Even as the rising number of ATM (automated teller machine) related frauds has raised serious questions about the safety of bank deposits, there are suggestions that bank staff themselves are perhaps to blame for most, if not all, such incidents.

And, as in any security situation, the enemies within comprise the representatives of hardware and software vendors who have free access to banks' information systems.

For instance, in a recent case of withdrawal of Rs 29 lakh from a bank ATM, the culprit, an engineer with the vendor which had supplied the ATM, cracked the codes, used accounts not frequently operated and drained the credit balances.

While there is no limit to how far a scamster can go, observers feel there are certain areas banks need to address to set their houses in order.

"There are many flaws when it comes to the ATM-related software and systems, as well as the practices in bank branches," said an official who has been auditing bank software for the last few years, on condition of anonymity.

"Most instances are of inadequate systems knowledge, negligence and lethargy on the part of the bank staff," she said.

Pointing at the frequent visits of hardware staff or software vendors to ATM centres to solve problems, the software auditor said these men simply enter ATMs, perform their work and walk away.

"There is a rule that requires a bank person to always accompany the IT vendor's staff each time, the vendor's staff to enter in a register what he did on each visit and the bank official putting his signature next to this entry. This procedure is hardly followed," she said.

Such dual control is a directive of the Reserve Bank of India (RBI), as any ATM-related work must be performed in the presence of two authorised bank officers, she added.

The RBI has laid down that the ATM software must be audited by systems auditors before implementation, a rule scarcely adhered to by banks. Even on the operative side, the access control has to be restricted according to the nature of work each terminal user is handling.

Thus, clerks, officers and managers will have a different level of access to the software. Any sensitive user function has to be attended to by two officials to ensure safety. However, this is not strictly observed, leading to a great possibility of misuse.

The official further said the work of a systems administrator is extremely critical yet most neglected at the bank branch level.

"A system administrator is responsible for creating user identities and enabling and disabling them as per the work requirement. Even the vendor staff's user ID should be disabled as soon as he has finished his work and should be re-enabled when the need arises. This is rarely done. In fact, one observes many unnecessary user IDs including dummies created in the system," she said.

A banking solutions vendor, who did not want to be named, said the vendor is not always at fault. Bank managers are expected to check transactions on the ATM attached to their branch on a daily basis, he said.

"This will disclose the unusual transactions; if there are any changes in the master data, who has authorised these changes and many more things," he said.

The software auditor concurred, saying each software has an audit trail option built in and the manager must check these audit trails from time to time as a precautionary measure. Not all bank officers are blind to the goings-on. Warnings from such officers are hardly ever heeded. A lady officer with a nationalised bank once sent a note to her seniors detailing the lacunae in the use of software in her branch.

Among them were vendor staff not having time to reach the branch and passing on instructions (including the codes) on the phone to try to fix a problem in software, and access codes of officers transferred from a branch not being disabled for a long time after the transfer.

"If I am transferred from a branch my password there must be dead immediately. If this does not happen, I am sure to spend sleepless nights thinking about who could be doing what using my access information," she said, adding there are instances of transactions not being authorised by the empowered officers but by clerks who know the officers' passwords.

"This may be happening as the officer is under pressure and trusts the clerk with the password, but it is a very serious security lapse."

Branch managers admit to most of these things happening but prefer to blame it on the lack of manpower.

"We are seriously understaffed and won't be able to give proper services to customers if we follow these directives strictly," they said. "We have to rely on the trust that exists between the officers and the staff," they added.

"That may be true, but these ATM thefts and other frauds are coming to light just when banks are talking about e-banking and mobile banking. We can't progress on that front unless we have addressed these security issues," the software auditor said.


