ATM Fraud and Security

Transcription

1 WHITE PAPER ATM Fraud and Security Minimizing loss, mitigating risk and maintaining consumer confidence in the ATM channel Since the introduction of the first automated teller machine (ATM) in 1967, perpetrators have been devising ways to try to steal the cash inside. Because ATMs eliminate the need for round-theclock human involvement and tend to be located in places that make them more vulnerable to attack, they are often attractive targets for perpetrators. ATM crime is not limited to the theft of cash in the ATM. Many ATM attacks seek to obtain a consumer s personal information, such as their card number and personal identification number (PIN). While these types of identity theft attacks take more effort to net cash for perpetrators, the result is the same illegally obtaining money. According to estimates by Retail Banking Research, there are more than 2.2 million ATMs deployed worldwide. This is a figure forecasted to exceed 3 million by As the number of ATMs in use increases, so do the frequency and sophistication of security threats, making the development of fraud prevention measures a top priority for financial institutions (FIs) and ATM manufacturers. This white paper details a comprehensive overview of the current threats to the ATM channel and best practices in security and consumer safety issues facing the self-service industry. It describes techniques perpetrators use to commit fraud and introduces security management practices and devices designed to keep ATMs secure. ATM Fraud Around the World ATM fraud is not confined to particular regions of the world. To further complicate matters, perpetrators and victims are often on different continents, and the problems of one region can quickly become the problems of another. Here is a look at geographical trends associated with ATM fraud: Europe Card skimming was the most prevalent crime affecting ATMs in Europe, according to a 2011 survey of 394,296 ATMs in 27 European countries by the European ATM Security Team. Card skimming at ATMs resulted in losses of nearly 111 million Euros across Europe during the first half of According to the same study, 61 percent of European countries reported a decrease in card skimming incidents compared to the first half of 2010, decreasing total fraudulent losses by 28 percent. These drops are likely due to Europe s use of anti-fraud devices, in addition to the implementation of Europay,

2 are rapidly expanding their network size, Asia is fast becoming a target for ATM fraud. The most prevalent type of fraud in Asia is card skimming. Malaysia and Taiwan have already migrated the entire network to skimming-resistant chip cards. Whereas, more countries such as Indonesia and Thailand are accelerating their migration plan. In addition, most of the FIs in the region are adopting fraud deterrence technologies for their ATM fleet. MasterCard and Visa (EMV) technology in 98 percent of Europe s ATMs. ATMs that are EMV compliant have the ability to read embedded chip cards, which provide a two-factor authentication that mitigates the fraudlent redemption of stolen credentials. While the number of skimming attacks is decreasing in Europe, the number of cash trapping crimes are on the rise. In this attack method, fraudsters attempt to gain access to cash by attaching a fraudulent device to the cash-dispensing slot, causing notes to be stuck inside the ATM. The perpetrator then returns later to remove the cash from inside the dispenser. During the first half of 2011, there were 6,756 incidents of cash trapping reported in Europe, up from just 150 incidents during the same time in Cash trapping resulted in reported losses of 495,782 Euros from January to June Latin America Over the course of 2010, Latin America s number of installed ATMs grew by 8.4 percent, making it one of only two global regions where ATM growth accelerated over the previous year, according to a study conducted by Retail Banking Research. Nearly two-thirds of the region s ATMs were deployed in Brazil, where demand has increased and offset the global decline in ATM installment growth. Asia According to a study conducted by Retail Banking Research, the Asia-Pacific market deployed more than 100,000 new ATMs in 2010 which made it one of the fastest-growing ATM markets. China accounted for half of the reported growth in this region and installed roughly 50,000 ATMs in In addition to a 50 percent increase in cash withdrawals, China s significant ATM installation growth was also largely due to a low ATM-to-person ratio. This market is predicted to continue to expand at a rapid pace through 2015, and is expected to surpass the U.S. as the top ATM market. North America North America is currently the largest ATM market in the world. Canada leads the world in perconsumer transaction volumes, while the U.S. has the largest installed base. But, the widespread use of ATMs with over 14 billion cash withdrawals in the U.S. alone makes North America an attractive target for fraudsters