Drilling holes in ATMs, card skimming and other fraud

Stan Engelbrecht, director of cyber security practice for D3 Security, chats with Chris Sienko about a scary topic that we've been hearing a lot about on the news: the practice of ATM fraud and the implications for other swipe- and chip-based technologies.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec Institute. Today's guest is Stan Engelbrecht, Director of Cybersecurity Practice for D3 Security. We're going to be speaking about a scary topic that we've been hearing a lot about on the news, the practice of ATM fraud and the implications for other swipe- and chip-based technologies. Stan Engelbrecht is the Director of D3's Cybersecurity Practice and an accredited CISSP. Stan is involved throughout the product delivery and customer success life cycle and takes particular interest in working with customers to configure solutions. You can find Stan speaking about cybersecurity issues at conferences, in the media and as the chapter president for a Security Special Interest Group. Stan, thank you for being here today.

Stan Engelbrecht: My pleasure, Chris. Pleasure to be here. Looking forward to this.

Chris: So how did you get started in computers and security? Were you always interested in these things or did they sort of come later? What were some of your formative experiences?

Stan: I think for the most part, a lot of it came later. I've been interested in computers since my early teens, put together and built my first ones in my teenage years, but never really did anything industry-wise with it up until later. Then basically went back to school, got introduced to that Security Special Interest Group here in the Vancouver, British Columbia area. Had one professor who really focused on the aspect of security as a whole actually, across both physical and cybersecurity areas. And that really kind of kicked off my interest in that. And so that's been a fantastic journey. That's been sort of what I've delved into now for the last six, almost seven years, and it's been great. I did a lot of other things in my life prior to that, but that's where my last six, seven years have been, in the security industry.

Chris: What was it about the sort of professor's approach that got you excited about security when you weren't previously?

Stan: Just really looking at some of the complexities, looking at how our world has changed in the last number of years. I've got three kids at home and when I came to the realization that none of them will ever know the world without the Internet and really what that ... I'm old enough to remember the world without the Internet [inaudible 00:02:27] have to go back.

Chris: The day it came to town.

Stan: Yeah, exactly. And really just realizing they're going to grow up in a vastly different world and there's aspects of that world that they're going to have to deal with their whole lives that we didn't even have to touch on. And he really brought to light a lot of those things, the different security concerns. I mean, you're familiar with the security space attack surface in terms of everything now from our smartphones to our computers to fridges for crying out loud and other stuff that we never ever thought would be interconnected. And that really kind of sparked that interest in terms of security as a whole, especially cybersecurity or information security as the total field is called.

Chris: That brings up the thing, folks who are enjoying this conversation and are interested in more about that, we also did a recent episode about hacking the Internet of Things, which goes deeply into sort of the implications of everything from pacemakers to smart homes and what have you. So today we're specifically talking about a sort of combination security/physical attack. The US Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming. Usually it involves cutting cupcake-size holes in the cash machines and using a combination of magnets and medical devices to siphon currency or customer accounts directly from the card reader inside the ATM. When and where did this form of physical theft begin and how exactly does it work?

Stan: Yeah, so I went back and I actually did a little checking and it looks like it's well over a year old. The first article that was announced on it, actually, Kaspersky did research on it and it really happened in Europe and Russia to begin with. And so they figured those types of attacks started in 2016-ish, somewhere in there, but they've only really gotten prevalence, or I should say prevalence is probably the wrong word, but notoriety, now. The US Secret Service put something, they put a bulletin out to financial services and they were literally, I think if the articles are correct, they were literally a day before the actual attacks happened. When they started, there was a large attack that siphoned off a lot of things.

These cupcake-size holes that they're finding in machines, it's a more sophisticated attack. And I think it really speaks to the fact that ... I mean, ATMs are designed to be physically accessed. And that's sort of a theme that we'll probably talk about throughout the interview, but as these machines are ... there's tens of thousands of them deployed worldwide. And honestly for a criminal element to get their hands on an actual machine and take it apart and study it is not going to be overly difficult anymore, especially when you're dealing with countries in other parts of the world where the law enforcement isn't maybe quite as widespread or maybe they don't have the resources.

