Security Awareness The Dangers of using ATM How to Protect yourself? Presented by Reaz Baichoo (CISSP)

Mar 26, 2015

Page 1

Security Awareness

The Dangers of using ATM

How to Protect yourself?

Presented by Reaz Baichoo (CISSP)

Page 2

The Dangers of using ATM

How to Protect yourself?

The purpose of this presentation is to make the audience aware of the dangers of using ATMs and of how to protect themselves from ATM fraud.

In no case should the reader use any of the techniques presented to commit ATM fraud. The material is for awareness ONLY and the author disclaims any liability thereafter.

© Reaz Baichoo (CISSP) - 2007

Page 3

Agenda

• Introduction

• General practices

• ATM Fraud Techniques

• PIN Security

• Accessing the Cash

• ATM Burglary attacks

• Conclusion

Page 4

Introduction

• Consumers – trust and depend on ATMs

• ATMs – conveniently meet consumers' banking needs

• ATMs – one of many EFT devices vulnerable to fraud attacks

Page 5

Introduction

• Fraud at the ATM – more difficult than at a POS

• But still widespread

• ATM fraud techniques

– Shoulder surfing

– Card skimming

– Software tampering

– Hardware modifications

Page 6

Introduction

Recent global ATM consumer research indicates that one of the most important issues for consumers when using an ATM was personal safety and security (Decision Analyst).

Page 7

Introduction

[Bar chart (0% to 35%): share of consumers rating each factor "Most Important" and "Second Most Important" when using an ATM, for Personal safety & Security, Cost of Transaction, Completing transaction quickly, Financial Safety & Security, Privacy completing transaction, Simple instructions, and ATM appearance. Source: Decision Analyst, Inc. 2002.]

Page 8

Agenda

• Introduction

• General practices

• ATM Fraud Techniques

• PIN Security

• Accessing the Cash

• ATM Burglary attacks

• Conclusion

Page 9

General Practices

• Video Surveillance

• Awareness and Consumer Education

• Remote Monitoring

Page 10

General Practices – Video Surveillance

• Invaluable and effective for monitoring the ATM and the surrounding area

• Assists in the deterrence and apprehension of bank robbers

• Legislatively mandated in many states

• Potential benefits in the surveillance of off-premise ATMs

Page 11

General Practices – Awareness & Consumer Education

• Joint effort involving

– Financial institutions

– Consumers

– ATM manufacturers / service providers

Page 12

General Practices – Awareness & Consumer Education

• Financial Institutions

– Stress the importance of awareness at the ATM to their customers

– Promote vigilance in reporting irregularities

– Branch personnel, ATM service providers and cash handlers – proper training to recognize ATM fraud

– Training for service technicians to conduct a detailed evaluation of key ATM components at each visit

Page 13

General Practices – Awareness & Consumer Education

• Consumer

– Use the same ATMs daily / weekly

– Be an attentive consumer

– Notice any irregular objects or any attached notes

– Report discrepancies to the financial institution

– Carefully review monthly account statements

– Use Internet banking to monitor any uncommon activity on the account

Page 14

General Practices – Awareness & Consumer Education

• ATM Manufacturers / Service Providers

– Criminal rings purchasing ATMs and placing them on the open market

– A repository for stolen card data and PIN numbers

– Encourage consumers to use recognized ATMs

Page 15

General Practices – Remote Monitoring

• Provides an automated means to monitor and manage the ATM network

• Communicates important messages that may indicate tampering with a machine

• Provides improved ATM availability and reduces risk

• Quick identification of problems – remotely and centrally

Page 16

Agenda

• Introduction

• General practices

• ATM Fraud Techniques

• PIN Security

• Accessing the Cash

• ATM Burglary attacks

• Conclusion

Page 17

ATM Fraud Techniques

• Card Theft

• Skimming Devices

Page 18

ATM Fraud Techniques – Card Theft

• Criminals use a variety of card trapping devices

• Encased in a transparent plastic film

• Inserted into the card reader throat

• Hooks attached to prevent the card from being returned to the consumer

Page 19

ATM Fraud Techniques – Card Theft

• Criminal usually in close proximity

• Criminal offers support

• Suggests the user enter the PIN again so that he can view the entry and remember the PIN

• Criminal uses a probe to extract the card (after the consumer has left believing the card was captured by the ATM)

Page 20

ATM Fraud Techniques – Card Theft

Card Trapping Devices:

Page 21

ATM Fraud Techniques – Preventing Card Theft

• Use remote diagnostics to monitor the ATM and the error codes generated by the card reader

• An increase in the occurrence of error codes related to card readers could be an indication of a fraud attempt

• Consumer and staff awareness

• Never enter the PIN in front of intruders

Page 22

ATM Fraud Techniques – Skimming Devices

• Most frequently used method of illegally obtaining card track data

• Devices used by criminals to capture the data stored in the magnetic stripe of the card

• Read and decipher the information on magnetic stripes through the application of small card readers in close proximity to, or on top of, the actual card reader input slot

Page 23

ATM Fraud Techniques – Skimming Devices

• Skimming devices can be smaller than a deck of cards

• Can capture and retain information from more than 200 cards

• Capture account numbers, balances and verification codes

Page 24

ATM Fraud Techniques – Skimming Devices

• Consumer believes the device is part of the ATM equipment

• Sign instructing cardholders to swipe cards through the additional reader for security purposes, or

• Portray the additional card reader as a card cleaner

Page 25

ATM Fraud Techniques – Skimming Devices

Skimming Devices:

Page 26

ATM Fraud Techniques – Skimming Devices

Skimming Devices:

Page 27

ATM Fraud Techniques – Preventing Skimming

• Attentiveness of ATM consumers, branch personnel and ATM service technicians

• Visual clues – presence of adhesive tape residue near or on the card reader

• Therefore, awareness for consumers, branch personnel and ATM service technicians

Page 28

ATM Fraud Techniques – Preventing Skimming

• Use anti-skimming solutions:

– Control the speed of the movement of the card, or

– Intentional erratic movement of the card during card insertion and return by the motorized card reader – will confuse most skimming devices

– Jitter techniques incorporated into some newer card reader designs

Page 29

ATM Fraud Techniques – Preventing Skimming

• Use anti-skimming solutions:

– Install an auto alert system to monitor the routine patterns of withdrawals to help determine fraudulent withdrawals

– Migrate towards chip cards and chip card readers – less susceptible to skimming

Page 30

Agenda

• Introduction

• General practices

• ATM Fraud Techniques

• PIN Security

• Accessing the Cash

• ATM Burglary attacks

• Conclusion

Page 31

PIN Security

• Shoulder Surfing

• Fake PIN Pad Overlay

• PIN Interception

Page 32

PIN Security – Shoulder Surfing

• Direct observation

• Watching what numbers the person taps on the keypad

• Use of miniature video cameras – easily obtained and can be discreetly installed close to the PIN pad

Page 33

PIN Security – Preventing Shoulder Surfing

• Fix a mirror on the fascia of the ATM – users will see behind them as they enter their info

• Ergonomic design of the ATM to prevent shoulder surfing

• Consumer – use the body to shield the area of PIN entry

Page 34

PIN Security – Preventing Shoulder Surfing

• Educate users

• Place the ATM in a high-traffic area; illuminated signage panels and surrounding street lights provide a secure and welcoming environment for customers

Page 35

PIN Security – Fake PIN Pad Overlay

• Fake PIN pad placed over the original keypad

• Overlay captures the PIN data and stores it in its memory

• Fake PIN pad is then removed and the recorded PINs are downloaded

• Identical in appearance and size to the original keypad

Page 36

PIN Security – Fake PIN Pad Overlay

• Some are very thin and transparent to the consumer

– PIN intercepted

– Allows the transaction to proceed in the normal way

– Used in conjunction with card data theft to get the info needed to access the unsuspecting consumer's account

Page 37

PIN Security – Fake PIN Pad Overlay

• Criminal may also attach a portable monitor and card reader on top of the actual ATM's monitor and card reader to obtain card and PIN info

– Card will not be returned to the consumer

– After the consumer has left, the criminal will remove the card and use the recorded PIN for fraudulent activities

Page 38

PIN Security – Fake PIN Pad Overlay

PIN Pad Overlay

Page 39

PIN Security – Preventing Fake PIN Pad Overlay

• Educate users to be aware of abnormalities in the look and feel of the keypad

• Pay attention to the screen as the PIN is entered

• No **** appearing when entering the PIN indicates a PIN pad overlay

Page 40

PIN Security – Preventing Fake PIN Pad Overlay

• Use ATM monitoring software / services, e.g. to notify of repetitive “time-out messages”

– Could signify that a card was inserted but the transaction timed out due to no data entered

– The PIN pad overlay has received the PIN entry info
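Added example, not code from the original deck: a Python check over a constructed ATM event journal that applies the two remote-monitoring indicators from this section, the rise in card-reader error codes from the "Preventing Card Theft" slide and the repeated insert-then-time-out pattern from this slide, by comparing each terminal's current error and time-out fraction against its own baseline. Event names, terminal ids, baseline figures and thresholds are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Constructed ATM event journal: (terminal_id, event).  Event names and terminal
# ids are assumptions for this illustration, not a real vendor's log format.
JOURNAL = [
    ("ATM-01", "CARD_INSERTED"), ("ATM-01", "PIN_ENTERED"), ("ATM-01", "DISPENSE_OK"),
    ("ATM-01", "CARD_INSERTED"), ("ATM-01", "PIN_ENTERED"), ("ATM-01", "DISPENSE_OK"),
    ("ATM-01", "CARD_INSERTED"), ("ATM-01", "READER_ERROR"),
    ("ATM-02", "CARD_INSERTED"), ("ATM-02", "PIN_TIMEOUT"),
    ("ATM-02", "CARD_INSERTED"), ("ATM-02", "PIN_TIMEOUT"),
    ("ATM-02", "CARD_INSERTED"), ("ATM-02", "PIN_TIMEOUT"),
    ("ATM-02", "CARD_INSERTED"), ("ATM-02", "PIN_ENTERED"), ("ATM-02", "DISPENSE_OK"),
    ("ATM-03", "CARD_INSERTED"), ("ATM-03", "READER_ERROR"),
    ("ATM-03", "CARD_INSERTED"), ("ATM-03", "READER_ERROR"),
    ("ATM-03", "CARD_INSERTED"), ("ATM-03", "READER_ERROR"),
    ("ATM-03", "CARD_INSERTED"), ("ATM-03", "PIN_ENTERED"), ("ATM-03", "DISPENSE_OK"),
]

# Constructed per-terminal baseline: the fraction of card insertions that
# normally end in a reader error or a PIN time-out, learned from past history.
BASELINE = {
    "ATM-01": {"READER_ERROR": 0.05, "PIN_TIMEOUT": 0.05},
    "ATM-02": {"READER_ERROR": 0.05, "PIN_TIMEOUT": 0.05},
    "ATM-03": {"READER_ERROR": 0.05, "PIN_TIMEOUT": 0.05},
}

# What each indicator points at, per the slides: reader errors climb when a
# trap sits in the card throat; insert-then-time-out repeats when an overlay
# swallows the PIN entry so the real keypad never sees it.
INDICATORS = {
    "READER_ERROR": "card-reader error rate",
    "PIN_TIMEOUT": "repeated PIN time-outs",
}


def terminal_counts(journal):
    """Count events per terminal."""
    counts = defaultdict(Counter)
    for terminal, event in journal:
        counts[terminal][event] += 1
    return counts


def flag_terminals(journal, baseline, factor=3.0, min_insertions=3, min_events=2):
    """Return {terminal: [reasons]} for terminals whose current error or
    time-out fraction is at least `factor` times their baseline fraction.
    The minimum sample sizes keep one bad swipe from raising an alert."""
    alerts = {}
    for terminal, counts in terminal_counts(journal).items():
        inserted = counts["CARD_INSERTED"]
        if inserted < min_insertions:
            continue
        reasons = []
        for event, reason in INDICATORS.items():
            seen = counts[event]
            normal = baseline.get(terminal, {}).get(event, 0.0)
            if seen >= min_events and seen / inserted >= factor * normal:
                reasons.append(reason)
        if reasons:
            alerts[terminal] = reasons
    return alerts


if __name__ == "__main__":
    for terminal, reasons in sorted(flag_terminals(JOURNAL, BASELINE).items()):
        print(f"{terminal}: send a technician to inspect for {', '.join(reasons)}")
```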

Page 41

PIN Security – PIN Interception

• After the PIN is entered, the info is captured in electronic format through an electronic data recorder

• Done either inside the terminal or as the PIN is transmitted to the host computer for online PIN check

• Access to the communication cable is required – therefore more easily done at off-premises ATMs

Page 42

PIN Security – Preventing PIN Interception

• PIN pad security dictated by MasterCard and VISA

– Require an encrypted PIN pad (EPP) in place

– The EPP is a sealed module that immediately encrypts the PIN entry

– No “raw” PIN numbers are accessible to electronic hackers

– Tampering with the EPP renders it unusable, requiring shipment back to the manufacturer

Page 43

PIN Security – Preventing PIN Interception

• For online communication, the 3DES standard strengthens the encryption algorithm used to protect the secrecy of the PIN as it is sent from the ATM to the bank for verification

Page 44

Agenda

• Introduction

• General practices

• ATM Fraud Techniques

• PIN Security

• Accessing the Cash

• ATM Burglary attacks

• Conclusion

Page 45

Accessing the Cash

• False ATM presenter

• Transaction Reversal

Page 46

Accessing the Cash – False ATM presenter

• Fraud performed through the addition of traps in front of the dispense point

• Device covers or disguises the normal dispense point

• ATM dispenses notes into the false front and they are never presented to the consumer

• Consumer mistakenly assumes the ATM has malfunctioned

• After the customer leaves, the criminal removes the false front and takes the currency

Page 47

Accessing the Cash – False ATM presenter

• Simplest method – adhesive tape that blocks the cash dispenser and holds the delivered banknotes

• Another method – motorized devices that transport the delivered notes into dedicated bins

Page 48

Accessing the Cash – False ATM presenter

False ATM presenter:

Page 49

Accessing the Cash – Preventing False ATM presenter

• Enhance presenter door mechanics with a more robust locking mechanism

• Modify firmware and hardware

– After the note stack reaches a certain position within the presenter, the final delivery of the note stack is done entirely by belts, without assistance of the push plate

– With an external false cover, there will be a much lower force pushing the notes against the tape, resulting in most or all notes being retracted

Page 50

Accessing the Cash – Transaction Reversal

• Use of a variety of methods to create an error condition at the ATM, resulting in a transaction reversal due to a reported inability to dispense cash – though the cash is actually accessible by force

Page 51

Accessing the Cash – Transaction Reversal

E.g.

• ATM user requests to withdraw $100

• User carefully removes only a portion of the notes, e.g. only $60

• $40 left in the presenter

• Several seconds later, the ATM times out and sends an error message

• ATM retracts the remaining banknotes

• Dispenser is not able to count the banknotes

• Transaction reversed

Page 52

Accessing the Cash – Preventing Transaction Reversal

• Many financial institutions deter this fraud by ALWAYS debiting the account for the full amount of the transaction and dealing with short dispense claims as they occur

• Monitor the “Time out on Withdrawal” and resulting retract: if this error recurs on a specific card, it may be an indication of fraudulent activity
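Added example, not part of the original deck, of the two countermeasures on this slide: a host-side settlement routine that always debits the requested amount and opens a short-dispense claim instead of reversing an uncounted "time-out on withdrawal" retract, shown beside the reversing policy that the Page 51 scenario relies on, and a check that flags cards producing that retract repeatedly. Record fields, card ids, amounts and the threshold are constructed assumptions.

```python
from collections import Counter

# Constructed dispense-completion records as an ATM might report them to the
# host after a withdrawal.  Field names, card ids and amounts are assumptions
# for this illustration, not a real ATM message format.  The "taken" field is
# simulation ground truth (cash the cardholder actually removed); a real host
# never sees it and must reconcile against the cassette count instead.
EVENTS = [
    {"card": "CARD-A", "requested": 100, "retracted": False, "counted_value": None, "taken": 100},
    {"card": "CARD-B", "requested": 100, "retracted": True, "counted_value": None, "taken": 60},
    {"card": "CARD-C", "requested": 200, "retracted": True, "counted_value": 200, "taken": 0},
    {"card": "CARD-B", "requested": 100, "retracted": True, "counted_value": None, "taken": 60},
    {"card": "CARD-B", "requested": 100, "retracted": True, "counted_value": None, "taken": 60},
]


def settle(event, policy):
    """Decide the account debit for one completion record.

    policy "reverse": a time-out retract whose notes could not be counted
    reverses the whole withdrawal (the weakness the slides describe).
    policy "debit":   the account is always debited for the full requested
    amount; an uncounted retract opens a short-dispense claim to be
    reconciled later against the cassette count (the countermeasure).
    Returns {"debit": amount, "claim": bool}."""
    requested = event["requested"]
    if not event["retracted"]:
        return {"debit": requested, "claim": False}
    if event["counted_value"] is not None:
        # Every retracted note was counted: reversing that value is legitimate
        # (e.g. the cardholder walked away and the full stack came back).
        return {"debit": requested - event["counted_value"], "claim": False}
    if policy == "reverse":
        return {"debit": 0, "claim": False}
    return {"debit": requested, "claim": True}


def fraud_exposure(events, policy):
    """Cash that left the machine without being debited under `policy`."""
    return sum(max(e["taken"] - settle(e, policy)["debit"], 0) for e in events)


def suspicious_cards(events, min_retracts=2):
    """Cards with repeated 'time-out on withdrawal' retracts whose notes could
    not be counted; the threshold is an assumption to tune against history."""
    retracts = Counter(e["card"] for e in events
                       if e["retracted"] and e["counted_value"] is None)
    return sorted(card for card, n in retracts.items() if n >= min_retracts)


if __name__ == "__main__":
    for policy in ("reverse", "debit"):
        print(f"{policy}: undebited cash = ${fraud_exposure(EVENTS, policy)}")
    print("cards to review:", suspicious_cards(EVENTS))
```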

Page 53

Agenda

• Introduction

• General practices

• ATM Fraud Techniques

• PIN Security

• Accessing the Cash

• ATM Burglary attacks

• Conclusion

Page 54

ATM Burglary attacks

• Physical attacks attempted on the safe inside the ATM

• Through mechanical or thermal means

• Goal is to penetrate the ATM, open the safe and remove the cash

Page 55

Preventing ATM Burglary attacks

• Certification level of the safe – UL 291 Level 1 recommended as a minimum for ATMs in unsecured and unmonitored locations

• Alarms and sensors to detect physical attacks

• Ink stain technologies that will ruin and make unusable any removed banknotes

Page 56

Preventing ATM Burglary attacks – Lock and Closing Devices

• Mechanical locks

– Allow the opening of the safe door only through the combination of different keys

– Each key in the hands of a different person

• Electronic locks

– Higher level of functionality

– Allow multiple combinations, each assigned to a different ATM maintenance facilitator

– Different passwords for operator, supervisor and conveyor

– Allow opening of the safe during specific (pre-programmed) time periods

– Report remotely to the monitoring system

Page 57

Preventing ATM Burglary attacks – Alarms and Sensors

• Alarms

– Detect open / closed state of the safe door

– Monitor different parameters that can be indicative of a robbery attempt

• Sensors

– Temperature sensor to detect piercing with a torch

– Tilting sensor to detect detachment of the safe (for transportation)

– Vibration sensor to detect piercing with tools (drilling, cutting)

– Door sensor to detect if the door is tampered with outside of cash handling or servicing

Page 58

Preventing ATM Burglary attacks – Ink Dye

• Consists of detectors and ink dyeing

• Bank notes stained with ink when the control system detects an abnormality in the monitored parameters

• Stained notes can no longer be circulated, making the robbery attempt fruitless

• Dyeing of banknotes triggered by an unauthorized attempt to open the safe

Page 59

Agenda

• Introduction

• General practices

• ATM Fraud Techniques

• PIN Security

• Accessing the Cash

• ATM Burglary attacks

• Conclusion

Page 60

Conclusion

• ATM fraud is not the problem of banks alone

• Coordinated and cooperative action on the part of the bank, its customers and law enforcement is required

• ATM fraud not only causes financial loss to banks but also undermines customers' confidence in the use of ATMs

• It is therefore in the interest of banks to prevent ATM fraud

Page 61

References

• Diebold, Incorporated – “ATM Fraud and Security”, 2002.

• http://www.crime-research.org/articles/preventive-measures-ATM-frauds/

• http://www.tdctrade.com/econforum/hkma/hkma031004.htm

• http://www.utexas.edu/police/alerts/atm_scam/