The ATM Protection Racket

EMV (or “Chip and PIN” as it’s known in the UK) is changing the fraud landscape, no doubt about it. Counterfeit card fraud at POS is down, card theft is down, card-not-present is up, phishing is up, ATM fraud is up. Fraud migrates, we get the picture. But as EMV reaches maximal deployment in the next five years or so, the banks and other investors in this technology are hoping that the flood will abate to a trickle, and that some holes can be totally plugged.

I’ve been thinking about whether or not EMV is capable of sorting out the ATM fraud problem (also known as “phantom withdrawals”) once and for all. Well, as I wandered around town this afternoon I snapped some pics at WH Smiths of an ATM in distress, and it reminded me how horribly vulnerable our ATM infrastructure is.

[Photo: ATM1]

It’s not just the “look of vulnerability” exuded by them, like these cheap wafer-locks on the housing of the aforementioned ATM (I’m sure there must be a better lock before the cash safe itself); it’s that all the security is based around keeping the money and the secrets safe, and very little attention is focussed on keeping the machine alive and operating.

[Photo: ATM2]

Read on to find out my master plan…

Now, up until the deployment of EMV, why disable an ATM? Why damage it if you know that you can’t get the money out? Disabling an ATM would just be mindless vandalism. But now put yourself in the mind of an organised financial crime gang, looking on while your steady income of nice clean money from ATMs peters out as the bank slowly upgrades all the ATMs in your area to be EMV-capable. Are you going to be angry? Yes! Who’s in charge of this neighbourhood, the west-side posse or the west-clyde bank? We are!

So you fall back to a good old-fashioned crime — racketeering, with the aim of forcing the banks to continue to fall back (to magnetic stripe) themselves. It’s quite simple: any ATM which denies a magstripe fallback transaction gets worked over. You can put in a card with high voltage contacts to zap the chip reader, or with nasty goo on to stop the contacts from working, but leave the magstripe functionality intact. That’s a kind warning to the west-clyde bank (fictional name taken from “The Parole Officer”) to continue to support fallback. If you want to be firmer, then squirt glue in, smash up the screen. Maybe if you know the right place to drill, you can trigger the dye pack and destroy all the cash within!

ATMs are vulnerable because many of them are in isolated locations, fixed there 24/7. Those in safer locations are still vulnerable to surreptitious damage — so even under observation it should be impossible to tell the crook who is sabotaging the ATM from a legitimate user. Should the ATM sound an alarm when detecting sabotage, the crooks need only migrate to a different strategy where the damage is done more slowly, for instance by squirting in a chemical which will degrade the ATM innards progressively over a week.

Now a criminal gang would be foolish to think they can take on the whole world with this trick, abort the move to EMV, and reign in glorious anarchy. But maybe they can hope to secure their cut. If the crooks are smart, they’ll target a particular ATM brand or particular acquirer at a time, and furthermore only use magstripe cards ripped off from the same bank (where the acquirer is also the issuer). Keep it nice and small, keep it individualised, and maybe a special deal can be struck. From here we can move on into a more stable fraud scenario: the protection racket.

The gang hits ATMs on magstripe fallback for up to a certain amount each month (say 50K per month per suburb), but they don’t get too greedy. In return, the gang offers that acquirer protection, they have the men on the ground to ensure that no other gang goes around physically damaging the ATMs or getting too greedy, and tacitly funding the gang is much cheaper than funding the police to try and lock up all the crooks. The gang might even knock out ATMs from rival acquirers, and so much the better if the only ATMs still standing happen to be fee charging!

So there’s my dystopian vision of the “ATM protection racket”, and we can see that there are limits to what technology like chip cards and PINs can achieve, especially in protecting a bank’s real front line presence: its cash machine network. The questions that spring to mind are:

  • Is this a war that the banks can win?
  • How much of bank anti-fraud policy is really driven by economics, and how much by honour?
  • Should security architects be designing security protocols and systems that try and write the crook totally out of the equation, or should we leave them a small (acceptable) window, lest they fight us on a battleground which is more costly? Think here of the problems suffered in South Africa by improving anti-theft security on cars; live hijackings and the like soared upwards.
  • What technologies can help us armour ATMs against denial of service?

My starter for 10 is that if contactless EMV makes it in, then it could negate the need for one of the holes in an ATM in the long term. This just leaves the hole that the cash comes out of. But they must watch that the contactless antennae are resistant to attack by homemade EMP weapons (à la camera flash and coil). Any further thoughts?

11 thoughts on “The ATM Protection Racket”

  1. Subject: Why are banks failing to implement the ID KEY system to combat fraud crimes, which are boosted by the unreliable systems they make us use?

    These details show that virtually all fraud crimes are preventable if banks implement ID KEY system.

    ID KEY system is a BIG IDEA which will deter virtually all fraud crimes with minimal effort, cost and delay.
    We will not even have to protect our personal details and PIN numbers at ATMs from fraudsters

    Once you have digested these details you will realise why there is no other system in the world as effective as ID KEY system in deterring fraudsters from all sectors of the industry with minimal effort, cost and delay and yet banks are not exploiting it. WHY?

    Dear Sir/Madam

    Our BIG idea to deter fraudsters is too simple. Fraudsters have proved to us that via use of fake ID documents they have made the signature system unreliable and by using pin-hole cameras they have made the PIN number system unreliable. These unreliable systems are the root cause of the problem and so unless banks implement the ID KEY system to make them reliable it is virtually impossible to combat fraud. Our BIG ID KEY IDEA has been invented to deter virtually all fraud crimes simply by making both these systems reliable with minimal effort, cost and delay. For details on this honesty restoring ID KEY system please visit website http://www.xwave.co.uk

    How does ID KEY system make signature system reliable and foolproof?

    ID KEY (Memory pendrive with or without thumb print activator) will activate printer at any transaction point to print user’s ID sticker (sticker with person’s photo and name printed on it). To personalise signature all user has to do is apply ID sticker to the document and countersign so that the signature is shared between ID sticker and document. Personalised signatures system will deter fraudsters because they have option to misuse victim’s personal details but not their unique appearance (true identity or visible biometric). This system also eliminates the need to rely on complex equipment, databases, CCTV images and even ID documents to deter fraud. Currently we are struggling to identify fraudsters but if we use personalised signature system fraudsters will be struggling to do fraud without exposing their identity. In other words only personalised signature system will increase fraudsters risk of getting prosecuted from next to none to virtually 100%. Surely this better than any other system proposed to combat fraud.

    Important points about ID stickers.

    1. Fraudsters will not get tempted to misuse other people’s ID stickers because these stickers are personalised to individual’s appearance.

    2. Fraudsters will not get tempted to use fakes of ID stickers because even fakes will expose their identity. This makes ID stickers foolproof.

    3. Fraudsters will not get tempted to use ID stickers with disguised photos because using computers police will be able to remove these disguises. ID documents or plastic cards with photos do not provide this unique advantage because person’s photo is not retained as a security along with signature on document.

    4. Traders will not get tempted to fake fraud crimes by misusing victim’s stolen or forged ID stickers because police will be able to establish that the crime is faked by proving that the person in question was not at that point of transaction at that moment in time. ID sticker system will also retain user’s thumbprints and probably even dry skin cells to provide DNA evidence.

    5. Current signature system is like passports without photos and that is why it is so complex to deter and prosecute fraudsters. We rely on photos on passports and images from CCTVs and so there should be no problem with retaining images on documents along with signature to deter a very serious crime which has become a multi-billion pound business.

    6. Only personalised signature system will deter identity fraud, cheque/bankers’ draft fraud, mail order or card not present fraud if we personalise signatures on delivery notes, bogus con-trader fraud if traders personalise their signatures on receipts and good collected for repair notes etc. This shows that until we personalise our signatures, we will go on boosting all these fraud crimes.

    7. Use of fake documents has become a big business worldwide. Personalised signature system will make this outdated system. Which other system provides us this unique advantage? NONE

    8. Apart from personalising signatures ID stickers will personalise medication and medical reports to prevent fatal mistakes by play group staff, hospital staff, nursing home staff etc. ID stickers will also help members of search team to find missing children or person quickly. This very personal problem had motivated invention of ID stickers.

    *Identity fraud has nothing to do with ID documents (they could be fake or forged) or PIN numbers (which could be stolen) or biometric ID cards (since it is not possible to have readers at every point of transaction) but has everything to do with signature which does not even expose person’s gender. Pre-printed ID stickers supplied by banks or printers activated by ID KEY do not need equipment and hence will personalise signature on any document anywhere in the world. Can you imagine how effective this system is in deterring fraudsters compared to other systems?

    *Looking at the benefits of personalised signatures, banks are wrong in not implementing this system because apart from Chip and PIN system they rely on signatures to conclude most of their other transactions such as agreements, cheque/bankers’ drafts, money withdrawal notes etc. Can you think of a reason why banks did not realise that just like card transactions signature system was not reliable for their other transactions too? By implementing Chip and PIN system banks have made bad problems worse because

    a. This system is effective only for card transactions rather than all other signature dependent transactions banks have. Can you regard this system to be effective fraud deterring system?

    b. This system has provided fraudsters option to skim cards and pick PIN numbers even from retail outlets rather than only from ATMs. This in turn is boosting ATM fraud. Do you know why banks have ignored this disadvantage?

    c. This system has made it possible for cardholders to let others use cards on their behalf. Criminals too have option to clear their kidnapped victim’s account as shown in following report Gang’s victims ‘scarred for life’ Do you agree that this system has made bad problem worse by introducing a new crime which threatens public’s safety? Only personalised signatures on card transaction slips will deter this dangerous crime.

    d. This system has stopped traders from stopping people with wrong gender using stolen cards. Can you see why this system is worse than old system?

    e. This system has made it easier for dishonest cardholders to fake fraud crimes on their own or in collaboration with fraudsters. Can you see why this system will encourage faked crimes more than old system?

    f. This system will not deter dishonest traders from selling card details to fraudsters for mail order fraud. Can you see why banks were better off implementing personalised signature system rather than Chip and PIN system?

    * These details show that fraudsters are guilty of fraud crimes but banks are guiltier for not implementing ID KEY system which would have deterred fraudsters from doing these crimes.

    How about biometric ID cards?

    These ID cards will not be effective where there is no equipment to read them. Would this not tempt fraudsters to use fakes of these cards and hence encourage more identity fraud? How would the government protect these victims from this new crime which will be introduced by ID card system?

    These cards will not be ready for ten years and hence losses due to fraud would be over £17 billion by then. Can we afford these losses along with £6 billion needed to exploit this system? Probably our fraud losses would have grown so much in ten years that we would not have funds to implement ID card system.

    * This shows that to protect the public and entire business industry from becoming victims of fraud crimes the government should make banks implement ID KEY system, which will also be effective in deterring fraudsters in all government departments as they too rely on signatures to conclude transactions. Normal ID cards are not good enough because they can be faked similarly biometric ID cards are not good enough since they will not be effective where equipment to read these ID cards is not present. This system works only for organisations where everyone on the list has a card and every point of transaction has card reading equipment. Nationally it is virtually impossible to satisfy both these conditions and hence the system will not work.

    How does ID KEY system make PIN number system reliable to deter ATM fraud?

    To conclude ATM transaction invisible electronic Card Key Code (which will change to new random value after every transaction) stored in ID KEY will be required. This will make card skimming and PIN number picking meaningless. There is no reason why banks should not exploit this system when they do not have other equally effective system to deter ATM fraud.

    Since 1994 when ID KEY system was invented we have been telling the Home Office and APACS that unless they exploit ID KEY system fraud crimes will continue to grow. They have ignored this and now fraud has become multi-billion pound business and it is the fastest growing crime.

    We hope that policymakers will appreciate these details and exploit ID KEY system before it is too late to stop a fraud boom because according to report in Sunday Times dated 3/9/2006 along with fake IDs our personal details are sold on the net from only £1.

    Please do not hesitate to contact us if you need any further information on ID KEY system. We hope you will get proposed honesty restoring system appreciated and exploited before it is too late.

    Thank you.

    Email from

    Visual Security International Limited

    9 Bond Close, Aylesbury, Bucks. HP21 8FZ

    Mobile 07989 344509 Website http://www.xwave.co.uk Email ykr@btinternet.com

    WARNING: Idea of ID stickers and Card Key Code used in ID KEY system are rights protected by granted patents while the stationery used is protected by copyrights.

    U.K. (Patent no. 2301555 and 2334362), Europe (Patent no. 0748285 which covers 15 countries) and U.S.A. (Patent no. 5,884,942)

    END

  2. Mike,

    On your initial premise – “whether or not EMV is capable of sorting out the ATM fraud problem (also known as ‘phantom withdrawals’)” – I am afraid that the answer is clearly “no”. Phantom withdrawals are going to fall into one of the following categories:

    1. Where the withdrawal actually happened and the customer is deliberately trying to defraud the bank (for those without long history in this debate, this is the long-held position as the only option by the UK banks) or, to be fair, the customer simply does not remember conducting the transaction (most of us have had nights out like that 🙂 ).

    2. Where the withdrawal was conducted with the customer’s genuine card and their pin, but not by the customer and without their permission. Often friends / family and not necessarily with the customer having deliberately disclosed the pin (well-known numbers, seen the pin form, shoulder surfing …)

    3. Where the card is forged and the pin captured through camera, bodged pin-pad, shoulder surfing etc. EMV should go some way towards making the card forging more difficult, provided fallback is disabled.

    4. Simple (and non-malicious) error in the bank ATM or ledger systems. (Error in the ledger should be catchable by cross-reference to the ATM transaction logs, but if the ATM accidentally records the wrong card / account number …)

    5. Casual (possible, but I can’t see how it could be done) or systematic fraud by bank staff or contractors (this would require multiple developers to be involved or some more local dodginess around authentication keys.)

    There are some other (harder to do – normally needing stolen cards) attacks that apply to the smaller and simpler pay-for ATM estates but not to the main bank estates.

    Addressing your main contentions:

    * Is this a war that the banks can win?

    Not the way you frame it. A bat through the screen will take any ATM out.

    * How much of bank anti-fraud policy is really driven by economics, and how much by honour?

    Some is driven by economics, much is driven by regulatory context and displeasure, a considerable amount by (the marketing department’s view of) public opinion, and a little by honour.

    * Should security architects be designing security protocols and systems that try and write the crook totally out of the equation, or should we leave them a small (acceptable) window, lest they fight us on a battleground which is more costly? Think here of the problems suffered in South Africa by improving anti-theft security on cars; live hijackings and the like soared upwards

    We need to consider holistic risk – already the most common attack is against cash delivery when it is in the street.

    * What technologies can help us armour ATMs against denial of service?

    Ah – sounds like a research project to me 🙂

    S-E

  3. Mike,

    You say,

    “Fraud migrates”

    I actually think “it evolves”; that is, simple fraud works against an unsophisticated system, the users get hurt and scream, and the system operators are then forced to marginally increase security.

    However the criminal now knows from experience that the improvement is only going to be small, therefore their previous fraud gives the funding and incentive to take the fraud to the next level and so on, and allows them to continue to recoup on their initial investment in associated procedures (fencing) to deal with their ill-gotten gains.

    So the war starts; at each stage the defender has a choice, a simple / incremental improvement, or a major / quantum improvement. If they choose the former due to expediency then the war goes on; if the latter there is a reasonable chance they will raise the threshold beyond the attacker’s means.

    It is almost exactly the same as EW / ECM / ECCM / ECCCM….

    Likewise if the system operator had implemented a sensible level of security at the outset then the fraud would not have been started in the first place, as it would have been too difficult / expensive for the attacking fraudster to gain the initial toehold. However once in, the attacker goes on to make further investment into the attack, and this gives the attacker an increased incentive to prolong the war.

    The fact that the system operator was lazy / negligent / unknowing allowed a crack to appear in the system, and once it is there, the crack will be forced open again and again unless the operator takes a sufficiently large step to prevent it.

    Examples of this abound; the German Enigma is one of the earliest. The Sky Card system is a more modern example, likewise the “set top box cube” that still bedevils cable operators. If at any point the system operators had taken a sensible look at their system security and not an expedient look then the initial attack threshold would have been too difficult to cross.

    To the fraudster, it is almost like a drug dependency: the initial fairly easy crack starts them off, they then develop methods and systems to exploit it and they become hooked on hacking the system.

    Therefore unless the system operator uses sufficient resources and makes the threshold too high for the attacker, they are actually committing themselves to an endless round of expensive incremental changes.

    It is fairly easy to see that even in the short term it is more cost effective to commit the required resources to raise the threshold properly…

  4. I don’t think this is workable. What you describe is essentially a DOS attack, but the reason for DOS attacks’ prevalence on the Net is that a) the incremental cost of one more bot is near-zero, b) the risk of one being caught is small, and c) the cost of one bot being caught is zero. Imagine trying to push John Lewis out of business by sending lots and lots of mail-order forms, and then compare using a botnet to hammer their website.

    Delivering enough smash attacks to impose a cost that is significant compared to the bank’s free cash flow is far harder in reality than in cyberspace – you need quite a few people. The chance of getting caught each time is probably far greater on the streets, and you only need to get caught a few times before the cost spikes dramatically (i.e. someone realises that the same person keeps smashing ATMs and asks why, you go down for blackmail rather than crim dam).

    The banks have every reason to keep cash machines cheap, cover them with CCTV cameras, and design them to fail-secure by breaking down easily under attack.

  5. The extended advertisement of ID KEY above doesn’t seem to be quite relevant to Mike’s post 🙁

    It probably deserves some response though

    The author appears to suggest that ATM fraud will be solved by updating all the ATMs (that’s quite an investment) to read another sort of card (the ID KEY) which they happen to have patented. This card will require you to input not only your PIN but also a one-time code (so that observing the transaction doesn’t assist the bad guys).

    There is no discussion as to the costs (or methods) of updating these one-time codes, or indeed whether a camera (or a shoulder-surfing crook) will be unable to read the paper on which all these codes will (necessarily) be written out.

    Clearly this does make ATM usage a bit more secure (and a bit more inconvenient), but it’s a pretty disruptive change to their use and so it doesn’t look like a no-brainer to implement it (rather the reverse).

    The second safeguard is apparently the use of embedded photo-id. This is straightforward to rebut as a solution since there’s existing research as to its ineffectiveness. A description of the classic experiment can be found in #13.3 of Ross’s book. Those who have not read about it will find the time well spent.

  6. Alex says:

    I don’t think this is workable.

    This is the crucial issue. Could such a racket actually work or not? I see your arguments about DOS being practicable on the net because it’s cheap, the cost of nodes is low, and the cost of losing nodes is low. But I think these facts also remain true in the real world for ATM infrastructure attack…

    * One man working full time over a weekend can easily visit 200 cash machines (I’ve known a case where 200 phantom withdrawals were made in a single weekend), and they don’t need a lot of people — they just need more people than there are ATM repair engineers, scaled by the factor for how long a break takes (seconds) versus a repair (hours–days). It’s much quicker to break stuff than to repair it, I promise. And to find problems with the ATM network, than to solve them 😉

    * DOS based on killing hardware-equipment is very different from DOS based on filling up bandwidth pipes. Once the attack stops in the latter, business can resume as normal, no-one needs to go round fixing anything as such, possibly reboot a few computers.

    * Remember that smashing it with a bat is at the extreme end of a whole spectrum I presented. Some of the subtle stuff could be done so that ATMs could be disabled even while under surveillance.

    * Don’t think that the police would put ATM racketeering at the top of their priority list without a serious political impetus, or a wad of cash from the banks to go investigate. There are a lot more violent and hurtful crimes to think about too. And you are not even disabling the whole ATM, just the chip functionality.

  7. Are we forgetting something here?

    How much money can the fraudster get out of the broken machine? I think the theory is correct but in practise?

  8. But someone who goes around damaging ATMs 200 times in a weekend is at a far greater risk of being caught than someone who makes 200 phantom withdrawals – sticking a card in one is so normal you wouldn’t see it, whacking it with a bat isn’t. And even if you are only arrested for vandalism, the kind of person who is doing this probably has excellent reasons to avoid any dealings with cops whatsoever.

    Further, what makes you think the bank is losing money whilst the ATM is out of service? Cash handling is a cost.

  9. So if the criminal damaging the ATM wants to minimise their chances of being caught at the scene, they want to attack it in a way that seems indistinguishable from the activities of a normal user. Sticking in a card which zaps the smartcard reader contacts with a high voltage seems suitable here. But surely after a few such attacks it will be very easy to identify the responsible parties from CCTV footage, since presumably the machines log enough information to be able to identify the last transaction in which the ATM was able to communicate with a chip on a card?

  10. To answer the following question, “But surely after a few such attacks it will be very easy to identify the responsible parties from CCTV footage, since presumably the machines log enough information to be able to identify the last transaction in which the ATM was able to communicate with a chip on a card?”
    Yes, the machine logs all the information of transactions and faults. Even if you begin to insert your card and then pull it out before the card reader takes it, a card tease is registered. If the banks wanted to they could implement more safety features on the ATM to protect the customer, such as biometrics where fingerprints would be required along with PIN numbers. There is also the option of retina scan. But this becomes costly and banks don’t charge for ATM withdrawals. If I had to catch a person vandalising an ATM I’d have no problem in breaking their fingers, cause they piss me off and waste my time.
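Comment 9 asks whether the ATM journal lets an investigator find the last transaction in which the chip was read successfully, and comment 10 confirms that transactions, faults and card teases are all logged. The following Python script is an added example, not code from the original post or from any ATM vendor: over a constructed journal it builds, for every chip-reader fault, the CCTV review window running from the last successful chip read to the fault report, lists the events that fell inside that window (card teases, magstripe fallbacks), and flags any card token that turns up in more than one such window across different machines. The log format, the event names (TXN, CARD_TEASE, FAULT) and the key=value fields are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample ATM journal for this example; it is NOT real ATM data.
# The event names (TXN, CARD_TEASE, FAULT) and key=value fields are assumptions.
SAMPLE_LOG = """\
2006-09-12T10:02:11 ATM0457 TXN card=4***1234 chip=OK amount=50
2006-09-12T10:05:40 ATM0457 TXN card=4***9876 chip=OK amount=20
2006-09-12T10:06:02 ATM0457 CARD_TEASE
2006-09-12T10:06:20 ATM0457 TXN card=4***5555 chip=FAIL fallback=magstripe amount=100
2006-09-12T10:09:45 ATM0457 FAULT reader=chip code=E07
2006-09-12T11:30:00 ATM0812 TXN card=4***3333 chip=OK amount=30
2006-09-12T11:31:10 ATM0812 CARD_TEASE
2006-09-12T11:31:40 ATM0812 TXN card=4***5555 chip=FAIL fallback=magstripe amount=100
2006-09-12T11:33:00 ATM0812 FAULT reader=chip code=E07
2006-09-12T12:00:00 ATM0999 TXN card=4***7777 chip=FAIL fallback=magstripe amount=40
2006-09-12T12:01:00 ATM0999 TXN card=4***7777 chip=OK amount=40
"""

LINE_RE = re.compile(r"^(\S+)\s+(ATM\d+)\s+([A-Z_]+)(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    atm: str
    kind: str
    fields: Dict[str, str]


@dataclass
class Window:
    atm: str
    start: Optional[datetime]          # last successful chip read; None if none logged
    fault: datetime                    # when the chip-reader fault was raised
    suspects: List[Event] = field(default_factory=list)  # events between the two


def parse_log(text: str) -> List[Event]:
    """Parse journal lines into events, ordered per machine by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unrecognised lines
        ts, atm, kind, rest = m.groups()
        events.append(Event(datetime.fromisoformat(ts), atm, kind, dict(KV_RE.findall(rest))))
    return sorted(events, key=lambda e: (e.atm, e.ts))


def review_windows(events: List[Event]) -> List[Window]:
    """For each chip-reader fault, return the window since the last good chip read."""
    windows: List[Window] = []
    last_ok: Dict[str, Event] = {}
    pending: Dict[str, List[Event]] = {}
    for e in events:
        if e.kind == "TXN" and e.fields.get("chip") == "OK":
            last_ok[e.atm] = e           # chip was still alive here; restart the window
            pending[e.atm] = []
        elif e.kind == "FAULT" and e.fields.get("reader") == "chip":
            start = last_ok.get(e.atm)
            windows.append(Window(e.atm, start.ts if start else None, e.ts, pending.get(e.atm, [])))
            last_ok.pop(e.atm, None)     # reader is dead until an engineer resets it
            pending[e.atm] = []
        else:
            pending.setdefault(e.atm, []).append(e)  # teases, fallbacks, other faults
    return windows


def repeated_cards(windows: List[Window]) -> Dict[str, int]:
    """Card tokens that appear inside the suspect window of more than one fault."""
    seen: Counter = Counter()
    for w in windows:
        seen.update({e.fields["card"] for e in w.suspects if "card" in e.fields})
    return {card: n for card, n in seen.items() if n > 1}


if __name__ == "__main__":
    ws = review_windows(parse_log(SAMPLE_LOG))
    for w in ws:
        print(f"{w.atm}: review CCTV from {w.start} to {w.fault}; "
              f"{len(w.suspects)} event(s) in window")
    print("card tokens seen in more than one fault window:", repeated_cards(ws))
```

The window starts at the last chip=OK transaction rather than at the first failed read, because a single failed read can be a dirty card (ATM0999 in the sample recovers on the next insert and produces no window). A card token recurring across windows on different machines is the kind of signal that turns a pile of unrelated engineer call-outs into one incident worth pulling footage for.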
