BreachExchange mailing list archives

Why ATM Fraud Will Continue to Grow


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 16 Oct 2015 13:43:51 -0600

http://www.databreachtoday.com/blogs/atm-fraud-will-continue-to-grow-p-1955

ATM fraud losses are increasing globally, and we can expect to see this
trend continue as the U.S. ramps up its migration to EMV at the point of
sale.

ATMs and other self-service payments devices, such as pay-at-the-pump gas
terminals, have always been prime targets for criminals. These unattended
terminals are easy to compromise with card skimmers and well-placed cameras
designed to capture PINs as they're entered on PIN pads.

A new report from the European ATM Security Team shows that global ATM
fraud losses increased 18 percent to €156 million (U.S. $177.5 million) in
the first half of this year, compared to the same period a year ago. EAST
attributes much of that increase to an 18 percent rise in global
card-skimming losses, which account for €131 million (U.S. $149 million) of
that total.

What's more, most of those ATM fraud losses are being reported within
non-EMV-compliant markets, such as the United States and the Asia-Pacific
region, particularly Indonesia, EAST notes.

"International skimming losses have risen for the past four reporting
periods [two years], and EAST is working closely with Europol to raise
awareness of this issue in Asia-Pacific and the Americas," says Lachlan
Gunn, executive director of EAST. Gunn will address some of these
international trends Oct. 27 at Information Security Media Group's Fraud
Summit in London.

Fraud Migration

Everyone talks so much about a migration to card-not-present fraud once EMV
is in widespread use at the point of sale at U.S. merchants. But we forget
that fraud is migrating to self-service channels, too, where EMV is not yet
used.

And fraudsters aren't just targeting ATMs. At the recent National
Association of Convenience Stores convention in Las Vegas, I heard reports
that pay-at-the-pump attacks are also on the rise.

One reason why attacks are up at ATMs, as well as gas pumps, is that the
EMV liability shift date for these devices is later, so magnetic-stripe
transactions at those devices remain the norm, at least for now.

While the liability shift date for U.S. merchants was Oct. 1, Visa's and
MasterCard's EMV liability shift date for self-serve gas pumps is not until
Oct. 1, 2017. For ATMs, the liability shift is Oct. 1, 2016, for MasterCard
and Oct. 1, 2017, for Visa.

Getting Around EMV

Meanwhile, fraudsters are using techniques that will prove effective at
self-service channels even after the EMV rollout for these devices is
complete.

Card-trapping attacks were up 18 percent from the first six months of 2014
to the first six months of 2015, according to EAST. This type of fraud
involves "trapping" a card in the ATM's card reader, so that a user thinks
the ATM has malfunctioned and has "eaten" his card. In reality, a fraudster
has manipulated the card reader to trap the card so he can retrieve it
later. EMV cards are not immune to this type of attack, especially if the
PIN also is compromised by a well-placed camera.

Also on the upswing, according to EAST, are attacks involving ATM malware,
such as Carbanak, which compromise the ATM's software and operating system.

Commonly known as "jackpotting" attacks, these malware attacks command ATMs
to dispense cash without the need for a card. While we first heard about
this type of attack impacting ATMs in Eastern Europe, jackpotting has since
been identified in the U.S. and other parts of the world (see Alert: Indian
ATMs Face New Attacks).

As EMV for debit transactions becomes commonplace, fraudsters will move
from skimming to shimming attacks, which have already popped up in Mexico.
In these attacks, a shimmer is placed inside the ATM's card reader to
intercept and capture communications between the chip card, once inserted,
and the ATM's EMV kernel. Because card numbers on EMV chips are not
encrypted, shimmers can capture that data, along with the PIN, if a camera
also is installed near the PIN pad.

ATMs: Prime Targets

Unattended ATMs will continue to be among fraudsters' favorite targets. The
best way to guard against ATM attacks is to regularly inspect devices for
skimming and shimming devices and frequently test ATM software.

Banking institutions also should regularly review transaction logs for
suspicious activity. Inspection of logs is what clued banks into some of
the early jackpotting attacks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