Chris: Or not every ATM is being continuously monitored by a camera or what have you.

Stan: You got it, exactly. And, really what's happening is it's exposed weaknesses in terms of the internal components and how they really function together. So there's a 10-pin connector that largely gives them direct access to the main systems and they can basically send a command that says please spit money. And that's what they've been doing. It doesn't affect you or me as a consumer in terms of using the cards, but it definitely affects the financial services because if you have somebody walk up to a machine and just sit there and spit all the money out of a machine, obviously it's just not a good thing. So there's a lot of components on the inside that work together, but they're very, very simple. I think if you look in it ...

And I am going to refer back to Kaspersky because they're really the ones that did the research on this. They said it really was not difficult. It took them $15 in parts and a little bit of time looking at the code and went, wow, this is really easy.

Chris: Wow. So obviously, like you said, this is something more of an issue for financial services, although certainly it seems like in some cases reader account access can be stolen and so forth. And I've been hearing about this for years with gas pumps, that there'd be hacks on gas pumps and any kind of swipe places. So what type of warning signs, physical warning signs, should savvy ATM users be on the lookout for to make sure they're not putting their account info at risk? I mean, what are you looking for apart from just looking like it's sort of beat up or whatever?

Stan: That's a good. Beat up is a great-

Chris: It's a great start.

Stan: If you're noticing like scratch marks, scratch marks obviously not like claw marks but scratch marks in terms of if things have been slid across or it looks like something's been jammed or forced over top of the keypad area. There's other ones where they'll mount a camera above the PIN pad to get that type of ... obviously get people typing in their codes. So it's really looking for things that are out of place. And again this becomes difficult because you know as well as I ... not every ATM looks the same. Everyone's got a bit of a different configuration. So it takes a bit of savvy to kind of notice these things.

We're all busy. I'll say it, myself or if I go to an ATM, my first thing isn't to do a complete physical security check on the ATM. But at the same time being savvy enough to notice if things are really, really out of place.

Chris: Right. And there's also that, you don't necessarily want to walk to the next ATM. You're like, oh, I'm sure it's fine or whatever. But you really do have to be careful about this.

Stan: You do really have to be careful about it. I mean, if you're sticking to the ones that are at the bank branches and whatnot, chances are those ones have got ... they're monitoring those, they're on camera. Those ones are probably going to be your most secure ones. It was interesting looking at the ones that they're actually drilling the holes into, they're becoming quite savvy with those. They're not just drilling the hole, leaving the hole, they're patching the hole and then putting a nice little logo over top of it. They're making it look like it's just part of the machine. So this is something where unless the general public is aware that these things are happening and you're grabbing the ... punching your finger into where maybe the stickers are, those are going to be really, really hard to tell whether or not they've been tapped or not.

So it's looking for things that are out of place, it's looking for things that are loose. I mean, you're going to probably lead into the sort of the next type of attack coming up and there's things to look at there, but it's really area and location I think are a big thing. I'll say it later in the interview as well, try to avoid the ATMs that are in the dark, isolated locations. You don't know what type of security controls are around those and it just can be a problem.

Chris: Right. Now, if you see one of these compromised ATMs or other sort of warning signs that could suggest a hacked card reader device or a gas pump, is there sort of a central place that you should be reporting this information to? Should you just go to the nearest business and say there seems to be something wrong with the ATM, or is there sort of a centralized agency that you should talk to about this?

Stan: Yeah, that really is going to depend on kind of who owns the ATM systems. Like up in Canada here, we've got a number of independent ones. They'll have a phone number on them or whatnot. If it's with a major financial institution, I'd probably notify the financial institution via phone call immediately. The other thing to do is call local fraud for law enforcement. They're looking out for these things. These are items that they need to be aware of as well. Might be a good thing to notify the financial institution and then the fraud department. I mean, here in Canada with the RCMP, they've got a dedicated fraud hotline, so that would be sort of a centralized area that I would report to here. In the US if there's a local fraud line that they have for a County Sheriff's Department or law enforcement, that's probably another place that I would go to as well as the financial institution itself.

