
ATM Security

Is ATM SECURITY a challenge in Kenya and all over the world?

Tope Dare
Sales & Marketing Manager NCR (Nigeria)

Global ATM Fraud & Security Overview


- Global issues
- Techniques migrate
- Perpetrators migrate
- No ATM estate is 100% secure
- Knowledge is critical
- Intelligence is critical
- Planning is imperative and essential

Global ATM Security Challenges


The problem of ATM fraud is global in nature, and its ramifications have been felt in Kenya as well. The modern era has replaced the traditional monetary instruments, paper and metal currency, with plastic money in the form of credit cards, debit cards, etc. This has resulted in the increasing use of ATMs all over the world. The use of ATMs is not only safe but also convenient. This safety and convenience, unfortunately, has an evil side as well, one that originates not from the use of plastic money but from its misuse. This evil side is reflected in the form of ATM fraud, which is a global problem. The world at large is struggling to increase convenience and safety on the one hand and to reduce misuse on the other. An effective remedy for the prevention of ATM fraud, however, cannot be provided unless we understand the true nature of the problem.

ATM Security Reports in Europe


According to the European ATM Security Team (EAST):

- 1,459 ATMs were robbed throughout Europe during the first half of 2009, equalling 4.5 crimes or attacks annually for every 1,000 ATMs.

According to police records in Lithuania, 26 ATMs were robbed from November 2007 to November 2008, equalling 18 crimes per thousand ATMs (Lithuania has 1,471 ATMs).

Card Skimming Losses In Europe

Card Frauds in America


The criminal gangs need an environment where large numbers of cards are in circulation and where counterfeit cards will not be easily noticed.

In the past, they targeted the big banks such as Bank of America and Citibank. Technology advances have made it easier for criminals to obtain both the card PIN and the sensitive data held in the magnetic stripe. Gangs will place realistic-looking false fascias containing magnetic stripe readers on the front of genuine ATMs to collect card data, and install mini cameras masquerading as security cameras in order to record PINs as they are entered on the ATM keypad.

A Proactive Approach to ATM Frauds


A lack of preparedness with regard to physical and logical ATM security exposes financial institutions to greater risk. Increasing security at the ATM level only after a security compromise is the path many banks take. Simply assuming that fraud risk is low because there has been no previous fraud exposure is an unwise security methodology. Physical security, premises monitoring and accurate video surveillance are all considerations that are best addressed while fraud is minimal. Do we wait for a catastrophic event before banks and other financial institutions react to the ATM and card fraud crisis?

Common ATM Security Challenges


- Fraudulent cash withdrawal via ATM with careless, lost or stolen cards and PINs
- Card theft (trapping, swapping, distraction, etc.)
- Card cloning
- Card skimming
- Phishing
- Smishing
- ATM physical attacks
- Shoulder surfing for the PIN
- Social engineering / consumer negligence
- Human attack after cash withdrawal

Trends in the Banking Market

[Figure: this slide carried a pie chart of ATM fraud by type and a wheel of banking-market trends; the percentage labels did not survive extraction and are not reproduced here.]

- ATM fraud is up, with card skimming being the fastest growth area.
- Insider threats are an emerging risk with potential for significant account data compromise.
- ATM deployers need a risk management strategy that minimizes reputational damage and financial losses due to ATM crime.

Fraud types in the chart: card skimming, physical attacks, transaction reversal, cash trapping, PIN compromise only, card trapping, deposit manipulation, other.

Themes in the banking-market wheel: Managing Operations (Manage Cost & Control Risk); Focusing on the Consumer (Grow Revenue & Improve Service); Accelerating the Self Service Revolution.

Trends in the wheel: Risk Mitigation / Fraud Management; Regulatory Compliance; Cost Reduction; Multivendor Strategies; Intelligent Deposit & Truncation; Consumer Intimacy & Personalization; Mobile and Online; Merged Channel Integration; Branch Experience Redesign.

Card Theft

Globally, we have seen a migration away from card theft to more sophisticated attacks, particularly SKIMMING; the trend is beginning to be reversed with the introduction of EMV card technology.

- Card trapping
- Card swapping
- Honey trap

Card Theft : Card Trapping

Card trapping devices are inserted within the card reader module and allow the card to be entered by the consumer, but not returned.

Card Theft : Card Trapping

Common trap designs:

- Lebanese Loops
- Romanian Loops
- Algerian V Loop
- Wire Loop (dental floss, metal wire)
- Match Stick

Card Theft : Lebanese Loops


Lebanese Loops are the most common type of card trap, but there are many designs.

Lebanese Loops were first discovered in Venezuela in the early 1990s, when the most common design was made from X-ray film and attached with super-glue. The colour of the Lebanese Loop makes it difficult for a consumer to notice.

The success of the attack depends upon the strength of the glue and the loop itself.

Card Theft : Lebanese Loops


KEY ATTRIBUTES OF THE LOOP

a.) A one-way flap that allows the card to enter but prevents it from returning.

b.) The length of the loop determines whether the card is read by the ATM or not. If the loop is long enough to allow the card to be read, most applications will present the PIN entry screen.

c.) Whether the loop prevents the card reader shutter from closing fully. If the shutter closes, detection is reduced but the card is harder to remove.

Lebanese Loop : ATM attack


An individual (the ATM thief) who apparently is making a bank transaction at the ATM.

Placing the trap


What is he really doing?
He is placing a trap in the ATM card reader to capture the next user's card.

The Victim
Here we see the next client using the ATM, after the trap has been set.

He inserts his card and begins his transaction.

The ATM card is confiscated.

The customer is confused, asking himself: why has my card been confiscated? However, here we see the cavalry coming to help (HELP?).

Honest Samaritan Offering HELP


Here we see the thief pretending to help. What he is really doing is trying to obtain the victim's PIN, now that he has captured his card.

Gaining access to the PIN


The good Samaritan convinces the chump that he can recover the card if he enters his PIN at the same time as the Samaritan presses the cancel and enter keys.

Situation Hopeless, He leaves


After several attempts the victim is convinced that his card has been confiscated.

The victim and the Samaritan leave the ATM.

Recovering the Card


Satisfied that the area is clear, the thief returns to recover the confiscated card from his trap.

He not only has the card, he also has the PIN that the chump provided unknowingly.

The Escape
In possession of the card and the PIN, he leaves the ATM with $4,000 from the victim's account.

The Trap
The trap is made of X-ray film, which is the material preferred by thieves, simply because its black colour is similar in appearance to the slot on the card reader.

Placing the TRAP


The trap is then inserted into the ATM slot. Care is taken not to insert the entire film into the slot. The ends are folded and carry glue strips for better adhesion to the inner and outer surfaces of the slot.

Invisible
Once the ends are firmly glued and fixed to the slot, the trap is almost impossible for unsuspecting clients to detect.

How is your card confiscated?


Slits are cut into both sides of the trap. This prevents your card from being returned before your transaction is completed.

Retrieval of Confiscated card


As soon as the chump is gone, and they have your PIN, the thief can remove the glued trap: by grasping the folded tips, he simply pulls out the trap that has retained your card.

Romanian Loop

Romanian Loops use VHS or audio tape and a simulated card entry slot to attach and disguise the loop. A plastic flap is used that allows the card to be entered but closes up and prevents the card from being returned.

Dental Floss Loops


Dental floss loops have surprising strength but still allow the shutter to close. The dental floss is often attached to a plastic or X-ray film flap to prevent the card from being returned.

Algerian V card traps


Algerian V card traps are inserted within the card reader transport and may cause the card to jam in a position where it is out of sight of the consumer but can be fished out. They are commonly made from cardboard such as metro tickets. Algerian V card traps are not as effective as other loops.

Card Data Compromise

Data Compromise

An alternative to obtaining the physical card is obtaining the card data. Card skimming means copying the Track 2 information on the magnetic stripe of the card. Skimming exploits the fundamental weakness of magnetic stripe technology. Track 2 is the most commonly used track for international and domestic transactions and is usually the target of skimming attacks. Skimming at and around the ATM location is perpetrated in many ways:

i. Door access reader
ii. ATM card reader
    a.) Swipe
    b.) Dip
    c.) Motorized

Data Compromise : Skimming Attacks on Cardreader


There are various innovative designs used by criminals to target motorised card readers, such as:

- Fitted directly to the card reader entry slot
- Moulded around the card reader slot
- A modified anti-fraud device

Data Compromise : Wireless Skimming Activities


ATM fraud has been linked to the use of wireless devices that transmit skimmed card data and PIN information directly to the criminal, who is comfortably positioned a safe distance from the point of compromise.

Criminals no longer need to risk arrest by retrieving the wireless skimming device, because the technology is low cost and therefore disposable. Card skimmers can easily sell off the stolen information and buy new wireless equipment without being arrested.

Data Compromise : Wireless Skimming Devices

Wireless Fake PIN pad overlay

Wireless Cardreader

Wireless Miniature Camera


Data Compromise : Skimming Attacks on Cardreader


Anti-Skimming ATM Security Solutions


With the reality of ATM skimming, a simple ATM security camera is no longer a sufficient safeguard.

Considerations for anti-skimming ATM security solutions:

- Helps prevent skimming crimes without interrupting ATM customer transactions.
- Detects the presence of foreign devices placed over or near an ATM card reader slot.
- Provides a full range of ATM card trapping, tamper and false-front protection.
- Helps protect the integrity of cardholders' personal financial information during ATM transactions.
- Can integrate with alarm detection and surveillance systems for layered protection.

ATM Anti-Skimming Devices


PIN Compromise on ATM


- Shoulder surfing
- Fake PIN pad overlay
- PIN interception
- Spy camera
- Telescope

PIN Security Preventing PIN Interception


- PIN pad security is dictated by MasterCard and Visa, which require an encrypted PIN pad (EPP) to be in place.
- The EPP is a sealed module that immediately encrypts the PIN as it is entered.
- No raw PIN digits are accessible to electronic attackers.
- Tampering with the EPP renders it unusable, requiring shipment back to the manufacturer.
- For online communication, the 3DES standard strengthens the encryption algorithm used to protect the secrecy of the PIN as it is sent from the ATM to the bank for verification.
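To make the EPP's job concrete, here is the clear ISO 9564-1 format 0 PIN block an EPP forms before encrypting it under the PIN key with 3DES. This is an added example, not code from the presentation or from NCR; the PAN and PIN values are constructed, and the 3DES step itself is omitted because it runs inside the sealed EPP and the Python standard library has no 3DES.

```python
"""ISO 9564-1 format 0 PIN block, the clear block an EPP forms before
encrypting it under the PIN key (TDES on the ATMs this deck describes).

Added example, not from the presentation. Only the block formatting is
shown: the TDES step runs inside the sealed EPP and Python's standard
library has no TDES, so it is omitted. PAN and PIN values are constructed.
"""


def _pan_field(pan: str) -> str:
    """4 zeros + the 12 rightmost PAN digits, excluding the Luhn check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:]


def _pin_field(pin: str) -> str:
    """Control nibble 0, PIN length, PIN digits, padded with F to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return ("0" + f"{len(pin):X}" + pin).ljust(16, "F")


def format0_pin_block(pin: str, pan: str) -> str:
    """Clear PIN block as 16 hex digits: PIN field XOR PAN field."""
    block = int(_pin_field(pin), 16) ^ int(_pan_field(pan), 16)
    return f"{block:016X}"


def recover_pin(block: str, pan: str) -> str:
    """Undo the XOR with the PAN field and validate the PIN field layout.

    A PAN that does not match the one used at entry yields a malformed
    field, which is why binding the block to the PAN defeats simple
    replay of a captured block against another card.
    """
    field = f"{int(block, 16) ^ int(_pan_field(pan), 16):016X}"
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    n = int(field[1], 16)
    pin, pad = field[2:2 + n], field[2 + n:]
    if not 4 <= n <= 12 or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("malformed PIN field")
    return pin
```

The same PIN produces a different block for every PAN, and the host can only recover the PIN when it pairs the block with the correct PAN.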

Data Compromise : Social Engineering


Phishing: a way of attempting to acquire sensitive information such as usernames, passwords and debit/credit card details by masquerading as a trustworthy entity in an electronic communication.

Smishing (SMS phishing): occurs when you receive an SMS message purportedly sent from a reputable source, such as your bank, asking for personal details.

Vishing: the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing".

Carelessness with PIN & card: provision of the PIN and card to a third party for cash withdrawal.

Accessing the Cash - False ATM presenter


ATM fraud performed through the addition of traps in front of the dispense point:

- The device covers or disguises the normal dispense point.
- The ATM dispenses notes into the false front and they are never presented to the consumer.
- The consumer mistakenly assumes the ATM has malfunctioned.
- After the customer leaves, the criminal removes the false front and takes the currency.

Accessing the Cash Transaction Reversal


Criminals use a variety of methods to create an error condition at the ATM that results in a transaction reversal, because the ATM reports an inability to dispense cash even though the cash was in fact accessible and taken by force. For example:

- The ATM user requests to withdraw $100.
- The user carefully removes only a portion of the notes, e.g. $70.
- $30 is left in the presenter.
- Several seconds later, the ATM times out and sends an error message.
- The ATM retracts the remaining banknotes.
- The dispenser is not able to count the banknotes.
- The transaction is reversed.
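The weak point in the sequence above is a host that reverses the whole amount on the retract alone. The following added example (not from the presentation or from NCR) models that settlement decision and the safer alternative, which credits back only what the dispenser could count and parks the rest as a dispute until the cassette is physically reconciled; all events are constructed.

```python
"""Host-side settlement of a dispense that ended in a retract.

Added example, not from the presentation. It models the decision an
authorising host makes when the ATM reports a time-out and retract, as in
the partial-removal sequence on this slide. The unsafe policy reverses the
whole amount on the retract alone; the safer policy credits back only what
the dispenser could actually count and holds the rest as a dispute for
physical cassette reconciliation. All events below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class DispenseEvent:
    requested: int           # amount authorised and presented
    retracted: bool          # ATM timed out and retracted the notes
    counted: Optional[int]   # value counted on retract, None if uncountable
    actually_removed: int    # ground truth for the simulation; the host never sees it


@dataclass
class Settlement:
    debit: int      # amount finally charged to the account
    disputed: int   # amount held pending reconciliation of the cassettes
    reason: str


def settle_unsafe(ev: DispenseEvent) -> Settlement:
    """Reverse the full amount whenever a retract is reported."""
    if ev.retracted:
        return Settlement(0, 0, "auto-reversed on retract")
    return Settlement(ev.requested, 0, "dispensed")


def settle_safe(ev: DispenseEvent) -> Settlement:
    """Only credit back what was verifiably retracted."""
    if not ev.retracted:
        return Settlement(ev.requested, 0, "dispensed")
    if ev.counted is None:
        # The dispenser could not count: keep the debit and hold the whole
        # amount in dispute until the cassette is physically reconciled.
        return Settlement(ev.requested, ev.requested,
                          "retract uncounted: held for reconciliation")
    credited = min(ev.counted, ev.requested)
    return Settlement(ev.requested - credited, 0,
                      f"partial retract: {credited} counted and credited")


def resolve_dispute(st: Settlement, cassette_surplus: int) -> Settlement:
    """Close a disputed settlement once the cassette count is known.

    cassette_surplus is the value found in the retract/reject bin above
    what the host had booked as dispensed; only that much is refunded.
    """
    if st.disputed == 0:
        return st
    refund = min(cassette_surplus, st.disputed)
    return Settlement(st.debit - refund, 0, f"reconciled: {refund} refunded")


def host_loss(ev: DispenseEvent,
              policy: Callable[[DispenseEvent], Settlement]) -> int:
    """Cash the customer kept without being charged for it."""
    return max(ev.actually_removed - policy(ev).debit, 0)
```

Under the unsafe policy the $70 removed in the slide's example is never charged; under the safe policy the account stays debited until reconciliation finds the $30 surplus and refunds exactly that.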

ATM Physical Attacks


ATM physical attacks are normally perpetrated with the intention of gaining access to the cash within the ATM safe or security enclosure. Some of the most common methods include:

- Ram raid
- Explosive attack (gas and non-gas)
- Cutting (e.g. rotary saw, blow torch, thermal lance, diamond drill)

The success of ATM physical attacks is often measured by what percentage of the cash is stolen and the speed with which the attack is completed.

Ram Raid : Smash and Grab

The theft has seriously damaged the store, which remains closed as it undergoes structural checks.

Aftermath of Ram Raid


Gas Explosives Attack


Preventing ATM Burglary attacks


- Certification level of the safe: UL 291 Level 1 (15-minute door attack) is unsecured at unmonitored locations; CEN L safes of composite steel and concrete construction are recommended
- Alarms and sensors to detect physical attacks
- Ink stain technologies that will ruin and make unusable any removed banknotes

ATM attack and vandalism : Ink' Dye ATM Protection Measure


- Consists of detectors and ink dyeing technology
- Banknotes are stained with ink when the control system detects an abnormality in the monitored parameters
- Stained notes can no longer be circulated, making the robbery attempt fruitless
- Dyeing of the banknotes is triggered by an unauthorized attempt to open the safe

Denomination Fraud
This involves changing the configured value of the notes in a cassette to a lower value, both on the ATM and on the switch.

e.g. A cassette holding $100 notes is configured as $20 notes. Withdrawal result: a request for $100 is fulfilled with 5 notes, which are really 5 x $100 = $500.
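The control against this is reconciliation of the cassette's physical contents with its configured denomination, at load time and at cash balancing. The following added example (not from the presentation or from NCR) implements that check and quantifies the over-dispense in the slide's $100/$20 scenario; cassette values are constructed.

```python
"""Denomination cross-checks for an ATM cassette, as a defence against the
misconfiguration this slide describes (a $100 cassette configured as $20 on
both the ATM and the switch).

Added example, not from the presentation. Two controls are shown: a load-time
check comparing the custodian-counted value of a cassette with the value the
configuration implies, and a dispense reconciliation that measures the
over-dispense once the true denomination is known. Values are constructed.
"""
from dataclasses import dataclass


@dataclass
class Cassette:
    cassette_id: str
    configured_denom: int   # denomination in the ATM/switch tables
    note_count: int         # notes loaded, as counted by the custodian
    counted_value: int      # cash value of the load, as counted by the custodian


def load_discrepancy(c: Cassette) -> int:
    """Physically loaded value minus the value the configuration implies.

    Non-zero means the denomination table and the notes in the cassette
    disagree; the cassette should not go into service until this is resolved.
    """
    return c.counted_value - c.note_count * c.configured_denom


def safe_to_dispense(c: Cassette) -> bool:
    return load_discrepancy(c) == 0


def notes_to_dispense(amount: int, configured_denom: int) -> int:
    """Host/ATM view: how many notes a single-cassette dispense needs."""
    if amount <= 0 or amount % configured_denom:
        raise ValueError("amount not dispensable from this cassette")
    return amount // configured_denom


def over_dispense(amount: int, configured_denom: int, true_denom: int) -> int:
    """Cash leaving the ATM beyond the amount debited, for one withdrawal."""
    notes = notes_to_dispense(amount, configured_denom)
    return notes * true_denom - amount
```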

ATM Software Security


Evolution of ATM Software Environment


Until recently, ATMs were deployed within a proprietary, closed environment.

Over the years, there has been an increase in:

i. migration to and usage of Microsoft operating systems (Windows XP)
ii. support and acceptance of the CEN XFS-J/XFS device interface standards (CEN = Comité Européen de Normalisation)

The migration from so-called closed to open means of communication such as WOSA and TCP/IP, and the increasing usage of web-based technology, create the need for an ATM Software Security Best Practice and in particular a software security guide.

Trends In ATM Architecture/Environment

ATMs are becoming vulnerable to new and more numerous threats from both internal and external sources with the ever-increasing usage of open architectures and environments:

i. Microsoft operating systems
ii. Broadband leased TCP/IP networks
iii. Semi-commercial off-the-shelf (COTS) software systems
iv. Non-proprietary communication protocols
v. Increased usage of Internet technology

ATM Software Security : The Impact on FIs


Failing to implement an ATM Software Security Policy is detrimental to the well-being of a financial institution's or IAD's channel, customer relationships, reputation and brand equity.

Experience has shown that security breaches or failures can have a dramatic effect on customers' willingness and confidence in using ATMs.

The ATM industry would be impacted by diminished transactions and increased flow to other, more expensive channels of cash availability, for example teller operations, or even a loss of customers.

Global Risks to the ATM Software Environment


1. Traditional Threats - Viruses - Worms - Trojans

2. Emerging Threats - Zero-Day Attacks - Buffer Overflows - Code Injection - Application Exploits

3. Internal Threats - Insider Attack - Unauthorized Change - Untested Patching

4. Business Risk - Regulatory Compliance - Security Audits

Security Threats to IP ATMs


Imagine a disaster scenario: an Internet worm spreads from the Internet onto a financial institution's private network and infects ATMs. Not only are those ATMs unable to operate, but they themselves begin to spread the worm to other ATMs and to workstation and server computers on the network.

In August 2003 the Nachi (aka Welchia) Internet worm did just that: it crossed over into secure networks and infected the ATMs of two financial institutions, the first confirmed case of malicious code penetrating cash machines. The machines were built using Windows XP Embedded, which, like most versions of Windows, was vulnerable to the RPC security bug exploited by the Nachi worm.

In January 2003, the SQL Slammer (aka Sapphire) worm indirectly shut down 13,000 Bank of America ATMs. In this case, the worm affected the database servers (the switch) that the ATMs rely on.

Security Threats to IP ATMs


The primary new threats facing IP ATMs are:

A. Internet Protocol worms, and other malicious code, penetrating the defenses of the ATM itself or the IP network it is connected to
B. Disruption of the IP network and denial of service
C. Passive collection of transaction data for malicious purposes

These threats could be either incidental (due to the similarity of desktop and server PCs to the hardware and operating systems running on the ATM, and the standardization of the IP protocol itself) or specific (targeting the ATM device or the financial institution).

Incorporation of ATMs within the corporate IT Software Security Policy


The modern ATM not only dispenses cash, but, depending on the country/region (and of course the IT infrastructure), also delivers more complex services such as:

- Customer-specific one-to-one marketing opportunities
- Mobile phone pre-paid top-up
- Financial services such as money transfer
- Cash/coin/cheque deposits
- Bill payment
- Lottery
- Ticketing (sport, music, travel, etc.)

With these services, the ATM channel boundaries have been extended. No longer are ATMs operated within a silo or walled garden, but together and in conjunction with services operated by third parties. Through this boundary expansion, the need for so-called endpoint ATM security has become essential.

Incorporation of ATMs within the corporate IT Software Security Policy


The need to incorporate ATMs within the corporate IT Software Security Policy, or to create a specific ATM IT Software Security Policy, is indisputable. Establishing a comprehensive ATM IT Software Security Policy is a complicated undertaking.

Numerous factors must be taken into consideration: ATM certification, staging and deployment, access control, connectivity and communication, operation management and monitoring, software management, continuity and disaster recovery, etc.

A key factor for any future ATM software policy is to take into account the PCI standards relevant to the total ATM environment.

The 3-Pillars of Security


A powerful way for information security professionals to assess any IT system's overall security is to consider the three pillars of security:

(a) Confidentiality is the ability of the system to resist inappropriate disclosure of information. It requires protection against data being inspected.

(b) Integrity is the ability of the system to continue to function in the way intended. It requires protection against tampering with the system.

(c) Availability is the ability of the system to remain in operation during expected time periods and with acceptable levels of service. It requires protection against denial of service.

Data Encryption in an ATM Environment


Data encryption in an ATM system is implemented in three distinct ways:

(a) Data at rest on the ATM. Any cardholder data that may be stored on the hard disk of the ATM should be protected from inappropriate inspection.

(b) Data in transit to/from the ATM. The network traffic from the ATM may contain sensitive information and should be properly protected.

(c) The encrypted PIN and the secret keys associated with the financial transactions. There are several well-established requirements for PIN and transaction cryptography and key management.

PCI DSS IMPLEMENTATION FOR ATM NETWORK


PCI DSS addresses the security of cardholder data that is stored, processed, or transmitted.

The PCI Security Standards Council has defined and specified a set of requirements that merchants and service providers handling such sensitive data must implement. PCI DSS defines a set of 12 (twelve) high-level requirements, which address six main areas:

- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

Understanding the PCI Framework for ATM Software

The Payment Card Industry Security Standards Council (PCI SSC) is an open global forum comprised of the five global payment brands: American Express, JCB, Discover Financial Services, MasterCard Worldwide, and Visa Inc. PCI SSC was launched in 2006 and is responsible for the development, management, education, and awareness of the PCI Security Standards.

PCI DSS : Goals & Requirements


GOAL: Build and maintain a secure network
REQUIREMENTS:
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters

GOAL: Protect cardholder data
REQUIREMENTS:
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks

GOAL: Maintain a vulnerability management program
REQUIREMENTS:
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications

GOAL: Implement strong access control measures
REQUIREMENTS:
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data

GOAL: Regularly monitor and test networks
REQUIREMENTS:
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes

GOAL: Maintain an information security policy
REQUIREMENTS:
12: Maintain a policy that addresses information security for employees and contractors

PCI DSS : Requirements With CIA Principles


PCI DSS : Goal 1


PCI DSS : Goal 2


PCI DSS : Goal 3


PCI DSS : Goal 4


PCI DSS : Goal 5


PCI DSS : Goal 6


ATM Environment with PCI DSS Setup


What can be Done to the ATM to Comply with future PCI ATM Requirements?
- Provide PCI-certified EPPs, and use them for both PIN entry and the entry of cryptographic data, such as encryption keys
- Provide anti-skimming card reader devices
- Provide a shield over PIN pads
- Develop secure applications, following the PA-DSS standard
- Provide two-factor authentication to the ATM, or enforce strong password management
- Install, configure and maintain a firewall and firewall rule set on the ATM
- Provide for secure communication from the ATM to the financial host. An SSL implementation in native mode is appropriate; another option is to support IPsec
- Protect the communication link from the card reader to the system, or use an encrypting card reader
- Protect the communication link from the EPP to the processor. If it is a USB connection, make sure that a USB sniffer can't be introduced into the channel to read the encrypted PIN blocks
- Develop or install a third-party integrity application to prevent the insertion of malware
- Protect audit and log files from alteration or deletion

Lifecycle of ATM Operational Software


Lifecycle security covers everything from development through deployment to the continual maintenance of the systems in question


System Security Definition


The most crucial aspect is the interconnection of the payment applications:

a) the ATM application
b) the switch

However, the scope of the system security definition needs to include all technologies, processes and people that are part of the system and could be vulnerabilities.

ATM Risk and Vulnerability Assessment


With the ATM security scope defined, the next step is to create a risk register that considers all potential vulnerabilities of the ATM system. Vulnerabilities are then rated high, medium or low in two dimensions: potential damage and probability of attack.

This rating schema quickly provides an indication of the greatest potential dangers to the ATM system. For greatest effectiveness, the process should not focus deeply on numbers but more on discussion of potential risks and their probability of occurrence.

ATM System Security Policies


From the risk register, an ATM system security policy can be developed, or an existing policy updated, with reference to relevant standards (PCI and other security guidelines) and best practices.

E.g.
i.) all passwords should be changed from the manufacturer's defaults
ii.) hard disks cleaned at end of life
iii.) encryption keys managed securely
iv.) encrypted communications, etc.

ATM System Security Testing


Once ATM system security policies have been created and introduced, the ATM system should be tested to ensure that the identified vulnerabilities are mitigated.

Testing should span all potential vulnerabilities, including:

- Penetration testing of the ATM software
- Wireless router security settings

Intrusion Detection and Response


This is the final phase, which covers the ongoing function of monitoring the system for signs of intrusion.

Monitoring could be accomplished through automated detection systems, or perhaps random audits of technology and process.

Additionally, intrusion detection should have a documented process for response if an attack is identified, including task and personnel assignments, so that resources can be mobilized immediately.

ATM Software Defense System: Firewalls, Anti-Virus, Port Protection and Patching
For ATMs communicating through a shared or outsourced network, a local firewall is necessary. Firewalls can be implemented in software as part of the ATM's operating environment, or in a hardware device located in or next to the ATM. A software-based firewall has the most security, as it cannot be compromised through physical access alone.

Endpoint security tools that include firewalls and anti-malware also provide port protection options.

A system for patching ATM software is required. Once the number of ATMs in an estate reaches any significant number, a central software distribution tool will reduce expenses while protecting the integrity of the ATMs and preventing downtime.

Encryption & Key Loading Best Practices


Central management of an encryption system is necessary to handle key management, revocation and assignment. Best practice is to load encryption keys into the encrypting PIN pad (EPP) through remote key management.

The role of key management is to ensure that the key remains secret throughout its lifecycle. The principles of segregated roles and access, along with maintaining high levels of integrity through all stages, are enforced using robust key management processes.

ATM Password Policy


Vulnerabilities of ATMs to insider fraud arising from a weak password system include:

- Leaving passwords set at the manufacturer's default
- Allowing the same password to be used for multiple ATMs
- Accessing the service password prompt without an additional layer of security
- Resetting passwords without affecting the current programming

Best practices for password security include:

- If more than one entity/person is servicing an ATM, establish a unique master password, then passwords and unique IDs based on roles
- Set a strong and unique password for all accounts, especially the administrator account
- Change passwords every 90 days, or within a reasonable period based on service timing
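The weaknesses listed above can be audited mechanically across an estate. The following added example (not from the presentation or from NCR) checks a constructed ATM account inventory for manufacturer defaults, passwords shared between ATMs, a service prompt without a second factor, and passwords older than 90 days; the inventory, the DEFAULT_DIGESTS placeholder list and the `second_factor` field are all assumptions of the example.

```python
"""Audit of ATM service-account passwords against the weaknesses listed on
this slide: manufacturer defaults, one password shared across ATMs, a service
prompt with no second factor, and passwords older than 90 days.

Added example, not from the presentation. The inventory is constructed sample
data; passwords are held only as SHA-256 digests so that default and shared
passwords can be detected without handling clear text. The digests in
DEFAULT_DIGESTS stand in for a real list of vendor defaults.
"""
import hashlib
from datetime import date


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Placeholder digests of manufacturer default passwords (constructed values).
DEFAULT_DIGESTS = {_digest("vendor-default-1"), _digest("123456")}

# Constructed inventory: one record per ATM service account.
INVENTORY = [
    {"atm": "ATM-001", "role": "supervisor", "digest": _digest("vendor-default-1"),
     "changed": date(2010, 1, 10), "second_factor": True},
    {"atm": "ATM-002", "role": "service", "digest": _digest("Corr3ct-H0rse!"),
     "changed": date(2010, 3, 1), "second_factor": False},
    {"atm": "ATM-003", "role": "service", "digest": _digest("Corr3ct-H0rse!"),
     "changed": date(2010, 3, 20), "second_factor": True},
    {"atm": "ATM-004", "role": "supervisor", "digest": _digest("uniqu3-Pa55!"),
     "changed": date(2010, 4, 1), "second_factor": True},
]


def audit(inventory, today: date, max_age_days: int = 90):
    """Return sorted (atm, finding) pairs for every policy violation."""
    findings = []
    atms_by_digest = {}
    for rec in inventory:
        if rec["digest"] in DEFAULT_DIGESTS:
            findings.append((rec["atm"], "manufacturer default password"))
        if (today - rec["changed"]).days > max_age_days:
            findings.append((rec["atm"], f"password older than {max_age_days} days"))
        if rec["role"] == "service" and not rec["second_factor"]:
            findings.append((rec["atm"], "service prompt reachable without second factor"))
        atms_by_digest.setdefault(rec["digest"], set()).add(rec["atm"])
    # The same digest on more than one ATM means one password opens several machines.
    for atms in atms_by_digest.values():
        if len(atms) > 1:
            for atm in atms:
                others = ", ".join(sorted(atms - {atm}))
                findings.append((atm, f"password shared with {others}"))
    return sorted(findings)


if __name__ == "__main__":
    for atm, finding in audit(INVENTORY, date(2010, 4, 15)):
        print(f"{atm}: {finding}")
```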

Summary of Checklist of Recommendations for ATM Software Security


