European Journal of Economics, Finance and Administrative Sciences

ISSN 1450-2275 Issue 20 (2010)

© EuroJournals, Inc. 2010
http://www.eurojournals.com

ATM Risk Management and Controls

Devinaga Rasiah
Lecturer, multimedia university (Malacca Campus), Malaysia
E-mail: devinaga.rasiah@mmu.edu.my

Abstract

The aim of this study is to investigate risk management, security and controls in the
context of Automated teller machines (ATMs). In doing so, it adopts a non-technical
approach by investigating the interrelationship and effect of risk management and controls
in setting Automated Teller Machine security goals. The literature explores and discusses
the risk management and different controls of ATMs. To reduce the risk of fraudulent
activity, several controls can be integrated into the ATM processing environment.
However, the controls should not be considered a cure-all.

Keywords: ATMs, data security, risk, fraud, electronic banking, and controls.

ATM
An automated teller machine (also known as an ATM or Cash Machine), is a computerized device that
provides the customers of a financial institution with the ability to perform financial transactions
without the need for a human clerk or bank teller.
Crime at ATM’s has become a nationwide issue that faces not only customers, but also bank
operators. Security measures at banks can play a critical, contributory role in preventing attacks on
customers. These measures are of paramount importance when considering vulnerabilities and
causation in civil litigation and banks must meet certain standards in order to ensure a safe and secure
banking environment for their customers.
The Automated Teller machine is a terminal provided by bank or other financial institutions
which enables the customer to withdraw cash to make a balance enquiry, to order a statement, to make
a money transfer, or deposit cash. The ATMs are basically self-service banking terminals and are
aimed at providing fast and convenient service to customers.
Some of the new generations of ATMs are able to cash a check to the penny, dispense
traveller’s cheques and postage stamps, perform stock transfers, print discount coupons, issue phone
cards, and even sell concert tickets. Customers are grateful for these ATM features but they are also
very concerned with ATM crime and safety.

Background Studies
ATMs are generally designed for through-the –wall operations as well for use in lobbies. The Banker’s
magazine, September (1983), indicated that the ATMs provided convenient bank access to customers
accounts 24 hours a day, seven days a week including public holidays. The lobby machines which are
installed in the banking lobbies are only operational during banking hours. James Essinger (1987)
indicated that “ATM machines allow banks customers who have been issued with a card and a six digit
secret number known as a PIN number (Personal identification number) to perform their own banking
162 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

transactions”. The plastic card contains a magnetic stripe or a chip that contains a unique card number
and some security information, such as an expiration date and card validation code (CVC).
Kalakota and Whinston, (1996) mentioned that the financial services industry has been through
'structural and operational changes since the mid-1990s, and innovative use of new information
technology, electronic commerce. Hamelink, (2000) indicated that these associated cost reductions are
driving ongoing changes in banking New technology brings benefits and risks and new challenges for
human governance of the developments.
RCBC (2007), mentioned that authentication of the user is provided by the customer entering a
personal identification number (PIN). Miranda F, Cosa R and Barriuso (2006), highlighted that
customers transacting on these ATMs are guided by instructions displayed o the video screens. These
ATMs normally dispense two or more denominations of paper money. Customer’s advice slips are
automatically printed and dispensed except for balance enquires. All deposits have to be accounted for
by the bank staff, before they are credited to customers’ accounts.
Marcia Crosland of NCR Corp. (2010) indicated that aside from revenue generation and cost
savings, ATMs are becoming the face of many financial institutions. For many consumers, ATMs are
becoming the only interaction they have with their banks. In addition, ATMs are also becoming a
competitive mark for many banks. Therefore, it is imperative to ensure that the customer's experience
with the ATM is safe and secure.
Mike Fenton (2000), mentioned that over the past three decades consumers have come to
depend on and trust the ATM to conveniently meet their banking needs. In recent years there has been
a proliferation of ATM frauds across the globe. Managing the risk associated with ATM fraud as well
as diminishing its impact are important issues that face financial institutions as fraud techniques have
become more advanced with increased occurrences.
Diebold Inco. (2002) indicated that the ATM is only one of many electronic funds transfer
(EFT) devices that are vulnerable to fraud attacks. Card theft, or the theft of card data, is the primary
objective for potential thieves because the card contains all relevant account information needed to
access an account.
Recent global ATM consumer research indicates that one of the most important issues for
consumers when using an ATM was personal safety and security. As financial institutions use the
migration of cash transactions to self-service terminals as a primary method of increasing branch
efficiencies, the ATM experience must be as safe and accommodating as possible for consumers.
The industry has grave difficulty in measuring ATM fraud given the lack of a national
classification, the secrecy surrounding such frauds, and the unfortunate fact that one cannot know the
true cost of fraud until one is hit with it. Even low-cost solutions, such as customer awareness,
challenge banks that fear scaring customers away from the ATM, or worse, into the doors of a
competitor.