Chris: Now, in addition to obviously swipe card fraud being fairly common and fairly easy to do, there's another slightly more subtle technique I heard of called shimming, in which paper-thin shims containing embedded microchips and flash storage can be fitted into indoor devices, which specifically target chip cards, which is scary to me because I thought chip cards were created because they were safer than swipe cards. So it seems there's always keeping one step ahead there.

Stan: Yeah. I mean, that's security as a whole across all industries. It seems like the crooks are always going to be one step ahead. The shimming ones are a bit interesting because they're more expensive right now because of the technology involved and you're right, it's like a paper-thin ... literally like a paper-thin card that goes in between the reader and when you stick your card in, it basically taps off the card. Now, on the good side of it, the chip cards still are more secure. They can't replicate the actual chip card itself with the encryption items and everything else. So basically what they can do is they can replicate a card that they can use in swipe machines. They can't use it for tap and they can't use it for chip card payments, but they can use it at any place that has a swipe area. So the chip still gives you an extra layer of security.

These are tough. There was one, and kudos to him, in one of the articles on this, there was an owner who does a regular routine check on his point-of-sale machines and they have a test card that they put in. And the first thing that he noticed with the test card was that it was really difficult. He actually had to put quite a bit of force, more force than normal, to actually slide into the machine. And that's what tipped him off that something might be wrong. And again these are difficult things to actually see because you'd probably have to shine a light actually right into the slot to actually see it.

He had to take the machine apart to actually find it. And then when he found it, he was like, "Whoa, what's going on?" They took the other machines apart and found the other ones. But the biggest telltale sign there on looking for that one is if the card has a larger force than normal to actually put into the machine.

Chris: Okay. Now, and is that something that they would have to have ... To insert a shimming device, would you need access sort of during off hours? Or is this something that someone with a card can just sort of zip in there and be on their way?

Stan: Yeah, this is the tricky part with this particular attack, because it can look ... And it's two ways. They can come up to a machine and look as if they're going to be paying for something and essentially slide it in unnoticed and it slides in far enough that it's not going to be seen. On top of that, they could very easily go in and pay for something and do an actual transaction, slide it in essentially at the same time and then leave the skimmer in there. Furthermore, they have a card to actually read off of that and they can just simply slide the card in as if they're doing a normal transaction and read the information off that device. So it's a new type of attack. It's definitely scarier I would say in terms of how subtly they're able to do this. But again, like I said, you're still more protected with the chip card because they can only duplicate the card for swipe transactions.

Chris: All right. Now, in addition to these sort of ATM skimming fraud issues and we're getting to the sort of holiday season, there's going to be a lot of swiping. There's going to be a lot of ... everyone is doing more transactions and payments than they do any other time of the year. And a lot of it is, I dare say, sort of not the most thoughtful, you're sort of swiping everywhere. So whether gas pumps or retail stores or charitable giving or whatever. So can you suggest any strategies, safety measures that people should be thinking about in this sort of most swipe-heavy of all seasons?

Stan: Yeah, that's a good one. The unfortunate thing is a swipe is just really insecure. If you can avoid it, avoid it. That would be my first line of defense. I have friends in the security industry that if they're traveling or they're other places and they have to swipe their card, they don't. They'll actually take the time to go and look for additional places to actually use a card that has the chip or a tap to pay. But again, sometimes you can't get away with it, get away from it, I should say, in terms of the swipe. It's a busy season, people just need to be more aware, watching their transactions more closely. You probably are going to want to check your transaction records on sort of a more regular basis.

So if you've gone out, if you've done a lot of shopping, make sure you're checking your transactions via your financial institution at the end of the day or every couple of days. Yeah, it's difficult. That's about the best security advice that you can have. If you can avoid swipe, avoid it. If you can't avoid it, check your transactional records and make sure that the bank's aware or the financial institution's aware. Some of them are really, really good especially on the credit. A lot of the credit card companies have gotten very, very good at tracking fraudulent transactions if it's something that's really outside. One of my institutions got in touch with me, this is going back a couple of years, but still I got a phone call out of the blue from them. They said, "Look, we're from the fraud department such and such card, we want to just talk to you about some of the transactions."

