I work for a financial institution. This problem is due to complete ignorance of banks on best security practices.
Their global ATM lacks simple velocity checks. Such can never be made in real-time as data has to be aggregated globally to detect the total money flows from certain financial institutions, but given the manual handling of ATM withdrawals, a minute delay would be acceptable.
Simply sum all withdrawals, not per card number, but per financial institution (per BIC-code), and measure the money flowing out per time unit. If it exceeds a multiple of X times the average for what's normal on that day,
raise an alarm to investigate manually.
Such velocity checks would never work if only looking at withdrawals in a single ATM and still not good enough if they would measure all withdrawals in a single banks all ATMs as there are so many banks.
Banks need to cooperate in developing a global anti-fraud system. Unfortunately they still use COBOL and don't lose enough money on these things to find the motivation to do it.
Simply sum all withdrawals, not per card number, but per financial institution (per BIC-code), and measure the money flowing out per time unit. If it exceeds a multiple of X times the average for what's normal on that day, raise an alarm to investigate manually.
Such velocity checks would never work if only looking at withdrawals in a single ATM and still not good enough if they would measure all withdrawals in a single banks all ATMs as there are so many banks.
Banks need to cooperate in developing a global anti-fraud system. Unfortunately they still use COBOL and don't lose enough money on these things to find the motivation to do it.