of more than 21 million Pakistani Rupees.
The paper concluded that the bank's internal control system had failed to detect the implantation of the mapping bug. In addition, higher management's lack of understanding of the systems and procedures supporting the ATM infrastructure played a significant role in this incident.
Considering the nature of the fraud and the degree of losses incurred, the paper recommends implementing strong internal controls over the payment system applications. It also recommends a detailed review of the fraud screening strategy and of the turnkey ATM solution, to ensure that the security tools are optimised for their particular product or service.