24 October 2014

Elton Cane

Elton Cane - writer & tech geek

116 | posts 457,885 | views 54 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Massive ATM fraud in the US - who is to blame?

03 July 2008  |  7543 views  |  12

The UK daily newspapers and newswires are today picking up on an ongoing case in the US involving system breaches, thousands of stolen PIN numbers, card cloning  and money laundering. We've been following this on The Wired Blog Network for a few weeks now - most recent post here.

The main case involves Citibank branded ATMs in 7-11 convenience stores managed by Cardtronics with some processing handled by Fiserv.

Most of the reporting is based on a few court documents in the public domain, as well as a lot of commentary. Different articles have different takes on how the criminals got the PINs in the first place. Some have said that PINs were intercepted on the network between the ATM and processing hub. This article implies that this is possible because the ATMs run on Windows.

I'm not certain, but I don't think this is likely. TripleDES encryption has been mandatory since 2002 if the ATM connects in any way to the Visa or Mastercard network, and it encrypts the PIN within the PIN pad itself - there's no raw transmission even to another circuit within the ATM body and certainly not to any OS accessible layer.

A more likely scenario is the system breach at the processing end. An FBI affadavit says this is what happened, and the breach was of a Citi server. Citi denies this and points to the third party operators/processors who run their branded ATMs.

This would leave Fiserv and Cardtronics, the largest non-bank ATM operator in the US, as the possible breach points. Fiserv have made statements about their innocence, while according to Wired, Cardtronics are maintaining their silence.

It would be interesting to see how the PINs were obtained (I suspect an insider job), and also how they managed to access unencrypted PINs and account details.

But looking at the big picture I can't help feeling that the US banking industry as a whole (including Mastercard and Visa in the US) might be to blame for the situation. By not getting involved with the global EMV chip card standard and sticking with easily clonable magnetic stripe cards, the US makes itself an easy target for organised criminals.

'Card present' fraud - getting easy access to cash with cloned cards - is better for the criminals than 'card not present' fraud, which usually takes the form of buying goods online that than have to be delivered and converted to cash - an extra, inconvenient step.

Countries that have adopted the EMV chip card standard, which among other things makes it much much harder to clone cards, have all seen a reduction in card present fraud. Admittedly some of this fraud has migrated to the card not present variety. But as organised crime is a global business, a lot of it has just moved to other countries that present a softer target, and this case certainly demonstrates that the US falls into this category.
TagsSecurityRetail banking

Comments: (14)

Jonathan Rosenne - QSM Programming Ltd. - Tel Aviv | 04 July, 2008, 04:27

EMV is not relevant to PIN security at the ATM, as the EMV enabled ATMs use "online PIN".

On the other hand, using the PIN for low value transactions unnecessarily exposes it to various scams.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Guru Prakash Radhakrishnan - Legend Systems Private Limited - Chennai | 04 July, 2008, 05:46 There is a easy and simple solution to prevent this kind of theft. By using Biometrics ( Finger Print)! But I think in certain markets only complex and expensive solutions will be looked upon as a good solution! Already some Indian Banks have started using biometric ATMs.  
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Chandrasekhar Yanamandra - Quinnox - Pune | 04 July, 2008, 07:04 How about using RSA tokens as an immediate measure to tackle the situation ?
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Elton Cane - writer & tech geek - Brisbane | 04 July, 2008, 09:41 Jonathan, I know EMV doesn't have anything directly to do with PIN encryption - that's the job of the TripleDES standard I mentioned. But It does make it harder for criminals - even if they have obtained a PIN from should surfing or whatever other means - to make a cloned copy of the card and use it to withdraw cash.
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Dean Procter - Transinteract - Sydney | 04 July, 2008, 12:41

I suspect that the underlying problem was with the methodology used by the banks and or ATM operators.

In any event we could have prevented it without new infrastructure, whether customers are using cards or without. An inside job should not even be possible, and cloning a customer's card, or whatever, should not enable fraud.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member | 04 July, 2008, 16:15

"It would be interesting to see how the PINs were obtained (I suspect an insider job), and also how they managed to access unencrypted PINs and account details. "

I don't know if you all know what 7-11 stores are but I suspect that skimmers and pin-pad touch recorders captured the mag-stripes and pin-codes. These ATM machines that you find in these convenience stores arent the robust ATM machines that one would usually find in banks. I was quite amazed as to how fragile-looking (and sometimes dirty !) they are.

----------------------------------------------------------

"But looking at the big picture I can't help feeling that the US banking industry as a whole (including Mastercard and Visa in the US) might be to blame for the situation. By not getting involved with the global EMV chip card standard and sticking with easily clonable magnetic stripe cards, the US makes itself an easy target for organised criminals."

