Tope Dare
Sales & Marketing Manager NCR (Nigeria)
Perpetrators migrate
No ATM estate is 100% secure
Knowledge is critical
Intelligence is critical
Planning is imperative and essential
1,459 ATMs were robbed throughout Europe during the first half of 2009, equaling 4.5 crimes or attacks annually for every 1,000 ATMs
According to police records in Lithuania, 26 ATMs were robbed from November 2007 to November 2008, equalling 18 crimes per thousand ATMs (Lithuania has 1,471 ATMs).
In the past, criminals targeted the big banks such as Bank of America and Citibank. Technology advances have made it easier for criminals to obtain both the card PIN and the sensitive data held in the magnetic stripe. Gangs will place realistic-looking false fascias containing magnetic stripe readers on the front of genuine ATMs to collect information, and install minicams masquerading as security cameras in order to record PINs as they are entered on the ATM keypads.
Insider threats are an emerging risk with potential for significant account data compromise.
ATM deployers need a risk management strategy that minimizes reputational damage and financial losses due to ATM crime:
Transaction reversal
Cash trapping
Card trapping
Deposit manipulation
[Chart: industry priorities (Cost Reduction, Managing Operations, Manage Cost & Control Risk, Regulatory Compliance, Multivendor Strategies, Intelligent Deposit & Truncation, Consumer Intimacy & Personalization, Customer Experience & Loyalty, Grow Revenue & Improve Service); the percentage values are not recoverable from the slide.]
Card Theft
Globally, we have seen a migration away from card theft to more sophisticated attacks, particularly SKIMMING; the trend is beginning to reverse with the introduction of EMV card technology.
Card Trapping
Card Swapping
Honey Trap
Card trapping devices are inserted within the card reader module and allow the card to be entered by the consumer, but then hold it so that it is not returned.
Wire Loop
Dental Floss
Metal Wire
Match Stick
Lebanese Loops were first discovered in Venezuela in the early 1990s, when the most common design was made from X-ray film and attached with super-glue. The colour of the Lebanese Loop makes it difficult for a consumer to notice.
a.) The success of the attack depends upon the strength of the glue and the loop itself.
b.) The length of the loop determines whether the card is read by the ATM or not. If the loop is long enough to allow the card to be read, most applications will present the PIN entry screen.
The Victim
Here we see the next client using the ATM, after the trap has been set
The customer is confused, asking himself: why has my card been confiscated? However, here we see the cavalry coming to help (help?).
He not only has the card, he also has the PIN the chump provided unknowingly.
The Escape
In possession of the card and the PIN, he leaves the ATM with $4,000 from the victim's account.
The Trap
The trap is made of X-ray film, the material preferred by thieves, simply because of its black colour, which is similar in appearance to
Invisible
Once the ends are firmly glued and fixed to the slot, it is almost impossible to detect by unsuspecting clients.
Romanian Loop
Romanian Loops use VHS or audio tape and a simulated card entry slot to attach and disguise the loop. A plastic flap is used that allows the card to be entered but closes up and prevents the card from being returned.
Data Compromise
An alternative to obtaining the physical card is obtaining the card data. Card skimming means copying the Track 2 information on the magnetic stripe of the card. Skimming exploits the fundamental weakness of magnetic stripe technology. Track 2 is the most commonly used track for international and domestic transactions and is usually the target of skimming attacks. Skimming at and around the ATM location is perpetrated in many ways:
i. Door access
ii. ATM card reader
a.) Swipe
b.) Dip
c.) Motorized
Wireless Cardreader
Detects the presence of foreign devices placed over or near an ATM card reader slot.
Provides a full range of ATM card trapping, tamper and false-front protection.
Helps protect the integrity of cardholders' personal financial information during ATM transactions.
Can integrate with alarm detection and surveillance systems for layered protection.
For online communication, the 3DES standard strengthens the encryption algorithm used to protect the secrecy of the PIN as it is sent from the ATM to the bank for verification.
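What the EPP actually 3DES-encrypts is a PIN block, not the bare PIN; the following is an added example (not NCR code) of the standard ISO 9564-1 format 0 block, showing why the block is bound to the card's PAN and how the host recovers the PIN after decryption. The PAN and PIN values are constructed samples.

```python
# ISO 9564-1 format 0 PIN block: the clear structure an ATM EPP builds
# and then 3DES-encrypts under the PIN key before sending it to the host.
# Added example; sample PAN/PIN are constructed, not real card data.

def _pin_field(pin: str) -> bytes:
    """Nibble 0 = format '0', nibble 1 = PIN length, then PIN digits,
    padded with 'F' nibbles to 8 bytes."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def _pan_field(pan: str) -> bytes:
    """'0000' followed by the rightmost 12 PAN digits, check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])

def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear 8-byte PIN block = PIN field XOR PAN field. Binding to the PAN
    means the same PIN gives a different block for every card, so a captured
    encrypted block cannot simply be replayed against another account."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))

def recover_pin(block: bytes, pan: str) -> str:
    """Inverse step the host performs after 3DES decryption of the block."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]

if __name__ == "__main__":
    pan, pin = "4321987654321098", "1234"   # constructed sample values
    block = format0_pin_block(pin, pan)
    print(block.hex().upper())              # clear block; only secret once encrypted
    print(recover_pin(block, pan))
```

The block printed here is still clear text; its secrecy on the wire comes entirely from the 3DES encryption applied by the EPP, which is why the slide ties PIN confidentiality to that algorithm.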
The theft has seriously damaged the store, which remains closed as it undergoes structural checks.
Denomination Fraud
This involves changing the configured value of the notes/cash to a lower value, both on the ATM and on the switch, e.g. a $100 cassette configured as $20.
Withdrawal result: a request for $100 = 5 x $100 notes = $500 dispensed.
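Because the attack changes the configuration on both the ATM and the switch, transaction logs alone look consistent; the mismatch only shows against the physical load record. The following added example (not NCR code) reconciles each cassette's configured note value against the value on the cash-load sheet and flags the shortfall for the $100-as-$20 case above; cassette names and amounts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Cassette:
    cassette_id: str        # constructed label, not a real device id
    configured_value: int   # note value the ATM and switch believe is loaded
    loaded_value: int       # note value recorded on the cash-in-transit load sheet

def plan_dispense(amount: int, cassette: Cassette) -> int:
    """Number of notes the ATM picks for a request, using its configured value."""
    if amount <= 0 or amount % cassette.configured_value:
        raise ValueError("amount not dispensable from this cassette")
    return amount // cassette.configured_value

def reconcile(cassette: Cassette, withdrawals: List[int]) -> Dict[str, int]:
    """Compare what the switch debited with what physically left the cassette."""
    notes = sum(plan_dispense(a, cassette) for a in withdrawals)
    debited = sum(withdrawals)                 # posted to customer accounts
    dispensed = notes * cassette.loaded_value  # true value of the notes picked
    return {
        "notes": notes,
        "debited": debited,
        "dispensed": dispensed,
        "shortfall": dispensed - debited,      # > 0 means cash left unaccounted
        "config_mismatch": int(cassette.configured_value != cassette.loaded_value),
    }

def find_denomination_fraud(cassettes: List[Cassette],
                            withdrawals_by_cassette: Dict[str, List[int]],
                            tolerance: int = 0) -> List[str]:
    """Cassette ids whose dispensed value exceeds the debited value."""
    return [c.cassette_id for c in cassettes
            if reconcile(c, withdrawals_by_cassette.get(c.cassette_id, []))["shortfall"] > tolerance]

if __name__ == "__main__":
    # Constructed sample: cassette A holds $100 notes but is configured as $20.
    tampered = Cassette("A", configured_value=20, loaded_value=100)
    honest = Cassette("B", configured_value=100, loaded_value=100)
    print(reconcile(tampered, [100]))   # 5 notes, debited 100, dispensed 500
    print(find_denomination_fraud([tampered, honest], {"A": [100], "B": [100, 300]}))
```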
ATMs are becoming vulnerable to new and more numerous threats from both internal and external sources with the ever-increasing use of open architectures/environments:
i. Microsoft operating systems
ii. Broadband leased TCP/IP networks
iii. Semi-commercial off-the-shelf (COTS) software systems
iv. Non-proprietary communication protocols
v. Increased use of Internet technology
Experience has shown that security breaches or failures can have a dramatic effect on customers' willingness and confidence in using ATMs.
The ATM industry would be impacted by diminished transactions and increased flow to other, more expensive channels of cash availability, for example teller operations, or even a loss of customers.
Emerging Threats:
- Zero-day attacks
- Buffer overflows
- Code injection
- Application exploits
Numerous factors must be taken into consideration: ATM certification, staging and deployment, access control, connectivity and communication, operations management and monitoring, software management, continuity and disaster recovery, etc.
A key factor for any future ATM software policy is to take PCI into account.
(b) Integrity is the ability of the system to continue to function in the way intended. It requires protection against tampering with the system.
(c) Availability is the ability of the system to remain in operation during expected time periods and with acceptable levels of service. It requires protection against denial of service.
The Payment Card Industry Security Standards Council (PCI SSC) is an open global forum comprised of the five global payment brands: American Express, JCB, Discover Financial Services, MasterCard Worldwide, and Visa Inc. PCI SSC was launched in 2006 and is responsible for the development, management, education, and awareness of the PCI Security Standards.
REQUIREMENTS
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security for employees and contractors
Implement strong access control measures
Regularly monitor and test networks
Maintain an information security policy
What can be Done to the ATM to Comply with future PCI ATM Requirements?
Provide PCI-certified EPPs, and use them for both PIN entry and the entry of cryptographic data, such as encryption keys.
Provide anti-skimming card reader devices.
Provide a shield over PIN pads.
Develop secure applications, following the PA-DSS standard.
Provide two-factor authentication to the ATM, or enforce strong password management.
Install, configure and maintain a firewall and firewall rule set on the ATM.
Provide for secure communication from the ATM to the financial host. An SSL implementation in native mode is appropriate; another option is to support IPsec.
Protect the communication link from the card reader to the system, or use an encrypting card reader.
Protect the communication link from the EPP to the processor. If it is a USB connection, make sure that a USB sniffer can't be introduced into the channel to read the encrypted PIN blocks.
Develop or install a third-party integrity application to prevent the insertion of malware.
Protect audit and log files from alteration or deletion.
However, the scope of the system security definition needs to include all technologies, processes and people that are part of the system and could be vulnerabilities.
This rating schema quickly provides an indication of the greatest potential dangers to the ATM system. For greatest effectiveness, the process should not focus deeply on numbers but more on discussion of potential risks and their probability of occurrence.
E.g.
i.) all passwords should be changed from manufacturers' defaults
ii.) hard disks cleaned at end of life
Monitoring could be accomplished through automated detection systems, or perhaps random audits of technology and process
Additionally, Intrusion Detection should have a documented process for response if an attack is identified, including tasks and personnel
ATM Software Defense System: Firewalls, Anti-Virus, Port Protection and Patching
For ATMs communicating through a shared or outsourced network, a local firewall is necessary. Firewalls can be implemented in software as part of the ATM's operating environment, or in a hardware device located in or next to the ATM. A software-based firewall has the most security, as it cannot be compromised through physical access alone.
Endpoint security tools that include firewalls and anti-malware also provide port protection options.
A system of patching ATM software is required. Once the number of ATMs in an estate reaches any significant number, a central software distribution tool will reduce expenses while protecting the integrity of the ATMs and preventing downtime.