DarkyAngel

Bank Fraud & ATM Security


Posted

ATMs Fraud Trends

This is not a thread about "how to steal", but about "how to protect yourself".

According to the latest (2011) survey covering 27 European countries, card skimming is still the most prevalent crime; however, 61% of the European countries reported a decrease, due to the use of anti-fraud devices and the implementation of EMV (Europay, MasterCard and Visa) chip technology in ATMs, which provides two-factor authentication (chip and PIN) and lowers the risk of credential theft.

At the same time, an increase in cash-trapping attacks has been noted, in which the cash-dispensing slot is targeted by fraudsters who replace this ATM component with a fake device.

In the US, ATM fraud is expected to increase. This is due to the transition to EMV in Europe, Asia, Latin America and Canada: EMV chip cards are much more difficult to counterfeit than the magnetic stripe cards still common in the US, so most criminal organizations are likely to view the US as an attractive target.

ATM fraud has become more sophisticated, and the attacks are highly organized. Investments have been made to develop fraudulent devices that take advantage of component trends: miniaturization, storage, Wi-Fi communication and battery life. Organizationally, a business model has developed in which each player (skimmers, developers, mules who collect data and sell the information, and card duplicators) is part of the chain of this underground industry.

Types of ATM Threats

  • Card & currency fraud, which covers attacks conducted to steal cash and/or to steal consumers' card details in order to produce fake cards for fraudulent transactions.
    • Skimming, still the most frequently reported type of attack, uses devices (skimmers) to capture cardholder data from the magnetic stripe, i.e. copying the Track 2 data on the stripe. In general a skimming device is installed over the top of the ATM's card reader, sometimes inside the ATM. The skimmer captures the card data before the ATM's own card reader does; the data is stored and later transmitted to the attackers. Skimming is often combined with other devices, such as cameras and a fake keypad, to capture the PIN.
    • Card trapping aims to retain the consumer's card so that the attacker can use it later; it is combined with the cameras and fake keypad described above.
    • Currency trapping and fishing are used to steal the cash, either through a false dispenser (trapping) or by using wires and probes to prevent the cash from being dispensed (fishing); the attacker retrieves the cash as soon as the consumer leaves the ATM.
    • Transaction reversal: an attempt to create an error condition at the ATM that results in a transaction reversal due to a reported inability to dispense cash.
    • Dummy ATMs: ATMs bought and set up by criminals and installed in pedestrian traffic areas for the sole purpose of reading consumer card data. The machines are powered by batteries or by the nearest power socket.

  • Logical / data attacks
    • These target the ATM's software and operating system; logical attackers include virus authors and hackers who install malware. A logical attack is still one of the most difficult to detect, and its impact can be very high, as it can compromise thousands of consumers' data.
    • Hackers attempt to install malware in order to violate the integrity, confidentiality and authenticity of transaction data. The purpose is to gather cardholder data and to dispense cash. Attacks can be executed either locally or remotely. Local attacks are performed by loading malware from a USB drive connected to the ATM computer, or by using it to sniff the communication between the card reader and the ATM central unit. The system should be locked down to prevent any unauthorized program from running.
    • Remote attacks target the ATM network and attempt to compromise the communication with the host; these attacks are more critical because the hacker does not need to open up the ATM.
    • As knowledge of ATM technology becomes widespread, monitoring systems accessed through web browsers or TELNET give attackers an easy way in: they can hijack ATM management systems and perform management functions.
    • ATM networks are still vulnerable to the same attacks as other IP-based networks. Remote attacks such as eavesdropping, spoofing, denial of service, sniffing and virtual channel theft are almost always carried out by criminal organizations.

  • Physical attacks
    • Physical attacks are usually perpetrated to gain access to the cash and to valuable ATM components such as the safe, the top hat, the presenter and the depositor, or in some cases the entire ATM. Depending on the component targeted, the attacks can be described as follows:
    • Because it contains the cash, the safe is still the most common target. The perpetrator's efforts concentrate on the locks, handles and hinges of the safe. In some cases the top hat is targeted to steal the ATM hard drive, or to attach skimming devices or USB devices used to load malware. The presenter and depositor can be subject to attacks in which perpetrators attempt to reach the ATM's cash (deposits); they use several methods: cutting, drilling, burning devices (torches), pulling the safe door, pry bars, bombs and other explosive devices. Other physical attacks attempt to remove the ATM and move it to another location: ramming the ATM with a car or truck, pulling it with a chain and a car, or lifting it from its foundation with a forklift.

How to Secure Your ATM

Securing the ATM infrastructure has become one of the most challenging tasks. The process requires the involvement of the business, IT and third-party vendors. ATM security is a combination of physical security (how to secure the assets), logical security (how to protect the operating system from malware), and fraud prevention (for example against skimming attacks).

In practice

An ATM security policy should be in place, or a related section should be added to the current security policy. All ATMs should comply with PCI DSS, and all third parties, contractors and providers involved in ATM processing should comply with PCI DSS as well. A regular internal audit should be conducted to ensure compliance with the security policy.

The ATM location should comply with the “Crime Prevention Through Environmental Design” concept which provides guidelines and a set of rules on proper facilities design and environment, which affects human behavior by reducing the occurrence of crimes. It addresses landscaping, entrances, facilities, lighting, road placements, and traffic circulation patterns.

The ATM location should be away from any glass walls and close to a solid wall. There should be no direct vehicle access to the ATM, and bollards should be added to prevent ram raids.

An ATM located in an open, visible area with proper lighting in place helps to deter criminal activity. The ATM should be firmly fixed to its location.

An onsite validation process should be in place to approve the ATM location, involving the key players: the bank or site owner, the ATM vendor, the ATM supplier, the cash replenishment company, and local police intelligence (who can report the crime history of the location). During maintenance, if ATM vault access is needed, the branch or office should be closed and the cash withdrawn and put in a vault for the duration of the maintenance. An intrusion detection system should be in place in all areas where ATMs are located.

The ATM should include its own alarm system and embedded CCTV cameras; the PIN pad must be outside the cameras' field of view, and the CCTV should be connected to a recorder and a centralized monitoring system.

Consumers can protect their PIN by shielding the keypad against shoulder surfing.

Including a GPS unit as an additional ATM component can help to locate it in case of theft; as a compensating control, use active cash protection that destroys the cash with ink, glue or gas.

Include an ATM review in the annual Risk Review

A review process should be in place for audit trails and security notifications, according to the security policies, standards and best practices. The review covers changes to user profiles, all unsuccessful logins or access attempts, the use of privileged user accounts, and all major events such as restarts, stops and changes in execution mode.

Administrators should not connect to ATMs directly from their personal computers or laptops. The PIN must never be transmitted or stored in clear text, regardless of the medium or channel used. ATM network communication should be encrypted using strong encryption (3DES or AES); WEP is prohibited.

Conduct regular ethical hacking tests and vulnerability scans on the ATM network, including testing for the presence of wireless access points; the exercise covers black-box penetration testing, malware analysis and source code review of the ATM's firmware.

All manufacturer default passwords should be changed. A disposal process should be in place for the ATM: the HDD has to be wiped at end of life. Only users with administrator profiles may access ATMs through terminal services. Patch management should be in place and followed before installing any patches or fixes on ATMs; all updates should be tested before being applied in production.

Anti-virus protection should be implemented on all ATMs. Restrict physical access to ATMs, block all unnecessary ports, and protect cables and switches, particularly in shared-occupancy facilities.

Patch installation on an ATM requires disconnecting it from the network and taking it offline during the installation process. To avoid any disruption of customer service, this should be planned in advance.

All data on ATM HDD should be encrypted to prevent any unauthorized access during third party maintenance or in theft cases.

Educate people, employees, consumers and third-party technicians through training, awareness and sharing of best practices; random checks should be conducted by employees, inspecting the card reader for skimming devices during ATM maintenance and cash replenishment.

A detection system should sense, send an alert and/or take the ATM offline when anything is attached to the card reader, keypad or fascia. Keep records of all security complaints. Use jitter technology in the card reader (irregular card motion that defeats a skimmer's read of the stripe) together with behavioral software that can detect and stop transactions which do not match the cardholder's profile.

The responsibilities of third parties, contractors and providers should be clearly defined and stated in the SLA, in case of fraud conducted through the ATM interface software or through installation of unapproved software.

Employees should not have full access to the ATM. Segregation of duties, least privilege and need-to-know access should be followed to mitigate the associated risk. Implement a password policy according to best practices, track all password-sharing cases through regular controls, and be sure to change the default passwords.

Access control should be in place with two-factor authentication. Harden the ATM operating system and disable all unnecessary user accounts (e.g. guest). User accounts should be locked after 3 unsuccessful attempts. Develop an incident response process for identified attacks, with a response plan including tasks and personnel assignments.

Next Steps…

Organizations need to assess and review the risk profile of their ATMs, because threats vary depending on the location, environment, facilities, CCTV, etc. A risk analysis will outline all vulnerabilities and the related countermeasures or compensating controls to reduce and contain the risk, which includes prevention and detection controls.

The first is prevention: through security policies, procedures and baselines; technically, through firewalling and preventing unauthorized equipment from being physically plugged into the ATM; through deterrent controls such as CCTV cameras; and through educating people with awareness training.

The second is detection: monitoring, alert notification, regular log review, and vulnerability assessment.

Physical security, logical security and fraud should not be addressed separately; as attacks become more sophisticated, issues need to be addressed from the physical, logical and fraud perspectives together.

Multilayered security is the most effective. Layered security should be in place: perimeter security through physical access control and firewalls, hardening the ATM's operating system to close all unnecessary ports and make them unavailable to hackers and worms, regular pen testing, a secure maintenance process, and centralized monitoring tools.

Monitoring is still one of the most important steps in securing ATMs. ATM monitoring capabilities provide a set of messages, statuses, notifications and alarms which can be analyzed to identify problems or security concerns, e.g. notification of continual card reader failures might be an indication of a tampering attack.

As the human factor is still the weakest link, employees, consumers and providers should be aware of ATM threats, so an awareness program should be developed and conducted, including presentations, hands-on training using multimedia, formal training sessions, videos, flyers, etc., to ensure broad communication and audience.

A holistic strategy will drive and protect the Automated Teller Machine channel at all levels.

*European ATM Security Team

*InfoSec Resources – Bank Fraud & ATM Security
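The post's monitoring advice (review all unsuccessful logins, lock accounts after 3 failed attempts, and treat continual card reader failures as a tampering indicator) as an added example, not code from the original post or from the EAST / InfoSec Resources sources it cites: a small Python monitor that correlates ATM status events per terminal in sliding windows and raises an alert on a burst of card reader faults, on a burst of failed logins, and, as the failure mode the lockout rule is meant to prevent, on a successful login that follows three or more failures. The log line format, field names, event names, thresholds and window sizes are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Threshold alerting over ATM terminal status events (added example).

Assumed log line format: "<ISO-8601 UTC> <terminal> <EVENT> key=value ..."
Event names, thresholds and windows are illustrative assumptions, not a
real vendor's monitoring protocol.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# event type -> (count threshold, sliding window); assumed values
RULES = {
    # repeated reader faults on one terminal: possible skimmer or card trap
    "CARD_READER_FAULT": (3, timedelta(minutes=10)),
    # the post's "lock after 3 unsuccessful attempts" rule
    "LOGIN_FAILED": (3, timedelta(minutes=5)),
}

# Constructed sample events (not real ATM logs)
SAMPLE_LOG = [
    "2011-06-14T10:02:11Z ATM0123 CARD_READER_FAULT code=21",
    "2011-06-14T10:02:55Z ATM0123 CARD_READER_FAULT code=21",
    "2011-06-14T10:03:40Z ATM0123 CARD_READER_FAULT code=21",
    "2011-06-14T10:04:02Z ATM0777 CARD_READER_FAULT code=21",
    "2011-06-14T10:05:10Z ATM0123 LOGIN_FAILED user=admin src=10.9.8.7",
    "2011-06-14T10:05:15Z ATM0123 LOGIN_FAILED user=admin src=10.9.8.7",
    "2011-06-14T10:05:19Z ATM0123 LOGIN_FAILED user=admin src=10.9.8.7",
    "2011-06-14T10:05:25Z ATM0123 LOGIN_OK user=admin src=10.9.8.7",
    "2011-06-14T11:30:00Z ATM0777 CARD_READER_FAULT code=21",
]


def parse_event(line):
    """Split one log line into (timestamp, terminal, event, fields dict)."""
    ts, terminal, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), terminal, event, fields


def _prune(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


class AtmMonitor:
    """Correlates events per terminal; alerts are (timestamp, terminal, message)."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.bursts = defaultdict(deque)         # (terminal, event) -> timestamps
        self.failed_logins = defaultdict(deque)  # (terminal, user) -> timestamps
        self.alerts = []

    def feed(self, line):
        ts, terminal, event, fields = parse_event(line)

        # Generic burst rule: N events of one type on one terminal inside the window.
        if event in self.rules:
            threshold, window = self.rules[event]
            q = self.bursts[(terminal, event)]
            q.append(ts)
            _prune(q, ts, window)
            if len(q) >= threshold:
                self.alerts.append((ts, terminal, f"{event} x{len(q)} within {window}"))
                q.clear()  # re-arm so one burst yields one alert

        # Lockout check: a success after >= threshold failures means the
        # "lock after 3 attempts" control is not being enforced on that terminal.
        user = fields.get("user")
        threshold, window = self.rules["LOGIN_FAILED"]
        if event == "LOGIN_FAILED" and user:
            fq = self.failed_logins[(terminal, user)]
            fq.append(ts)
            _prune(fq, ts, window)
        elif event == "LOGIN_OK" and user:
            fq = self.failed_logins[(terminal, user)]
            _prune(fq, ts, window)
            if len(fq) >= threshold:
                self.alerts.append((ts, terminal,
                                    f"LOGIN_OK for {user} after {len(fq)} failures: lockout not enforced"))
            fq.clear()

    def run(self, lines):
        for line in lines:
            self.feed(line)
        return self.alerts


def analyze(lines=SAMPLE_LOG):
    """Run the monitor over a list of log lines and return the alerts."""
    return AtmMonitor().run(lines)


if __name__ == "__main__":
    for ts, terminal, msg in analyze():
        print(ts.isoformat(), terminal, msg)
```

On the constructed sample, ATM0123 produces three alerts (a reader-fault burst, a failed-login burst, and the successful admin login after them), while the two faults on ATM0777 are more than an hour apart and stay below the threshold. In a real deployment the thresholds would be tuned per fleet, and a reader-fault alert would trigger a physical inspection of that terminal rather than an automatic shutdown alone.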

Posted (edited)

The whole credit card problem has to be looked at from a different point of view.

There is no such expression as "I have the money on my card". The correct expression is "I have the money in a bank account, to which a card is attached".

Since the money is in a bank account, that bank is obliged to take care of my money. If someone unauthorized accesses my account and empties it by whatever means, I couldn't care less. The bank is obliged to give me back the money I had in the account.

If the bank provides me with an ATM where I can withdraw money and someone has mounted a data copying/reading/stealing system on their ATM, that's not my problem, since it's not my ATM, and I have no desire to fill my memory with images of real ATMs and fake ATMs.

Edited by daatdraqq
Posted

Get CASCO insurance on your credit card and maybe you'll get compensated :)

Come on man, it's not my problem that the bank accepts online payment with the card just by (attention!) typing in the card number + the name written on the card + the 3 digits on the back. That's enormously stupid from my point of view. This data is very easy to find out.

Posted (edited)

Let's be serious though.. let me give you an example:

About a month ago I go to a bank, I won't name it but it's roughly in the top 3 in Romania, to pay a bill. I go into the bank, a queue of 15 people, no air conditioning... I let somebody else hold my place and go outside to smoke. Outside there's also a queue of 5 people at the ATM; two of them finish their business, and with the third, trouble: he inserts the card into the ATM, selects the language, PIN, account, amount, presses enter, and on the ATM screen two windows belonging to the DOS command processor, "cmd.exe", appear, trying to connect to some https links and getting back responses with a pile of errors from their server; the ATM nicely prints the receipt and that's it, displaying those errors (they opened and closed... with no result). The man starts swearing left and right and starts asking the rest of us standing in front of the bank branch whether we know what's going on. We recommend he go inside and ask for an explanation; he goes into the bank and is told he has to wait in the queue :D. The man makes a scene until an employee comes out, looks at the ATM, puzzled, and says to wait because there's a problem on the network. The man explains that a taxi is waiting for him, that he's not from town and has to catch a train and has nowhere to stay overnight in the city... at which point the bank employee calls the central technical office in Bucharest, where he's told he has to restart the ATM; the employee restarts the ATM, after which it boots and gives the same errors; he calls the head office again and is told that there's a major problem and the ATM has to be disconnected from the power supply for a few hours, i.e. shut down, which is what he does. We recommend the man go to another branch in town or to the counter to withdraw the money, which is what he did; I even let him in line in front of me... when he reaches the counter, surprise: the amount he requested had been withdrawn 32 minutes earlier from that same bank's ATM.
Extremely upset, the man makes another scene, security comes and calms him down, after which he gets the answer: wait for a reply from Bucharest, same as us. There were 30 minutes left until the bank closed; I didn't stay to see what happened next, I sorted out my bill and left, but I was left with a bad impression of that bank and of Romanian banks in general.

My conclusion would be that they should first get their systems in order for their customers and only then deal with fraud.

Edited by seby05