EMV chip is not the answer. As APACS will tell you, UK card  (yes, EMV enabled) fraud migrated to cross-border fraud. There are also what are called "YES CARDs", these are cards programmed in a way that whatever pin-code is entered is valid.

Why not allow cardholders to block their own cards after they use them, and unblock them again before using them? This way, even if fraudsters copy the mag-stripes and the pin-codes, they will not be able to use the clones. For that matter, allowing the cardholder to control his own card account has a lot of other utility, such as giving a teenage child a card but being able to manage the teenager's spending, etc.  This would also solve card-not-present fraud! Therefore, the control check goes all the way down the process of approving a card's use (called authorization) - towards the issuing bank. Issuing Banks should allow their cardholders a 'say' in what issuing banks are approving on their behalf, a feature that would be very much appreciated with prepaid and debit cards, I think.

-----------------------------------------------------

"Countries that have adopted the EMV chip card standard, which among other things makes it much much harder to clone cards, have all seen a reduction in card present fraud."

Sorry, this is not true. What you probably meant is 'local card present fraud' since it did migrate cross-border.

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephen Wilson - Lockstep Group - Sydney | 05 July, 2008, 04:02

Using biometrics -- especially fingerprints -- as an approach to solve ATM fraud could be disastrous.  These are so easy to steal, clone and otherwise work around that it's almost comical.  To avoid lengthy queues at an ATM, the false accept / false reject ratio in the detectors needs to be tuned towards lower false reject, and therefore higher false accept, making them even more vulnerable to attack. 

For details on the vulnerability of fingerprint detection, have a look at:

http://www.schneier.com/crypto-gram-0205.html#5  

http://en.wikipedia.org/wiki/MythBusters_(season_4)#Fingerprint_Lock 

http://www.heise.de/ct/english/02/11/114/

I've researched and summarised a range of other fundamental problems with biometrics at Babystep 3: Biometrics under the microscope.

Cheers,

Stephen Wilson.

 

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Dean Procter - Transinteract - Sydney | 05 July, 2008, 05:22

The problem is that these biometric and card solutions require absolutely 100% deployment in order to provide any protection and everyone would need a reader.

It just isn't realistic. Peddling biometric solutions or fingerprint readers is even more unrealistic. At least the cards are a 'renewable' credential, fingers are not renewable and this presents untold risks to the consumer.

In any event no-one is protected until every single merchant is using them in every single country in the world. Shareholders in any company which holds such an unrealistic view of the marketplace should seriously reconsider their investment.

Spending any money on biometrics and chip and PIN is a foolhardy venture and by the time it's half rolled out it'll be knocked out and you'll be back spending more billions on the next half baked idea.

I predict it will be impossible to defeat fraud with the current approaches. The problem will just get worse.

Almost every consumer who fits into the profile of being a 'desirable banking customer' already has a mobile phone and so do a billion or so others, and most people who don't yet have a mobile, want one. The same cannot be said for a fingerprint reader or a dumb card reader. I mean really - have you looked at those card specs? They're dumber than a Commodore64 and you can't even protect your Duo core PC.

I just can't see the entire world embracing an expensive obsolete and flawed system and I think it is just too much of a fantasy to hope that everyone will - certainly not before it is displaced by something better.

How on earth did the adopters of this rubbish justify doing it - knowing that it would not protect anyone until every man woman and child on earth adopted it and all the hackers all gave up hacking?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephen Wilson - Lockstep Group - Sydney | 05 July, 2008, 05:47

Dean Procter wrote:

"have you looked at those card specs? They're dumber than a Commodore64 and you can't even protect your Duo core PC".

You're comparing apples and oranges Dean.  The reason we cannot protect a duo core PC is that the security target for a general purpose personal computer is far too complex, and the operating system in particular was not designed with security top of mind.  But with smartcards, starting from scratch, we have the luxury of making security a priority. Furthermore, we have a very very restricted computing model, making testing vastly easier, and security weaknesses vastly rarer.  

And so, for example, the MULTOS smartcard operating system achieves Common Criteria certification at the very top level, almost unheard of outside of defence departments.

The dumbness of smartcards relative to full blown PCs acts in favour of security, not against it.

Cheers,

Stephen Wilson

The Lockstep Group.

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member | 07 July, 2008, 10:40

Dean Procter wrote : "How on earth did the adopters of this rubbish justify doing it - knowing that it would not protect anyone until every man woman and child on earth adopted it and all the hackers all gave up hacking? "

That's the result of BIG BUSINESSES' elaborate way to push something although it does not totally work because they think that the sheer quasi-monopoly they have on the market enables them to force it onto the market. And this is true - they can force it in most countries except the U.S. and perhaps China.