ATMs Transactions in Malaysia 2000 – 2004

Automated Teller Machines 2000 2001 2001 2003 2004
Number of ATMs 3,944 4,161 4,213 5,241 5,565
Volume of cash withdrawals in (million) 146.1 174.9 193.5 215.6 264.3
Value of cash withdrawals (RM billion) 62.0 71.8 77.6 86.3 110.8
Bank Negara Malaysia 2004.Figures in 2000-2002 comprises domestic commercial banks, LIFBs, Islamic banks and
finance companies. Figures in 2003-2004 include the DFLs. Figures in 2000-2003 represent transactions involving the
domestic commercial banks ,LIFBs and finance companies. Figures include Islamic banks transactions.

Number of EFTPOS Terminals MALAYSIA

as at end of period 2004 2005 2006 2007 2008 2009
Unit
International brand payment cards1 n.a. 83,100 93,368 119,490 144,897 160,585
ATM card2 n.a. 20,052 21,592 34,754 67,581 88,808
163 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)
E-money 16,642 18,198 28,115 28,771 29,236 30,198
1
MasterCard, Visa, American Express and Diners Club
2
Domestic PIN-based debit card scheme
n.a Not available
Note: Data is collected on a quarterly basis
Number of Cards/Users of Payment Instruments

as at end of period 2004 2005 2006 2007 2008 2009

'000
Credit card 6,583.0 7,815.5 8,833.0 9,901.3 10,812.4 10,817.6
Charge card 286.3 244.5 272.1 245.6 285.6 285.2
Debit card1 10,237.2 15,676.7 18,861.4 21,887.3 24,436.6 30,847.6
E-money 34,174.1 44,034.8 46,874.7 53,150.4 61,534.1 68,461.8
Includes international Brand debit card and ATM card
Source: BNM Annual Report (2004 – 2009)* refers to commercial banks only, also excludes Islamic Banks

Frauds at ATMs
Diebold Inco. (2002), indicated that fraud at the ATM although more difficult than at a POS, has
recently become more widespread. Recent occurrences of ATM fraud range from techniques such as
shoulder surfing and card skimming to highly advanced techniques involving software tampering
and/or hardware modifications to divert, or trap the dispensed currency.
Recent Global ATM consumer research indicates that one of the most important issues for
consumers when using an ATM was personal safety and security*. As financial institutions use the
migration of cash transactions to self service terminals as a primary method of increasing branch
efficiencies, the ATM experience must be as safe and accommodating as possible for consumers.
The magazine (1991), published that the UK consumer Association reported a case pf phantom
withdrawals. In 1989, 570 pounds was wrongly deducted from John Allans’ Bank of Scotland account.
A total of 8 cash withdrawals were carried out, three of them when he was away with his card in
Andorra. Complaining to the bank was fruitless and later Mr Allan was going to sue the bank of
Scotland. The day before the case was due to come to court, the bank reached an out –of court
settlement with him. The magazine concludes that this case marks a breakthrough because the bank
acknowledged that money can get debited to a account without the use of the card plus the PIN.
This risk exists in each product and service offered. The level of transaction risk is affected by
the structure of the institution’s processing environment, including the types of services offered and the
complexity of the processes and supporting technology.
ISACA (2007), highlighted that the key to controlling transaction risk lies in adapting effective
polices, procedures, and controls to meet the new risk exposures introduced by e-banking. Basic
internal controls including segregation of duties, dual controls, and reconcilements remain important.
Information security controls, in particular, become more significant requiring additional processes,
tools, expertise, and testing. Institutions should determine the appropriate level of security controls
based on their assessment of the sensitivity of the information to the customer and to the institution and
on the institution’s established risk tolerance level.
There are three basic types of ATM attacks:
• Attempts to steal a customer‘s bank card information;
• Computer and Network attacks against ATM‘s to gather bank card information;
• Physical attacks against the ATM.