And this is important. They didn't ask for any type of verification, they didn't ask me for my passwords or anything else, they just wanted to verify transactional records. And one of them was for a candy store in South America and I'm like, "I have not been down there." And they're like, "Okay, that's what we kind of figured." But they were on top of it. And that's probably one of the best things that I can tell you. If you can use your tap to pay rather than swipe, use tap to pay. More and more places are taking the Google Pay services, the Apple Pay services, it's an extra layer of protection and if you can use that instead of your swipe, do that.

Chris: Has there been any sort of tampering possibilities with tap to pay or is that pretty unhackable at this point?

Stan: Okay. I am going to avoid the term unhackable.

Chris: Of course, yeah. Less hackable.

Stan: Less hackable. You know what, it is. It's definitely more secure. There's more security controls in place. Items like PayPal or different places that allow you to preload a certain amount into your accounts so it's not a direct access, which means you can limit the amount that's getting taken out of that account. But for sure it's less hackable like that. The tap to pay, especially on the credit card services, is really good because liability is really what this comes down to. If the credit card company is waiving their right for you to sign off on a transaction and you're using your tap to pay and that gets hacked somehow, you're not liable for that because they've waived the right for you to sign on it. So use something that's going to limit your liability.

Chris: So it sounds like you've already answered this, but I assume we should be sort of moving away from a sort of swiping economy. What I'm hearing is that tap to pay and even chip card should be the sort of default going forward.

Stan: It really should be. It's just a far more secure way of doing a transaction. And again, it's a matter of limiting your liability and going from there. If you can avoid the swipe, avoid the swipe. It's just too easy to have those type of items skimmed off your card.

Chris: Is it something that is going to be fairly easy to implement? I mean, because sometimes you're in the middle of nowhere and all you've got is an old-school swiper or even the old … or something like that. What are the sort of impediments to implementation other than…

Stan: Cost.

Chris: Cost, okay.

Stan: Cost. You're looking at the cost factor on doing that because as far as I know, it's largely up to that particular vendor. I'm not going to fault mom-and-pop shops or different places for not upgrading because it's an expense. And oftentimes the financial institutions charge a lot for upgrading machines. It's not a small cost to upgrade these items, but we're in a day and era where you want to keep your client information as safe as possible. And it really is a cost factor that's going to justify that portion of it. It's not a technological issue, it's not a network issue anymore, it comes down to upgrading the endpoint devices there.

Chris: To that end, with regard to ATMs and the sort of intrusive penetration of them and so forth, is this a situation where newer devices are more hack-proof but fraudsters are still kind of able to get into more out-of-date devices? Are there firmware issues at work? Is there something that newer machines are better at than older machines?

Stan: Yeah, so I want to say yes, some of the other research ... So recently there was a big push, actually 2016, to upgrade most of the machines off of XP onto Windows 7. January 14th is now the cutoff date for Windows 7 and so a lot of the financial industry, rather financial services area, they are now looking at upgrading to Windows 10 on their machines. Again, it isn't foolproof, but it's helping. With regards to the ... it's a firmware issue or whatnot. The physical attacks on the machines where they're drilling this cupcake-size hole into it, as far as I know, this isn't just older machines, this is newer ones as well. They have some protection measures in place where if they tamper with the unit, it's supposed to send an alarm off, I guess network-wise, to let it know that, hey, this has been tampered with.

Again, it's not foolproof. My understanding is that they drill the hole, wait a little bit, come back just to make sure that nothing's been ... no alarms have been kicked off. But again, they're able to get in there. There's very little authentication between the internal devices. So the internal chips and the cards that are functioning within the ATM. So they're able to tap into the main board and basically, hey, spit the money out.