around the globe. In the U.S., ATM card-related fraud has continued to rise. A study released in 2011 by the Aite Group estimates that card fraud costs the U.S. card payments industry $8.6 billion annually. These amounts exclude secondary losses, such as negative publicity for the FI and lost consumer confidence. ATM card fraud in the U.S. is expected to increase dramatically in the coming years. A major factor is the transition to EMV compliant embedded chip cards throughout Europe, Asia, Latin America and Canada but not the U.S. Chip-based cards that are much more difficult to counterfeit than magnetic stripe cards, which are relatively cheap and easy to duplicate. As organized criminal groups become discouraged by other countries anti-fraud measures, they are likely to view the U.S. as an increasingly attractive target. A Global Problem Sophisticated criminal networks have enabled farreaching ATM fraud, affecting FIs and consumers on a global scale. With this in mind, FIs and ATM manufacturers must look at ATM fraud from a global perspective, as what is a problem in one country one day can be the problem of another country s the next. Types of ATM Threats ATM threats can be segmented into three types of attacks: card and currency fraud, logical attacks and physical attacks. Card and Currency Fraud Card and currency fraud involves both direct attacks to steal cash from the ATM and indirect attacks to steal a consumer s identity (in the form of consumer card data and PIN theft). The intent of indirect As more and more countries in Europe are migrating towards embedded chip cards and FIs in Asia 2

3 attacks is to fraudulently use the consumer data to create counterfeit cards and obtain money from the consumer s account through fraudulent redemption. Vestibule card skimming in locations where the ATM is located within a vestibule, skimmers are placed on the vestibule door card access reader to capture cardholder data from the magstripe where the card is read so an unwary consumer inserts their card into the vestibule instead of on the ATM. A skimming attack is usually combined with other fraudulent devices such as covert cameras or keypad overlays that capture the consumer s PIN as it is being entered on the keypad during a transaction. Skimming ATM card skimming is the most prevalent and wellknown attack against ATMs. Card skimmers are devices used by perpetrators to capture cardholder data from the magnetic stripe on the back of an ATM card. These sophisticated devices smaller than a deck of cards and resembling a hand-held credit card scanner are often installed inside or over top of an ATM s factory-installed card reader. When the consumer inserts his card into the card reader, the skimmer captures the card information before it passes into the ATMs card reader to initiate the transaction. The transaction continues in a normal fashion. When removed from the ATM, a skimmer allows the download of personal data belonging to everyone who used the ATM. An inexpensive, commercially available skimmer can capture and retain account numbers and PINs for more than 200 ATM cards. Typically, criminals design skimming devices to be undetectable by consumers. The following are three kinds of card skimming attacks that can occur: External card skimming placing a device over the card reader slot (motorized or dip) to capture consumer data from the magnetic stripe on the card during a transaction. This is the most common form of card skimming. Internal card skimming gaining access to the top hat of the ATM to modify the card reader or replace the original card reader with an already modified one for the purpose of obtaining consumer card data during a transaction. Some skimming perpetrators have even installed signs on ATMs instructing cardholders to swipe here first before continuing with transactions. Another fraudulent method is to portray the additional card reader as a card cleaner designed to extend the life and improve the performance of ATM magnetic stripes. Card Trapping/Fishing Card trapping and fishing attempt to steal consumers cards as they are inserted into the card reader during a transaction. The purpose of this type of attack is to steal the card and use it at a later time to make fraudulent withdrawals from the consumers compromised accounts. Card trapping is conducted by placing a device over or inside the card reader slot to capture the consumer s card. These can be devices such as plates over the card reader, thin metallic strips covered in a plastic transparent film, wires, probes and hooks. These devices are designed to prevent the card from being returned to the consumer at the end of a transaction. These attacks are sometimes combined with other fraudulent devices such as cameras or keypad overlays to capture the consumer s PIN as it is being entered on the keypad during a transaction. Currency Trapping/Fishing Currency trapping and fishing is an attempt by perpetrators to capture currency that is dispensed by the ATM during a transaction, whether it be in an envelope or as cash that is being deposited by the consumer during a transaction. Trapping a false dispenser front is placed over the shutter of the dispenser with adhesive or tape on the inside to trap the notes before they are dispensed. Fishing the methods used are similar to those used to fish for cards. Wires, probes and hooks that are difficult for the consumer to see are used to prevent cash from being ATM threats can be segmented into three types of attacks: card and currency fraud, logical attacks and physical attacks. 3

