Blinded by the Mundane

It's a fact. People become complacent, so accustomed to the technology pervading their lives that they don't take an active enough role in watching and protecting it. We must remember that security awareness is never just about technology and that we should consider all three domains - Cyber, Physical and Human - when trying to protect our assets. Our busy, multitasking lifestyle often lets physical security be forgotten and left by the wayside, leaving our computers, electronic devices and data at risk. What can we do to improve the physical security of our information assets?

You're in a rush and you need some fast cash. Did you look closely at the ATM when you used it? It's evening, at dusk; you're low on gas and pull into a station. Do you really look at the card reader and the pump? You're running to catch a flight and need cash to pay for airplane food and drinks. Do you even look at that machine? We are blinded by monotony, no longer paying attention to the mundane details of everyday life. But the thing is, we need to pay attention! We need to look closely at things, especially card scanners!

Tricks of the ATM Scam Trade

There's a bad-guy technology that's victimizing the ordinary consumer, and very few people are aware of it. Millions of dollars, pounds and euros are disappearing into the hands of criminals through ATMs. One of the latest ATM crimes is to insert a claw, a spring trap, into the cash dispenser and wait for a victim. The victim's cash will not come out; they will get very upset, finally leave, and obviously call the bank to get an explanation. The bad guy steps in, removes the claw and the cash, and puts the claw back in to snare the next victim.

What should you do? Look closely, especially in darker areas, to see if the ATM appears to have been tampered with. Look for:
- Additional pieces attached to the ATM that look as though they were afterthoughts.
- Loose screws, plates or covers on the ATM, as if it was assembled too quickly.
- An additional camera added to the ATM security camera that could be recording your PIN keystrokes.

If your card is ever jammed or eaten, call your bank immediately for instructions.

Spring traps: Once a card has been inserted, these prevent it from being returned to the customer and stop the ATM from retracting it. (See page 3 for a detailed explanation.)

Cash traps: Claw-like implements are inserted into the cash-dispensing slot to capture or skim some of the dispensed bills.

Jammers: An oversized fork-like device is jammed into the cash dispenser slot to keep it open following a normal ATM transaction.

Skimmers: Thieves lift the data from cards through handheld skimmers or via magnetic-strip readers. The data can then be re-encoded onto blank cards and used at any ATM, along with the victim's PIN, to withdraw cash.

Transaction reversal fraud: Involves tricking the ATM into not debiting some of the cash that has been requested, or manipulating the ATM to pay more than the balance available. This can be done with clips or claws so the machine does not know exactly what is dispensed.
The Spring Trap in Action

Please be aware of how subtle criminals can be. This almost invisible trap is so simple, yet so effective. It is a perfect example of how being UNaware of your physical surroundings could get you into trouble.
1. An x-ray film is cut to build the ATM card capture mechanism.
2. The trap is inserted into the card slot.
3. Unless you look very carefully, and feel for bumps along the slot, you can be easily fooled into trusting the ATM.
4. Once a frustrated and angry victim leaves the machine, the trapped card can be easily and quickly removed.
5. The bad guy gets the card. If he has installed a well-hidden camera to capture keystrokes, or if a Good Samaritan had come along offering to help but was actually watching for the PIN entry, the victim's account is now available to be emptied.

ATM and credit card machine scams are going global, and unless people look closely, the number of victims will grow exponentially. Whether it is YOUR card or a card issued through your COMPANY, you need to be extra cautious! Trust but verify. Think about physical security in your personal lives as well as your professional ones. Don't forget to report anything suspicious in your physical work environment. If you suspect that an ATM or credit card machine has been compromised, call your credit card company and ask for the Fraud Department. Reporting incidents in your personal life is no less important than reporting events in the workplace.

Printer Security Thoughts

We might not think about printers much, except when they're not working! But these often frustrating devices actually pose physical security threats both at work and at home.

Company common-area printers: If you don't pick up your documents, they are available for anyone to see. Know the data sensitivity of what you send to shared printers. Know and follow company policy. Some printers are also copy machines. Remember to retrieve the originals as well as all copies before leaving.

Networked printers are basically computers, since they can store data. They can be hacked the same way computers can; be aware that they have memory. They can divulge company secrets even after the documents have been printed. Know and follow company policy. If a printer is instructed to print 10 copies but only has 9 sheets of paper, the next person to refill the paper will see a copy of your sensitive data. Don't leave that page behind in memory.

At home: Double check that you haven't left personal data, banking information or "for parents only" type information in the house printer. We know you have a busy family life and chaos reigns, but even at home you should have and follow your own policies for handling important papers.
Hotel Security: Epic Fail

You already know why leaving a laptop or other portable, personal electronics in a car can be a disaster. Even leaving your personal or business technology in the trunk while at a movie or a meeting is an open invitation to theft, rear-ending or overheating. These are all bad things. So keeping your electronics with you at all times is the best advice most experts will give. Is it convenient? No. But it is the best practice for security.

Business travelers are regularly advised that hotels are not as safe as one might assume. Nation-state spies, industrial competitors and run-of-the-mill criminals are well known to break and enter into hotel rooms and to steal the contents of hard drives, laptops, iPads and all data storage devices. And things are only getting worse.

Imagine that there is a single key that can open every hotel room in the world. Does that sound far-fetched? A security researcher created a pocket-sized, pen-like device that could disable any hotel door lock, and he did so for less than $50. After he published his findings online, a string of robberies occurred at a Hyatt Hotel. So it seems that the bad guys paid attention. Millions of hotel rooms are now vulnerable, and that means the security guidelines we once followed are changing right before our eyes. The pen-like device would never raise suspicion even to a trained security person, and it exploits a bypass mechanism in hotel door locks. The locks can be popped open in a fraction of a second.

How do you respond? Hotel rooms were always accessible by staff personnel, and while we all place some limited degree of trust in hotel staff, it's never absolute. Given that millions of hotel rooms have become much more vulnerable, our behavior should change. This hotel door-lock hack represents a major shift in both the threats out there and what our reactions to these threats should be. It is now best practice to assume your hotel rooms are common areas and any bad guy has access if he so chooses.

Since this threat is relatively new, please find out if any company policies or procedures have been changed to reflect the increased risk. Know and follow company policy concerning the handling of company data outside of work. To read more about the hotel hack, check out this link: andygreenberg/2012/11/26/security-flawin-common-keycard-locks-exploited-instring-of-hotel-room-break-ins/

If you leave laptops, iPads, hard drives or other electronic devices in your room, they are now more vulnerable than ever. Keep them with you whenever possible, or take them to the front desk to put in the hotel safe. Consider the encryption options for your data. You might want to start here: toptenreviews.com/

A locked briefcase can be opened in seconds and should not be considered a security barrier. Therefore, your physical documents are also at risk. Lock them in the hotel safe at the front desk.

At work, ask about approved encryption software and how the company can help. Where policy permits, travel with an external backup drive, one which can easily be kept in your pocket or purse, physically separate from your laptop.

Password-protect every device. Period. If you do choose to lock the device in your room safe, a password should be the bare minimum you use to protect it. Just know that thieves can easily remove that closet safe (unless it is embedded in the wall or floor) and take the whole thing with them.
Who Owns Company Data?

Historically, security experts have focused on controlling breaches of electronic data. But what about the physical data, such as printed presentations, lists, databases and other company-sensitive information? A European survey suggests that employees feel they own the data they have collected while working for an organization. According to the study, 51% of employees will take company data with them when they switch jobs. In most companies, these types of information represent highly sensitive and valuable data, which is critical to a company's competitive advantage, brand reputation and customer trust.

Do you know your responsibilities for protecting your organization's physical information assets? What are you explicitly permitted to remove from company premises? Information security is as much about the physical domain as it is about digital and technological controls in the cyber domain. But if we aren't vigilant about physical security, then the cyber security controls won't be effective.

51% of employees will take company data with them when they switch jobs.
21% of employees take company proposals with them.
18% of employees walk off with presentations.
46% of employees leave their companies with strategic plans or product/service roadmaps.

Leveraging Persons of Interest

We see a lot of exaggerated uses of breaking and entering on popular TV shows like Leverage and Person of Interest. They both regularly show supposed tricks of the trade used to bypass physical security. In one show, the protagonist clones a building access card from a remote location in seconds. In another, the hacker character creates false credentials on demand in seconds. Are these things actually possible? Not really, but the point they're making is that all security systems have weaknesses. Hollywood just makes it look like technical geniuses can break through security barriers in an instant, for the sake of time. After all, the show only has 42 minutes to tell a story. These shows use real-world examples of technical hacks, which certainly have a basis in reality most of the time. The writers have advisors and experts who help them utilize actual technology in a fictional manner, often morphing the facts to create a more dramatic effect.

Your takeaway: Stay aware of the Hollywood Hacks and question their reality. Your awareness of what might be possible will make it less likely for you or the company to become victimized. It may make you a little more paranoid, but we like to call that being aware. If you see any hacking-based TV episode or movie scene using technology you aren't sure is real, ask a more knowledgeable person, or research it with your kids as a shared exercise so you can all learn something new.
Nutshell Advice

At a recent security conference, we polled attendees for some quick snippets about their best security advice in the physical domain, and the response was primarily from females! Here's what they had to say.
1. Ugly purses get stolen less often. Put your iPhone in an ugly purse.
2. Larger purses can hold more. If you want to be able to carry more things, use an ugly backpack instead of a fancy purse.
3. Have suits made with an iPad pocket.
4. Look over your shoulder before entering any secure area.
5. Use a shredder at home.
6. Clean up your desk at least once a day. You will be amazed at what you find.
7. Lock doors. They only keep out the honest folks, but they are a deterrent to the bad guys.
8. Buy a gun safe. Use it for electronics, backup drives and important papers. A small safe isn't big enough anymore.
9. Look around the printer/copy room and common areas for lost company documents.
10. Unlabeled boxes are, by definition, suspicious. Label things!

The Taliban Messes Up, Too.

It's not only the good guys who mess up when using information technology... Since e-mail has been around for many years now, EVERYONE understands about BCC vs CC, right? In a major OOPS!, an official Taliban spokesperson sent out an e-mail and forgot that BCC was meant to hide the addresses of his distribution list. He used CC for his message, thus exposing the online identities of 500 people.

Reminder: BCC is the Blind Carbon Copy, which doesn't let any of the recipients see who else got the e-mail, while CC, Carbon Copy, lets all recipients see who else received the same message. Just be careful at home and at work.

Lesson: When you are mass mailing, as with a holiday message or event announcement, be very aware of what your recipients can see! Send a test to a co-worker or yourself to be sure that you're not revealing the addresses of folks who wouldn't want others to have them. Think before you <click>!

Coming Next Month: The Top 10 of Mobile, PC and Mac Security
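As an added example (not from the newsletter), the self-test the BCC-vs-CC lesson recommends, done with Python's standard email library: the same mass mailing is built once with the distribution list in Cc and once in Bcc, and a check reports which list members every recipient would be able to see. The sender and list addresses are constructed placeholders.

```python
import copy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample distribution list: placeholder addresses, not real people.
DISTRIBUTION_LIST = ["alice@example.org", "bob@example.org", "carol@example.org"]


def build_mass_mail(sender, recipients, use_bcc):
    """Build a holiday-style mass mailing.  use_bcc=True puts the list in Bcc;
    use_bcc=False puts it in Cc, the mistake described in the article."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the only visible recipient is yourself
    msg["Subject"] = "Holiday greetings"
    msg["Bcc" if use_bcc else "Cc"] = ", ".join(recipients)
    msg.set_content("Happy holidays from the security team.")
    return msg


def _addresses(msg, headers):
    """Bare addresses found in the given headers, skipping headers that are absent
    (getaddresses rejects empty fields in strict mode)."""
    fields = [str(v) for h in headers for v in msg.get_all(h, [])]
    return sorted({addr for _, addr in getaddresses(fields) if addr})


def envelope_recipients(msg):
    """Who the mail server is asked to deliver to: To + Cc + Bcc, the same set
    smtplib.send_message() derives before it sends."""
    return _addresses(msg, ("To", "Cc", "Bcc"))


def wire_copy(msg):
    """The copy that actually leaves: smtplib.send_message() deletes the Bcc and
    Resent-Bcc headers before transmission, so blind copies stay blind."""
    out = copy.copy(msg)  # same shallow copy smtplib makes
    del out["Bcc"]
    del out["Resent-Bcc"]
    return out


def exposed_recipients(msg):
    """Addresses every recipient can read in the delivered message."""
    return _addresses(wire_copy(msg), ("To", "Cc", "Bcc"))


def leaked_addresses(msg, distribution_list):
    """The article's self-test in code: which list members are revealed to all?"""
    return sorted(set(distribution_list) & set(exposed_recipients(msg)))
```

Both variants reach the same set of inboxes; only the Cc version reveals the whole list to everyone on it.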