ATMIA East: Big on security By Tracy Kitten, ATMMarketplace.com
 This story was originally published on ATMmarketplace.com, Feb. 21, 2006; reprinted with permission. © 2006 NetWorld Alliance LLC. All rights reserved. he weather was less than Florida-like the first part of the week. But for the more than 550 ATM Industry Association (ATMIA) Conference East attendees who made their way to Walt Disney World's posh Swan hotel last week, the trek was well worth the effort. Orlando, Fla., was host to ATMIA's seventh-annual East event, a conference that honed in on security from all angles.
A keynote from Frank Abagnale, the real-life fraudster depicted in Steven Spielberg's film Catch Me if You Can, and an opening address from New York State Police investigator Kevin Sullivan set the stage.
Abagnale, who has spent the last three decades working with the Federal Bureau of Investigation, is a recognized expert in the areas of identity theft, fraud and forgery. He also now works with Discover Network, helping Discover reduce its own risk and liability through consumer and customer education.
During a standing-room-only address Friday, Abagnale described the ease with which criminals defraud companies through stolen identities and simple scams. His insight was entertaining, and a bit frightening, as it highlighted how often consumers and companies make valuable information available for general consumption.
When the information is easy to find and duplicate, thieves use it to their advantage. "So why do you continue to give your information away?" he asked. That was a chord Abagnale carried from his keynote the night before, when he candidly spoke about his life on the run: A life he embarked upon at the ripe age of 16. With a matter-of-fact tone, Abagnale explained how a kid from Bronx, New York, turned into one of the FBI's most wanted, almost overnight.
Like Abagnale, Sullivan also is a self-educated fraud expert. After learning a few years ago how easy it was to get into the ATM game, Sullivan, a former narcotics cop, began his own ATM crime-fighting crusade. Sullivan now works closely with financial institutions, educating them about fraud-protection and liability.
During his opening address Thursday, Sullivan talked about fraud in a more ATM-centric way, paying special attention to money laundering. He encouraged deployers to approach financial fraud from a Six Sigma approach, by understanding how all financial channels, including the ATM, fit together.
"Who is monitoring the transactions at the ATM?" Sullivan asked. "And once you're monitoring them, are you looking at the right information; and are you telling the police or the proper authorities about suspicious transactions?"
It all sounds quite a bit easier than it is in practice. But with the looming enforcement of mandates and regulations, including the USA Patriot Act, Sullivan stressed the importance of a multichannel, inter-financial institution perspective. Fair Isaac Corp. Technology Operations Director Michael Urban and Celent LLC Analyst Madhavi Mantha echoed Sullivan's perspective.
Sprinkled in between Abagnale's and Sullivan's presentations were multichannel risk management and strategy analyses from Urban and Mantha, all of which leaned toward security, fraud and breaches.
According to information collected by Fair Isaac, U.S. PIN fraud is on the rise, Urban said. From 2001 to 2003, debit card fraud doubled. And from 2003 to 2004, it doubled again. By 2005, approximately 62,000 compromised debit cards had been identified in the United States. Mantha said the demand for more secure transactions is a given.
New rules tighten the industry
The networks are addressing security from a variety of angles, including Triple DES. Visa's new PLUS network operator agreement rules, whose first effects hit in November, are expected to tighten up the ISO business by virtue of their existence. At least that's the way Marilyn Kilcrease, President of Temecula, Calif.-based Creative Card Solutions LLC, sees it.
"If you have a criminal or someone with derogatory information [on file], you have to get rid of them," Kilcrease said. "If, when you're doing your checks, you find someone that has a problem, you have to get the ATM out of there. That's your responsibility under these new rules."
As they did at ATMIA West in September 2005, select EFT network members reviewed ISO regulations, such as PLUS' agreement rules, in a changing ATM world. The topic has yet to grow stale, since the next due-diligence deadline for all existing ATM owners is November 2006. (ISOs and FIs were required by Nov. 1, 2005, to have up-to-date records for all newly placed off-premise machines.)
Regardless of how long ago an ISO sold an ATM to a merchant, the ISO is still responsible for maintaining up-to-date files.
"The problem is that this has been a loosely guarded industry for a long time. ... But as the networks work more to know who their customers are, you're going to see [fewer] problems," said Kathie Taylor of First Data's Star network. "There are going to be less of those people out there who operate ATMs and have criminal and derogatory information on file about them."