4 dispensed or deposits from being made. When the unwary consumer leaves the ATM, the perpetrator returns and uses the fishing device to retrieve the currency or deposit envelope. Transaction reversal this type of scam uses a variety of methods to create an error condition at the ATM that results in a transaction reversal by the host processor due to the reported inability to dispense cash. An example would be requesting a withdrawal of a certain amount but only carefully removing a portion of the notes presented. When the transaction times out, the remaining notes are retracted, but depending on the bank policies, the entire transaction may be reversed leaving the person with some cash but no corresponding debit to the account. Meanwhile, the cash has been taken through accessibility or force. is necessary. Often masquerading as Microsoft Windows, once installed, malware can operate undetected for months at a time, capturing cardholder data or instructing ATMs to dispense cash. Physical Attacks Physical attacks on an ATM include any type of assault that physically damages the components of the ATM in an attempt to obtain cash. While the entire ATM can be a target for a physical attack, specific components of the ATM are often targeted. The Safe The safe is the primary target for most perpetrators because it contains cash. Most, but not all, physical attacks seek to access the safe. Typically, this involves focusing on the locks, handles and hinges of the safe door, but attacks can be made anywhere on the safe. Logical/data Attacks Often the most difficult attacks to detect, logical attacks target an ATM s software, operating system and communications systems. Logical attacks can be some of the most damaging in terms of the quantity of consumer data compromised. The migration from proprietary operating systems to Microsoft Windows technology has led to greater connectivity and interconnectivity of ATMs. Vast networks including ATMs, branch systems, phone systems and other infrastructure connected via the Internet are targets of logical security threats. Logical attackers include vandals who author viruses intended to exploit an ATM s operating system and hackers who install malware to violate the confidentiality, integrity or authenticity of transaction-related data. Malware and Hacking With any computer system, the purpose of installing malicious software (malware) is to violate the confidentiality, integrity and/or authenticity of data on that computer system. Designed to collect cardholder data and/or dispense cash, malware and hacking can occur both locally or remotely. Local attacks operate by accessing the top hat and downloading the malware using a USB drive or attaching a USB sniffing device to intercept communication between the card reader and the ATM s computer. Remote attacks on an ATM network occur at some point in the communication with the host or at the backend infrastructure. Typically, these sophisticated attacks are carried out by well-funded criminal organizations. Malware threats are of particular concern as they are on the rise and constantly evolving in an attempt to stay ahead of security measures. For malware to be installed, physical and administrative access to the ATM platform s operating system The methods of attacks used to try to gain access to the safe include: Cutting/grinding usually with power saws and grinders Drilling usually with power drills Prying with pry bars, wedges, and crowbars Pulling after the safe door has been cut with a saw or torch, one end of a chain or cable is connected to the door and the other end to a vehicle to pull off the door. Torch or other burning device such as a thermal lance Explosives such as gas, dynamite, homemade bombs, or even gasoline 4

