Abstract

ATM occupies an important position in the e-Banking portfolio. It has given the consumers a quality of life
allowing them to access cash and other financial information. Its role in promoting, developing and expanding
the concept of ‘Anytime Anywhere Anyplace” banking is undeniable. It offers a real convenience to those who
are on the run in their everyday life, but at the same time, it also carries a big element of risk.
In this paper we have investigated and demonstrated a mapping flaw (bug) in the ATM Controller (commonly
known as financial middleware), which allows the ATM card holders of various banks to fraudulently withdraw
cash from the ATMs of ACB Bank Limited. The flaw remained undetected for nearly 3 months.
Since the breach has been thoroughly investigated, we, therefore, concluded that the banks’ internal control
system had failed to detect the implantation of mapping bug which deprived the bank of more than 21 million
Pakistani Rupees. In addition, lack of understanding of higher management on the systems & procedures
supporting ATM Infrastructure played a significant role in developing the bug.
Considering the nature of the fraud and the degree of losses incurred, this paper has recommended strong
internal controls implementation over the payment system applications. A detailed review of fraud screening
strategy is also recommended to ensure that the security tools are optimized for their particular product or service.
Turnkey ATM solution has also been recommended for the ACB Bank Limited.

This work is licensed under a Creative Commons Attribution 4.0 License.