I think the rationale for EMV / smartcards is they wanted to present secured cards to consumers by just requiring the 'pin-code' entry thereby making the change in security somewhat transparent to the consumers. Initially and currently, card issuers believe that the entry of a valid pin-code ensures the non-repudiation of a card transaction. We all know that the entry of a valid pin-code does not necessarily mean that whoever entered that pin-code is the cardholder.

The french smartcard was the model for EMV. It is true that with smartcards, local card present fraud decreases. But these card companies were certainly completely aware that with chip and pin, fraud migrates elsewhere. Therefore, its no surprise that they have set deadlines and penalties to both card acceptors and issuers to implement EMV, or else... 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Guru Prakash Radhakrishnan - Legend Systems Private Limited - Chennai | 08 July, 2008, 04:56 There has been a lot of developments in biometric field ( particurarly) finger prints. FAR & FRR has improved a lot.If biometric data can be stolen so are other things like smart cards, tokens etc. I think we must look at an  unbiased view and not color our views based on a few incidents. 
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Elton Cane - writer & tech geek - Brisbane | 08 July, 2008, 09:55

Cardtronics have made a statement, reiterating the compliance of their ATMs in 7-11s with all the relevant security standards. They also claim that their processing centre and networks comply with PIN security standards, and have been independently reviewed.

So either the 7-11 stores were targeted in a widespread installation of fake ATM fronts, possibly combined with video surveillance of customers entering PINs, or - as seems to be suggested by some of the court procedings - there was compromise of back-end processing servers.

If it's the former, then perhaps 7-11 can be held responsible for lax in-store security. If it is the latter, then it's probably either Cardtronics or Fiserv at fault. And if they were indeed both up to standard in terms of security, it begs the question - do standards need to be improved?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member | 09 July, 2008, 03:32

The PIN / password should never be stored.  A hash value of it only should be stored.  When a customer inputs PIN then the hash value of it is generated on the PAD (may be padding it with additional digits - salting) and then this is transmitted to the bank for verification with the hash value stored.  So in this case, either there is a bug in the verification system or PINs are transmitted for hash generation at the backend.  An insider then could get the relevant PIN before the hash is generated and pass to a 3rd party, who could use cloned cards to withdraw funds. 

Alternatively, the fraudsters would have kept a camera to observe the PIN being input by unknowing customers, with a card scanner inserted in the ATM.  This being 7-11 ATM's an analysis of their locations where fraud occured would through lot of light.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member | 10 July, 2008, 10:55

Someone asked me how is it possible to use cloned cards without the chip for ATM withdrawals.

My response to this person : "Most of the ATM/DAB machines still read the magnetic stripes, not the chip.
 
By the time the entire world changes all the machines to read only the chip, the fraudsters/skimmers would then also be able to copy the chips...   OR    hackers/skimmers will most likely implant devices which will fry/microwave the chip so that the 'fallback' method is triggered. The 'fallback' method forces the machine to read the magnetic stripe because the chip is faulty...."

Each time something like this happens, everyone but the card issuing bank gets blamed. Card Issuing Banks seem to have good P.R. and they always come across as doing everything they possibly can to minimize these incidents. But are they really doing everything they possibly can?

The best system for now, which also does not require a massive infrastructure change, is a system that enables the cardholder to set his own user limits, basically a system that enables a cardholder to turn on and off his own card account. This system truly deflects the increase of card fraud while ensuring the best quality of service to cardholders (customers). Its actually quite a logical and ideal solution.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Elton

Would you pay to put your mortgage out to tender?

18 September 2014  |  1428 views  |  0  |  Recommends 0 TagsMobile & onlineRetail bankingGroupFuture Finance

Contactless payments are not a choice

29 August 2014  |  2940 views  |  4  |  Recommends 0 TagsCardsSecurityGroupFuture Finance

Cryptocurrency can cure cancer

07 August 2014  |  1428 views  |  1  |  Recommends 0 TagsVirtual currencyInnovationGroupFuture Finance

Will regulation strangle or enable 'quasi-banks'?

26 March 2014  |  1687 views  |  0  |  Recommends 0 TagsRisk & regulationInnovationGroupFuture Finance

Good at maths? Ask your bank for a better mortgage rate

03 March 2014  |  2173 views  |  0  |  Recommends 1 TagsRisk & regulationRetail bankingGroupFuture Finance
name

Elton Cane

job title

Journalist copywriter and marketer

company name

writer & tech geek

member since

2012

location

Brisbane

Summary profile See full profile »
Writer and media production person

Elton's expertise

Who is commenting on Elton's posts

Ilja Ilit
Chris Torr
Matt Scott
Ketharaman Swaminathan
Dirk Kinvig
Eugene Danilkis
Andrew Smith
Chris Thorpe
Brett King
Neil Burton
Dave Kershaw
Gerhard Schwartz