5 The Top Hat Perpetrators will attempt to access the top hat of the ATM because they mistakenly believe it is a way to get to the safe or other cash or because they want to steal components of the ATM such as the hard drive. Fraudsters also try to access the ATM via the top hat to attach an internal skimmer or download malware. The most common types of attacks against the top hat are: Prying open the door or side panels of the top hat Prying open the fascia Damaging the lock to gain access Picking the lock in an effort to leave no evidence behind so that an internal skimmer or downloaded malware will go undetected Cutting/grinding either the top hat door or sides, or the fascia Using a torch or other burning device The Presenter and Depositor Physical attacks on the presenter and depositor attempt to gain access to the ATM s cash source, which include the storage area for deposits and the divert bin. These types of physical attacks target the exterior components of these modules using the same methods used elsewhere on the ATM, including cutting, prying, drilling, torching and smashing. Often, explosives or gas hoses are inserted into the presenter for explosion attacks. The Entire ATM Many physical attacks seek to remove the entire ATM and then transport it to a location where its safe or vault can be laboriously penetrated and its contents removed. ATM removal techniques include: Ramming or ram raid attempting to ram the ATM with a car, truck or heavy machinery to smash it loose from its foundation Pulling placing a chain or rope around an ATM and attaching the other end to a vehicle to pull the ATM from its foundation or location Lifting using a forklift or similar equipment to try to lift the ATM from its foundation While island ATMs are the usual targets of these attacks, stand-alone ATMs in stores or other buildings as well as through-the-wall ATMs have been targeted. Fighting Fraud & Securing the ATM Maintaining the security of an ATM fleet is one of the most technically challenging areas of an FI s operations. To ensure the most effective protection against these types of threats, FIs must implement a comprehensive, multi-layered security program that includes hardware, software and services designed to protect against all breaches today and in the future. Card and Currency Security Preventing Card Skimming There is a variety of methods that may be employed to deter card skimming. To begin with, awareness among consumers, branch personnel and ATM service technicians can result in the detection of devices added to an ATM fascia. Visual clues such as tape residue near or on a card reader may indicate the former presence of a skimming device. In addition, the following anti-skimming solutions can help prevent skimming attacks: Jitter - a process that controls and varies the speed of movement of a card as it is swiped through a card reader, making it difficult if not impossible to read card data Alert systems - these systems monitor routine patterns of withdrawals and notify operators or FIs in the event of suspicious activity Chip-based (EMV) cards - these cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce Anti-skimming technologies - effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM Foreign object detection - ATMs equipped with this type of technology can alert owners, operators or law enforcement in the event that a skimming device is added on the fascia of an ATM Preventing PIN Capture Video surveillance is the most effective method for deterring or detecting PIN capture. In addition, mirrors can be affixed to the fascia of an ATM, allowing users to easily see behind consumers as they enter data. Maintaining the security of an ATM fleet is one of the most technically challenging areas of an FI s operations. 5

6 Furthermore, PIN pad shields can be used to obscure data entry because they shield the PIN pad from view. The ergonomic design of an ATM can also play an important role in preventing shoulder surfing. Techniques such as positioning the keyboard in the center of the fascia or recessing the display more deeply within the terminal can also make shoulder surfing more difficult. Preventing Fraudulent Equipment Consumer education and ATM monitoring services are the best ways to prevent the application of fraudulent equipment such as skimming devices on or near legitimate ATMs. Consumers should be taught awareness of the look and location of ATM components, such as PIN pads, card readers, monitors and dispensers. ATM monitoring services are designed to notify owners of repetitive timeout messages during PIN entry. Foreign object detection technology can also play a role in identifying fake equipment. Hidden from view, this type of technology actively monitors the ATM s fascia. When abnormalities are detected, ATMs can notify authorities and even shut down until problems are resolved. Preventing PIN Interception Encrypted PIN pad technology is the key to preventing PIN interception. Encrypted PIN pads scramble data before transmission so that no raw PIN numbers are accessible to electronic hackers. Preventing Card Theft Card readers with the capability to detect if an ATM s shutter is closed completely can provide an indication that a fishing device may have been inserted into the card reader. By using remote diagnostics to monitor the ATM, error codes generated by the card reader can be tracked. An increase in the occurrence of error codes related to card readers could be an indication that a fraud attempt is in progress. Preventing Transaction Reversals Many FIs deter this fraud by always debiting the account for the full amount of a transaction, dealing with legitimate short-dispense claims as they arise. Other techniques include monitoring time