THEFT OF CUSTOMER‘S BANK CARD INFORMATION

Card Skimming
Fake ATM machines
Card Trapping/Card Swapping
164 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

Distraction theft or ‘manual’ skimming

Shoulder Surfing
Leaving transaction ‘Live’
Cash trapping
COMPUTER AND NETWORK ATTACKS
Network attacks against ATMs
Viruses and malicious software
Phishing
PIN cash-out attacks
Utilizing a Fake PIN pad overlay
PIN Interception
PHYSICAL ATM ATTACKS
Ram Raid Attacks
Theft of ATMs
Smash and Grab of ATMs
Safe cutting/Safe Breaking
Explosive Attacks

The other most common cash dispenser fraud has become known as the "Lebanese loop"
because criminals of Lebanese origin apparently first used it. This has many variations but usually
involves the cash machine being tampered with so that your card is not returned to you and is then
removed by the criminals: alternatively if you get your card back a device has recorded the details of
your magnetic stripe. The crooks have also captured your PIN number though some variation of
shoulder surfing. It is this problem that has led to banks putting posters and other warnings on ATMs
advising customers to visually inspect the machine to see if it has been altered or tampered with.

Types of Errors
So far the ATMs have been the most widely spread application of electronic banking. There are various
types of errors which can occur due to mechanical failure at the ATM terminal leading to the following
problems:-
• ATM dispenses less cash to the customer but the account is debited correctly.
• The customer’s account is debited twice but the cash is only dispensed once by the ATM.
• The customer’s account is debited but the cash is not dispensed by the ATM.
Normally errors can occur at any time, even when the ATM accepts cash and cheques deposits.
There have also been cases of phantom withdrawals and the card-holder denying being responsible for
those cash withdrawals, although the computer records showed that a genuine transaction had taken
place.

Reputational Risks
This is considerably heightened for banks using the Internet. For example the Internet allows for the
rapid dissemination of information which means that any incident, either good or bad, is common
knowledge within a short space of time. The speed of the Internet considerably cuts the optimal
response times for both banks and regulators to any incident.
Any problems encountered by one firm in this new environment may affect the business of
another, as it may affect confidence in the Internet as a whole. There is therefore a risk that one rogue
e-bank could cause significant problems for all banks providing services via the Internet. This is a new
type of systemic risk and is causing concern to e-banking providers. Overall, the Internet puts an
emphasis on reputational risks. Banks need to be sure those customers’ rights and information needs
are adequately safeguarded and provided for.
165 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