How do you secure those? How do you make them more hack-proof? In the security industry, if you've got physical access, all bets are off for the most part. And it comes down to largely, I think, in terms of convenience versus security. Can they build a box that if ... Let's use maybe a hypothetical example. Let's say you encase all the components within a secured box that if anything happens to that box, a hole gets drilled through it, you've got basically a circuitry around the entire box that sets an alarm off and shuts the machine down and then it just locks the whole machine, so nothing can happen with the machine. I would think it's doable, but now you've given the creeps the ability to do a denial of service attack on the boxes.

So at what point does the cost of sending a repair guy out constantly to fix the box, update whatever happens, replace the components in that box on there ... At what point does the security outweigh the convenience of the cost, the financial institution of having to constantly repair the unit? These are the things that they're going to look at and weigh. So there's things they can do. It's a difficult problem. I don't know if there's any good solution right now to it that I've seen that's going to really block the physical attacks side of it.

Chris: Are there any legislative methods you think that could be enacted that would reduce instances of this to sort of ... or sort of force the money? Is this enough of a deal or enough of a problem that you could say like tax credits if you upgrade all your ATMs or all your devices or something like that?

Stan: That's a good ... So I think if you look at it on a country by country basis, do I think Canada could do something? Do I think the US could do something? Yeah. Do I think the European area and UK, could they legislate something like that? Yes, I think they probably could. How effective it's going to be, I don't know. If you're talking about other countries around the world, I don't think you can legislate. I don't know how you could legislate something like that. I think the bigger push is going to be financial costs to the bottom line of the financial industry itself. In other words, if they're getting hacked enough and it's costing them enough money, that's probably going to be a larger kick in the pants to get something done than if the government's going to legislate something, in my opinion.

Chris: So as these security issues continue to be discovered and plugged and discovered and plugged, do you see any new technologies or methods being developed to make these physical card based devices safer? It sounds like to tap to pay is the big one, but is there anything else out there in that regard?

Stan: So tap to pay is the big one. Again, like I said, on the physical security side of the boxes, I haven't seen a whole lot. It's difficult because they're going to have to try to monitor the boxes in some method that, either set some type of a network alarm off that they can respond to very quickly. But again, if you've got isolated ATMs out in the middle of nowhere, how do you handle those types of situations? So it's difficult. I think in terms of the card protection side of it, there's encryption methods that are coming out and I'm not going to claim to be an expert, but in the quantum technology side of things, there's some companies that we've talked to in the last few months that have developed new encryption methodologies. So I think that's going to be a larger ... another type of protection item that's coming out.

Other areas where I think, and again I'm going to head back to the convenience side of it in terms of protecting ourselves when it comes to using the cards, it may not be convenient to use some type of a two-factor or multi-factor authentication, but you know what? Maybe when we're using our cards in a chip slot, we get sent something to our phones or some other token device that we have that says, yeah, this is a transaction that I'm doing. Is it convenient? Maybe not, but you know what? If somebody is using a swipe method to pay for something and it has to go through a second factor, that's going to protect you from that.

Chris: Especially if it's $2,000 or something.

Stan: Yeah, and the thing is, that's a big deal. I mean, it's gotten better, but ... This is a number of Christmases ago, we were out in a very well known mall, Bright and Airy Mall here in the Vancouver Area and my brother-in-law who's from one of the other provinces over, he was just buying Christmas stuff and all of a sudden his card stopped working.

He had only been shopping in well-known chain stores. Something in one of the stores hit and it locked his card because somebody pushed through two transactions. The second one was I think for almost $5,000 and they caught it. But again, if you've got a second factor on there, you're going to know right away. It saves embarrassment going in and having your card declined because it's locked. If you've got an additional factor coming into maybe your device saying, hey, is this you that's trying to authorize $5,000 onto your card?

Chris: Yeah. I mean, if you really want to do it, you can almost have a call from a live operator, if you really want to do the extra step or whatever for ...

Stan: Yeah. You know what, the apps have gotten so good these days in terms of the banking apps and the apps that the credit card companies have. To have something in there or to have your app open, you know what, if that's an extra layer that's going to drive costs down all the way around and okay, maybe it's, again, not the most convenient thing, but it's an option.

