Splunk Lantern

ATM withdrawal testing

You might want to know when an ATM card is used for a small and then a large withdrawal in rapid succession when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

As a financial institution employee, you know that suspicious users sometimes "test" ATM cards by making a small withdrawal first to see if they work and then, if that transaction is successful, they make a large withdrawal. Rarely do legitimate users withdraw very small amounts and very large amounts in a short one-minute window. You want to create an alert to trigger on this suspicious activity.

  1. Run the following search:
    |inputlookup <name of lookup file for ATM transaction information>
    |search action=withdrawal
    |streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location
    |where count>1 and min<20 and max>9000
    |table _time user action min max location
    |dedup user, location
    |eval min=tostring(round(min, 2),"commas")
    |eval max=tostring(round(max, 2),"commas")

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Search: |inputlookup <name of lookup file for ATM transaction information>
Explanation: Search the data in your ATM transaction information lookup file.

Search: |search action=withdrawal
Explanation: Search only withdrawal activity from the data in your lookup file. If your lookup file does not contain a withdrawal value in the action column, adjust the search to match the names in your lookup.

Search: |streamstats count time_window=1m min(amount) AS min max(amount) AS max BY user,location
Explanation: For each user and location, count the withdrawals in a sliding 1-minute window and find the minimum and maximum amounts in that window.

Search: |where count>1 and min<20 and max>9000
Explanation: Define your outliers as a minimum withdrawal of less than 20 and a maximum of over 9,000 across at least 2 transactions in the window.

Search: |table _time user action min max location
Explanation: Display the results in a table with columns in the order shown.

Search: |dedup user, location
Explanation: Remove duplicate entries, keeping one result per user and location.

Search: |eval min=tostring(round(min, 2),"commas")
        |eval max=tostring(round(max, 2),"commas")
Explanation: Round the minimum and maximum values to two decimal places and add commas for better readability.
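To make the window logic of the search above concrete, the following Python re-implementation runs the same detection over a small constructed set of ATM transactions. This is an added example, not code from the Splunk Lantern page or a Splunk product; the user IDs, locations, timestamps and amounts are constructed, and the sliding window is an approximation of streamstats time_window=1m (the current event plus earlier events of the same user and location no more than one minute old). Because streamstats is order-dependent, the example sorts rows by time before applying the window; a lookup file that is not in time order would need the same treatment in SPL.

```python
"""Added example: Python equivalent of the ATM "small test, then large withdrawal" search.

Mirrors, in order: search action=withdrawal -> streamstats (1-minute window per
user,location) -> where count>1 and min<20 and max>9000 -> dedup user,location
-> tostring(round(x, 2), "commas").
"""
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # streamstats time_window=1m
SMALL_MAX = 20                  # where min<20
LARGE_MIN = 9000                # where max>9000

# Constructed sample lookup rows (hypothetical users, ATMs and amounts).
SAMPLE_TRANSACTIONS = [
    {"_time": "2024-05-01T10:00:05", "user": "u1001", "action": "withdrawal", "amount": 10.0,   "location": "ATM-17"},
    {"_time": "2024-05-01T10:00:40", "user": "u1001", "action": "withdrawal", "amount": 9500.0, "location": "ATM-17"},
    {"_time": "2024-05-01T10:00:50", "user": "u1001", "action": "balance",    "amount": 0.0,    "location": "ATM-17"},
    {"_time": "2024-05-01T10:00:55", "user": "u1001", "action": "withdrawal", "amount": 9600.0, "location": "ATM-17"},
    {"_time": "2024-05-01T11:15:00", "user": "u2002", "action": "withdrawal", "amount": 15.0,   "location": "ATM-03"},
    {"_time": "2024-05-01T11:17:30", "user": "u2002", "action": "withdrawal", "amount": 9800.0, "location": "ATM-03"},
    {"_time": "2024-05-01T12:00:00", "user": "u3003", "action": "withdrawal", "amount": 9200.0, "location": "ATM-05"},
    {"_time": "2024-05-01T12:00:30", "user": "u3003", "action": "withdrawal", "amount": 9400.0, "location": "ATM-05"},
    {"_time": "2024-05-01T12:05:00", "user": "u1001", "action": "withdrawal", "amount": 5.0,    "location": "ATM-22"},
    {"_time": "2024-05-01T12:05:20", "user": "u1001", "action": "withdrawal", "amount": 9100.0, "location": "ATM-22"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def fmt_amount(value):
    # Same effect as tostring(round(value, 2), "commas"): two decimals, thousands separators.
    return f"{round(value, 2):,.2f}"


def detect_test_withdrawals(transactions, window=WINDOW, small_max=SMALL_MAX, large_min=LARGE_MIN):
    # |search action=withdrawal
    withdrawals = [t for t in transactions if t["action"] == "withdrawal"]
    # streamstats works on events in arrival order, so make the order explicit.
    withdrawals.sort(key=lambda t: parse_time(t["_time"]))

    windows = {}  # (user, location) -> deque of (time, amount) inside the window
    hits = []
    for t in withdrawals:
        key = (t["user"], t["location"])
        now = parse_time(t["_time"])
        dq = windows.setdefault(key, deque())
        dq.append((now, t["amount"]))
        # Drop events older than the window relative to the current event.
        while dq and now - dq[0][0] > window:
            dq.popleft()
        amounts = [amount for _, amount in dq]
        count, low, high = len(amounts), min(amounts), max(amounts)
        # |where count>1 and min<20 and max>9000
        if count > 1 and low < small_max and high > large_min:
            hits.append({"_time": t["_time"], "user": t["user"], "action": t["action"],
                         "min": low, "max": high, "location": t["location"]})

    # |dedup user, location : keep the first result per user/location pair.
    seen = set()
    results = []
    for hit in hits:
        key = (hit["user"], hit["location"])
        if key in seen:
            continue
        seen.add(key)
        results.append({**hit, "min": fmt_amount(hit["min"]), "max": fmt_amount(hit["max"])})
    return results


if __name__ == "__main__":
    for row in detect_test_withdrawals(SAMPLE_TRANSACTIONS):
        print(row)
```

In the constructed data, u1001 at ATM-17 is flagged at the 9,500 withdrawal 35 seconds after a 10 withdrawal, and the later 9,600 withdrawal in the same window is collapsed by the dedup step; u2002 is not flagged because the two withdrawals are 150 seconds apart, and u3003 is not flagged because neither amount is small. The same user at a different ATM (ATM-22) is a separate group, as the BY user,location clause implies.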

Result

When your ATM logs show users who have a small minimum withdrawal amount and a large maximum amount, you may have found fraudsters who are testing the ATM machine and then withdrawing a large amount to take home. You can use the results to investigate further.
