The Bank of Russia warned of a new type of fraud through ATMs

Brother


The Central Bank of the Russian Federation described another method of fraud when transferring funds from card to card through an ATM. The scheme is based on the imperfection of the scripts for processing p2p transfers (transfers between individuals) in some ATMs, as indicated in the review of computer attacks in the financial sector for 2018.

This type of attack can be roughly classified as transaction reversal fraud (TRF attacks). The method is as follows: an attacker selects a customer-to-customer transfer at an ATM and indicates the recipient's card number. The terminal sends two authorization messages: one to the sending bank and one to the receiving bank. Approval for both transactions arrives at the ATM almost simultaneously, and then the actual transaction is carried out: the amount on the recipient's card increases, and at that moment the transfer amount is frozen on the sender's card.

Next, the terminal asks the sender for consent to write off the commission for the transfer, but the sender refuses, and a return message is sent to both banks. The funds frozen on the sender's card are unblocked, but by this time the recipient has already managed to withdraw the amount sent.

To prevent fraud of this kind, the regulator recommends that banks check the correctness of the ATM operation scenarios. Among the measures to minimize risks, it is proposed to send approval to cancel the operation to the sender only after notification of the successful return of the transferred funds from the receiving bank, and also to obtain consent to charge the transfer fee before sending authorization messages for the operation.
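The ordering problem and the two recommended measures can be seen in a small model. This is an added example, not code from the Bank of Russia review or from any ATM vendor; the Card class, the p2p_transfer function, the mode names and the amounts are all constructed for illustration.

```python
# Added illustration: toy model of the ATM card-to-card (p2p) scenario described above.
# All names and amounts are constructed; no real ATM or bank interface is modelled.
from dataclasses import dataclass

@dataclass
class Card:
    balance: int   # funds available to the cardholder
    held: int = 0  # funds frozen by an authorization hold

def p2p_transfer(sender, recipient, amount, fee_accepted, cashes_out, mode):
    """Run one transfer; return (status, uncovered_loss).

    mode: "flawed"           - scenario order described in the review
          "consent_first"    - fee consent obtained before authorization
          "confirmed_return" - hold released only for funds confirmed returned
    """
    if mode == "consent_first" and not fee_accepted:
        return "declined_before_authorization", 0  # nothing was authorized

    # Both authorizations approved: sender's funds frozen, recipient credited.
    sender.balance -= amount
    sender.held += amount
    recipient.balance += amount

    # The fee prompt is still on screen; the recipient may already withdraw.
    if cashes_out:
        recipient.balance -= amount

    if fee_accepted:
        sender.held -= amount  # hold is captured, transfer completes
        return "completed", 0

    # Fee refused: a return message goes to both banks.
    returned = min(recipient.balance, amount)  # what the receiving bank can give back
    recipient.balance -= returned
    released = amount if mode == "flawed" else returned
    sender.held -= released
    sender.balance += released
    status = "reversed" if released == amount else "hold_kept"
    return status, released - returned  # credit paid out but no longer covered by a hold

def demo(mode, cashes_out=True):
    sender, recipient = Card(balance=1000), Card(balance=0)
    return p2p_transfer(sender, recipient, 1000, False, cashes_out, mode)
```

In the flawed order the loss appears only when the credit has left the recipient's account before the return message is processed; either measure on its own brings the uncovered amount to zero in this model.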
 