Security Awareness The Dangers of using ATM How to Protect yourself?

Presentation transcript:

Security Awareness The Dangers of using ATM How to Protect yourself? Presented by Reaz Baichoo (CISSP)

The Dangers of using ATM How to Protect yourself? The purpose of this presentation is to make the audience aware of the dangers of using ATMs and how to protect themselves from ATM fraud. In no case should the reader use any of the techniques presented to perform ATM fraud. It is for awareness ONLY, and the Author disclaims any liability thereafter. © Reaz Baichoo (CISSP) - 2007

Agenda Introduction General practices ATM Fraud Techniques PIN Security Accessing the Cash ATM Burglary attacks Conclusion

Introduction Consumers – Trust and depend on ATM ATM – conveniently meet consumers Banking needs ATM – one of many EFT devices vulnerable to fraud attacks

Introduction Fraud at the ATM – more difficult than at a POS But still Widespread ATM Fraud techniques Shoulder surfing Card Skimming Software tampering Hardware modifications

Introduction Recent Global ATM consumer research indicates that one of the most important issues for consumers when using an ATM was personal safety and security (Decision Analyst)

Introduction Decision Analyst, Inc. 2002

Agenda General practices Introduction ATM Fraud Techniques PIN Security Accessing the Cash ATM Burglary attacks Conclusion

General Practices Video Surveillance Awareness and Consumer Education Remote Monitoring

General Practices - Video Surveillance Invaluable and effective for monitoring the ATM and surrounding area Assists in the deterrence and apprehension of bank robbers Legislatively mandated in many states Potential benefits in the surveillance of off-premise ATMs

General Practices – Awareness & Consumer Education Joint effort involving Financial Institutions Consumer ATM Manufacturer / Service Provider

General Practices – Awareness & Consumer Education Financial Institutions stress the importance of awareness at ATM to their customers promote vigilance in reporting irregularities Branch personnel, ATM services providers and cash handlers – proper training to recognize ATM Frauds Training to service technicians to conduct detailed evaluation of key ATM components at each visit

General Practices – Awareness & Consumer Education Use of same ATMs daily / weekly Attentive consumer Notices any irregular objects or any attached notes Report discrepancy to Financial institutions Carefully review monthly account statements Use Internet banking to monitor any uncommon activity on their account

General Practices – Awareness & Consumer Education ATM Manufacturers / Service Providers Criminal rings purchasing ATMs and placing them in open market A repository for stolen card data and PIN Numbers Promote consumers to use recognized ATMs

General Practices –Remote Monitoring Provide an automated means to monitor and manage ATM network Communicate important messages that may indicate the tampering with a machine Provides improved ATM availability and reduces risk Quick identification of problem – remotely and centrally

Agenda ATM Fraud Techniques Introduction General practices PIN Security Accessing the Cash ATM Burglary attacks Conclusion

ATM Fraud Techniques Card Theft Skimming Devices

ATM Fraud Techniques – Card Theft Criminals use a variety of card trapping devices Encased in a plastic transparent film Inserted into the card reader throat Hooks attached to prevent card from being returned to consumer

ATM Fraud Techniques – Card Theft Criminal is usually in close proximity Criminal offers support Suggests that the user enter the PIN again so that he can view the entry and remember the PIN Criminal uses a probe to extract the card (after the consumer has left believing his card was captured by the ATM)

ATM Fraud Techniques – Card Theft Card Trapping Devices:

ATM Fraud Techniques – Preventing Card Theft Use remote diagnostics to monitor ATM, error codes generated by card reader An increase in the occurrence of error codes related to card readers could be an indication of a fraud attempt Consumer and staff awareness Never enter PIN in front of Intruders

ATM Fraud Techniques – Skimming Devices Most frequently used method of illegally obtaining card track data Devices used by criminals to capture data stored in the magnetic stripe of the card Read and decipher info on magnetic stripes through the application of small card readers in close proximity to or on top of the actual card reader input slot

ATM Fraud Techniques – Skimming Devices Skimming devices can be smaller than a deck of cards Can capture and retain information from more than 200 cards Capture account numbers, balances and verification codes

ATM Fraud Techniques – Skimming Devices Consumer believes the device is part of the ATM equipment Sign instructing cardholders to swipe cards through the additional reader for security purposes or Portray the additional card reader as a card cleaner

ATM Fraud Techniques – Skimming Devices


ATM Fraud Techniques – Preventing Skimming Attentiveness of ATM consumers, branch personnel or ATM Service technician Visual clues – presence of adhesive tape residue near or on card reader Therefore, awareness for consumers, Branch personnel and ATM service Technician

ATM Fraud Techniques – Preventing Skimming Use Anti-skimming solutions: Control speed of the movement of the card or Intentional erratic movement of the card during card insertion and return by the motorized card reader – will confuse most skimming devices Jitter techniques incorporated into some newer card reader designs

ATM Fraud Techniques – Preventing Skimming Use Anti-skimming solutions: Install an auto alert system to monitor the routine patterns of withdrawals to help determine fraudulent withdrawals Migrate towards chip cards and chip card readers – less susceptible to skimming

Agenda PIN Security Introduction General practices ATM Fraud Techniques PIN Security Accessing the Cash ATM Burglary attacks Conclusion

PIN Security Shoulder Surfing Fake PIN Pad Overlay PIN Interception

PIN Security – Shoulder Surfing Direct observation Watching which numbers the person taps on the keyboard Use of miniature video cameras – easily obtained and can be discreetly installed close to the PIN Pad

PIN Security – Preventing Shoulder Surfing Fix mirror on the fascia of the ATM – users will see behind as they enter their info Ergonomic design of the ATM to prevent shoulder surfing Consumer – allow body to cover the area of pin entry

PIN Security – Preventing Shoulder Surfing Educate users Place ATM in high-traffic area, with illuminated signage panels and surrounding street lights provide a secure and welcoming environment to customers

PIN Security – Fake PIN Pad Overlay Fake PIN pad placed over original keypad Overlay captures the PIN data and stores info into its memory Fake PIN pad then removed and recorded PINs are downloaded Identical in appearance and size of original keypad

PIN Security – Fake PIN Pad Overlay Some are very thin and transparent to the consumer PIN intercepted allows for transaction to proceed in normal way Used in conjunction with card data theft to get info needed to access unsuspecting consumer’s account

PIN Security – Fake PIN Pad Overlay Criminal may also attach a portable monitor and card reader on top of the actual ATM’s monitor and card reader to obtain card and PIN info Card will not be returned to consumer After consumer left, criminal will remove card and use recorded PIN for fraud activities

PIN Security – Fake PIN Pad Overlay

PIN Security – Preventing Fake PIN Pad Overlay Educate users to be aware of abnormalities in look and feel of the keypad Pay attention to screen as they enter PIN No **** when entering PIN indicates a PIN Pad overlay

PIN Security – Preventing Fake PIN Pad Overlay Use ATM monitoring software / services e.g. to notify of repetitive “time-out messages” could signify that a card was inserted but transaction timed out due to no data entered PIN pad overlay has received the PIN entry info

PIN Security – PIN Interception After PIN entered, info is captured in electronic format through an electronic data recorder Done either inside the terminal or as the PIN is transmitted to host computer for online PIN check Access to communication cable required – therefore more easily done at off-premises

PIN Security – Preventing PIN Interception PIN pad security dictated by MasterCard and VISA Require encrypted PIN pad (EPP) in place The EPP is a sealed module that immediately encrypts the PIN entry No “raw” PIN numbers are accessible to electronic hackers Tampering of EPP renders it unusable requiring shipment back to manufacturer

PIN Security – Preventing PIN Interception For online communication, the 3DES standard strengthens the encryption algorithm used to protect the secrecy of the PIN as it is sent from the ATM to the bank for verification

Agenda Accessing the Cash Introduction General practices ATM Fraud Techniques PIN Security Accessing the Cash ATM Burglary attacks Conclusion

Accessing the Cash False ATM presenter Transaction Reversal

Accessing the Cash – False ATM presenter Fraud performed through addition of traps in front of the dispense point Device covers or disguises the normal dispense point ATM dispenses notes to false front and never presented to consumer Consumer mistakenly assumes the ATM has malfunctioned After customer leaves, criminal removes false fronts and takes the currency

Accessing the Cash – False ATM presenter Simplest method – use adhesive tape that blocks the cash dispenser and holds delivered banknotes Another method – use motorized devices that transport the delivered notes into dedicated bins

Accessing the Cash – False ATM presenter

Accessing the Cash – Preventing False ATM presenter Enhance presenter door mechanics with a more robust locking mechanism Modify firmware and hardware After note stack reaches a certain position within the presenter, the final delivery of the note stack is done entirely by belts without assistance of the push plate With an external false cover, there will be much lower force pushing notes against the tape resulting in most or all notes to be retracted

Accessing the Cash – Transaction Reversal Use a variety of methods to create an error condition at the ATM resulting in a transaction reversal due to reported inability to dispense cash – though cash is legitimately accessible by force

Accessing the Cash – Transaction Reversal E.g. ATM user requests to withdraw $100 User carefully removes only a portion of the notes e.g. only $60 $40 left in presenter Several seconds later, ATM times out and sends an error message ATM retracts the remaining banknotes Dispenser is not able to count banknotes Transaction reversed

Accessing the Cash – Preventing Transaction Reversal Many financial institutions deter this fraud by ALWAYS debiting the account for the full amount of the transaction and dealing with short dispense claims as they occur Monitor the “Time out on Withdrawal” and resulting retract: if this error is on a specific card, it may be an indication of fraudulent activity
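
The monitoring advice on the slides (rising card-reader error codes, repetitive time-out messages, and "Time out on Withdrawal" retracts tied to one card) can be expressed as sliding-window rules over ATM events. This is an added example, not part of the original presentation; the log layout, event codes, thresholds and one-hour window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, ATM id, card token, event code.
# The layout and event codes are hypothetical, not a vendor log format.
SAMPLE_LOG = """\
2007-03-01T09:00:00,ATM-01,card-A,WITHDRAWAL_OK
2007-03-01T09:02:00,ATM-01,card-B,CARD_READER_ERROR
2007-03-01T09:05:00,ATM-02,card-C,CARD_READER_ERROR
2007-03-01T09:20:00,ATM-02,card-D,CARD_READER_ERROR
2007-03-01T09:40:00,ATM-02,card-E,CARD_READER_ERROR
2007-03-01T09:00:00,ATM-03,card-F,TXN_TIMEOUT_NO_PIN
2007-03-01T09:50:00,ATM-03,card-G,TXN_TIMEOUT_NO_PIN
2007-03-01T10:30:00,ATM-03,card-H,TXN_TIMEOUT_NO_PIN
2007-03-01T11:00:00,ATM-04,card-I,TXN_TIMEOUT_NO_PIN
2007-03-01T11:08:00,ATM-04,card-J,TXN_TIMEOUT_NO_PIN
2007-03-01T11:20:00,ATM-04,card-K,TXN_TIMEOUT_NO_PIN
2007-03-01T12:00:00,ATM-01,card-X,WITHDRAWAL_TIMEOUT_RETRACT
2007-03-01T12:25:00,ATM-05,card-X,WITHDRAWAL_TIMEOUT_RETRACT
2007-03-01T12:30:00,ATM-05,card-Y,WITHDRAWAL_TIMEOUT_RETRACT
"""

# event code -> (field to group on, count threshold, finding).
# Thresholds are illustrative assumptions; tune them to each ATM's baseline.
RULES = {
    "CARD_READER_ERROR": ("atm", 3, "possible card trapping device"),
    "TXN_TIMEOUT_NO_PIN": ("atm", 3, "possible PIN pad overlay"),
    "WITHDRAWAL_TIMEOUT_RETRACT": ("card", 2, "possible transaction reversal fraud"),
}
WINDOW = timedelta(hours=1)


def parse(log_text):
    """Yield (timestamp, atm, card, event) tuples from the CSV-style log."""
    for line in log_text.strip().splitlines():
        ts, atm, card, event = line.split(",")
        yield datetime.fromisoformat(ts), atm, card, event


def detect(log_text, window=WINDOW):
    """Return a sorted list of (atm_or_card, finding) raised by RULES."""
    recent = defaultdict(deque)  # (event, key) -> timestamps still in window
    alerts = set()
    for ts, atm, card, event in sorted(parse(log_text)):
        if event not in RULES:
            continue
        group_by, threshold, finding = RULES[event]
        key = atm if group_by == "atm" else card
        times = recent[(event, key)]
        times.append(ts)
        # Drop events that have aged out of the sliding window.
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            alerts.add((key, finding))
    return sorted(alerts)


if __name__ == "__main__":
    for key, finding in detect(SAMPLE_LOG):
        print(f"{key}: {finding}")
```

ATM-03 has three time-outs but never three within one hour, so it raises no alert; card-X is flagged because the retracts follow the card across two machines.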

Agenda ATM Burglary attacks Introduction General practices ATM Fraud Techniques PIN Security Accessing the Cash ATM Burglary attacks Conclusion

ATM Burglary attacks Physical attacks attempted on the safe inside the ATM Through mechanical or thermal means Goal is to penetrate the ATM open safe to remove cash

Preventing ATM Burglary attacks Certification level of safe - UL 291 Level 1 recommended as minimum for ATMs in unsecured and unmonitored locations Alarms and sensors to detect physical attacks Ink stain technologies that will ruin and make unusable any removed banknotes

Preventing ATM Burglary attacks - Lock and Closing Devices Mechanical locks Allow the opening of safe door only through the combination of different keys Each key in the hands of a different person Electronic Locks Higher level of functionality Allow multiple combinations, each assigned to a different ATM maintenance facilitator Different passwords for operator, supervisor and conveyor Allow opening of safe during specific time periods (pre-programmed) Report remotely to monitoring system

Preventing ATM Burglary attacks – Alarms and Sensors Detect open / closed state of the safe door Monitor different parameters that can be indicative of a robbery attempt Sensors Temperature sensor to detect piercing with torch Tilting sensor to detect detachment of safe (for transportation) Vibration sensor to detect piercing with tools (drilling, cutting) Door sensor to detect if door is tampered with outside of cash handler or servicing

Preventing ATM Burglary attacks - INK Dye Consists of Detectors and Ink Dyeing Bank notes stained with ink when control system detects an abnormality in monitored parameters Stained notes can no longer be circulated, making robbery attempt fruitless Dyeing of banknotes triggered by unauthorized attempt to open the safe

Agenda Conclusion Introduction General practices ATM Fraud Techniques PIN Security Accessing the Cash ATM Burglary attacks Conclusion

Conclusion The ATM fraud is not the sole problem of banks alone A coordinated and cooperative action on the part of the bank, customers and the law enforcement machinery is required The ATM frauds not only cause financial loss to banks but they also undermine customers' confidence in the use of ATMs It is therefore in the interest of banks to prevent ATM frauds

References Diebold, Incorporated – “ATM Fraud and Security”, 2002. http://www.crime-research.org/articles/preventive-measures-ATM-frauds/ http://www.tdctrade.com/econforum/hkma/hkma031004.htm http://www.utexas.edu/police/alerts/atm_scam/