Saturday 14 January 2012

ATM Security Part 2: Trapping and Skimming

Criminals attack ATMs on two fronts. One thief sees a big box of money, another sees financial data. In this second post, I will be looking at skimming and its countermeasures.


ATM fraud is often conducted right under your nose. The most basic fraud is trapping, an old method revived in recent years as a response to increased security measures. One version, the 'Mousetrap', sees a fake front placed over the cash dispenser to trap withdrawals. The 'Lebanese Loop' uses a device with a small piece of wire or film placed over the card slot to keep the card from being withdrawn. The PIN is observed by a camera and, as the victim goes into the bank to report the problem, the thief steals the real card for later use. More sophisticated is 'Skimming'. Here, the criminal places a magnetic stripe reader over the card slot to record the card's data, again using a camera for the PIN. A clone of the card can then be made for cash withdrawals and shopping sprees.


So what security features are being implemented to counter this problem?
The most visible countermeasure is EMV, also known as Chip and PIN. This card system verifies payments with an integrated chip, which is considerably more secure than the magnetic stripe. The system has been rolled out across the EU, Canada, Mexico and many others. This doesn't include the USA, where the cost of overhauling payment systems is estimated at $10 billion. Because cards need to work internationally, all EMV cards still carry the magnetic stripe. Card data stolen in EMV countries is simply sent to a country without the technology.
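The magnetic stripe fallback described above is something an issuer can watch for. The sketch below is an added example, not code from this post or from any card scheme, and it goes a step beyond the text: it reads the service code from ISO/IEC 7813 track 2 data (a first digit of 2 or 6 means the card carries a chip) and flags stripe reads of chip cards. The `Auth` record, its field names, the country set and the card numbers are constructed for illustration.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$")
CHIP_SERVICE_DIGITS = {"2", "6"}   # first service-code digit: chip present

# Constructed samples using a well-known test PAN, not real card data.
SAMPLE_CHIP_CARD = ";4111111111111111=15122010000000000?"    # service code 201
SAMPLE_STRIPE_CARD = ";4111111111111111=15121010000000000?"  # service code 101
EMV_COUNTRIES = {"GB", "NO", "CA", "MX"}   # assumed list for the example


@dataclass
class Auth:
    """Hypothetical authorisation record; not a real message format."""
    track2: str
    entry_mode: str         # "chip" or "magstripe" (assumed field)
    terminal_country: str
    issuer_country: str


def card_has_chip(track2: str) -> bool:
    """True when the stripe itself says the card was issued with a chip."""
    m = TRACK2.match(track2)
    if m is None:
        raise ValueError("malformed track 2 data")
    return m.group(4)[0] in CHIP_SERVICE_DIGITS


def risk_flags(auth: Auth, emv_countries=EMV_COUNTRIES) -> list:
    """Flag stripe reads of chip cards, and their use abroad without EMV."""
    flags = []
    if auth.entry_mode == "magstripe" and card_has_chip(auth.track2):
        flags.append("chip card read by stripe")
        abroad = auth.terminal_country != auth.issuer_country
        if abroad and auth.terminal_country not in emv_countries:
            flags.append("stripe-only use abroad in non-EMV country")
    return flags


if __name__ == "__main__":
    print(risk_flags(Auth(SAMPLE_CHIP_CARD, "magstripe", "US", "GB")))
```

A flag here is a signal for review or step-up checks rather than proof of cloning, since a damaged chip also produces a stripe read.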


The other option is to upgrade ATMs themselves. Technology for fingerprint-verified transactions exists today, but banks don't have the money to replace their machines and cards due to the poor economy. The only viable option is to use retrofitted kits such as TMD Security's Card Protection Kit (CPK). The CPK is compatible with all makes and models and cannot be seen from the outside of an ATM. It creates an electromagnetic field over the card slot, disabling skimmers while allowing transactions to continue. It can detect when materials such as plastic, iron, paper or wood have been placed onto the machine, or when it is being tampered with by a drill or other tools. It even has an anti-trapping function where the machine will retain the card under predefined conditions. CPK has been installed in 100,000 machines worldwide including all of Norway, where trapping and skimming are now non-existent.


Next installment in ATM Security: Malware


Sources:
http://www.tmdsecurity.com/Products?

http://www.atmmarketplace.com/whitepapers/1793/Anti-skimming-Technology-and-EMV-for-the-ATM
http://www.alderleyedge.com/news/article/4170/cash-machine-fraud-hits-alderley
Wikipedia: ATM, Lebanese Loop, EMV

Friday 13 January 2012

Small Time Crime - Online Blackmail

Many people breaking the law are not hardened criminals but part-timers, making a little cash on the side. In this series of articles, I show you the small time scams and how to avoid getting stung.

Cam sex is booming, with thousands of men going online nightly, looking for a woman to cam with. The disproportionate ratio of men to women is something the blackmailer takes advantage of. Using feminine names on chat sites such as Yahoo, he chats to men online and goes on cam with them, playing footage of an attractive girl through free software such as ManyCam. He records footage of the victim masturbating on cam and threatens to send it to people the victim knows via their Facebook page.

How do I guard against this?
1. Don't wank on cam. Abstinence is your best protection.
2. Don't accept files via messenger. Blackmailers will send you malware dressed as a picture to find your contact information. Simply a name and an IP address can be enough to track somebody down.
3. Don't use your Facebook email to chat. Emails are searchable on Facebook and will lead a blackmailer straight to you. Furthermore, don't reuse the first half of your address with a different provider, e.g. your email is james@gmail.com and you sign into Yahoo chat as james@yahoo.com.
4. Don't give out your email. Seems obvious but the extortionist may ask you for your information to set up another cam date.

Following these steps should keep you safe in your online chat endeavours.

ATM Security Part 1: Physical Access

Criminals attack ATMs on two fronts. One thief sees a big box of money, another sees financial data. In this post, I will be dealing with the security of physical access.

With freestanding ATMs holding as much as $20,000, they make an attractive target for attack. The most common is the "smash and grab", where the attacker removes the entire machine with a truck and rope.



American Special Risk is a company that insures ATMs. Of the 300 claims it covers annually, 80% involve the entire machine being removed, with an average payout of $15,000. Thieves trying to open the safe on site will attack with heavy duty tools or explosive gas such as oxyacetylene, normally used as welding fuel. Alternatively, staff with the safe combination can either access the money for themselves, or be coerced through bribery or threat of harm.

Security measures centre around four features: installation, safe strength, lock strength and recovery. With ATM prices ranging from $2,000 to $10,000, the standard of protection varies greatly between machines.

Installation
All ATMs are installed with a concrete base. Though secure enough not to be carried off, concrete alone is no match for a powerful truck. A good quality installation will include steel rods on the base of the ATM buried deep into the ground. This has proved successful in countering smash and grab attacks.

Safe Strength
ATM safes come in two flavours: business hours and UL291 Level 1. Business hour safes are relatively weak, designed for when staff are in visual contact with the machine, with the money being stored in a stronger safe overnight. These are typical for smaller retail outlets and bars. Underwriters Laboratories is a testing and certification organisation and its 291 standard certifies an ATM safe to be suitable for 24 hour unsupervised storage. These are considerably stronger and can withstand heavy duty attacks for up to ten minutes, by which time police would likely be on the scene. A good quality installation and safe make the machine invulnerable to ram raids, and only gas attacks have any chance of success.

Lock Strength
No matter how strong your safe, somebody needs to have the code. Entry level ATMs come with simple dial locks. These are largely mechanical and have only one combination, making inside jobs easy and anonymous. More costly electronic locks can be programmed with multiple codes, one for each staff member, as well as duress codes that will open the safe but set off an alarm at a control centre. Top of the line are Cencon locks, designed to operate as part of a wider computerised system of machines with features such as one-time access codes for single use by armoured cash replenishers. These are used only by the largest chain outlets and banks.
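To show why per-person, duress and one-time codes matter, here is a toy model of the electronic lock behaviour described above. It is an added example, not any vendor's design and not how Cencon locks are implemented; the class, method names, users and codes are all constructed for illustration.

```python
import hashlib
import hmac
import os


def _digest(salt: bytes, code: str) -> bytes:
    # Store a salted, slow hash instead of the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


class SafeLock:
    """Toy electronic safe lock: per-user, duress and one-time codes."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.codes = []   # (digest, user, kind); kind: normal/duress/one_time
        self.audit = []   # (user, kind, opened): who opened the safe and how

    def enrol(self, user: str, code: str, kind: str = "normal") -> None:
        self.codes.append((_digest(self.salt, code), user, kind))

    def try_open(self, code: str) -> dict:
        candidate = _digest(self.salt, code)
        match = None
        for entry in self.codes:   # check every entry, constant-time compare
            if hmac.compare_digest(entry[0], candidate):
                match = entry
        if match is None:
            self.audit.append((None, "rejected", False))
            return {"opened": False, "alarm": False, "user": None}
        _, user, kind = match
        if kind == "one_time":
            self.codes.remove(match)   # single use: a second attempt fails
        self.audit.append((user, kind, True))
        # A duress code opens the safe as normal but raises a silent alarm.
        return {"opened": True, "alarm": kind == "duress", "user": user}


def build_demo_lock() -> SafeLock:
    """Constructed sample enrolment used to exercise the model."""
    lock = SafeLock()
    lock.enrol("alice", "482913")
    lock.enrol("alice", "482914", kind="duress")
    lock.enrol("courier-17", "907755", kind="one_time")
    return lock


if __name__ == "__main__":
    demo = build_demo_lock()
    for attempt in ("482913", "482914", "907755", "907755"):
        print(demo.try_open(attempt))
```

Unlike a dial lock's single shared combination, every entry in `audit` names a user, which is what removes the anonymity of an inside job.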

Recovery
If all fails, dye packs and GPS can be used to render the cash useless and track the thief. However, these have not been as widely adopted as one might expect. Dye packs rely on radio transmitters and magnetic plates to operate, installation costing around $3000 and each pack around $400. GPS devices require a direct line of sight to a satellite and fail if encased too deep inside the machine or if kept in an enclosed space. While more advanced GPS systems that bypass these problems are on the market, these go for around $2000. Price alone puts both of these systems out of reach of the small business owner.

You get what you pay for. Cheap machines are a low-risk, low-reward target for thieves while top of the line systems survived Hurricane Katrina. Most owners will settle somewhere in between, leaving ATMs a popular choice for the determined, professional criminal.