Bank Fraud & ATM Security

September 12, 2012 by Sofiane Chafai

ATM Fraud Trends

According to the last 2011 survey (*) in 27 European countries, card skimming is still the most prevalent crime. However, 61% of European countries reported a decrease due to the use of anti-fraud devices and the implementation of Europay, MasterCard and Visa (EMV) technology embedded in ATMs, which provides two-factor authentication and drastically lowers the risk of stolen credentials.

At the same time, we have noted an increase in cash trapping attacks, where fraudsters target the cash dispensing slot and replace these ATM components with fake devices.

In the US, ATM fraud is expected to increase. This is due to the transition to EMV standards in Europe, Asia, Latin America and Canada, where EMV embedded chip cards are much more difficult to counterfeit than the magnetic stripe cards available in the US; most criminal organizations are therefore likely to view the US as an attractive target.

ATM fraud has become more sophisticated, and the attacks are highly organized. Investments have been made to develop fraudulent devices that take advantage of trends in components: miniaturization, storage, wifi communication, and battery life. In terms of organization, a business model has developed in which each player (skimmers, developers, mules who collect data and sell information, and card duplicators) is part of the chain of this underground industry.

Types of ATM Threats

  • Card & Currency fraud, which covers attacks conducted to steal cash and/or to steal consumers' credentials to produce fake cards for fraudulent transactions.

    • Skimming, still the most frequently reported type of attack, uses devices (skimmers) to capture cardholder data from the magnetic stripe, i.e. copying the TRACK2 information on the magnetic stripe of the card. In general a skimming device is installed over the top of the ATM's card reader; sometimes it is installed inside the ATM. The skimmer captures the card data before the ATM card reader does, and the data is stored and transmitted to the attackers. Skimming is often combined with other devices, such as cameras and a fake keypad, to capture the PIN.

    • Card trapping aims to steal the consumer's card so the attacker can use it at a later time. This attack is combined with the use of other devices, such as the cameras and the fake keypad described previously.

    • Currency trapping and fishing are used to steal the cash, either through a false dispenser (trapping attacks) or by using wires or probes to prevent the cash from being dispensed (fishing). The attacker retrieves the cash as soon as the consumer leaves the ATM.

    • Transaction reversal is an attempt to create an error condition at the ATM that results in a transaction reversal due to a reported inability to dispense cash.

    • Dummy ATMs are ATMs bought and set up by criminals and installed in pedestrian traffic areas for the sole purpose of reading consumer card data. The machines are powered by batteries or the nearest power socket.

  • Logical / Data Attacks
    • Logical attacks target the ATM's software and operating system; the attackers include virus authors and hackers who install malware. The logical attack is still one of the most difficult to detect, and the impact can be very high, as it can compromise the data of thousands of consumers. Logical attacks include malware and viruses.

    • Hackers attempt to install malware in order to violate the integrity, confidentiality and authenticity of transaction data. The purpose is to gather cardholder data and dispense cash. Attacks can be executed either locally or remotely. Local attacks are performed by downloading malware or sniffing the communication between the card reader and the ATM Central Unit using a USB drive connected to the ATM computer. The system should be locked down to prevent any unauthorized program from running.

    • Remote attacks target the ATM networks and attempt to compromise the communication with the host. These attacks are more critical because a hacker does not need to open up the ATMs.

    • As knowledge of ATM technology becomes widespread, access to monitoring systems through web browsers or TELNET gives easy access to attackers, who can hijack ATM management systems and perform management functions.

    • ATM networks are still vulnerable to the same attacks as other IP-based networks. Remote attacks such as Eavesdropping, Spoofing, Denial Of Service, Sniffing, and Virtual Channel Theft are almost always carried out by criminal organizations.

  • Physical attacks
Physical attacks are usually perpetrated to gain access to the cash and all valuable ATM components such as the safe, the top hat, presenter and depositor or in some other cases, the entire ATM. Depending on the component targeted, the attacks can be described as below:

Because it contains the cash, the safe is still the most common target. The perpetrator's efforts concentrate on the locks, handles and hinges of the safe. In some cases the top hat is targeted to steal the ATM hard drive or to attach skimming devices or USB devices to download malware. The presenter and depositor can be subject to attacks where perpetrators attempt to access an ATM's cash sources (deposits), using several methods: cutting, drilling, burning devices (torch), pulling the safe door, using pry bars, bombs and other explosive devices. Other physical attacks attempt to remove the ATM and move it to another location: ramming the ATM with a car or truck, pulling it using a chain and a car, or lifting it from its foundation with a forklift.

How to Secure Your ATM

Securing the ATM infrastructure has become one of the most challenging tasks. The process requires the involvement of business, IT and third party vendors. ATM security is a combination of physical security, which is basically how to secure the assets; logical security, or how to protect operating systems from malware; and finally fraud prevention against skimming attacks.

In practice

An ATM Security Policy should be in place, or a related section should be added to the current Security Policy. All ATMs should comply with PCI DSS, and all third parties, contractors, and providers involved in ATM processing should comply with PCI DSS standards. A regular internal audit should be conducted to ensure compliance with the security policy.

The ATM location should comply with the "Crime Prevention Through Environmental Design" concept which provides guidelines and a set of rules on proper facilities design and environment, which affects human behavior by reducing the occurrence of crimes. It addresses landscaping, entrances, facilities, lighting, road placements, and traffic circulation patterns.

The ATM location should be far from any glass walls and close to a solid wall. There should be no direct access to the ATM, and bollards should be added to prevent car jacking.
An ATM located in an open, visible area with proper lighting in place will help to prevent criminal activities. The ATM should be well fixed to its location.

An onsite validation process should be put in place so that the ATM location is approved by the key players: Bank or site owner, ATM vendor, ATM supplier, ATM Cash Replenishment companies, and local police intelligence (who can report the crime history of the location). During maintenance, if ATM vault access is needed, the branch or office should be closed and the cash withdrawn and put in a vault for the duration of the maintenance operations. An Intrusion Detection System should be in place in all areas where the ATM is located.

The ATM should include its own alarm system and embedded CCTV cameras. The PIN keypad should not be covered by the cameras, and the CCTV should be connected to a recorder and a centralized screening system.

Consumers can increase PIN protection by avoiding any shoulder surfing attacks.

Including GPS as an additional component of an ATM can help to locate it in theft cases. As a compensating control, active cash protection can destroy the cash using ink, glue or gas.

Include an ATM review in the annual Risk Review

A process review should be in place to review lost audit trails and security notifications, according to security policies, standards and best practices. The process review covers changes to user profiles and tracks all unsuccessful logins or access attempts. It also covers the use of privileged user accounts and all major events such as restart, stop, and change in execution mode.

Admins should not interact with ATMs directly from their personal computers or laptops. The PIN should never be transmitted or stored in clear text, regardless of the media or channel used. ATM network communication should be encrypted using a strong encryption protocol (3DES, AES); the WEP protocol is prohibited.

Conduct regular ethical hacking tests and vulnerability scans on the ATM network, including testing for the presence of wireless access points. The exercise should cover black box penetration testing, malware analysis and source code review of the ATM's firmware.

All passwords should be changed from the manufacturer's defaults. A disposal process should be in place for the ATM: the HDD has to be cleaned at the end of life. Only users with administrator profiles should access ATMs through terminal services / server. Patch management should be in place and followed prior to installing any patches or fixes on ATMs, and all updates should be tested prior to being applied in production.

Antivirus protection should be implemented for all ATMs. Restrict physical access to ATMs, block all unnecessary ports, and protect cables and switches, particularly in shared occupancy facilities.

Patch installation on the ATM requires disconnecting the ATM from the network and taking it offline during the installation process. To avoid any disruption in customer services, planning should take place.

All data on ATM HDD should be encrypted to prevent any unauthorized access during third party maintenance or in theft cases.

Educate people (employees, consumers, third party technicians) through training, awareness and sharing of best practices. Random checks should be conducted by employees, who should inspect the reader for skimming devices during ATM maintenance and cash replenishment.

Deploy a detection system that senses and sends an alert, and/or takes the ATM offline, when anything is attached to the card reader, keypad or fascia. Keep records of all security complaints. Use sensors and detection systems which can trigger alerts or shut down an ATM if any external device is attached to the card reader or keypad. Use of jitter technology and other behavioral software can detect and stop all transactions which do not match the cardholder profile.

The responsibilities of third parties, contractors and providers should be clearly defined and stated in the SLA in case of fraud conducted through ATM interface software or unapproved software installation.

Employees should not have full access to the ATM. Segregation of duties, least privilege and access based on business need should be followed to mitigate the associated risk. Implement a password policy according to best practices and track all cases of password sharing through regular controls; be sure to change the default password.

Access control should be in place with two-factor authentication. Harden the ATM operating system and disable all unnecessary user accounts (guest). User accounts should be locked after 3 unsuccessful attempts. Develop an incident response process for identified attacks, with a response plan including tasks and personnel assignments.

Next Steps…

Organizations need to assess and review the risk profile of their ATMs, because threats can vary depending on the location, environment, facilities, CCTV, etc. A Risk Analysis will outline all vulnerabilities and the related countermeasures or compensating controls to reduce and contain the risk, which include prevention and detection controls.

The first is prevention: through security policies, procedures and baselines; through technical controls such as firewalling and preventing unauthorized equipment from being physically plugged into the ATM; through deterrent controls such as CCTV cameras; and through educating people with awareness training.

The second is detection, by monitoring, alert notifications, regular log reviews, and vulnerability assessments.

Physical security, logical security and fraud should not be addressed separately. As attacks become more sophisticated, issues need to be addressed from the physical, logical and fraud perspectives together.

Multilayered security methods are the most effective. Layered security should be in place: perimeter security through physical access control, firewalls, hardening the ATM's operating system to close all unnecessary ports and make them unavailable to hackers and worms, regular pen testing, a secure maintenance process, and the use of centralized monitoring tools.

Monitoring is still one of the most important steps in securing ATMs. ATM monitoring capabilities provide a set of messages, statuses, notifications and alarms which can be analyzed to identify problems or security concerns. For example, notification of continual card reader failure might be an indication of a tampering attack.
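The monitoring idea above, together with the transaction reversal threat listed earlier, can be sketched as a small detector over ATM status messages. This is an added example, not code from the original article or from any monitoring product; the feed layout, device and status names, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample feed; the "timestamp atm device status" layout is assumed.
SAMPLE_FEED = """\
2012-09-12T09:02:10 ATM-002 CARD_READER FAIL
2012-09-12T09:03:40 ATM-002 CARD_READER FAIL
2012-09-12T09:04:00 ATM-001 CARD_READER FAIL
2012-09-12T09:05:15 ATM-002 CARD_READER FAIL
2012-09-12T09:06:00 ATM-001 CARD_READER OK
2012-09-12T09:10:00 ATM-003 DISPENSER REVERSAL
2012-09-12T09:20:00 ATM-003 DISPENSER OK
2012-09-12T09:25:00 ATM-003 DISPENSER REVERSAL
2012-09-12T09:40:00 ATM-003 DISPENSER REVERSAL
garbled line that must not stop the monitor
"""
# Hypothetical rules: (device, status) -> (hits needed, window, alert label)
RULES = {
    ("CARD_READER", "FAIL"): (3, timedelta(minutes=15), "possible reader tampering"),
    ("DISPENSER", "REVERSAL"): (3, timedelta(hours=1), "possible reversal or trapping"),
}

def parse(line):
    """Return (time, atm, device, status), or None for a malformed line."""
    parts = line.split()
    try:
        return (datetime.fromisoformat(parts[0]), *parts[1:]) if len(parts) == 4 else None
    except ValueError:
        return None

def detect(feed):
    """Flag ATMs whose repeated faults reach a rule's count inside its window."""
    recent, alerts = defaultdict(deque), []  # recent: (atm, device) -> hit times
    for when, atm, device, status in filter(None, map(parse, feed.splitlines())):
        hits = recent[(atm, device)]
        if (device, status) == ("CARD_READER", "OK"):
            hits.clear()  # a good read ends a "continual failure" run
        rule = RULES.get((device, status))
        if rule is None:
            continue  # DISPENSER OK does not reset: reversals interleave with good withdrawals
        needed, window, label = rule
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()  # forget hits older than the window
        if len(hits) == needed:  # alert once, as the threshold is crossed
            alerts.append((atm, label, when.isoformat()))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_FEED), sep="\n")
```

In practice the thresholds and windows would be tuned per site against the normal fault rate of each ATM model, so that an ordinary jammed reader does not page the operations team.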

As the human factor is still the weakest link, employees, consumers, and providers should be aware of ATM threats. An awareness program should therefore be developed and conducted; the program includes presentations, hands-on training using multimedia presentations, formal training sessions, movies, flyers, etc. to reach a large audience.

A holistic strategy will drive and protect Automated Teller Machine channels at all levels.

*European ATM Security Team

Sofiane Chafai

Mr. Sofiane Chafai is a CISSP & Prince2 certified Information Security and IT professional with 10 years of exceptional track record in driving projects and high end systems solution implementation in the Finance & Tobacco industries. A member of ISC2, he has held several positions in different organizations: Security Officer for Trust Bank Algeria, in charge of the information security program, the development and implementation of security policies and the setup of the Business Continuity Plan for the Bank; North Africa IT Head at British American Tobacco; and IT Project Manager & Business Information Security Officer at Citibank Algeria, where he successfully implemented Real Time Gross Settlement & eclearing modules on the Citigroup core banking system.