Mitigating Fraud in the EFT Industry

Apr 02, 2018

Rohit Singh
  • 7/27/2019 Mitigating Fraud in the EFT Industry

    Slide 1/34: Understanding and Mitigating Fraud in the EFT Industry

    ATM Business Issues - Edinburgh
    Jim Richardson, K3DES LLC
    [email protected]
    713 545-5867

  • Slide 2/34: About K3DES LLC

    Founded in April 2002 with focus on security of payment systems
    Approved by Visa and other payment systems to perform PIN security reviews
    Approved Payment Card Industry (PCI) assessor (credit, debit, stored value)

  • Slide 3/34: About Jim Richardson

    Worked for major accounting firm from 1990 to 2002 before founding K3DES
    Performed assessment and consulting projects for major ATM/POS switches, processors and financial institutions in the US and around the globe since 1992
    Developed first US network PIN security training class in 1994

  • Slide 4/34: Session Overview

    1. History of EFT Fraud
    2. Case Studies
    3. Evolving Nature of Fraud
    4. Mitigating Fraud

  • Slide 5/34: Session Objectives

    Understand the background and evolving nature of EFT fraud (debit and credit)
    Understand the skills, finances and resources of the international gangs
    Understand the most significant risks facing the EFT industry

  • Slide 6/34: Brief History of EFT Fraud

    1980s: the case of the consultant and the clear text encryption key
    1990s: shoulder surfing to steal PINs and card numbers
    1990s: large scale counterfeit credit cards
    2000s: skimming, scamming & scheming

  • Slide 7/34: Fraudulent Activity and Countermeasure

    Fraudulent activity: Hand skimmers (demo)
    Countermeasure: Forensic assessments to determine common point of compromise

    Fraudulent activity: Shoulder surfing
    Countermeasure: Account truncation on ATM and POS receipts

    Fraudulent activity: Compromise of clear text encryption keys
    Countermeasure: Controls over encryption keys (standards, audits)

  • Slide 8/34: Fraudulent Activity and Countermeasure

    Fraudulent activity: Card number generating software
    Countermeasure: CVV and CVC

    Fraudulent activity: Compromise of PIN Verification Key
    Countermeasure: Security reviews of card personalization vendors

    Fraudulent activity: Compromised POS and ATM PIN pads
    Countermeasure: NYCE and other payment companies' EPP requirements

  • Slide 9/34: Fraudulent Activity and Countermeasure

    Fraudulent activity: Compromise of PIN mailer process
    Countermeasure: Security requirements for issuers

    Fraudulent activity: Skimming and CCTV at POS fuel dispensers
    Countermeasure: ????

    Fraudulent activity: Skimming and CCTV at ATMs
    Countermeasure: Card Protection Kit (www.tdmsecurity.com)

  • Slide 10/34: Internal Fraud Case Histories

    Card personalization vendor
    The PIN verification key

  • Slide 11/34: Card Personalization Vendor

    Issued and reissued debit cards for community banks
    Cardholders began experiencing fraudulent withdrawals from accounts
    Vendor mailed card and PIN mailer on different days
    Vendor suspected internal fraud and requested assistance in evaluation

  • Slide 12/34: Card Personalization Vendor

    PINs generated using IBM 3624 method
    PIN offsets used for all banks
    PIN generation application and files used to generate PINs were not secure
    PIN mailer process ran during middle of swing shift
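The IBM 3624 PIN offset method named on this slide is what makes the rest of the case study hang together: the offset an insider could read off a line monitor is not a secret, so whoever also holds the PIN verification key (PVK) can turn it into the cardholder's PIN, which is why the "Major Vulnerabilities" slide later lists both the PVK and line monitors. The following Go program is an added example, not part of the presentation or of K3DES's material. The DES key, PAN, six-digit PIN, the validation-data layout (rightmost 12 PAN digits before the check digit, padded with F) and the decimalization table are all constructed assumptions; real issuers configure these and keep a double-length PVK inside an HSM.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Decimalization table: maps each hex digit 0-F of the DES output to a decimal
// digit. "0123456789012345" is the common default; issuers may use their own.
const decimalizationTable = "0123456789012345"

func allDigits(s string) bool {
	return len(s) > 0 && strings.Trim(s, "0123456789") == ""
}

// validationData builds the 16-hex-digit block encrypted under the PVK: the
// rightmost 12 PAN digits excluding the check digit, right-padded with 'F'
// (an assumed, common layout; issuers configure their own).
func validationData(pan string) (string, error) {
	if !allDigits(pan) || len(pan) < 13 {
		return "", fmt.Errorf("PAN must be at least 13 digits")
	}
	v := pan[len(pan)-13 : len(pan)-1] // the 12 digits before the check digit
	return v + strings.Repeat("F", 16-len(v)), nil
}

// naturalPIN encrypts the validation data under the PVK and decimalizes the
// leading ciphertext hex digits. Single DES is used for illustration; a real
// issuer keeps a double-length PVK inside an HSM and never exposes it.
func naturalPIN(pvk []byte, pan string, pinLen int) (string, error) {
	if pinLen < 4 || pinLen > 12 {
		return "", fmt.Errorf("unsupported PIN length %d", pinLen)
	}
	vd, err := validationData(pan)
	if err != nil {
		return "", err
	}
	block, err := des.NewCipher(pvk)
	if err != nil {
		return "", err
	}
	src, _ := hex.DecodeString(vd) // vd is always 16 valid hex digits here
	dst := make([]byte, des.BlockSize)
	block.Encrypt(dst, src)
	ct := strings.ToUpper(hex.EncodeToString(dst))
	out := make([]byte, pinLen)
	for i := range out {
		out[i] = decimalizationTable[strings.IndexByte("0123456789ABCDEF", ct[i])]
	}
	return string(out), nil
}

// IssueOffset derives what the issuer stores for a customer-chosen PIN:
// offset = (PIN - natural PIN) mod 10, digit by digit. The offset is stored
// and transmitted in the clear; the PVK alone is the secret.
func IssueOffset(pvk []byte, pan, customerPIN string) (string, error) {
	if !allDigits(customerPIN) {
		return "", fmt.Errorf("PIN must be numeric")
	}
	nat, err := naturalPIN(pvk, pan, len(customerPIN))
	if err != nil {
		return "", err
	}
	off := make([]byte, len(nat))
	for i := range off {
		off[i] = '0' + byte((int(customerPIN[i])-int(nat[i])+10)%10)
	}
	return string(off), nil
}

// VerifyPIN is the check done by the issuer host (or by an ATM verifying
// on-us PINs locally): recompute the natural PIN, add the offset, compare.
func VerifyPIN(pvk []byte, pan, offset, enteredPIN string) (bool, error) {
	if !allDigits(offset) || len(offset) != len(enteredPIN) {
		return false, nil
	}
	nat, err := naturalPIN(pvk, pan, len(offset))
	if err != nil {
		return false, err
	}
	for i := range offset {
		if enteredPIN[i] != '0'+byte((int(nat[i]-'0')+int(offset[i]-'0'))%10) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample key and PAN, not real values.
	pvk := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	pan := "4000001234567899"
	off, _ := IssueOffset(pvk, pan, "123456")
	ok, _ := VerifyPIN(pvk, pan, off, "123456")
	fmt.Printf("offset %s, customer PIN verifies: %v\n", off, ok)
}
```

VerifyPIN is the whole story of the next slides: natural PIN plus offset equals the PIN, and the natural PIN needs only the PAN and the PVK. A PIN generation application whose key files are "not secure" therefore hands an insider everything except the offset, and the line monitor supplies that. The controls that follow from this are the ones the deck recommends: PVK confined to an HSM, no clear-text key material in application files, and PIN-related fields masked on any troubleshooting display.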

  • Slide 13/34: Card Personalization Vendor

    Requested complete dump of all fraudulent transactions
    Compared run dates of PIN mailers with dates of first acknowledged fraudulent transactions
    Compared dates of first transactions with run dates of PIN mailers

  • Slide 14/34: Card Personalization Vendor

    Determined that cards issued on a given date experienced their first fraudulent transaction between three days and three months after the PIN mailer was run
    Looked at all fraudulent transactions on a given date to see when the PIN mailer was run
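The two-way comparison described on the previous two slides (mailer run dates against first-fraud dates, and first-fraud dates back to the mailer run) is a small forensic procedure that is easy to get wrong when a card has several fraudulent transactions or no known mailer run. The Go program below is an added example, not part of the presentation: the record types, field names and all dates are constructed, and the sample is deliberately tiny so the lag figures can be checked by hand.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// MailerRun is the date a card's PIN mailer was printed; FraudTx is one
// acknowledged fraudulent transaction from the issuer's dump (both constructed).
type MailerRun struct {
	Card string
	Run  time.Time
}

type FraudTx struct {
	Card string
	When time.Time
}

// LagStats summarises one mailer run date: how many of its cards saw fraud and
// the spread of whole days between the run and each card's first fraud.
type LagStats struct {
	Run                             string // YYYY-MM-DD
	Cards, MinDays, MaxDays, Median int
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// FirstFraudLagDays returns, per card, whole days from mailer run to first
// fraudulent transaction, plus the cards with fraud but no known mailer run.
func FirstFraudLagDays(runs []MailerRun, frauds []FraudTx) (map[string]int, []string) {
	runByCard := map[string]time.Time{}
	for _, r := range runs {
		runByCard[r.Card] = r.Run
	}
	first := map[string]time.Time{} // earliest fraud per card
	for _, f := range frauds {
		if t, ok := first[f.Card]; !ok || f.When.Before(t) {
			first[f.Card] = f.When
		}
	}
	lag, unknown := map[string]int{}, []string{}
	for card, t := range first {
		run, ok := runByCard[card]
		if !ok {
			unknown = append(unknown, card)
			continue
		}
		lag[card] = int(t.Sub(run).Hours() / 24)
	}
	sort.Strings(unknown)
	return lag, unknown
}

// LagByRunDate groups the per-card lags by mailer run date (the slides'
// comparison of run dates against first-fraud dates), sorted by run date.
func LagByRunDate(runs []MailerRun, lag map[string]int) []LagStats {
	groups := map[string][]int{}
	for _, r := range runs {
		if d, ok := lag[r.Card]; ok {
			key := r.Run.Format("2006-01-02")
			groups[key] = append(groups[key], d)
		}
	}
	var out []LagStats
	for run, days := range groups {
		sort.Ints(days)
		out = append(out, LagStats{run, len(days), days[0], days[len(days)-1], days[len(days)/2]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Run < out[j].Run })
	return out
}

// SampleData is constructed, not from the presentation: two mailer runs, one
// card per run without fraud (F), and one fraud on a card with no known run (G).
func SampleData() ([]MailerRun, []FraudTx) {
	runs := []MailerRun{
		{"A", day(2005, 3, 1)}, {"B", day(2005, 3, 1)}, {"C", day(2005, 3, 1)},
		{"D", day(2005, 4, 15)}, {"E", day(2005, 4, 15)}, {"F", day(2005, 4, 15)},
	}
	frauds := []FraudTx{
		{"A", day(2005, 3, 10)}, {"A", day(2005, 3, 4)}, {"B", day(2005, 5, 30)},
		{"C", day(2005, 3, 20)}, {"D", day(2005, 4, 22)}, {"E", day(2005, 5, 1)},
		{"G", day(2005, 5, 5)},
	}
	return runs, frauds
}

func main() {
	runs, frauds := SampleData()
	lag, unknown := FirstFraudLagDays(runs, frauds)
	for _, s := range LagByRunDate(runs, lag) {
		fmt.Printf("run %s: %d cards, first fraud after %d..%d days (median %d)\n", s.Run, s.Cards, s.MinDays, s.MaxDays, s.Median)
	}
	fmt.Printf("cards with fraud but no known mailer run: %v\n", unknown)
}
```

The wide spread within a single run date (3 to 90 days in the sample, 3 days to 3 months in the case) is the finding that ruled out a simple intercept-in-the-mail explanation and pointed at an insider who could cash out at leisure. Cards that show fraud without a matching mailer run are reported rather than silently dropped, since those are exactly the records a second analyst should go back and reconcile.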

  • Slide 15/34: Card Personalization Vendor

    Observed PIN mailer run
    Noticed that the cover sheet that protects the mailers during impact printing was thrown in trash rather than being placed in (unlocked) container for shredding
    Observed line monitor present in adjacent operations area (line monitors are used to monitor transactions for troubleshooting)

  • Slide 16/34: Card Personalization Vendor

    Fraud involved insider with access to the cover sheet and the line monitor
    Needed access to the line monitor to obtain the PIN offset value
    This accounted for the wide divergence in timing between the PIN mailer runs and the first fraudulent use of cards

  • Slide 17/34: PIN Verification Key

    Asian bank experiencing ATM fraud
    Bank suspected shoulder surfing to be the cause for fraud (another bank had shoulder surfing fraud attempt)
    Engaged to assist bank in confirming cause of fraud and in developing remedies

  • Slide 18/34: PIN Verification Key

    Evaluated controls over encryption keys
    Determined mix of transactions (on-us, foreign, network and POS)
    Performed data analysis of six months of transactions (4,000,000)

  • Slide 19/34: PIN Verification Key

    Encryption keys not secure
    But 98.5% of transactions on-us with PIN verified at ATM
    Conclusion: insecure encryption keys not cause of fraud

  • Slide 20/34: PIN Verification Key

    ATM cards had white background with card numbers embossed in white
    Cards required six digit PINs
    Card numbers truncated on ATM receipts
    Cards did not use CVV/CVC or PIN offset

  • Slide 21/34: PIN Verification Key

    Almost all ATMs at branches - loitering all day would prompt suspicion
    Only 50% of compromised cards shared common ATM usage during 30 days prior to date of compromise
    Customers used cards all day
    Conclusion: shoulder surfing not cause

  • Slide 22/34: PIN Verification Key

    88 balance inquiries in a row starting at 8:00 am on Sunday morning
    No pattern of card usage prior to this
    Cards first used to fraudulently withdraw money across the entire country in period of 3 to 8 days following balance inquiries
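Two pieces of transaction analysis carry the conclusion of slides 21 and 22: the share of compromised cards that ever used a common ATM in the 30 days before compromise (a genuine shoulder-surfing point should cover nearly all of them, not 50%), and the run of consecutive balance inquiries at one terminal on a Sunday morning, which is how an insider who generated the PINs confirmed them before the cards were cashed out nationwide. The Go program below is an added example, not part of the presentation: the journal format, field names, thresholds and every sample record are constructed so that the results can be checked by hand (six of twelve compromised cards share one prior terminal, and one terminal logs twelve inquiries a minute apart).

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ATMTx is one line of an ATM journal (constructed format); Type is "BAL" for
// a balance inquiry or "WDL" for a withdrawal.
type ATMTx struct {
	When                 time.Time
	Terminal, Card, Type string
}

// BestCommonTerminal returns the terminal used by the largest share of the
// compromised cards in the window before each card's own compromise date.
func BestCommonTerminal(txs []ATMTx, compromised map[string]time.Time, window time.Duration) (string, float64) {
	seen, count := map[[2]string]bool{}, map[string]int{} // {terminal, card} pairs; distinct cards per terminal
	for _, tx := range txs {
		cdate, ok := compromised[tx.Card]
		key := [2]string{tx.Terminal, tx.Card}
		if ok && tx.When.Before(cdate) && !tx.When.Before(cdate.Add(-window)) && !seen[key] {
			seen[key] = true
			count[tx.Terminal]++
		}
	}
	best, bestN := "", 0
	for term, n := range count {
		if n > bestN || (n == bestN && term < best) { // deterministic tie-break
			best, bestN = term, n
		}
	}
	if len(compromised) == 0 {
		return "", 0
	}
	return best, float64(bestN) / float64(len(compromised))
}

// Burst: consecutive balance inquiries at one terminal, each on a different card, with no withdrawal between.
type Burst struct {
	Terminal string
	Start    time.Time
	Cards    int
}

// BalanceInquiryBursts sorts each terminal's journal by time and reports runs
// of at least minLen such inquiries with at most maxGap between neighbours.
func BalanceInquiryBursts(txs []ATMTx, minLen int, maxGap time.Duration) []Burst {
	byTerm := map[string][]ATMTx{}
	for _, tx := range txs {
		byTerm[tx.Terminal] = append(byTerm[tx.Terminal], tx)
	}
	var out []Burst
	for term, list := range byTerm {
		sort.Slice(list, func(i, j int) bool { return list[i].When.Before(list[j].When) })
		run, inRun := []ATMTx{}, map[string]bool{}
		flush := func() {
			if len(run) >= minLen {
				out = append(out, Burst{term, run[0].When, len(run)})
			}
			run, inRun = nil, map[string]bool{}
		}
		for _, tx := range list {
			if tx.Type != "BAL" {
				flush()
				continue
			}
			if len(run) > 0 && (inRun[tx.Card] || tx.When.Sub(run[len(run)-1].When) > maxGap) {
				flush()
			}
			run, inRun[tx.Card] = append(run, tx), true
		}
		flush()
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Start.Before(out[j].Start) })
	return out
}

// SampleATMData is constructed, not from the presentation: twelve cards are
// compromised on Sunday 2005-05-01; six used ATM-05 in the prior 30 days, the
// rest used other terminals; from 08:00 that day ATM-17 logs one inquiry per card.
func SampleATMData() ([]ATMTx, map[string]time.Time) {
	at := func(m time.Month, d, h, mi int) time.Time { return time.Date(2005, m, d, h, mi, 0, 0, time.UTC) }
	compromised, txs := map[string]time.Time{}, []ATMTx{}
	for i := 1; i <= 12; i++ {
		card, term := fmt.Sprintf("C%02d", i), "ATM-05"
		if i > 6 {
			term = fmt.Sprintf("ATM-%02d", i)
		}
		compromised[card] = at(5, 1, 0, 0)
		txs = append(txs, ATMTx{at(5, 1, 8, i-1), "ATM-17", card, "BAL"}, ATMTx{at(4, 20, 12, 0), term, card, "WDL"})
	}
	return append(txs,
		ATMTx{at(3, 15, 9, 0), "ATM-05", "C07", "WDL"}, // outside the 30-day window: not counted
		ATMTx{at(4, 2, 9, 0), "ATM-08", "C01", "WDL"},  // a second compromised card at ATM-08
		ATMTx{at(5, 1, 8, 30), "ATM-17", "C50", "BAL"}, // isolated inquiry 19 minutes after the run
	), compromised
}
```

Calling BestCommonTerminal(txs, compromised, 30*24*time.Hour) on the sample returns ATM-05 with a share of 0.5, the same "only 50%" figure that let the assessors reject shoulder surfing at a single branch ATM; BalanceInquiryBursts(txs, 10, 5*time.Minute) returns one burst of twelve inquiries at ATM-17 starting 08:00 on the Sunday. Note the ordering in the window test: the inquiries themselves fall on the compromise date and are excluded, so they do not masquerade as "common prior usage". A burst rule of this shape (many distinct cards, inquiries only, tight spacing) is a reasonable standing alert for an issuer's monitoring, since a legitimate customer does an inquiry and then withdraws.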

  • Slide 23/34: PIN Verification Key

    Encryption keys not cause
    Shoulder surfing not cause
    Conclusion: PIN verification key was being used internally to generate valid PINs
    Conclusion: fraud disguised to look like shoulder surfing to throw off suspicion

  • Slide 24/34: Lessons from Credit Card Fraud

    Eastern European and Russian gangs
    Both employed skilled hackers to obtain full track data
    Had Web sites selling all types of cards
    Provided guarantee of validity and instructions on how to test cards

  • Slide 25/34: Lessons from Credit Card Fraud

    Use Web forums
    Provide ICQ (online chat) addresses
    Understand value of CVV and CVC
    Asking for full track data and encryption keys for generating CVV and CVC values
    www.carderportal.org, www.asechka.ru

  • Slide 26/34: Major Vulnerabilities

    Security of PIN Verification Key
    Use of line monitors
    Security of CVV/CVC keys
    Transmission of card image files to card personalization vendors

  • Slide 27/34: What If

    Criminals are patient enough to wait 6, 9, 12 months after stealing card information before using cards to commit fraud
    Criminals mix the card information stolen in one theft with card information stolen in another theft and so on
    The above actions make forensic reconstruction of events difficult

  • Slide 28/34: Offline Debit Card

    Blessings: virtually all debit cards are Visa or MasterCard branded and include CVV or CVC in track information
    Curses: offline debit cards vulnerable to same risks as credit cards
    Curses: debit card processors subject to PCI security requirements

  • Slide 29/34: PCI Data Security Requirements

    The PCI (Payment Card Industry) Data Security Standard is result of alignment of Visa and MasterCard CISP and SDP
    Designed to create common industry security requirements
    Service providers and merchants must validate compliance with PCI

  • Slide 30/34: PCI Data Security Requirements

    Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    3. Protect stored data
    4. Encrypt transmission of cardholder data and sensitive information across public networks

  • Slide 31/34: PCI Data Security Requirements

    Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
    7. Restrict access to data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

  • Slide 32/34: PCI Data Security Requirements

    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

  • Slide 33/34: Summary

    EFT fraud continues to evolve
    Each countermeasure forces the gangs to become increasingly more sophisticated
    The criminals are international, technically knowledgeable, organized and well-funded
    Greatest vulnerability is insider with knowledge selling information to gangs

  • Slide 34/34: Questions and Answers

    Understanding and Mitigating Fraud in the EFT Industry
    [email protected]
    713 545-5867