Chris: Going from the hardware side of it, how about with regard to software and firmware? Is this something that you feel is being addressed properly? I heard about an FBI warning on so-called ATM cash-outs where networks of crooks would not only print unlimited money, but also would disable the spending limits and things like that right beforehand.

Stan: Yeah. And those are pretty coordinated attacks. They take a lot of sophistication, knowledge of the backend systems. I think that's getting better. There was a really interesting article that actually I read just a little bit ago, just in terms of doing a little bit of extra research in terms of the interview here. There's a consortium of about 125 ATM companies that are actually looking at moving away from a Windows-based approach and actually looking at developing their own and using their own in-house software and apps to actually build ATM software as a ... Open source is the wrong thing, but when you've got 125 companies, they're all tapping their combined knowledge, they're looking at setting their own standard.

Chris: Like a proprietary software or something.

Stan: Yeah. And the big thing is that they're saying, look, we're the experts on this and we want to come up with a way. I think they've decided on an API methodology now. Where it's going to lead, I don't know. They admit it's going to take a long time. They'll probably migrate to Windows 10 yet before actually getting their own items in place. I don't necessarily think it's a bad idea. They're the experts in their machines, if they can come up with a methodology from the ground up, I think that's great. That has its own issues. And again, I don't think anything's foolproof, but at least the improvements look like they're going through. And again, it's lost money. This is what's driving a lot of it and is forcing them to improve on the ATM technology, forcing them not to simply sit on Windows XP.

And unfortunately it's more of the developed countries that are moving that direction. I think it's difficult in other countries. Like you've got India still largely on Windows XP units and other places like that and these aren't easy issues to solve and there's a cost factor involved in everything.

Chris: And they're also sort of global issues too, so you really can't just say, well, we're fine over here, right?

Stan: Yes, exactly. I mean, face it, people travel all over the place and people want to know that no matter where they go, that their transactions are going to be secure and that becomes a much larger issue.

Chris: So as we wrap up today, can you tell me a little bit about your company D3 Security. What is your company's primary focus and how do you help strengthen your client security?

Stan: Yeah, so our primary focus is an incident response and case management software platform. SOAR, as the acronym is, which is Security Orchestration Automated Response. Largely we do areas of SOC automation. So Security Operations Centers use our software to log, track. We interconnect with a lot of different tools, be it SIEM systems or email systems and endpoint items and essentially try to automate as much of the processes as possible. Where sort of our largest return on investment comes in is really helping SOCs to get away from cutting and pasting into multiple different tools and automate a lot of the ingestion and then the actions that they may need to take.

So that's the space we play in along with ... What we've noticed in the industry so far is a lot of convergence in terms of security. There's been a lot of siloed items in the last number of years in terms of, well, the physical security was in one space, the corporate security was another space, data privacy had their own area, SOC was their own area. That landscape is changing. Industries are finding that in order to be agile enough to keep up with the attacks, you need a better communication platform and we help supply that across the enterprise.

Chris: And where can listeners find you if they want to learn more about D3?

Stan: Yeah, d3security.com is our website. You can find us on Twitter, you can find us on LinkedIn. So any of those main places. Yeah, and that's probably the best place to look. You'll find me on all those places as well and if anybody wants to reach out, I'd love to hear from them.

Chris: Well Stan Engelbrecht, thank you very much for joining us today.

Stan: Chris, I appreciate it. This has been an absolute pleasure.

Chris: Awesome, and thank you all today for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in InfoSec Institute, check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you'd like to qualify for a free pair of headphones with a class signup, podcast listeners can go to infosecinstitute.com/podcast to learn more about this special offer. And finally, if you'd like to try our free SecurityIQ package, which includes phishing simulators you can use to fake phish and educate your colleagues and friends in the ways of security awareness, visit infosecinstitute.com/securityiq. Thanks once again to Stan Engelbrecht and thank you all again today for watching and listening. We'll speak to you next week.