Management Risk Analysis

Management risk analysis identifies the nature of risk involved in detail. This evaluation helps the
financial institution to decide whether it is necessary to have controls to overcome losses which may
arise from various risks associated with the ATMs. A plan is normally formulated as to how these
ATM risks are going to be identified, what methods are going to be used to overcome these
risks/threats, and, if a fraud or a misuse should occur, how much loss is expected and how Bank is
going to recover.
This is the highest risk category that requires the strongest controls since online transactions are
often irrevocable once executed. The bank’s internet systems may be exposed to internal or external
attacks if controls are inadequate. A heightened element of risk is that attacks against internet systems
do not require physical presence at the site being attacked. At times, it is not even clear or detectable as
to when and how attacks are launched from multiple locations in different countries
In view of the proliferation and diversity of cyber attacks, banks should implement two-factor
authentication at login for all types of internet banking systems and for authorising transactions. The
principal objectives of two-factor authentication are to protect the confidentiality of customer account
data and transaction details as well as enhance confidence in internet banking by combating phishing,
key logging, spyware, malware, middleman attacks and other internet-based scams and malevolent
exploits targeted at banks and their customers.
Two factor authentications for system login and transaction authorisation can be based on any
two of the following factors:
• What you know (eg. Personnel Identification Number)
• What you have (eg. One Time Password token)
• Who you are (eg. Biometrics) comprises methods for uniquely recognizing humans
based upon one or more intrinsic physical traits
Risk analysis provides the financial institution with variable information as to how much
investment it should make to enhance the security and controls of its ATM installation.
The EDP Audit Control and Security Newsletter (March 1991) indicated that risk analysis involves 4
steps.
• Reviewing the existing ATM centre environment
• Identifying the critical information processing of ATM applications
• Estimating the value of the ATM assets used by these application that must be
protected
• Quantifying the estimated loss associated with the occurrence of a fraudulent misuse
of cards of unauthorised withdrawals etc.

Reviewing the Existing Operation of the ATM Installation

It is essential that management identify all the various hazards to which ATM centre is exposed,
including natural disasters or otherwise. The management normally identifies the controls that are in
operation that are to reduce the possible impact of these risks/threats. Controls of all kinds which are
applicable to the Automated Teller Machine must be identified.
Even though the existing ATM controls may appear to be in operation, the management must
make sure that maintenance is preformed to ensure that the controls will be effective in the event of a
fraud or misuse. John Page and Paul Hooper (1987) indicated that compliance testing is used to
determine the following:
• To determine whether the necessary controls are in place.
• To provide reasonable assurance that the controls are functioning properly
• To document when, how, and by whom, the controls are preformed.
The management may recommend that some of these controls be changed, implement or
modified in ways that minimize the relevant risks and the exposure associated with them.
166 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

ATM Risk Management

ATM risk management is a ongoing process of identifying, monitoring and managing potential risk
exposure considering as ATMs relates to payment systems. The following should be considered:-
• General Supervision
• Transaction Processing
• System administration

Identifying the Various Areas

The management can identify the major area of risks by doing an analysis or statistical sampling of the
information given below. They should be able to form an opinion from this information below:-
a) Total number of ATM’s and their usage.
b) Time logged on/Settlement time.
c) Number of Cardholders.
d) Number of Transactions, e.g. Withdrawals and transfers etc.
e) Total amount withdrawn of transferred etc.
f) Number of ATM reports generated etc. and may more areas.
g) Overall review of ATM management resources etc.
Only after management have identified these areas can the controls be increased, changed or
modified. It is important to determine a reasonable estimate of the overall value of the ATM
installation. Care should also be taken in determining the value of the installed software.

Estimating the ATM Loss

Estimating losses can be difficult, Dr Catherine P Smith (1987) indicated “that normally the loss could
be due to human error, technical error or deliberate action such as fraud, misuse or unauthorised use of
the ATM card etc.” Most financial institutions treat ATM losses unless it is major as a small loss
unless it is a major fraud. Normally the loss is only a very small percentage when compared to the
overall volume and amount transacted within the bank. Alvin A, Arens and James K Loebbecke (
1988) indicated “that it is not possible to establish my dollar- value guidelines as it depends on a
number of factors which the management analyses and forms a decision”.
Upon management identifying the risks, audit techniques can be used to evaluate the
consequences of fraud or misuse at the ATM prior to recommending improved controls.
There are several exposures to losses inherent in an ATM installation, e.g. exposure occurs
when a customer transfers funds over communication links; customer’s financial data are subjected to
fraudulent interception at many points.
What should be done is to find a way to reduce risks and threats to an acceptable level and to
provide a method of recovery of ATM losses.