out on withdrawal error messages. If this message occurs repeatedly and is associated with a specific cardholder, this may be an indication of perpetrator activity. Finally, using a retract bin with separate compartments each dedicated to a single retract operation can allow FIs to associate specific, retracted banknotes with specific transactions. Logical/Data Security Core to protecting sensitive cardholder data are the Payment Card Industry Data Security Standards (PCI DSS). A set of requirements developed by the PCI Security Standards Council for addressing the security of cardholder data that is stored, processed or transmitted, PCI DSS was created to help facilitate the adoption of strong and consistent data security measures to help protect sensitive cardholder data using a point-of-sale device, e-commerce and ATMs. It protects customersensitive data such as security management, policies, procedures, network architecture, software design and other critical protective measures. It is a set of comprehensive requirements for safeguarding cardholders sensitive data. The PCI Council has defined and specified a set of requirements that merchants and service providers who handle such sensitive data have to implement. PCI DSS defines a set of 12 requirements that address six main areas: Build and maintain a secure network Protect cardholder data Maintain a vulnerability management program Implement strong access control measures Regularly monitor and test networks Maintain an information security policy Visit: for more information on PCI DSS requirements and compliance. ATM logical security systems should be designed to prevent intrusion, defy hackers and prevent data crime before it begins. To mitigate logical security attacks, ATM security experts recommend a strong firewall featuring multiple layers of security to mitigate logical security attacks. An important first step is to lock down, or harden, the ATM. This means making all electronic points of entry invisible or unavailable to hackers, viruses and worms. This technique is made possible through a combination of a strong firewall and software designed to monitor, analyze and authenticate any external source attempting to connect to an ATM. This solution should be designed to block any unauthorized user or pattern of data. In fact, a good logical security system should be able to analyze and compare patterns of data to those of known attacks and send alerts upon detecting suspicious activity. Patch management is another important component 6

7 of any logical security system. Microsoft occasionally releases security patches security-related updates to its operating system designed to eliminate known problems with its operating system. ATM logical security systems should be designed to identify appropriate patches and to quickly deploy them throughout an ATM network in an effort to protect against viruses, worms and other exploitation. Physical Security Since their invention, ATMs have been designed to resist physical attacks. Yet that has not completely eliminated physical security risks. According to research conducted by the European ATM Security Team, gas explosion attacks in Europe rose 90 percent in the first half of 2011 compared to the same period in Not only do these attacks result in significant cash and equipment loss, but damage to surrounding facilities and harm to bystanders are also potential damages this type of attack can cause. As a result, more sophisticated approaches to physical security, including the use of bank note degradation systems (ink dye system) designed to render currency useless, have gained in popularity as mechanisms for deterring physical attacks. Modern ATM engineering has resulted in improved fascia design, weather and vandal-resistant construction materials, shutters and other devices designed to protect and ensure the integrity of ATM components and cardholder data. Preventing Burglaries There is a variety of mechanical and physical factors than can inhibit attacks to ATM safes. The certification level of a safe, for example, can determine how difficult a safe is to penetrate. A certification level of UL291 Level 1 or CEN-L rated safe is recommended as a minimum for ATMs placed in unsecured, unmonitored locations. Additional Security Measures at the ATM Consumer Safety at the ATM In a 2011 poll conducted by the European ATM Security Team, 20 percent of survey participants claimed to have been a victim of ATM crime. Not surprisingly, consumer safety has become a leading consideration in the manufacture, deployment and management of ATM networks. Manufacturers have deployed mirrors, better lighting, video surveillance and other devices intended to provide a more secure environment surrounding ATMs. FIs are more carefully evaluating ATM locations, more often stressing the importance of consumer awareness and have gone so far as to arrange for security patrols at high crime, high traffic locations. Video Surveillance The primary method used to increase awareness and deter