
European Journal of Economics, Finance and Administrative Sciences

ISSN 1450-2275 Issue 21 (2010)

© EuroJournals, Inc. 2010

http://www.eurojournals.com

ATM Risk Management and Controls

Devinaga Rasiah

Lecturer, Multimedia University (Malacca Campus), Malaysia

E-mail: [email protected]

Abstract

The aim of this study is to investigate risk management, security and controls in the

context of Automated teller machines (ATMs). In doing so, it adopts a non-technical

approach by investigating the interrelationship and effect of risk management and controls

in setting Automated Teller Machine security goals. The literature explores and discusses

the risk management and different controls of ATMs. To reduce the risk of fraudulent

activity, several controls can be integrated into the ATM processing environment.

However, the controls should not be considered a cure-all.

Keywords: ATMs, data security, risk, fraud, electronic banking, and controls.

ATM

An automated teller machine (also known as an ATM or Cash Machine) is a computerized device that

provides the customers of a financial institution with the ability to perform financial transactions

without the need for a human clerk or bank teller.

Crime at ATMs has become a nationwide issue that faces not only customers, but also bank

operators. Security measures at banks can play a critical, contributory role in preventing attacks on

customers. These measures are of paramount importance when considering vulnerabilities and

causation in civil litigation and banks must meet certain standards in order to ensure a safe and secure

banking environment for their customers.

The Automated Teller Machine is a terminal provided by a bank or other financial institution

which enables the customer to withdraw cash, to make a balance enquiry, to order a statement, to make

a money transfer, or deposit cash. The ATMs are basically self-service banking terminals and are

aimed at providing fast and convenient service to customers.

Some of the new generations of ATMs are able to cash a check to the penny, dispense

traveller’s cheques and postage stamps, perform stock transfers, print discount coupons, issue phone

cards, and even sell concert tickets. Customers are grateful for these ATM features but they are also

very concerned with ATM crime and safety.

Background Studies

ATMs are generally designed for through-the-wall operations as well as for use in lobbies. The Banker’s

magazine, September (1983), indicated that the ATMs provided convenient bank access to customers

accounts 24 hours a day, seven days a week including public holidays. The lobby machines which are

installed in the banking lobbies are only operational during banking hours. James Essinger (1987)

indicated that “ATM machines allow banks customers who have been issued with a card and a six digit

secret number known as a PIN number (Personal identification number) to perform their own banking


transactions”. The plastic card contains a magnetic stripe or a chip that contains a unique card number

and some security information, such as an expiration date and card validation code (CVC).

Kalakota and Whinston (1996) mentioned that the financial services industry has been through

structural and operational changes since the mid-1990s, and innovative use of new information

technology, electronic commerce. Hamelink (2000) indicated that these associated cost reductions are

driving ongoing changes in banking. New technology brings benefits and risks and new challenges for

human governance of the developments.

RCBC (2007), mentioned that authentication of the user is provided by the customer entering a

personal identification number (PIN). Miranda F, Cosa R and Barriuso (2006), highlighted that

customers transacting on these ATMs are guided by instructions displayed on the video screens. These

ATMs normally dispense two or more denominations of paper money. Customers’ advice slips are

automatically printed and dispensed except for balance enquiries. All deposits have to be accounted for

by the bank staff, before they are credited to customers’ accounts.

Marcia Crosland of NCR Corp. (2010) indicated that aside from revenue generation and cost

savings, ATMs are becoming the face of many financial institutions. For many consumers, ATMs are

becoming the only interaction they have with their banks. In addition, ATMs are also becoming a

competitive mark for many banks. Therefore, it is imperative to ensure that the customer's experience

with the ATM is safe and secure.

Mike Fenton (2000), mentioned that over the past three decades consumers have come to

depend on and trust the ATM to conveniently meet their banking needs. In recent years there has been

a proliferation of ATM frauds across the globe. Managing the risk associated with ATM fraud as well

as diminishing its impact are important issues that face financial institutions as fraud techniques have

become more advanced with increased occurrences.

Diebold Inco. (2002) indicated that the ATM is only one of many electronic funds transfer

(EFT) devices that are vulnerable to fraud attacks. Card theft, or the theft of card data, is the primary

objective for potential thieves because the card contains all relevant account information needed to

access an account.

Recent global ATM consumer research indicates that one of the most important issues for

consumers when using an ATM was personal safety and security. As financial institutions use the

migration of cash transactions to self-service terminals as a primary method of increasing branch

efficiencies, the ATM experience must be as safe and accommodating as possible for consumers.

The industry has grave difficulty in measuring ATM fraud given the lack of a national

classification, the secrecy surrounding such frauds, and the unfortunate fact that one cannot know the

true cost of fraud until one is hit with it. Even low-cost solutions, such as customer awareness,

challenge banks that fear scaring customers away from the ATM, or worse, into the doors of a

competitor.

ATMs Transactions in Malaysia 2000 – 2004

| Automated Teller Machines | 2000 | 2001 | 2002 | 2003 | 2004 |
|---|---|---|---|---|---|
| Number of ATMs | 3,944 | 4,161 | 4,213 | 5,241 | 5,565 |
| Volume of cash withdrawals (million) | 146.1 | 174.9 | 193.5 | 215.6 | 264.3 |
| Value of cash withdrawals (RM billion) | 62.0 | 71.8 | 77.6 | 86.3 | 110.8 |

Bank Negara Malaysia 2004. Figures in 2000-2002 comprise domestic commercial banks, LIFBs, Islamic banks and finance companies. Figures in 2003-2004 include the DFLs. Figures in 2000-2003 represent transactions involving the domestic commercial banks, LIFBs and finance companies. Figures include Islamic banks transactions.

Number of EFTPOS Terminals MALAYSIA (units, as at end of period)

| Terminal type | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 |
|---|---|---|---|---|---|---|
| International brand payment cards (1) | n.a. | 83,100 | 93,368 | 119,490 | 144,897 | 160,585 |
| ATM card (2) | n.a. | 20,052 | 21,592 | 34,754 | 67,581 | 88,808 |
| E-money | 16,642 | 18,198 | 28,115 | 28,771 | 29,236 | 30,198 |

(1) MasterCard, Visa, American Express and Diners Club

(2) Domestic PIN-based debit card scheme

n.a. Not available

Note: Data is collected on a quarterly basis

Number of Cards/Users of Payment Instruments ('000, as at end of period)

| Instrument | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 |
|---|---|---|---|---|---|---|
| Credit card | 6,583.0 | 7,815.5 | 8,833.0 | 9,901.3 | 10,812.4 | 10,817.6 |
| Charge card | 286.3 | 244.5 | 272.1 | 245.6 | 285.6 | 285.2 |
| Debit card (1) | 10,237.2 | 15,676.7 | 18,861.4 | 21,887.3 | 24,436.6 | 30,847.6 |
| E-money | 34,174.1 | 44,034.8 | 46,874.7 | 53,150.4 | 61,534.1 | 68,461.8 |

(1) Includes international brand debit card and ATM card

Source: BNM Annual Report (2004 – 2009). * refers to commercial banks only, also excludes Islamic Banks

Frauds at ATMs

Diebold Inco. (2002), indicated that fraud at the ATM, although more difficult than at a POS, has

recently become more widespread. Recent occurrences of ATM fraud range from techniques such as

shoulder surfing and card skimming to highly advanced techniques involving software tampering

and/or hardware modifications to divert, or trap the dispensed currency.

Recent Global ATM consumer research indicates that one of the most important issues for

consumers when using an ATM was personal safety and security*. As financial institutions use the

migration of cash transactions to self service terminals as a primary method of increasing branch

efficiencies, the ATM experience must be as safe and accommodating as possible for consumers.

The magazine (1991), published that the UK Consumer Association reported a case of phantom

withdrawals. In 1989, 570 pounds was wrongly deducted from John Allan’s Bank of Scotland account.

A total of 8 cash withdrawals were carried out, three of them when he was away with his card in

Andorra. Complaining to the bank was fruitless and later Mr Allan was going to sue the Bank of

Scotland. The day before the case was due to come to court, the bank reached an out-of-court

settlement with him. The magazine concludes that this case marks a breakthrough because the bank

acknowledged that money can get debited to an account without the use of the card plus the PIN.

This risk exists in each product and service offered. The level of transaction risk is affected by

the structure of the institution’s processing environment, including the types of services offered and the

complexity of the processes and supporting technology.

ISACA (2007), highlighted that the key to controlling transaction risk lies in adapting effective

policies, procedures, and controls to meet the new risk exposures introduced by e-banking. Basic

internal controls including segregation of duties, dual controls, and reconcilements remain important.

Information security controls, in particular, become more significant requiring additional processes,

tools, expertise, and testing. Institutions should determine the appropriate level of security controls

based on their assessment of the sensitivity of the information to the customer and to the institution and

on the institution’s established risk tolerance level.

There are three basic types of ATM attacks:

• Attempts to steal a customer's bank card information;

• Computer and network attacks against ATMs to gather bank card information;

• Physical attacks against the ATM.

THEFT OF CUSTOMER'S BANK CARD INFORMATION

• Card Skimming

• Fake ATM machines

• Card Trapping/Card Swapping

• Distraction theft or ‘manual’ skimming

• Shoulder Surfing

• Leaving transaction ‘Live’

• Cash trapping

COMPUTER AND NETWORK ATTACKS

• Network attacks against ATMs

• Viruses and malicious software

• Phishing

• PIN cash-out attacks

• Utilizing a Fake PIN pad overlay

• PIN Interception

PHYSICAL ATM ATTACKS

• Ram Raid Attacks

• Theft of ATMs

• Smash and Grab of ATMs

• Safe cutting/Safe Breaking

• Explosive Attacks

The other most common cash dispenser fraud has become known as the "Lebanese loop"

because criminals of Lebanese origin apparently first used it. This has many variations but usually

involves the cash machine being tampered with so that your card is not returned to you and is then

removed by the criminals: alternatively if you get your card back a device has recorded the details of

your magnetic stripe. The crooks have also captured your PIN number through some variation of

shoulder surfing. It is this problem that has led to banks putting posters and other warnings on ATMs

advising customers to visually inspect the machine to see if it has been altered or tampered with.

Types of Errors

So far the ATMs have been the most widely spread application of electronic banking. There are various

types of errors which can occur due to mechanical failure at the ATM terminal leading to the following

problems:-

• ATM dispenses less cash to the customer but the account is debited correctly.

• The customer’s account is debited twice but the cash is only dispensed once by the ATM.

• The customer’s account is debited but the cash is not dispensed by the ATM.

Normally errors can occur at any time, even when the ATM accepts cash and cheques deposits.

There have also been cases of phantom withdrawals and the card-holder denying being responsible for

those cash withdrawals, although the computer records showed that a genuine transaction had taken

place.
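
The three terminal errors listed above, and disputed withdrawals generally, come to light when the host's debit records are reconciled against the terminal's own dispense journal. The following is an added example, not part of the original article: it assumes both record sets share a transaction reference (txn_ref) and that amounts are held in sen; the record layouts and sample data are constructed. It also flags one case beyond the article's list, cash dispensed with no matching debit.

```python
"""Reconcile host debits against the ATM dispense journal (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostDebit:
    txn_ref: str   # hypothetical reference shared by host and terminal
    account: str
    amount: int    # sen debited from the customer's account


@dataclass(frozen=True)
class JournalEntry:
    txn_ref: str
    dispensed: int  # sen actually counted out by the cash dispenser


@dataclass(frozen=True)
class Finding:
    txn_ref: str
    account: Optional[str]
    code: str
    debited: int
    dispensed: int


def reconcile(host_debits, journal):
    """Return one Finding per transaction whose debit and dispense totals differ."""
    debits = defaultdict(list)
    for d in host_debits:
        debits[d.txn_ref].append(d)
    paid_out = defaultdict(int)
    for j in journal:
        paid_out[j.txn_ref] += j.dispensed

    findings = []
    for ref in sorted(set(debits) | set(paid_out)):
        rows = debits.get(ref, [])
        debited = sum(d.amount for d in rows)
        paid = paid_out.get(ref, 0)
        if debited == paid:
            continue  # balanced, nothing to report
        if paid > debited:
            code = "OVER_DISPENSE"            # bank's loss, not in the article's list
        elif paid == 0:
            code = "DEBITED_NOT_DISPENSED"    # account debited, no cash given
        elif len(rows) > 1 and all(d.amount == paid for d in rows):
            code = "DUPLICATE_DEBIT"          # debited more than once, dispensed once
        else:
            code = "SHORT_DISPENSE"           # less cash than the amount debited
        account = rows[0].account if rows else None
        findings.append(Finding(ref, account, code, debited, paid))
    return findings


def customer_refunds(findings):
    """Total owed back to each account where the debit exceeds cash dispensed."""
    owed = defaultdict(int)
    for f in findings:
        if f.account is not None and f.debited > f.dispensed:
            owed[f.account] += f.debited - f.dispensed
    return dict(owed)


# Constructed sample data (not real transactions).
SAMPLE_HOST_DEBITS = [
    HostDebit("T1001", "ACC-A", 20000),
    HostDebit("T1002", "ACC-B", 30000),
    HostDebit("T1003", "ACC-C", 10000),
    HostDebit("T1003", "ACC-C", 10000),   # same reference posted twice
    HostDebit("T1004", "ACC-D", 50000),
]
SAMPLE_JOURNAL = [
    JournalEntry("T1001", 20000),
    JournalEntry("T1002", 25000),
    JournalEntry("T1003", 10000),
    JournalEntry("T1004", 0),             # dispenser fault, no notes presented
    JournalEntry("T1005", 10000),         # cash out with no host debit
]

if __name__ == "__main__":
    results = reconcile(SAMPLE_HOST_DEBITS, SAMPLE_JOURNAL)
    for f in results:
        print(f.txn_ref, f.code, f.debited, f.dispensed)
    print(customer_refunds(results))
```
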

Reputational Risks

This is considerably heightened for banks using the Internet. For example the Internet allows for the

rapid dissemination of information which means that any incident, either good or bad, is common

knowledge within a short space of time. The speed of the Internet considerably cuts the optimal

response times for both banks and regulators to any incident.

Any problems encountered by one firm in this new environment may affect the business of

another, as it may affect confidence in the Internet as a whole. There is therefore a risk that one rogue

e-bank could cause significant problems for all banks providing services via the Internet. This is a new

type of systemic risk and is causing concern to e-banking providers. Overall, the Internet puts an

emphasis on reputational risks. Banks need to be sure those customers’ rights and information needs

are adequately safeguarded and provided for.


Management Risk Analysis

Management risk analysis identifies the nature of risk involved in detail. This evaluation helps the

financial institution to decide whether it is necessary to have controls to overcome losses which may

arise from various risks associated with the ATMs. A plan is normally formulated as to how these

ATM risks are going to be identified, what methods are going to be used to overcome these

risks/threats, and, if a fraud or a misuse should occur, how much loss is expected and how the bank is

going to recover.

This is the highest risk category that requires the strongest controls since online transactions are

often irrevocable once executed. The bank’s internet systems may be exposed to internal or external

attacks if controls are inadequate. A heightened element of risk is that attacks against internet systems

do not require physical presence at the site being attacked. At times, it is not even clear or detectable as

to when and how attacks are launched from multiple locations in different countries.

In view of the proliferation and diversity of cyber attacks, banks should implement two-factor

authentication at login for all types of internet banking systems and for authorising transactions. The

principal objectives of two-factor authentication are to protect the confidentiality of customer account

data and transaction details as well as enhance confidence in internet banking by combating phishing,

key logging, spyware, malware, middleman attacks and other internet-based scams and malevolent

exploits targeted at banks and their customers.

Two-factor authentication for system login and transaction authorisation can be based on any

two of the following factors:

• What you know (e.g. Personal Identification Number)

• What you have (e.g. One Time Password token)

• Who you are (e.g. biometrics, which comprises methods for uniquely recognizing humans based upon one or more intrinsic physical traits)

Risk analysis provides the financial institution with variable information as to how much

investment it should make to enhance the security and controls of its ATM installation.

The EDP Audit Control and Security Newsletter (March 1991) indicated that risk analysis involves 4

steps.

• Reviewing the existing ATM centre environment

• Identifying the critical information processing of ATM applications

• Estimating the value of the ATM assets used by these applications that must be protected

• Quantifying the estimated loss associated with the occurrence of a fraudulent misuse of cards or unauthorised withdrawals etc.

Reviewing the Existing Operation of the ATM Installation

It is essential that management identify all the various hazards to which ATM centre is exposed,

including natural disasters or otherwise. The management normally identifies the controls that are in

operation that are to reduce the possible impact of these risks/threats. Controls of all kinds which are

applicable to the Automated Teller Machine must be identified.

Even though the existing ATM controls may appear to be in operation, the management must

make sure that maintenance is performed to ensure that the controls will be effective in the event of a

fraud or misuse. John Page and Paul Hooper (1987) indicated that compliance testing is used to

determine the following:

• To determine whether the necessary controls are in place.

• To provide reasonable assurance that the controls are functioning properly

• To document when, how, and by whom, the controls are performed.

The management may recommend that some of these controls be changed, implemented or

modified in ways that minimize the relevant risks and the exposure associated with them.


ATM Risk Management

ATM risk management is an ongoing process of identifying, monitoring and managing potential risk

exposure as ATMs relate to payment systems. The following should be considered:-

• General Supervision

• Transaction Processing

• System administration

Identifying the Various Areas

The management can identify the major area of risks by doing an analysis or statistical sampling of the

information given below. They should be able to form an opinion from this information below:-

a) Total number of ATM’s and their usage.

b) Time logged on/Settlement time.

c) Number of Cardholders.

d) Number of Transactions, e.g. Withdrawals and transfers etc.

e) Total amount withdrawn or transferred etc.

f) Number of ATM reports generated etc. and many more areas.

g) Overall review of ATM management resources etc.

Only after management have identified these areas can the controls be increased, changed or

modified. It is important to determine a reasonable estimate of the overall value of the ATM

installation. Care should also be taken in determining the value of the installed software.

Estimating the ATM Loss

Estimating losses can be difficult. Dr Catherine P Smith (1987) indicated “that normally the loss could

be due to human error, technical error or deliberate action such as fraud, misuse or unauthorised use of

the ATM card etc.” Most financial institutions treat an ATM loss as a small loss unless it is a major

fraud. Normally the loss is only a very small percentage when compared to the

overall volume and amount transacted within the bank. Alvin A. Arens and James K. Loebbecke

(1988) indicated “that it is not possible to establish any dollar-value guidelines as it depends on a

number of factors which the management analyses and forms a decision”.

Upon management identifying the risks, audit techniques can be used to evaluate the

consequences of fraud or misuse at the ATM prior to recommending improved controls.

There are several exposures to losses inherent in an ATM installation, e.g. exposure occurs

when a customer transfers funds over communication links; customer’s financial data are subjected to

fraudulent interception at many points.

What should be done is to find a way to reduce risks and threats to an acceptable level and to

provide a method of recovery of ATM losses.

ATM Security Measures

Normally security measures are divided into 2 groups. Firstly to reduce the losses at the ATM and

secondly to find a way to fund or recover these losses.


Measures to Reduce the Losses

a). The ATM Audit Log

The ATM audit log provides information that is recorded after the incident. The ATM audit log is

useful as it identifies and diagnoses security violations. It traces figures contained in a report back to the

point of processing and from processing to the source of the input.

b). Encryption

Encryption is an effective technique for protecting the ATM system. This technique is to make

intercepted data useless to the interceptor by making it too difficult or too expensive to decipher. This

means there is little risk of disclosure.

c). Software Auditing

R.M Richards and J. Yestingsmer (1986) indicated that “software audit techniques include a review of

program listing, use to test input/output data with expected results and auditing of the ATM system

processing program using error detectors built into the system. Tracing is software used by the auditor

to identify which instructions were used in a program and in what order”. The advantage is that it helps

to analyse the way in which the ATM program operates.

Software auditing provides system integrity to management and also provides an opportunity

for management to identify security and control weakness. There are several good security packages

that can monitor an ATM software execution to detect possible tampering with the programs.

These ATM utility programs provide the opportunity for management to examine that the ATM

programs are being properly executed and are not being overridden or by-passed. By using the audit

software, frauds and misuses can be detected in a timely manner.

Controls

In general the process should ensure Confidentiality, Integrity and Availability (CIA). This

requirement should be addressed with controls implemented at different levels of the ATM

implementation, such as General Application controls, business process controls, applications controls

and Platform controls.

1. General ATM Operation and Organisation Controls

The operation and organisational controls are designed to ensure that functions are segregated among

individuals. There are two main important elements in an ATM system; firstly the magnetic card and

secondly the PINs. Making of the PINs is not to be carried out by people who are processing the cards.

Miklos A Vasarhelyi and Thomas W Lin (1988) indicated that “there should be segregation” in order

to limit an individual to only one interface with the system.

Most ATM systems rely heavily on programmed controls within the ATM system software;

hence it is important to separate the system development individuals, e.g. to separate:-

• Application testing from systems design and programming, and

• System software programming from application programming.

Risks/Threats

• Mailed cards being intercepted before reaching the authorised address.

• Uncollected cards not only take up valuable space for storage but also pose a security risk to the

bank through fraudulent use of these cards by bank staff.


• Retained cards – these ATM cards pose an even greater risk, if they fall into the wrong hands

and are misused.

• Inadequate supervision of embossing of the card.

• Stolen cards not being reported immediately

• Stocks of blank cards could lead to unauthorised cards being issued leading to fraud.

2. Business Process Controls

In general no one person should handle all the transactions. This can be achieved by proper segregation

of duties. Appropriate control should be included during reconciliation, verification of withdrawals and

the date/time at which transactions were completed.

Application

Close supervision is necessary within the embossing department, where control on

card issuance should be rigorous after embossing. Furthermore the envelopes should be issued based

on a predetermined control number. During hours of non-production, the embossing department should

be kept locked. Personnel having access to cards must be denied access to PINs whenever cards are

prepared and processed. There should be two staff in charge of the process in order to have dual

accountability for stock.

Security and Control of PIN (Personal Identification Number)

A PIN is a “personal identification number”. This is a number consisting of four numerical characters

which is essentially a cardholder’s password. PINs can be assigned by the institution or can be

customer selected. PINs which are generated for the customer can be derived from the customer’s

account number using an algorithm. These PINs are normally stored in an encrypted form at the

ATM. A temporary PIN is issued which can be used at the ATM immediately. Later the customer has

the choice of selecting his own PIN number at the ATM.

Risks/Threats

There are a number of risks involved in the management of PIN numbers:-

1 There is the integrity of the PIN itself. If control and security is not tight, the method of

selecting PIN or encryption keys may become known and duplicated PINs and mailers be

prepared.

2 The PIN mailers are intercepted during mailing.

3 PINs longer than four digits are security hazards, as holders may be tempted to write down their

number to remember them.

4 Issuing replacement PIN numbers to customers. If the person making the request has stolen the

card or is not authorised to use it, the true owner of the card stands to lose a substantial sum of

money.

Application Controls

For control and security purposes the PIN, which is in encrypted form, is stored in a database file.

The PIN mailers are prepared separately. The PIN is only activated upon the use of

the card by the customer at the ATM.

Adequate control should be carried out when PIN is produced for mailing. Mailing of the PIN

is carried out subsequent to card mailing. The PIN is forwarded to the customer in a separate mailer on

a different day.

For security reasons all systems documentation concerning PIN generation/encryption and

decryption keys must be under tight control at all times. Furthermore, extreme care must be taken when

requests for new PINs are made. It is important for security reasons that the request for a new PIN

should be in writing.


For control purposes confirmation of numbers of PINs generated must be carried out against the

total application approved.

It is recommended that the customer’s PIN should not be displayed on the PIN mailer. For

control and security reasons the PIN mailers should not have direct reference or correlation to the

customer’s account number or identification of the financial institution. The PIN must be scrambled or

encrypted if printed or displayed on terminal screens.

Other Controls are as follows:-

• Access controls and authorisation to any addition, deletion or changes to ATM transaction

details should be implemented.

• Any changes to cardholder details should be authorised by the officer at the next level.

• Realistic maximum transaction and maximum daily total limits should be implemented for

ATM withdrawals.

• Printed receipts should be dispensed by the ATM for every ATM transaction.

• Every ATM transaction should be acknowledged by e-mail or a short message script sent to the

mobile phone to confirm or alert the user that a transaction was performed.

3. Platform Controls

Controls to consider should include:-

I. Encryption

II. Algorithm

III. Communication Controls

i. Communication protocols

ii. Encryption protocols etc

Measure to Use if Fraud does occur at the ATMs

Unfortunately, losses and security breaches do occur. It is important to have a recovery procedure

which will identify if losses occur through the ATMs. Normally insurance companies provide banks

with a Bankers Insurance Coverage, which includes losses that “the cover needed will vary depending

upon the risk”. It is important for financial institutions to have a straight loss control program in order

to fully protect its ATM customers itself. In addition to the Bankers Insurance cover there is also

computer crime insurance cover. This covers all transfers of funds which are lost as a result of a

fraudulent input into the system.

On its own, technology will never solve the problems of an inefficient and poorly managed institution. At such an institution, technology may just automate problems and highlight inefficiencies. ATMs require a high degree of additional control beyond the controls traditionally employed by financial service providers. Institutions need to make sure they are able to track funds that have been deposited into the ATMs but not yet accounted for in central accounts, as fraud or errors may be involved with the deposit. When initiating new technologies such as offering financial services through ATMs, institutions must be prepared to educate clients on the benefits and train them in the use of the new technology. Failing to do so can reduce adoption rates and/or lead to a rejection of the technology by the targeted clients.
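The paragraph above asks institutions to track funds deposited at ATMs but not yet accounted for in central accounts. The following reconciliation routine is an added example, not part of the original paper, showing one way to surface such funds along with the errors or fraud indicators around them; the record layout, function name and sample data are constructed for illustration.

```python
from decimal import Decimal


def reconcile_deposits(atm_journal, ledger):
    """Match deposits journalled at the ATMs against central-ledger postings.

    Both inputs are iterables of (txn_id, atm_id, amount) tuples.
    """
    posted = {}
    for txn_id, _atm_id, amount in ledger:
        posted[txn_id] = posted.get(txn_id, Decimal("0")) + amount

    report = {"unposted": [], "mismatched": [], "duplicate": [],
              "orphaned": [], "in_transit": {}}
    seen = set()
    for txn_id, atm_id, amount in atm_journal:
        if txn_id in seen:                       # same deposit journalled twice
            report["duplicate"].append(txn_id)
            continue
        seen.add(txn_id)
        if txn_id not in posted:                 # in the machine, not in the books
            report["unposted"].append(txn_id)
            held = report["in_transit"].get(atm_id, Decimal("0"))
            report["in_transit"][atm_id] = held + amount
        elif posted[txn_id] != amount:           # journalled amount differs from posting
            report["mismatched"].append((txn_id, amount, posted[txn_id]))
    # Ledger credits with no ATM journal entry behind them.
    report["orphaned"] = sorted(t for t in posted if t not in seen)
    return report


# Constructed sample data, not taken from the paper.
JOURNAL = [
    ("D001", "ATM-01", Decimal("200.00")),
    ("D002", "ATM-01", Decimal("150.00")),
    ("D003", "ATM-02", Decimal("75.50")),
    ("D004", "ATM-02", Decimal("300.00")),
    ("D004", "ATM-02", Decimal("300.00")),
]
LEDGER = [
    ("D001", "ATM-01", Decimal("200.00")),
    ("D003", "ATM-02", Decimal("57.50")),
    ("D999", "ATM-02", Decimal("500.00")),
]

if __name__ == "__main__":
    for key, value in reconcile_deposits(JOURNAL, LEDGER).items():
        print(key, value)
```

The `in_transit` totals give the amount held per machine that the central accounts do not yet reflect; `mismatched`, `duplicate` and `orphaned` entries are the ones to hand to an investigator.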

Clients are often relationship oriented and enjoy person-to-person transactions. These transactions build trust and familiarity, while automating processes can depersonalize services and alienate clients. This must be considered and adequately planned for when switching from highly personalized services to automated transactions.

Some suggested Audit EFT Procedures

• Physical Controls

• Process Controls

• Transmission and System failures

• System logon controls

• Messaging controls

• Transfer Controls

• PIN controls

• Card Controls

• Back-end application

• Front-end application

• Transaction Journal / Audit Trail

• Visible Terminals

Source: ISACA - Information Systems Audit and Control Association (2007)

Conclusion

Praveen Dalal (2006) indicated that although comprehensive computer insurance cover is available to banks for losses relating to ATMs, it is important to note that these covers vary significantly. By utilizing careful ATM analysis and the best prevention and reduction methods, acceptable levels of ATM risk can be maintained. One of the benefits that banks experience when using e-banking is increased customer satisfaction. This is because customers may access their accounts at any time, from anywhere, and become more involved, which creates relationships with banks.

Banks should provide their customers with convenience, meaning offering service through several distribution channels (ATM, Internet, physical branches) and having more functions available online. Other benefits are expanded product offerings and extended geographic reach. This means that banks can offer a wider range of newer services online to even more customers than was possible before. The benefit which is driving most of the banks toward e-banking is the reduction of overall costs. With e-banking, banks can reduce their overall costs in two ways: the cost of processing transactions is minimized, and the number of branches required to service an equivalent number of customers is reduced. With all these benefits banks can obtain success on the financial market. But e-banking is a difficult business and banks face a lot of challenges.

References and sources

1] ISACA (2007), www.isaca.org/glossary

2] http://www.atmsecurity.com/monthly-digest/atm-security-monthly-digest/atm-fraud-and-security-digest-march-2009.html

3] http://www.computerworld.com/securitytopics/security/story

4] http://www.denverpost.com/headlines

5] http://www.europol.europa.eu

6] http://www.mydigitallife.info/2006/09/25/atm-hacking-and-cracking-to-steal-money-with-atm-backdoor-default-master-password/

7] http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/

8] http://www.wired.com/threatlevel/2009/04/pins/

9] https://www.european-atm-security.eu

10] McGlasson L., ‘ATM Fraud: Growing Threats to Financial Institutions’, Bank Info Security, http://www.bankinfosecurity.com

11] ATM crime (2009): Overview of the European situation and golden rules on how to avoid it.

12] Robinson G., ‘Bondi banks scam: ATM alert’, The Sydney Morning Herald, October 2008.

13] Hamelink, C. "The Ethics of Cyberspace," Sage, London, 2000. Ind, N. "Living the Brand," Kogan Page, London.

14] Kalakota, R. and A. B. Whinston, "Electronic Commerce: A Manager’s Guide" 2nd Edition, Addison Wesley, Harlow, 2001.

15] Marcia Crosland, NCR Corp. (2010), Consumer behaviour drives innovation in ATM technology. http://www.atmmarketplace.com

16] ISACA (2001), IS Auditing Procedure (Electronic Fund Transfer (EFT)). Information Systems Audit and Control Association.

17] RCBC (2007) Rizal Commercial Banking Corporation. Electronic Banking (e Banking) Consumer protection Policy.

18] Mike Fenton (2008) by Admin. Banking systems and technology; The Blog. Taking ATM fraud prevention to the next level.

19] Roy Martin R and Jan Y (1986) Computer and Security Risk Management. A key to security in Electronic Funds Transfer System. Elsevier Science publishers.

20] Praveen Dalal (2006) Preventive measures for ATM Frauds, Computer crime research centre - Preventive measure for ATM frauds.

21] Diebold Inco. (2002), ATM Fraud Security white paper.

22] James Essinger (1987), ATM Networks, Their organisation security and finance, published by Elsevier Int Bulletin Chp 6 Future developments.

23] Alvin AA and James K Loebbecke (1988), Auditing an integrated approach 4th edition Chp8 pg 231-269 Prentice Hall Int. Edition.

24] The EDP Audit, Control and Security Newsletter (1991) EDPACS, Robert Parker - Access Control software: What it will and will not do. Vol XVIII No 8.

25] John and Paul H (1987) Accounting and information System, Compliance testing in a computer environment. Chp16, 3rd edition, Prentice Hall.

26] Andrew D Chambers (1981), Computer Auditing Insurance, Chp5, Pitman Books Ltd.

27] Campion, Anita & Sarah Halpern. “Automating Microfinance: Experience from Latin America, Asia, and Africa.” MicroFinance Network, 2001.

28] www.mfnetwork.org/bookmarks/Itemid,26/task,detail/catid,1/navstart,0/mode,0/id,5/search,CGAP IT Innovations Series

29] www.cgap.org/publications/microfinance_technology.html