ATM Security Measures

Normally security measures are divided into 2 groups. Firstly to reduce the losses at the ATM and
secondly to find a way to fund or recover these losses.
167 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

Measures to Reduce the Losses

a). The ATM Audit Log
The ATM audit log provides information that is recorded after the incident. The ATM audit log is
useful as it identifies and diagnoses security violation. It traces figures contained in a report back to the
point of processing and from processing to the source of the input.

b). Encryption
Encryption is an effective technique for protecting the ATM system. This technique is to make
intercepted data useless to the interceptor by making it too difficult or too expensive to decipher. This
means there is little risk if disclosure.

c). Software Auditing

R.M Richards and J. Yestingsmer (1986) indicated that “software audit techniques include a review of
program listing, use to test input/output data with expected results and auditing of the ATM system
processing program using error detectors built into the system. Tracing is software used by the auditor
to identify which instructions were used in a program and in what order”. The advantage is that it helps
to analyse the way in which the ATM program operates.
Software auditing provides system integrity to management and also provides an opportunity
for management to identify security and control weakness. There are several good security packages
that can monitor an ATM software execution to detect possible tampering with the programs.
These ATM utility programs provide the opportunity for management to examine that the ATM
programs are being properly executed and are not being overridden or by-passed. By using the audit
software, frauds and misuses can be detected in a timely manner.

Controls
In general the process should ensure Confidentiality, Integrity and Availability (CIA). This
requirement should be addressed with controls implemented at different levels of the ATM
implementation, such as General Application controls, business process controls, applications controls
and Platform controls.

1. General ATM Operation and Organisation Controls

The operation and organisational controls are designed to ensure that functions are segregated among
individuals. There are two main important elements in an ATM system; firstly the magnetic card and
secondly the PINs. Making of the PINs is not to be carried out by people who are processing the cards.
Miklos A Vasarhelyi and Thomas W Lin (1988) indicated that “there should be segregation” in order
to limit an individual to only one interface with the system.
Most ATM systems rely heavily on programmed controls within the ATM system software;
hence it is important to separate the system development individuals, e.g
To separate:-
• application testing from systems design and programming and
• System software programming from application programming.

Risks/Threats
• Mailed cards being intercepted before reaching the authorised address.
• Uncollected cards not only take up valuable space for storage but also pose a security risk to the
bank through fraudulent use of these cards by bank staff.
168 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

• Retained cards – these ATM cards pose an even greater risk, if they fall into the wrong hands
and are misused.
• Inadequate supervision of embossing of the card.
• Stolen cards not being reported immediately
• Stocks of blank cards could lead to unauthorised cards being issued leading to fraud.

2. Business Process Controls

In general no one person should handle all the transactions. This can be achieved by proper segregation
of duties. Appropriate control should be included during reconciliation, verification of withdrawals and
date/time of transactions was completed.
Application Close supervision is necessary within the embossing department, where control on
card issuance should be rigorous after embossing. Furthermore the envelopes should be issued based
on a predetermined control number. During hours of non-production, the embossing department should
be kept locked. Personnel having access to cards must be denied access to PINs whenever cards are
prepared and processed. There should be two staff in charge of the process in order to have dual
accountability for stock.

Security and Control of PIN (Personal Identification Number)

A PIN is a “personal identification number” . This is a number consisting of four numerical characters
which is essentially a cardholder’s password. PINs can be assigned by the institution or can be
customer selected. PINs which are generated for the customer can be derived from the customer’s
account number and a logarithm used. These PINs are normally stored in an encrypted form at the
ATM. A temporary PIN is issued which can be used at the ATM immediately. Later the customer has
the choice of selecting his own PIN number at the ATM.

Risks/Threats
There are a number of risks involved in the management of PIN numbers:-
1 There is the integrity of the PIN itself. If control and security is not tight, the method of
selecting PIN or encryption keys may become known and duplicated PINs and mailers be
prepared.
2 The PIN mailers are intercepted during mailing.
3 PINs longer than four digits are security hazards, as holders may be tempted to write down their
number to remember them.
4 Issuing replacement PIN numbers to customers. If the person making the request has stolen the
card or is not authorised to use it, the true owner of the card stands to lose a substantial sum of
money.