fraud attempts at the ATM is the installation of Closed Circuit Television Cameras mounted in plain view on or near the ATM. This may be because similar technology deployed in branch environments has proven itself invaluable as it constantly deters crime and helps apprehend bank robbers. Nowhere does this sort of digital security offer more benefits than in the surveillance of offpremises ATMs, which present obvious challenges with regard to maintenance and security. Cameras can be easily integrated into the fascia of most ATM machines and improved security can be achieved by installing additional site cameras on and around the premises. The availability of remote video surveillance services makes digital video an even more attractive security option, because many ATMs and their surrounding areas can be directly monitored from a single, central location. Remote Monitoring Remote diagnostic services provide an automated means to monitor and manage ATM networks. Remote monitoring can communicate important messages that may indicate tampering with a machine. Remote diagnostics, monitoring and management provide improved uptime and reduced risk. These services promote dispatch avoidance and enable a group of central support associates to control keyboard and mouse operations of ATMs directly from remote computers. Through ATM monitoring capabilities, status messages from an ATM can be sent to a central location where those messages are acted upon based upon a predefined plan. Central support associates can quickly identify problems and security concerns based upon the messages they receive. For example, the continual notification of a card reader failure or a drastic decline in transactions at an otherwise busy location might be an indication of tampering. Remote diagnostic services also contribute to the safety and security of personnel assigned to work on ATMs, allowing these associates remote access and gives them the ability to manage events from a secure location. Further, the best defense against potential litigation by crime victims is a proven track record of policies aimed at crime prevention. The following are practices to consider for educating consumers, deterring crimes and improving the security of ATM premises. Consumer Education o Make safety and security educational materials available o Provide safety information directly on ATM screens 7

8 o Print safety and security reminders on ATM receipts Crime Prevention o Videotape customers and ATM transactions o Provide video surveillance of parking lots and other areas surrounding ATMs o Document requests to local police to patrol areas surrounding ATM o Increase security measures in areas of frequent crime o Use contracted security guards as patrols or as sentinels o Maintain records relating to security complaints; document action taken as a result of each complaint o Maintain a record of proper security equipment maintenance Premises Protection Conclusion o Locate ATMs in highly visible, well-traveled areas o Employ high-intensity lighting at and around ATMs o Designate parking spaces dedicated to ATM Use Only o Keep trees, shrubs and other greenery well trimmed; remove other obstacles that may obscure the view of ATMs and the areas around them Threats at the self-service channel come in many forms and are constantly increasing in frequency and sophistication. According to a 2011 study conducted by CPP Research, 28 percent of adults more than 13 million people have been a victim of card fraud in the United Kingdom alone. ATM fraud is growing because it produces cash and is fairly low risk relative to other crimes. The necessary equipment for perpetrator activity is inexpensive, readily available and expendable, which makes ATM fraud popular among organized crime organizations. Even so, consumer confidence in ATMs remains high, and industry efforts to combat fraud, increase consumer awareness and promote ATM security seem to be outpacing the growth rate of criminal activity. A multi-layered approach to ATM security combining technologies such as video surveillance and monitoring, remote ATM management and foreign object detection as well as common sense management practices aimed at deterring crime are providing FIs with an edge in the fight against fraud and keeping the self-service industry at least one step ahead of fraudsters. End Notes 1. Global ATM Market and Forecasts to Retail Banking Research. September Brochure Pg European ATM Crime Report. The European ATM Security Team. June Asia-Pacific ATM market booms while USA and much of Western Europe falls. Press Release. Retail Banking Research. October 13, From Mag Stripe to Malware: Card Security Risks in Aite Group Summary of Website Research Poll Results. The European ATM Security Team. October Pg million people in the UK affected by card fraud. CPP. January Contact Information: Diebold, Incorporated P.O. Box 3077 Dept.9-B-16 North Canton, Ohio USA International productinfo@diebold.com Diebold, Incorporated, All rights reserved. File number