7/27/2019 Mitigating Fraud in the EFT Industry
1/34
ATM Business Issues - Edinburg
jim.richardson@k3des.com
713 545-5867
Understanding and Mitigating Fraud in the EFT Industry
Jim Richardson K3DES LLC

About K3DES LLC
- Founded in April 2002 with focus on security of payment systems
- Approved by Visa and other payment systems to perform PIN security reviews
- Approved Payment Card Industry (PCI) assessor (credit, debit, stored value)

About Jim Richardson
- Worked for major accounting firm from 1990 to 2002 before founding K3DES
- Performed assessment and consulting projects for major ATM/POS switches, processors and financial institutions in the US and around the globe since 1992
- Developed first US network PIN security training class in 1994

Session Overview
1. History of EFT Fraud
2. Case Studies
3. Evolving Nature of Fraud
4. Mitigating Fraud

Session Objectives
- Understand the background and evolving nature of EFT fraud (debit and credit)
- Understand the skills, finances and resources of the international gangs
- Understand the most significant risks facing the EFT industry

Brief History of EFT Fraud
- 1980s: the case of the consultant and the clear-text encryption key
- 1990s: shoulder surfing to steal PINs and card numbers
- 1990s: large-scale counterfeit credit cards
- 2000s: skimming, scamming & scheming

Fraudulent Activity: Countermeasure
- Hand skimmers (demo): forensic assessments to determine common point of compromise
- Shoulder surfing: account truncation on ATM and POS receipts
- Compromise of clear-text encryption keys: controls over encryption keys (standards, audits)

Fraudulent Activity: Countermeasure
- Card number generating software: CVV and CVC
- Compromise of PIN Verification Key: security reviews of card personalization vendors
- Compromised POS and ATM PIN pads: NYCE and other payment companies' EPP requirements

Fraudulent Activity: Countermeasure
- Compromise of PIN mailer process: security requirements for issuers
- Skimming and CCTV at POS fuel dispensers: ????
- Skimming and CCTV at ATMs: Card Protection Kit (www.tdmsecurity.com)

Internal Fraud Case Histories
- Card personalization vendor
- The PIN verification key

Card Personalization Vendor
- Issued and reissued debit cards for community banks
- Cardholders began experiencing fraudulent withdrawals from accounts
- Vendor mailed card and PIN mailer on different days
- Vendor suspected internal fraud and requested assistance in evaluation

Card Personalization Vendor
- PINs generated using IBM 3624 method
- PIN offsets used for all banks
- PIN generation application and files used to generate PINs were not secure
- PIN mailer process ran during middle of swing shift

Card Personalization Vendor
- Requested complete dump of all fraudulent transactions
- Compared run dates of PIN mailers with dates of first acknowledged fraudulent transactions
- Compared dates of first transactions with run dates of PIN mailers

Card Personalization Vendor
- Determined that cards issued on a given date experienced their first fraudulent transaction between three days and three months after the PIN mailer was run
- Looked at all fraudulent transactions on a given date to see when the PIN mailer was run
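The two comparisons described in this case (mailer run date against first fraud date, and fraud date back to mailer run), as an added illustration that is not part of the original slides: the card identifiers, run dates and fraud dates below are constructed, and the PIN_MAILER_RUNS and FRAUD_TRANSACTIONS structures are assumed inputs standing in for the vendor's batch logs and the issuers' fraud dump. The per-run hit rate at the end generalizes the slide's point: a batch whose cards almost all go bad, while other batches stay clean, is the common point of compromise.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the case): card -> date its PIN mailer batch was run.
PIN_MAILER_RUNS = {
    "card-001": date(2001, 3, 5),
    "card-002": date(2001, 3, 5),
    "card-003": date(2001, 3, 5),
    "card-004": date(2001, 4, 2),
    "card-005": date(2001, 4, 2),
    "card-006": date(2001, 5, 7),  # this run had no fraud reported
}

# Constructed dump of fraudulent transactions: (card, transaction date), not date-ordered.
FRAUD_TRANSACTIONS = [
    ("card-001", date(2001, 3, 8)),
    ("card-001", date(2001, 3, 9)),
    ("card-003", date(2001, 4, 20)),
    ("card-003", date(2001, 4, 10)),
    ("card-002", date(2001, 6, 4)),
    ("card-004", date(2001, 4, 9)),
    ("card-005", date(2001, 5, 30)),
]


def first_fraud_dates(transactions):
    """Earliest fraudulent transaction per card (the 'first acknowledged fraudulent transaction')."""
    first = {}
    for card, when in transactions:
        if card not in first or when < first[card]:
            first[card] = when
    return first


def lag_from_mailer_run(mailer_runs, transactions):
    """Days from each card's PIN mailer run to its first fraudulent use.

    This is the first comparison on the slide: mailer run date against first fraud date.
    """
    first = first_fraud_dates(transactions)
    return {card: (when - mailer_runs[card]).days
            for card, when in first.items() if card in mailer_runs}


def lag_window(lags):
    """Shortest and longest lag seen; in the case this came out at three days to three months."""
    values = sorted(lags.values())
    return values[0], values[-1]


def mailer_runs_for_fraud_on(mailer_runs, transactions, day_iso):
    """Second comparison on the slide: for fraud seen on one day, which mailer runs produced the cards."""
    day = date.fromisoformat(day_iso)
    runs = {mailer_runs[card].isoformat()
            for card, when in transactions if when == day and card in mailer_runs}
    return sorted(runs)


def fraud_rate_by_run(mailer_runs, transactions):
    """Per run date: (cards with fraud, cards issued). A run where most cards went bad while
    other runs stayed clean points at that batch as the common point of compromise."""
    first = first_fraud_dates(transactions)
    issued, hit = defaultdict(int), defaultdict(int)
    for card, run in mailer_runs.items():
        key = run.isoformat()
        issued[key] += 1
        if card in first:
            hit[key] += 1
    return {key: (hit[key], issued[key]) for key in issued}


if __name__ == "__main__":
    lags = lag_from_mailer_run(PIN_MAILER_RUNS, FRAUD_TRANSACTIONS)
    print("lag per card (days):", lags)
    print("lag window (days):", lag_window(lags))
    print("runs behind fraud on 2001-04-10:",
          mailer_runs_for_fraud_on(PIN_MAILER_RUNS, FRAUD_TRANSACTIONS, "2001-04-10"))
    for run, (bad, total) in sorted(fraud_rate_by_run(PIN_MAILER_RUNS, FRAUD_TRANSACTIONS).items()):
        print(f"run {run}: {bad}/{total} cards defrauded")
```

The wide lag window is the detail that matters: a batch-level correlation survives even when individual cards are not used for months, whereas looking for a single common ATM or merchant would not.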

Card Personalization Vendor
- Observed PIN mailer run
- Noticed that the cover sheet that protects the mailers during impact printing was thrown in the trash rather than being placed in the (unlocked) container for shredding
- Observed line monitor present in adjacent operations area (line monitors are used to monitor transactions for troubleshooting)

Card Personalization Vendor
- Fraud involved insider with access to the cover sheet and the line monitor
- Needed access to the line monitor to obtain the PIN offset value
- This accounted for the wide divergence in timing between the PIN mailer runs and the first fraudulent use of cards

PIN Verification Key
- Asian bank experiencing ATM fraud
- Bank suspected shoulder surfing to be the cause of the fraud (another bank had seen a shoulder surfing fraud attempt)
- Engaged to assist bank in confirming cause of fraud and in developing remedies

PIN Verification Key
- Evaluated controls over encryption keys
- Determined mix of transactions (on-us, foreign, network and POS)
- Performed data analysis of six months of transactions (4,000,000)

PIN Verification Key
- Encryption keys not secure
- But 98.5% of transactions on-us with PIN verified at ATM
- Conclusion: insecure encryption keys not cause of fraud

PIN Verification Key
- ATM cards had white background with card numbers embossed in white
- Cards required six-digit PINs
- Card numbers truncated on ATM receipts
- Cards did not use CVV/CVC or PIN offset

PIN Verification Key
- Almost all ATMs at branches; loitering all day would prompt suspicion
- Only 50% of compromised cards shared common ATM usage during 30 days prior to date of compromise
- Customers used cards all day
- Conclusion: shoulder surfing not cause

PIN Verification Key
- 88 balance inquiries in a row starting at 8:00 am on Sunday morning
- No pattern of card usage prior to this
- Cards first used to fraudulently withdraw money across the entire country in a period of 3-8 days following the balance inquiries

PIN Verification Key
- Encryption keys not cause
- Shoulder surfing not cause
- Conclusion: PIN verification key was being used internally to generate valid PINs
- Conclusion: fraud disguised to look like shoulder surfing to throw off suspicion
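The three data checks this case turned on (the shared-ATM test that ruled out shoulder surfing, the run of consecutive balance inquiries, and the nationwide withdrawals 3-8 days later), as an added example that is not part of the original slides. A constructed transaction log in a made-up pipe-delimited layout (timestamp|terminal|card|type) stands in for the bank's six months of data; the 30-day look-back and the 3-to-8-day follow-on window come from the slides, while the minimum run length of five inquiries is an assumed threshold chosen to fit the small sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the bank's data): timestamp|terminal|card|type.
# The run on ATM-BR-01 mirrors the case: consecutive balance inquiries for many
# different cards early on a Sunday morning, then withdrawals elsewhere days later.
SAMPLE_LOG = """\
2001-05-20T17:12:00|ATM-BR-02|c1|WITHDRAWAL
2001-05-22T12:03:00|ATM-BR-02|c2|WITHDRAWAL
2001-05-25T09:41:00|ATM-BR-02|c3|WITHDRAWAL
2001-04-01T10:00:00|ATM-BR-03|c5|WITHDRAWAL
2001-06-10T08:00:00|ATM-BR-01|c1|BALANCE_INQUIRY
2001-06-10T08:01:00|ATM-BR-01|c2|BALANCE_INQUIRY
2001-06-10T08:02:00|ATM-BR-01|c3|BALANCE_INQUIRY
2001-06-10T08:03:00|ATM-BR-01|c4|BALANCE_INQUIRY
2001-06-10T08:04:00|ATM-BR-01|c5|BALANCE_INQUIRY
2001-06-10T08:05:00|ATM-BR-01|c6|BALANCE_INQUIRY
2001-06-10T08:10:00|ATM-BR-01|c7|WITHDRAWAL
2001-06-13T22:15:00|ATM-N-11|c4|WITHDRAWAL
2001-06-14T23:02:00|ATM-E-23|c1|WITHDRAWAL
2001-06-15T01:30:00|ATM-S-42|c5|WITHDRAWAL
2001-06-18T00:45:00|ATM-W-07|c6|WITHDRAWAL
"""


def parse_log(text):
    """Parse the constructed log into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, card, kind = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "terminal": terminal,
                        "card": card, "type": kind})
    return sorted(records, key=lambda r: r["ts"])


def inquiry_bursts(records, min_run):
    """Per terminal, maximal runs of consecutive balance inquiries with at least min_run entries.

    A long run of inquiries for distinct cards with no withdrawals in between is the
    pattern the case describes (88 in a row from 8:00 am on a Sunday).
    """
    by_terminal = defaultdict(list)
    for r in records:
        by_terminal[r["terminal"]].append(r)
    bursts = []
    for terminal, recs in by_terminal.items():
        run = []
        for r in recs + [None]:  # None is a sentinel that flushes the last run
            if r is not None and r["type"] == "BALANCE_INQUIRY":
                run.append(r)
                continue
            if len(run) >= min_run:
                bursts.append({"terminal": terminal, "start": run[0]["ts"],
                               "weekday": run[0]["ts"].strftime("%A"),
                               "cards": [x["card"] for x in run]})
            run = []
    return bursts


def cards_without_prior_activity(records, cards, before, days=30):
    """Cards in the set with no transactions at all in the look-back window."""
    window_start = before - timedelta(days=days)
    active = {r["card"] for r in records if window_start <= r["ts"] < before}
    return sorted(set(cards) - active)


def shared_terminal_fraction(records, cards, before, days=30):
    """Fraction of the cards that used a terminal another card in the set also used
    during the look-back window. Shoulder surfing at one ATM would push this toward 1.0;
    the case saw only 50%."""
    window_start = before - timedelta(days=days)
    users = defaultdict(set)
    for r in records:
        if r["card"] in cards and window_start <= r["ts"] < before:
            users[r["terminal"]].add(r["card"])
    shared = set()
    for group in users.values():
        if len(group) > 1:
            shared |= group
    return len(shared) / len(cards)


def follow_on_withdrawals(records, burst, min_days=3, max_days=8):
    """Withdrawals by the burst's cards at other terminals min_days..max_days after the burst."""
    hits = defaultdict(list)
    for r in records:
        age = (r["ts"] - burst["start"]).days
        if (r["card"] in burst["cards"] and r["type"] == "WITHDRAWAL"
                and r["terminal"] != burst["terminal"] and min_days <= age <= max_days):
            hits[r["card"]].append(r["terminal"])
    return dict(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for burst in inquiry_bursts(recs, min_run=5):
        print(f"{len(burst['cards'])} inquiries in a row on {burst['terminal']} "
              f"starting {burst['start']} ({burst['weekday']})")
        print("no prior activity:", cards_without_prior_activity(recs, burst["cards"], burst["start"]))
        print("shared-ATM fraction:", shared_terminal_fraction(recs, burst["cards"], burst["start"]))
        print("follow-on withdrawals:", follow_on_withdrawals(recs, burst))
```

The inquiry-burst check is the one a monitoring team can run continuously: a run of balance inquiries for many distinct cards at one terminal, none of which had used that terminal before, has no legitimate explanation and is visible days before the withdrawals start.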

Lessons from Credit Card Fraud
- Eastern European and Russian gangs
- Both employed skilled hackers to obtain full track data
- Had Web sites selling all types of cards
- Provided guarantee of validity and instructions on how to test cards

Lessons from Credit Card Fraud
- Use Web forums
- Provide ICQ (online chat) addresses
- Understand value of CVV and CVC
- Asking for full track data and encryption keys for generating CVV and CVC values
- www.carderportal.org, www.asechka.ru

Major Vulnerabilities
- Security of PIN Verification Key
- Use of line monitors
- Security of CVV/CVC keys
- Transmission of card image files to card personalization vendors

What If
- Criminals are patient enough to wait 6, 9, 12 months after stealing card information before using cards to commit fraud
- Criminals mix the card information stolen in one theft with card information stolen in another theft, and so on
- The above actions make forensic reconstruction of events difficult

Offline Debit Cards
- Blessings: virtually all debit cards are Visa or MasterCard branded and include CVV or CVC in track information
- Curses: offline debit cards vulnerable to same risks as credit cards
- Curses: debit card processors subject to PCI security requirements

PCI Data Security Requirements
- The PCI (Payment Card Industry) Data Security Standard is the result of alignment of Visa and MasterCard CISP and SDP
- Designed to create common industry security requirements
- Service providers and merchants must validate compliance with PCI

PCI Data Security Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Summary
- EFT fraud continues to evolve
- Each countermeasure forces the gangs to become increasingly sophisticated
- The criminals are international, technically knowledgeable, organized and well-funded
- Greatest vulnerability is an insider with knowledge selling information to gangs

Understanding and Mitigating Fraud in the EFT Industry
Questions and Answers