Application Controls
For controls and security purpose the PIN which is in encrypted form is stored in a database file for
security purposes. The PIN mailers are prepared separately. The PIN is only activated upon the use of
the card by the customer at the ATM.
Adequate control should be carried out when PIN is produced for mailing. Mailing of the PIN
is carried out subsequent to card mailing. The PIN is forwarded to the customer in a separate mailer on
a different day.
For security reasons all systems documentation concerning PIN generation/encryption and
decryption keys must be under tight control at all times. Furthermore, extreme care must be taken when
requests for new PINs are made. It is important for security reasons that the request for a new PIN
should be in writing.
169 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

For control purposes confirmation of numbers of PINs generated must be carried out against the
total application approved.
It is recommended that the customer’s PIN should not be displayed on the PIN mailer. For
control and security reasons the PIN mailers should not have direct reference or correlation to the
customer’s account number or identification of the financial institution. The PIN must be scrambled or
encrypted if printed or displayed on terminal screens.

Other Controls are as follows:-

• Access controls and authorisation to any addition, deletion or changes to ATM transaction
details should be implemented.
• Any changes to cardholder details should be authorised by the officer at the next level.
• Realistic maximum transaction and maximum daily total limits should be implemented for
ATM withdrawals.
• Printed receipts should be dispensed by the ATM for every ATM transaction.
• Every ATM transaction should be acknowledged by e-mail or a short message script sent to the
mobile phone to confirm or alert the user that a transaction was performed.

3. Platform Controls
Controls to consider should include:-
I. Encryption
II. Algorithm
III. Communication Controls
i. Communication protocols
ii. Encryption protocols etc

Measure to Use if Fraud does occur at the ATMs

Unfortunately, losses and security breaches do occur. It is important to have a recovery procedure
which will identify if losses occur through the ATMs. Normally insurance companies provide banks
with a Bankers Insurance Coverage, which includes losses that “the cover needed will vary depending
upon the risk”. It is important for financial institutions to have a straight loss control program in order
to fully protect its ATM customers itself. In addition to the Bankers Insurance cover there is also
computer crime insurance cover. This covers all transfers of funds which are lost as a result of a
fraudulent input into system.
On its own, technology will never solve the problems of an inefficient and poorly managed
institution. At such an institution, technology may just automate problems and highlight inefficiencies.
ATMs require a high degree of additional control beyond those traditionally employed by financial
service providers. Institutions need to make sure they are able to track funds that have been deposited
into the ATMs but not yet accounted for in central accounts as fraud or errors may be involved with the
deposit. When initiating new technologies such as offering financial services through ATMs,
institutions must be prepared to educate clients on the benefits and train them in the use of the new
technology. Failing to do so can reduce adoption rates and/or lead to a rejection of the technology by
the targeted clients.
Clients are often relationship oriented and enjoy person-to-person transactions. These
transactions build trust and familiarity while automating processes can depersonalize services and
alienate clients. This must be considered and adequately planned for, when switching from highly
personalized services to automated transactions.
170 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

Some suggested Audit EFT Procedures

• Physical Controls
• Process Controls
• Transmission and System failures
• System logon controls
• Messaging controls
• Transfer Controls
• PIN controls
• Card Controls
• Back –end application
• Front end application
• Transaction Journal/ Audit Trail
• Visible Terminals.
Source: ISACA -Information Systems Audit and Control Association (2007)