Triple DES ... still a hot topic
In case you thought it was safe to stop talking [and thinking] Triple DES, think again. Like the due diligence required by the new agreement rules, Visa and MasterCard pushed Triple DES as a way to reduce security breaches. Although deadlines have been pushed, industry experts say processors are really starting to pull for compliance.
"Over the last three months, we have really seen Triple DES upgrades pick up," said Wayne Vandekraak, President and Chief Executive of Beaverton, Ore.-based
Solvport LLC. "We are currently upgrading 10,000 units [for ISOs], and I'd say we get a call at least every two weeks about more upgrades. We think the processors are finally putting the heat on, and it's working."
John Del Giudice of Atlanta-based processor RBS Lynk agreed that Triple DES is still a hot topic. "I definitely don't think it's a dead issue. We've been talking about it for a long time, but we are really pushing the Triple DES issue. And we're going to keep getting the word out that it's a mandate, a requirement, so that we can work with ISOs on a compliance migration plan."
Wireless tech
On the exhibit floor, the show's 51 exhibitors didn't show off anything too new or different. For the most part, the technology reflected what was showcased at similar shows, such as November's Bank Administration Institute's (BAI) Retail Delivery Conference & Expo. And like BAI, wireless tech was definitely abuzz.
Kent Phillips, Vice President of Self-Service Solutions for Frisco, Texas-based Transaction Network Services Inc., said that he expects the presence of wireless ATMs in the United States to hit about 5,000 over the next six months. The tech is catching on, and so is the interest. "We had a lot of interest at this show," Phillips said. "This is the best [ATMIA] we've had by far. ... I think this will be a big year for wireless."
Other vendors, like Columbia Falls, Mont.-based Triton distributor Bancard Systems, expressed similar satisfaction with the show and its ISO attendees. Others praised ATMIA for successfully breaking the conference into two tracks, one for FIs, one for ISOs, an undertaking conference organizers spearheaded last year.
In addition to TNS, wireless tech was a highlight at Bancard's and Systech Corp.'s booths, to name a couple. While San Diego-based Systech showed off an inexpensive router-like solution that converts a dial-up ATM connection to Internet protocol, Bancard showed off built-in wireless connectivity that it's taking to the street for temporary placements.
"There's no spoofing," said Bancard's Todd Donnella. "This is built-in wireless on a Triton machine." Bancard's towering Ben Franklin unit, a weatherized ATM enclosure, was a floor-stopper. Even ATMmarketplace had to stop in and take a peak.
The unbanked ...
An aisle or two down from Bancard was Portland, Ore.-based Vero Inc., a financial services technology provider that announced its partnership with Fremont, Calif. based Tranax Technologies Inc. for a check-cashing solution during the show.
The new kiosk, which is expected to hit the market later this year, is a multifunction ATM built by Tranax that runs Vero's proprietary fraud engine for check cashing.
Reaching unbanked consumers in the retail and FI space is an expected focus for both companies in the coming year. The United States is a planned target, but so are neighboring countries like Mexico, other show attendees said.
In 2006, the presence of U.S. companies in Mexico is expected to show substantial increase, said Jorge Fernandez, President of Level Four Americas LLC. "Interchange has decreased in Mexico over the last two years. Now, with surcharging being implemented and allowed, we will probably see some growth."
One hang-up in Mexico: the ATM registration cost for ISOs. In Latin America, under the current model, an ISO pays $25,000 to register each of its ATMs with Visa. "That's because the networks don't differentiate between FI and ISO ATMs, at least not at the moment," Fernandez said.
... and beyond
Other vendors like De La Rue, La Gard and Kaba Mas showed off their usual respective wares: notes and media dispensers and electronic locks.
But Carson, Calif.-based MagTek, a 30-year-old supplier in the card-reader space, showcased something a little different: its MagnePrint magnetic-stripe reader. The MagnePrint pulls more data, reading not only tracks 1, 2 and 3, but also the status, serial number and transaction counter of the reader itself.
"Card compromise could happen at many different locations, so you need to have logical security that will allow you to determine if the card is real or false. The mag-stripe is like a fingerprint, a true authentication process," said MagTek's Kiran Gandhi.
Awards
And finally, drum roll please, the awards. This year's Conference East marked the first at which awards were given. The presentation was reportedly well-received: This year's banquet pulled more attendees than any held previously, ATMIA Chief Executive Officer Mike Lee said. The winners:
| 
