the risk management blog

2013 U.S. ATM Fraud Forecast

by Lowers & Associates | March 14, 2013

According to the Nilson Report, the world’s leading source of news and proprietary research on consumer payment systems, the United States currently accounts for 47 percent of global credit and debit card fraud even though it generates only 27 percent of the total volume of purchases and cash. Payment card fraud losses totaled $3.56 billion in 2010 in the U.S. from all general purpose and private label, signature, and PIN payment cards.

Unfortunately, ATM fraud will continue to challenge the financial landscape for 2013. Most experts agree it is due to the lack of chip and PIN (EMV) implementation in the U.S. Data from the Europol Payment Card Fraud 2012 Situation Report further illustrates the impact. As European countries continue their EMV migration, skimming losses decrease.

Below is a review of third-party fraud that the payment card industry will most likely encounter in 2013.

Skimming

Skimming will continue to have a big fraud presence at ATMs across the United States this year. Eastern European organized crime will continue to be the driving force. The most commonly used device is a realistic-looking card reader placed over the factory-installed card reader; it scans and stores the cardholder's information as unknowing victims insert their cards to complete a transaction. However, there have been a few isolated cases where criminals have tapped into the card reader to capture the Track II data from the magnetic stripe on the victim’s card. This data contains the primary account number, country code, and card expiration date. But again, these have been isolated cases and currently should not drive major concern.

PREVENTION/MITIGATION

Both your ATM servicer and replenishment team should have written procedures to check for these devices when servicing your terminals. They should also receive training on what to look for and what to do if a skimming device is discovered.

Educate your customers; they are your first line of defense. Everything from flyers to splash screens can assist your customers and aid in a safe transaction.

Card Trapping

The card trapping technique has been around since 1994, with the introduction of the “Lebanese Loop”, an ATM fraud device that retains the customer’s card. With the introduction of new tools, which have been devised to defeat and sometimes emulate the look of modern card readers, this fraud method is back on the rise. Capturing the card in a low-tech manner is the appealing part of this scheme, but since the device can only capture one card at a time, it has limited appeal to organized crime. Therefore, this activity will likely be present, but have only a small impact.

PREVENTION/MITIGATION

Work with your ATM servicer to ensure they are closely inspecting the ATM at each service, particularly for card reader faults, and reporting any unusual findings. Educate your customers in areas where this activity is occurring, encouraging them to immediately report and deactivate cards out of their control to minimize the chance of losses.

Cash Trapping

Similar to card trapping, cash trapping using cash claws is the trend frustrating terminal owners in Europe. According to the European ATM Security Team (EAST), millions of dollars are being lost to this latest gadget in the criminal toolbox. The “claw” blocks the currency from being dispensed to the customer and allows the perpetrator to retrieve their reward after the frustrated consumer departs.

At least one major ATM manufacturer has developed a countermeasure to thwart these attacks, but there are low-tech repurposed devices that yield similar results, and there are no known security enhancements to stop them. Fortunately, there have been only two reported cases to date in the United States utilizing this method. However, it’s important not to let down one’s guard; this activity is sure to make its way to the U.S. this year.

PREVENTION/MITIGATION

As with skimming, work with your ATM servicer to ensure they are closely inspecting the ATM at each service, particularly for dispenser faults, and reporting any unusual findings. Servicers and customers alike should be on the alert for sticky residue around the exit shutter or cash pocket of the ATM.

Malware

The first malware designed specifically for ATMs surfaced in 2007. A Siberian organized crime faction hired an individual to write a Trojan virus. This heist was performed on as many as 20 ATMs in Ukraine and Russia. The attack marked the beginning of what is now the worst fear for ATM security experts – ATM Malware!

Unfortunately that malware was only the beginning. There have been several other cases, including in the United States. In 2010, a bank employee installed malicious code on his employer’s ATMs and was able to siphon at least $200,000 from the hacked machines before he was caught.

There are two current malware methods known to date – first, malware that hijacks customer information and second, malware that is written to cause the ATM to dispense excessive funds.

Hijacking Malware

This malware is installed on the ATM and steals a copy of the customer’s PIN and card information. As with skimming, it is very lucrative. However, with Payment Card Industry (PCI) requirements for encrypted PIN pads and other safety features for cardholder protection, this attack vector should not be a risk in the United States at this time.

Cash Dispense in Excess Malware

This type of fraud, too, requires significant expertise. It consists of rewriting parts of the ATM software and installing it on the host. Then, a willing subject must go to the ATM with the “trigger card” and perform a transaction to enable the ATM to follow the altered code instructions to present mass quantities of currency to the criminal cardholder. This is a very real threat with the potential for great loss to a terminal owner.

PREVENTION/MITIGATION

On ATMs that rely on Windows operating systems, your network, IT security department, ATM manufacturer, and servicer all need to be working carefully together to ensure a set of best practices is followed, starting with patch management, firewall configuration, and up-to-date virus definitions. Stay on top of any anomalies in your ATM network; an anomaly may be the next red flag for a zero-day attack. This is an area where the question is not if, but when. Be vigilant on this front.

In conclusion, ATMs this year will continue to be a target for criminal enterprise and we will need to work closely together to minimize further damage to the industry. When it comes to fighting ATM crime, we all make better partners than competitors. In the spirit of improving industry security, make this the year you build relationships where you were previously reluctant because those people in your peer group are also your competitors. Communication is an important key to improved ATM security.

 

Authored by: Shawn Strain, Lowers Risk Group Consultant