Conclusion
Praveen Dalal (2006) indicated that although comprehensive computer insurance cover is available to
Banks for losses relating to ATMs, it is important to note that they vary significantly. By utilizing
careful ATM analysis and the best prevention and reduction methods acceptable levels of ATM risks
can be maintained. One of the benefits that banks experience when using e-banking is increased
customer satisfaction. This due to that customers may access their accounts whenever, from anywhere,
and they get involved more, this creating relationships with banks.
Banks should provide their customers with convenience, meaning offering service through
several distribution channels (ATM, Internet, physical branches) and have more functions available
online. Other benefits are expanded product offerings and extended geographic reach. This means that
banks can offer a wider range and newer services online to even more customers than possible before.
The benefit which is driving most of the banks toward e-banking is the reduction of overall costs. With
e-banking banks can reduce their overall costs in two ways: cost of processing transactions is
minimized and the numbers of branches that are required to service an equivalent number of customers
are reduced. With all these benefits banks can obtain success on the financial market. But e-banking is
a difficult business and banks face a lot of challenges.
171 European Journal of Economics, Finance And Administrative Sciences - Issue 21(2010)

References and sources

1] ISACA// www.isaca.org/glossary(2007)
2] http://www.atmsecurity.com/monthly-digest/atm-security-monthly-digest/atm-fraud-and-
security-digest-march-2009.html
3] http://www.computerworld.com/securitytopics/security/story
4] http://www.denverpost.com/headlines.
5] http://www.europol.europa.eu
6] http://www.mydigitallife.info/2006/09/25/atm-hacking-and-cracking-to-steal-money-with-atm-
backdoor-default-master-password/
7] http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/
8] http://www.wired.com/threatlevel/2009/04/pins/
9] https://www.european-atm-security.eu
10] McGlasson L., ‘ATM Fraud: Growing Threats to Financial Institutions‘, Bank Info Security,
http://www.bankinfosecurity.com
11] ATM crime (2009): Overview of the European situation and golden rules on how to avoid it.
12] Robinson G., ‘Bondi banks scam: ATM alert‘, The Sydney Morning Herald, October 2008,
13] Hamelink, C. "The Ethics of Cyberspace," Sage, London, 2000.Ind, N. "Living the Brand,"
Kogan Page, London.
14] Kalakota, R. and A. B. Whinston, "Electronic Commerce: A Manager’s Guide" 2nd Edition,
Addison Wesley, Harlow, 2001.
15] Marcia Crosland, NCR Corp.(2010), Consumer behaviour drives innovation inn ATM
technology. http:/www.atmmarketplace.com.
16] ISACA (2001) , Is Auditing Procedure (Electronic Fund Transfer( EFT). Information Systems
Audit and Control Association.
17] RCBC (2007) Rizal Commercial Banking Corporation. Electronic Banking (e Banking)
Consumer protection Policy.
18] Mike Fenton (2008) by Admin. Banking systems and technology; The Blog. Taking ATM
fraud prevention to the next level.
19] Roy Martin R and Jan Y (1986) Computer and Security Risk Management. A key to security in
Electronic Funds Transfer System Elsevier Science publishers.
20] Praveen Dalal (2006) Preventive measures for ATM Frauds, Computer crime research centre -
Preventive measure for ATM frauds.
21] Diebold Inco. (2002), ATM Fraud Security white paper.
22] James essinger (1987), ATM Networks, Their organisation security and finance, published by
Elservier Int Bulletin Chp 6 Future developments.
23] Alvin AA and James K Loebbecke (1988) , Auditing an integrated approach 4 th edition Chp8
pg 231-269 prentice hall Int. Edition.
24] The EDP Audit, Control and Security Newsletter (1991) EDPACS, Robert Parker- Acss
Control software: What it will and will not do. Vol XVIII No 8.
25] John and Paul H (1987) Accounting and information System, Compliance testing in a computer
environment. Chp16, 3 editions Prentice Hall.
26] Andrew D Chambers (1981), Computer Auditing Insurance, Chp5, Pitman Books Ltd.
27] Campion, Anita & Sarah Halpern. “Automating Microfinance: Experience from Latin America,
Asia, and Africa.” MicroFinance Network, 2001.
28] www.mfnetwork.org/bookmarks/Itemid,26/task,detail/catid,1/navstart,0/mode,0/id,5/search,CG
AP IT Innovations Series
29] www.cgap.org/publications/microfinance_technology.html