Should you wish to join ATMIA's Anti Skimming portal on www.atmia.com, e-mail Mike Lee, ATMIA's CEO, at mike@atmia.com
Disclaimer
The ATM Industry Association (ATMIA) publishes this best practice manual in furtherance of its non-profit and tax-exempt purposes to enhance protection of the ATM against skimming. ATMIA has taken reasonable measures to provide objective information and recommendations to the industry but cannot guarantee the accuracy, completeness, efficacy, timeliness or other aspects of this publication. ATMIA cannot ensure compliance with the laws or regulations of any country and does not represent that the information in this publication is consistent with any particular principles, standards, or guidance of any country or entity. There is no effort or intention to create standards for any business activities. These best practices are intended to be read as recommendations only and the responsibility rests with those wishing to implement them to ensure they do so after their own independent relevant risk assessments and in accordance with their own regulatory frameworks. Further, neither ATMIA nor its officers, directors, members, employees or agents shall be liable for any loss, damage or claim with respect to any activity or practice arising from any reading of this manual; all such liabilities, including direct, special, indirect or inconsequential damages, are expressly disclaimed. Information provided in this publication is "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or freedom from infringement. The name and marks ATM Industry Association, ATMIA and related trademarks are the property of ATMIA.
Please note this manual contains security best practices and should not be left lying around or freely copied without due care for its distribution and safekeeping.
ATM INDUSTRY ASSOCIATION GLOBAL SPONSORS 2009
Copyright 2009 ATMIA FOR USE BY ATMIA MEMBERS ONLY | All Rights Reserved | www.atmia.com
Table of Contents
Table of Figures  4
Foreword  5
Executive Summary  6
Acknowledgements  10
Chapter 1. Introduction  11
  1.1. A Brief History of Skimming  12
  1.2. What Is Skimming?  12
  1.3. Is Chip and PIN the Answer?  13
  1.4. The Need for Greater Public Communication  14
  1.5. A Call to Action  15
Chapter 2. Classification System for ATM Skimming & PIN-Compromise  16
  2.1. ATM Skimming & PIN Compromise Classification  16
    2.1.1. ATM Skimming Classification (ASK-)  16
    2.1.2. ATM PIN-Compromise Classification (APC-)  21
  2.2. Case Studies: Examples of ATM Skimming Devices  26
  2.3. Codes for ASK and APC Syntax  29
Chapter 3. PCI Guidelines on Preventing Skimming  33
  3.1. What/Who Is PCI?  33
  3.2. The PCI Standards  33
  3.3. How Do the PCI Standards Address Skimming?  35
Chapter 4. Best Practices for Preventing Capture of Magnetic Stripe Data During ATM Transactions  38
  4.1. Protection of the Magnetic Stripe Data  38
  4.2. Integration with IT Systems  39
  4.3. Role of the Consumer in Fraud Prevention  40
  4.4. Summary  40
Chapter 5. Best Practices for Preventing Interception of Customer PIN  42
  5.1. PIN Security Overview  42
  5.2. Educating the Customer  42
  5.3. Manufacturing Changes for the EPP and Fascia  43
  5.4. Advancement of Biometrics to Replace PIN  43
  5.5. Summary of Best Practices for Protecting PINs  44
  6.1. Useful Reading  45
  6.2. Standards Documentation  45
  6.3. Relevant Links  46
  7.1. Summary of Recommendations  47
  7.2. Checklist of Recommendations  48
Table of Figures
Figure 1. Card Entry Area Skimming Device suggested classification syntax summary  17
Figure 2. Internal skimming method summary  18
Figure 3. Remote and secondary near-proximity skimming technique summary  19
Figure 4. Attachment methods and common power source summary  19
Figure 5. Storage capability of ATM skimmers, communication and download summary  20
Figure 6. Activation and encryption summary  20
Figure 7. Feature, capacity & endurance summary  21
Figure 8. Common external PIN compromise method summary  23
Figure 9. Common internal PIN compromise method summary  23
Figure 10. Remote and secondary PIN-compromise device summary  23
Figure 11. Attachment methods and common power source summary  24
Figure 12. Storage, communications, and download summary  24
Figure 13. Activation and encryption summary  25
Figure 14. Additional PIN-compromise device feature summary  25
Figure 15. PCI standards overlap in payment transaction life cycle  37
Foreword
Today, skimming is one of the most widespread and organised crimes directed at the ATM, as well as at Point of Sale devices. The Anti Skimming Forum of ATMIA believes this manual will help to reinforce the ATM's Trusted Environment as well as the reputation of the ATM as a safe and convenient self-service banking device. It sets out international minimum security guidelines and best practices for preventing skimming at ATMs. To combat fraud, it is imperative that all ATM deployers in all regions and countries take best practices very seriously and implement all guidelines and best practices contained herein to the greatest extent possible.
Executive Summary
Please note that this Executive Summary cannot replace reading the whole manual. The summary is merely a guide as to the content and main principles of prevention of skimming at ATMs.
1. Recent indicators show sharp rises in incidents of skimming on an increasingly global scale.
2. ATMs were first confirmed to be targeted by new styles and designs of skimming device in the late 1990s. Inspection of the ATM uncovered scratches and marks on the fascia that indicated a device of some type had probably been previously attached to the machine.
3. Today, the number of different designs and the multitude of technologies used to create ATM skimming devices necessitate the development of an ATM skimming-classification system. The best defense may vary according to the type of device used for the skimming attack.
4. Card skimming is defined as the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader. Skimming is often accompanied by the covert capture of customer PIN data. Armed with this information the fraudsters will create dummy cards and raid the customer's account. Increasingly, card details captured through skimming at an ATM in one country will be used to commit fraud in another country.
5. UK Payments published figures show that counterfeit card losses in the UK fell by 68 percent in the four years to 2008 because the introduction of chip and PIN makes it harder for criminals to use fake cards in ATMs and shops in the UK. Now, UK card information is being used to create counterfeit cards that are then used in other countries.
6. Fraud committed abroad using UK card information increased from 23.8 million in 2004 to 132.8 million in 2008. In particular, fraud committed in the US using data from UK-issued cards has increased by 181 percent since 2005, totaling 31.7 million in 2008. A recent UK Payments publication notes that "As more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."
7. Solutions for preventing the copying of magnetic stripe data at the ATM include devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine, and solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information when a foreign device is detected at or near the ATM card entry slot.
8. As the most used retail banking channel, for many the ATM represents the face of banking. Banks need to communicate the nature of the problem to the media and customers without creating fear and uncertainty. It is important to communicate how chosen solutions to skimming work and any implications this will have for an ATM's appearance or performance.
9. Customers can lessen the potential impact of skimming by protecting their PIN, the front door key to their bank accounts, by covering the keypad with their free hand when entering the code.
10. Card skimming is an international problem and its prevention requires a consistent global approach.
11. The new international classification system for skimming devices includes card entry skimming devices targeting specific types of card-activation interface (Motorized, Swipe, Dip and Contactless); internal skimming devices (such as pre-head tap skimmers and malware capable of obtaining non-encrypted card data within the ATM system); remote and secondary near-proximity skimming devices (for example, hand-held machines and tapping equipment); as well as ancillary or support technology like attachment methods, power sources, card data storage methods (such as integrated memory chips, local SD data cards and MP3 recorders), integrated cameras (for PIN compromise) and radio receivers, and activation methods like remote control.
12. ATM PIN-compromise devices in the classification system include external PIN-compromise devices (such as spy cameras, keyboard overlays and binoculars), internal PIN-compromise devices (such as electronic tapping equipment or malicious software), remote and secondary PIN-compromise devices (such as lobby door false keyboards), as well as ancillary or support technology like attachment and activation methods, power sources, and storage, communications and download capability (such as radio receivers).
13. Each of the current PCI standards, PCI PIN Transaction Security (PCI PTS), PCI Payment Application Data Security Standard (PCI PA DSS) and PCI Data Security Standard (PCI DSS), has material relevant to preventing skimming. The PCI PTS program addresses the issue of skimming most directly. Each of the standards designed for devices that accept the direct input of payment card data has a requirement to secure the path from the card reader to the security processor within the device. This requirement covers both the path from the Integrated Circuit Card reader (ICCR) and the path from the magnetic stripe card reader (MSR). For details of specific requirements, see Chapter 3.
14. Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming. However, the complete removal of the magstripe is not anticipated in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.
15. There are several methods to keep the sensitive account information contained on the magstripe safe from fraudsters; the most effective is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication for conducting secure transactions at the ATM.
16. Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices. Card readers can be equipped with foreign object detection technology that alerts a financial institution or law enforcement when a skimming device is installed on the fascia of an ATM. Jitter technology controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult to read the card data. Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective in deterring or detecting the placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.
17. Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted. Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.
18. A self-contained, secure environment including physical and logical access control and enhanced identity management is essential in securing an ATM. Intelligent fraud-detection systems should be used to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.
19. The consumer must be educated to be vigilant and to inspect the ATM before using it. Consumers must also be educated on how to protect their PIN. Shielding the entry of the PIN with their hand and body is just one way a consumer can prevent someone from viewing it.
20. Sharing information on fraud-related activity with industry stakeholders can help to identify current threats and trends and facilitate deployment of the most effective fraud mitigation tactics. There is also an opportunity to influence regulatory requirements to support fraud prevention tactics, which will in turn help demonstrate the return on investment for security spend.
21. One of the weakest links in any ATM transaction is the entry of the customer PIN. The PIN in its current form is static and always four (or, in some countries, six) digits. Despite improvements in the security of the transmitted PIN and account data via 3DES, no significant improvements or best practices have emerged to protect the physical entry of the customer PIN at the ATM.
22. Investigation is encouraged of new technologies to create EPPs that scramble the placement of the numbers on the keypad at each transaction.
23. Biometrics offers a difficult-to-duplicate replacement for a static numerical PIN. As each fingerprint or retinal scan is unique, it is clearly more robust than a four-digit PIN. As it may be a costly enterprise, deployment of biometrics as a means to move away from the customer PIN may be several years away.
24. A multi-layered approach to preventing skimming is the best methodology, integrating customer education and vigilance about PINs, technological investigation, industry information-sharing, manufactured security solutions and compliance with security standards for protecting card data and PINs. Chip and PIN technology has a proven record in reducing skimming and is highly recommended worldwide by the ATM Industry Association.
Acknowledgements
The ATMIA is indebted to the contribution of the following industry experts in assembling these Anti Skimming Best Practices, in addition to all members of its Anti Skimming Forum:
Douglas Russell, Director, DFR Risk Management Ltd
Terrie Ipson, Marketing Manager, Diebold
Andrew Jamieson, Technical Manager, Witham Laboratories
Wynne Evans, Consultant, Wynne Evans Communications
Steve Weeks, Commercial Manager, ATM Parts Co
Jeffery Miller, Service Manager, Edge One Incorporated
George Athanasakis, Director, Australian Technology Management Pty Ltd
Mike Urban, Sr Director, Fraud Solutions, FICO
Cyndi Spencer, formatting editor
Chapter 1. Introduction
Skimming: A Current and Increasing Global Threat

Recent indicators show sharp rises in incidents of skimming on an increasingly global scale. In April 2009, EAST (European ATM Security Team) reported a 129 percent increase in card skimming incidents in 2008 over the previous year. A total of 10,302 cases were reported. Yet Europe is not alone. Skimming is occurring throughout the world, from Russia to the USA, from Australia to the Middle East, from South Africa to South America.

For example, a glance through the financial media for just one month, July 2009, reveals the growing nature of the international threat of card skimming at the ATM. In Las Vegas it was reported that there were 75 skimming attacks over a three-month period, compared to previous rates of 2-3 incidents a year. In Sydney, Australia, the New South Wales Fraud Squad reported 60 skimming attacks in the first four months of 2009, with a spokesman stating that the devices used are becoming smaller, more sophisticated and capable of storing more data. In April it was reported that nine Romanian nationals had been arrested in relation to skimming attacks on Australian ATMs. In California it was also reported that skimmers and card duplicators could be bought from overseas sellers via the internet for a few thousand dollars.

It would appear that there is a global epidemic. Yet card skimming is not new. Early forms of skimming device, and indeed dummy ATMs installed in empty shop fronts, were used to capture card information in the nineties. What has changed is the scale and geographical spread of such attacks.

What do we mean by card skimming at the ATM?
This raises a number of issues: What are the implications of the introduction of chip and PIN technology in some countries? What percentage of card skimming takes place at ATMs rather than at POS devices? What are the best ways to prevent this happening and what are the implications for consumer behavior / confidence in the ATM network and indeed the banks?
When we talk of ATM fraud it is important to distinguish between the point of compromise (where the data is captured) and the location at which the actual fraud takes place. In the UK, for example, published figures for ATM fraud (where cash has been fraudulently withdrawn from an ATM) will normally involve stolen cards (and PIN details), ID theft where a legitimate card is used on a fraudulent account, or in some instances cases where a card has been captured at the ATM by a criminal using a Lebanese loop style device. In the case of card skimming, though card details may be captured at an ATM in the UK, the dummy (counterfeit) card created using this information could well be used in another country. Indeed, recent developments mean this is more likely. From a consumer perspective, another feature of this counterfeit fraud is that the cardholder will frequently be unaware of the fraud until they receive a statement or a transaction is refused at a store or ATM due to insufficient funds.
A recent UK Payments publication notes that "As more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."

ATM manufacturers have introduced a number of solutions aimed at preventing or nullifying attempts to copy magnetic stripe information at the ATM. These have included devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine; solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information by making it impossible to get a reading; and detectors that send alerts, either directly to the branch or to an ATM monitoring system, when a foreign device is detected at or near the ATM card entry slot. A leading South African retail bank recently announced that it was using pepper spray technology: if cameras observe that someone is tampering with the ATM, another machine will eject pepper spray in order to disable the criminals until an armed response team arrives. The technology is currently being deployed at 11 high-risk sites.
fraudsters. People will need to know how the prevention device will affect the appearance and operation of the ATM, as indeed will the police. Similarly, people will want to know whether a fraud prevention device will have implications for the speed of operation. ATM manufacturers have worked closely with deployers so that ATM performance is not impaired by the introduction of jitter solutions, and on customer education, in particular on the use of screen layouts to verify the appearance of devices that act as a deterrent protrusion.

It is important to encourage positive action. One thing people can do to lessen the potential impact of skimming is to do everything in their power to protect the PIN, including covering the keypad with their free hand when entering the code.

Card skimming at the ATM has become an international problem, with professional criminals operating globally. Wherever you are based, the threat is there and your customers' accounts are at risk. The introduction of chip and PIN does not necessarily change the point of compromise, since the lack of a globally introduced solution means all cards continue to carry magnetic stripe data for use in non-chip-compliant countries. What has happened is that the location of the actual fraud spend may change. Card account details captured in the UK can be used to withdraw funds in countries with weaker controls.
Activation Methods (AC)
Encryption Methods (EC)
Additional Features (FX)
Capacity & Endurance (actual values used)
Figure 1 below summarizes the types of Card Entry Area Skimming Devices and suggests appropriate classification syntax:

Motorized Readers
  M1  Directly to card-entry slot
  M2  Molded around entry area
  M3  False front covering larger area
  M4  Modified anti-fraud device inhibitor
  M5  Overlay of anti-fraud inhibitor
  M6  Attachment to anti-fraud inhibitor
  M0  Other

DIP Readers
  D1  Directly to card-entry slot
  D2  Molded overlay covering DIP reader
  D3  False front covering larger area
  D0  Other

Swipe Readers
  S1  Overlay covering swipe reader
  S2  Mounted below or left of swipe reader
  S3  Mounted above or right of swipe reader
  S4  False front covering larger area
  S0  Other

Contactless Readers
  C1  Overlay covering contactless reader
      Other

Figure 1. Card Entry Area Skimming Device suggested classification syntax summary
Power Source
  PS1  Integrated non-rechargeable batteries
  PS2  Integrated rechargeable batteries
  PS3  Separate battery pack
  PS4  From ATM power
  PS5  From other constant power source
Figure 5 summarizes the storage capability of ATM skimmers and the various communication and download technologies.
Storage
  ST1  None
  ST2  Local integrated chip
  ST3  Local data / SD card
  ST4  MP3 / MP4 (or equivalent) recorder
  ST5  Cell phone storage
  ST0  Other

Encryption
  EC1  None
  EC2  AES
The maximum endurance from the power source, and the maximum number of cards whose data can be captured, are important characteristics of ATM skimming devices. Figure 7 provides a reminder of some additional features of ATM skimming devices and the important statistics of endurance and capacity.
Features
  FX1  Integrated camera
  FX2  Receiver for PIN-compromise device
  FX3  Screened for anti-skimming interference
  FX4  Motorized card transport
  FX0  Other

Source: DFR Risk Management Ltd.
One of the most favored camera locations on many models of ATM is the light panel or light diffuser, which is often directly above the ATM keyboard. False panels are also used to disguise cameras and may be positioned above, left or right of the ATM keyboard. In environments where it is common to have advertising leaflet boxes in close proximity to the ATM, these are modified to conceal one or more cameras. Other additions to the ATM which are utilized to disguise cameras include safety or rear-view mirrors. Where ATMs are installed with a canopy to provide shelter from sunlight and rain, cameras are often hidden in the canopy. Some ATM skimming devices are packaged with an integrated camera.

The second method of PIN compromise is fake keyboards and keyboard overlays. Often these devices still allow the genuine keyboard to be activated when the PIN is entered on the PIN-compromise device. Sizes of device vary from an almost exact size-match with the genuine keyboard, through a full fake-keyboard shelf, to a false front covering a large area of the ATM fascia.

The third method involves a less technical approach and can be characterized as personal or human surveillance. Covert shoulder-surfing, in which the perpetrator looks over the shoulder of the victim as they enter their PIN, is one of the most popular personal surveillance techniques. Shoulder-surfing may also be more overt and includes the perpetrator pretending to be helpful to the victim (the "helpful stranger" approach). Long-range lenses, including telescopes and binoculars, are also used to observe PIN entry, as are strategically positioned mirrors or particular angles which allow the reflection of the keyboard to be observed. Even differently colored dust is used to compromise PINs. Figure 8 summarizes common external PIN-compromise methods.
Camera Location & Packaging
  SC1  In light diffuser / light panel
  SC2  In leaflet box
  SC3  In false panel above PIN pad
  SC4  In false panel right of PIN pad
  SC5  In false panel left of PIN pad
  SC6  In safety mirror
  SC7  In sun / rain canopy
  SC8  Integrated with skimmer
  SC0  Other

Keyboard
  KB1  Exact-size keyboard overlay
  KB2  Shelf / full-panel keyboard overlay
  KB3  False-front covering larger area
  KB0  Other

Camera Type
  TC1  Spy camera
  TC2  Cell phone camera
  TC3  Video camera
  TC0  Other

Surveillance
  SV1  Shoulder surfing - covert
  SV2  Shoulder surfing - assist victim
  SV3  Long-range lens / telescope
  SV4  Mirror
  SV5  Colored dust
  SV6  Advertising panel reflection
  SV0  Other

Source: DFR Risk Management Ltd.
Remote Keyboards
  RK1  Door-entry keyboard
  RK2  PIN-activation / validation keyboard
       Stand-alone terminal
       Other

Remote Cameras
  RC0  Other

Power Source
  PS1  Integrated non-rechargeable batteries
  PS2  Integrated rechargeable batteries
  PS3  Separate battery pack
  PS4  From ATM power
  PS5  From other constant power source
  PS0  Other

Source: DFR Risk Management Ltd.

Storage
  ST0  Other

Encryption
  EC1  None
  EC2  AES
  EC3  DES
  EC4  3DES
  EC0  Other

Source: DFR Risk Management Ltd.
ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0
The above example of the Sofia skimmer has the following identified characteristics:
- Targeted at motorized card readers and fitted directly to the card entry slot (ASK-M1)
- Attached with adhesive tape (AM1)
- Powered by integrated non-rechargeable batteries (PS1)
- Integrated chip used for local storage (ST2)
- Miniature sockets used to connect for download of data (CD2)
- Activated (switched on) using a switch (AC1)
- Non-standard encryption used to protect from interrogation (EC0)

ASK-M3-AM1-PS3-ST1-CD3-AC1-EC1
The above example has the following known characteristics:
- Targeted at motorized card readers, packaged into a false front covering a larger area (ASK-M3)
- Attached with adhesive tape (AM1)
- Powered by separate battery pack (PS3)
- No identified local storage (ST1)
- Transmits card data using analogue RF transmitter (CD3)
- Activated by a switch (AC1)
- No encryption (EC1)

APC-KB2-AM1-PS3-CD7
The above example has the following known characteristics:
- False keyboard integrated into full shelf (APC-KB2)
- Attached with adhesive tape (AM1)
- Separate battery pack (PS3)
- GSM cell phone used to transmit PIN data (CD7)

APC-SC3-TC1-AM1-PS3-ST1-CD3-AC1
The above example has the following known characteristics:
- Camera in panel above keyboard (APC-SC3)
- Spy camera (TC1)
- Attached with adhesive tape (AM1)
- Separate battery pack (PS3)
- No local storage (ST1)
- Sends image of PIN entry via analogue RF transmitter (CD3)
- Activated by switch (AC1)

ASK-M2
Details available about the above example are limited, hence the short designator string.

ASK-D2-AM1-ST2-PS3-CD2
The above example has the following known characteristics:
- Targeted at DIP readers and designed to cover the genuine reader (ASK-D2)
- Attached with adhesive tape (AM1)
- Local storage of data on the board (ST2)
- Separate battery pack within skimmer case (PS3)
- Sockets for download of data (CD2)
Classification summary table

Rows whose Type and Code columns did not survive extraction (Method only):
  Always on (switched)
  Proximity detector
  Remote control
  Card / transaction activated
  Other
  Adhesive tape
  Glue
  Screw / Bolt
  Friction fit
  Weld / Fuse
  Other
  Overlay covering contactless reader
  Other
  None
  Socket / USB
  Analogue RF
  Bluetooth
  Wi-Fi (802.11)
  SMS / MMS / Text
  GSM / Data
  Digital RF (non specific)
  Other
  Directly to card entry slot
  Molded overlay covering DIP reader
  False front covering larger area
  Other
  None
  AES
  DES
  3DES
  Other
  Integrated skimmer
  Receiver for skimming device
  Other
  Integrated camera
  Receiver for PIN compromise device

Code  Type                                  Method
FX3   Features (ASK)                        Screened for anti-skimming interference
FX4   Features (ASK)                        Motorized card transport
FX0   Features (ASK)                        Other
IP1   Internal Compromise of Modules (APC)  ATM integrated security camera tap
IP2   Internal Compromise of Modules (APC)  Internal keyboard tap
IP0   Internal Compromise of Modules (APC)  Other
IS1   Internal Compromise of ATM System     Internal communications tap
IS2   Internal Compromise of ATM System     Software / Malware / Trojan
IS0   Internal Compromise of ATM System     Other
IT1   Internal Compromise of Card Reader    Pre-head tap
IT2   Internal Compromise of Card Reader    Read head tap
IT3   Internal Compromise of Card Reader    Card reader PCB parasite
IT4   Internal Compromise of Card Reader    Card reader data line tap
IT0   Internal Compromise of Card Reader    Other
KB1   Keyboard                              Exact-size keyboard overlay
KB2   Keyboard                              Shelf / full-panel keyboard overlay
KB3   Keyboard                              False-front covering larger area
KB0   Keyboard                              Other
M1    Motorized Readers                     Directly to card entry slot
M2    Motorized Readers                     Molded around entry area
M3    Motorized Readers                     False front covering larger area
M4    Motorized Readers                     Modified anti-fraud device inhibitor
M5    Motorized Readers                     Overlay of anti-fraud inhibitor
M6    Motorized Readers                     Attachment to anti-fraud inhibitor
M0    Motorized Readers                     Other
PS1   Power Source                          Integrated non-rechargeable batteries
PS2   Power Source                          Integrated rechargeable batteries
PS3   Power Source                          Separate battery pack
PS4   Power Source                          From ATM power
PS5   Power Source                          From other constant power source
PS0   Power Source                          Other
RC1   Remote Cameras                        ATM location CCTV
RC2   Remote Cameras                        ATM location spy camera
RC0   Remote Cameras                        Other
RD1   Secondary DIP devices                 Door-access skimmer
RD2   Secondary DIP devices                 Card cleaning device
RD3   Secondary DIP devices                 Card activation / validation device
RD4   Secondary DIP devices                 Stand alone terminal
RD0   Secondary DIP devices                 Other
RE1   External modem / communications hub   Modem tap
RE2   External modem / communications hub   Telephone exchange tap
RE3   External modem / communications hub   Communication hub tap
RE4   External modem / communications hub   Wi-Fi intercept
RE0   External modem / communications hub   Other
RH1   Hand-held skimming device             Pocket sized skimmer
RH0   Hand-held skimming device             Other
RK1   Remote Keyboards                      Door-entry keyboard
RK2   Remote Keyboards                      PIN-activation / validation keyboard
RK3   Remote Keyboards                      Stand-alone terminal
RK0   Remote Keyboards                      Other
RS1   Secondary swipe devices               Door-access skimmer
RS2   Secondary swipe devices               Card cleaning device
RS3   Secondary swipe devices               Card activation / validation device
RS4   Secondary swipe devices               Stand alone terminal
RS0   Secondary swipe devices               Other
S1    Swipe Readers                         Overlay covering swipe reader
S2    Swipe Readers                         Mounted below or left of swipe reader
S3    Swipe Readers                         Mounted above or right of swipe reader
S4    Swipe Readers                         False front covering larger area
S0    Swipe Readers                         Other
ST1   Storage                               None
SC1   Camera Location & Packaging           In light diffuser / light panel
SC2   Camera Location & Packaging           In leaflet box
SC3   Camera Location & Packaging           In false panel above PIN pad
SC4   Camera Location & Packaging           In false panel right of PIN pad
SC5   Camera Location & Packaging           In false panel left of PIN pad
SC6   Camera Location & Packaging           In safety mirror
SC7   Camera Location & Packaging           In sun / rain canopy
SC8   Camera Location & Packaging           Integrated with skimmer
SC0   Camera Location & Packaging           Other
ST5   Storage                               Cell phone storage
ST0   Storage                               Other
SV1   Surveillance                          Shoulder surfing - covert
SV2   Surveillance                          Shoulder surfing assist victim
SV3   Surveillance                          Long-range lens / telescope
SV4   Surveillance                          Mirror
SV5   Surveillance                          Colored dust
SV6   Surveillance                          Advertising panel reflection
SV0   Surveillance                          Other
TC1   Camera Type                           Spy camera
(code missing)  Camera Type                 Cell phone camera
(code missing)  Camera Type                 Video camera
(code missing)  Camera Type                 Other
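As an added example (not part of the manual or of DFR Risk Management's scheme), a small parser that decodes the designator strings shown in the worked examples above against the classification table. The category labels for the AC, AM, CD and D groups, and the names Designator / parse_designator / describe, are my assumptions; only codes that appear on this page are included in the codebook.

```python
"""Decode skimming-device designator strings such as ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0.

Added example, not the manual's own code.  Code meanings are copied from the
classification table and worked examples on this page.  Group labels marked
"(label assumed)" are not named on the page; the codebook is a subset.
"""
import re
from dataclasses import dataclass, field

# code -> (category, method).  In the scheme a trailing 0 always means "Other".
CODEBOOK = {
    "M1":  ("Motorized Readers", "Directly to card entry slot"),
    "M2":  ("Motorized Readers", "Molded around entry area"),
    "M3":  ("Motorized Readers", "False front covering larger area"),
    "D2":  ("Dip readers (label assumed)", "Molded overlay covering DIP reader"),
    "KB2": ("Keyboard", "Shelf / full-panel keyboard overlay"),
    "SC3": ("Camera Location & Packaging", "In false panel above PIN pad"),
    "TC1": ("Camera Type", "Spy camera"),
    "AM1": ("Attachment (label assumed)", "Adhesive tape"),
    "AC1": ("Activation (label assumed)", "Always on (switched)"),
    "PS1": ("Power Source", "Integrated non-rechargeable batteries"),
    "PS3": ("Power Source", "Separate battery pack"),
    "ST1": ("Storage", "None"),
    "ST2": ("Storage", "Integrated chip / on-board storage"),  # from worked examples
    "CD2": ("Data download / transmission (label assumed)", "Socket / USB"),
    "CD3": ("Data download / transmission (label assumed)", "Analogue RF"),
    "CD7": ("Data download / transmission (label assumed)", "GSM / Data"),
    "EC0": ("Encryption", "Other"),
    "EC1": ("Encryption", "None"),
    "EC2": ("Encryption", "AES"),
    "EC4": ("Encryption", "3DES"),
}
DEVICE_CLASSES = {"ASK", "APC"}  # the two prefixes used on this page

_CODE_RE = re.compile(r"^([A-Z]+)(\d+)$")  # letters = group, digits = method


@dataclass
class Designator:
    device_class: str
    features: dict = field(default_factory=dict)  # group -> (code, category, method)
    unknown: list = field(default_factory=list)   # codes absent from CODEBOOK


def parse_designator(text):
    """Split a designator, validate its shape and look each code up.

    Raises ValueError on an unknown device class, a malformed code, or two
    codes from the same group (a device cannot have two power sources).
    """
    parts = text.strip().upper().split("-")
    cls, codes = parts[0], parts[1:]
    if cls not in DEVICE_CLASSES:
        raise ValueError(f"unknown device class {cls!r}")
    result = Designator(cls)
    for code in codes:
        m = _CODE_RE.match(code)
        if not m:
            raise ValueError(f"malformed code {code!r}")
        group = m.group(1)
        if group in result.features:
            raise ValueError(f"duplicate group {group!r} in {text!r}")
        entry = CODEBOOK.get(code)
        if entry is None:
            result.unknown.append(code)
            result.features[group] = (code, None, None)
        else:
            result.features[group] = (code, entry[0], entry[1])
    return result


def describe(text):
    """Render one line per code, in the order given, for an inspection report."""
    d = parse_designator(text)
    lines = [f"{text}: {d.device_class} device"]
    for code, cat, method in d.features.values():
        lines.append(f"  {code:<4} {cat or 'unknown group'}: {method or 'not in codebook'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe("ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0"))
```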
In addition to these standards, a PCI PIN audit security program also exists, but this is currently maintained independently by Visa and MasterCard, not by PCI SSC (although this is expected to change within the next few years). These different standards address different aspects of the payment process.
PCI PTS
PCI PTS is actually a series of standards that address the security of the hardware and firmware into which customer PINs are entered and encrypted during a transaction.
At the time of writing, the following standards exist under the PCI PTS program:
  - PCI POS PED addresses the security of PIN Entry Devices (PEDs) that are operated within an attended, shop-style environment.
  - PCI EPP covers the security of Encrypting PIN Pads (EPPs) that are used to enter and encrypt PINs within larger, generally unattended, devices such as ATMs, ticketing machines, fuel dispensers, etc.
  - PCI UPT covers the overall security of such larger unattended devices as those noted above, with the exception of ATMs.
  - PCI ATM covers the security of unattended devices that provide for the withdrawal or deposit of cash. At the time of writing, this standard is under development and has not yet been published.
  - PCI HSM addresses the security of Hardware Security Modules (HSMs) that are used to generate, re-encrypt (or translate), or verify customer PINs, or to manage the keys used in PIN Entry Devices which encrypt customer PINs directly.
PCI PA DSS
PCI PA DSS provides a set of security requirements for software that is involved in the authorization or settlement of payment transactions. This standard was created to ensure that such software does not prevent any company implementing the software from being compliant with the PCI DSS requirements. The scope of PA DSS can include the application software used in payment devices such as ATMs and PIN Entry Devices.
PCI DSS
PCI DSS is an umbrella standard that essentially covers any areas which are not directly covered by the other PCI standards. Any system that stores, processes, or transmits payment card data is in scope of the PCI DSS requirements. This standard provides a set of best practice guidelines for how any system and business that handles payment card data should provide security to this data.
PCI PIN
Finally, the PCI PIN standard is an audit program that confirms the key management practices for cryptographic keys that are used to encrypt customer PIN data.
Similar requirements exist in the PCI POS PED and PCI ATM standards. The above requirement is further clarified with the following statements:
Countermeasures include, for instance, active detection of skimmers, active disturbance of the skimming process, or notice to the cardholder on what the reader should look like. The protection of the reader may consist of resistance of the UPT cabinet/the reader enclosure against manipulation. Skimming attacks to recover payment card data may occur via either the attachment of external devices or attacking other areas (hardware or software) of the UPT. Both must be considered for this requirement. Access to the inside of the UPT for routine maintenance (e.g., replenishing paper) shall not allow access to clear-text account data, e.g., by making cabling which transmits the data physically inaccessible to routine maintenance personnel or encrypting the sensitive card data transmitted internally within the UPT between components.
Source: PCI UPT DTRs v1.0, April 2009, page 15
Therefore, the PCI PTS standards specifically make note that protections against skimming must go beyond merely securing the physical exterior of the payment device, as skimming may occur through the implanting of internal monitoring devices as well as external devices. To this end, the security of any openings, access hatches, or service panels must be considered, if such openings allow for access to plaintext card data. Because of this, in many instances it is considered best practice to protect card data logically, using encryption, when routing it through exposed cabling and components within larger payment devices such as UPTs and ATMs.
This requirement should not be confused with a necessity for encrypting magnetic stripe read heads, as this is not mandated by the standard and is often not necessary for smaller PIN Entry Devices that can more easily provide physical security to the path of the signals from the MSR to the security processor.

It should also be noted from the PCI PTS requirements that although some guidelines are provided regarding protection against the placement of a physical skimming device, these requirements are not the only options that exist. The guidance provided within these requirements does not intend to constrain or restrict the possible ways in which skimming can be prevented. In fact, one reason for this is so that the market can actively work on creating new and more advanced ways in which anti-skimming technology can be embodied and deployed.

When considering the security requirements within the PCI PTS program, it is important to understand that these cover only the security of the data from the card reader to the internal security processor of the payment device. Once this data has reached the security processor, it is up to the payment application and the overall payment system in which the device operates to secure the data. This is where PCI PA DSS and PCI DSS add their assistance to the security of card data. These programs protect such data in two ways: (1) by securing the applications themselves; and (2) by securing the transmission of payment card data. PCI DSS and PA DSS require that payment applications, and the systems on which they are installed and operated, are secured in line with industry best practice. This includes removing any unnecessary services from the devices, securing remote access, using network security devices such as firewalls and IDS/IPS, regularly testing the security of systems, and so forth. PCI DSS has many individual compliance requirements, and it is beyond the scope of this document to cover them all.
It is strongly recommended that the full PCI DSS requirements, as well as the ATMIA Software Security Best Practice document, are considered when devising an anti-skimming strategy. PCI DSS also mandates that the transmission of card data across open, wireless, and public networks must be encrypted using strong cryptography. In these standards, such cryptography essentially means the use of triple DES, AES, RSA, or Elliptic Curve Cryptography.

Although this standard does not require the use of such encryption across all networks, it is strongly recommended that encryption is used whenever transmitting card data, as capture during transmission is a common skimming attack vector.

The diagram in Figure 15 shows a pictorial representation of how the different PCI standards overlap to cover the life cycle of a payment transaction. This diagram shows that:
  - The PCI PTS program covers the security of the data as it enters the ATM or payment device.
  - The PA DSS program covers the security of the data as it is used in commercial payment software.
  - The PCI DSS program covers the security of payment data as it is transmitted and processed within the broader payment network.
Chapter 4. Best Practices for Preventing Capture of Magnetic Stripe Data During ATM Transactions
4.1. Protection of the Magnetic Stripe Data
Card skimming is a global threat, and it will continue to be an industry issue as long as the magnetic stripe containing the cardholder's account information remains on the card. Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming. However, the complete removal of the magstripe is not anticipated to occur in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.

There are several methods to keep sensitive account information contained on the magstripe safe from fraudsters. The most effective method is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication, offering alternate methods for conducting secure transactions at the ATM.

Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices. Card readers can be equipped with some type of foreign object detection technology and can alert a financial institution or law enforcement in the event that a skimming device is installed on the fascia of an ATM. Jitter technology is a process that controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult to read card data.
Card skimmers generally require a smooth intake of the card to get a good read of the magstripe. The design of the card reader bezel also plays an important role in deterring the application of a skimmer: the design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user. Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective in deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras. Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted. Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.
4.4. Summary
Some best practices for the mitigation of fraud due to card skimming:
  - Building awareness among consumers, branch personnel, and ATM service teams can result in the detection of devices added to an ATM fascia. Visual clues such as tape residue near or on a card reader may indicate the former presence of a skimming device.
  - Chip-based cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.
  - Contactless cards, out-of-band authentication using cell phones, and biometric readers are all new authentication technologies that can be used as alternate methods for conducting secure ATM transactions.
  - Alert systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.
In addition to following these best practices, there are several anti-skimming solutions that financial institutions can implement to help mitigate risk. A multi-layered approach to securing the card reader is the best methodology.
  - Foreign object detection: ATMs equipped with this type of technology can alert a financial institution or law enforcement in the event that a skimming device is added to the fascia of an ATM.
  - Jitter technology: a process that controls and varies the speed of movement of a card as it moves in and out of a card reader, making it difficult if not impossible to read card data. Card skimmers generally require a smooth intake of the card to get a good read of the magstripe.
  - Card reader bezel design: the design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user.
  - Anti-skimming technologies: effective in identifying, jamming or disturbing skimming devices when attached to the ATM.
  - Video surveillance and monitoring: an effective method for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.
In summary, implementing multiple layers of security to help deter and detect fraudulent attempts provides the best approach to anti-skimming. Information sharing of fraud related activity with industry stakeholders can help to identify current threats and trends and facilitate deployment of the most effective fraud mitigation tactics. There is also an opportunity to influence regulatory requirements to support fraud prevention tactics that will in turn help demonstrate the return on investment for security spend.
Biometrics is becoming a visible technology, deployed across a wide variety of applications from time clocks to computer access controls. While no technology is foolproof, biometrics offers a difficult-to-duplicate replacement for a static numerical PIN. As each fingerprint or retinal scan is unique, it is clearly more robust than a four-digit PIN. As it may be a costly enterprise, deployment of biometrics as a means to move away from the customer PIN may be several years away.
It is worth noting that the DDA (Disability Discrimination Act) is a major obstacle in implementing any effective biometric technology for use at ATMs. For example, Nationwide Building Society developed and piloted Iris recognition technology at ATMs several years ago (featured on TV at the time) and then subsequently scrapped it.
2. A Chronology of Data Breaches, Privacy Rights Clearinghouse
3. Building Trust: Securing the Payment System, Visa Inc.,
http://www.corporate.visa.com/st/main.jsp?src=home
4. ATMIA and Global ATM Security Alliance best practices:
   4.1 Best Practices For Preventing Insider Fraud
   4.2 Best Practices For ATM Physical Security, Version 2

Notes
CEN XFS / J/XFS (CEN = Comité Européen de Normalisation; XFS = Extensions for Financial Services; J/XFS = Java Extensions for Financial Services) device interface standards.
At the time of writing, the PCI PIN program is maintained by Visa and MasterCard directly, not PCI SSC.
At the time of writing, this new global standard in the making is unpublished.
Other standards include PCI UPT (Unattended Payment Terminals) and PCI HSM (Hardware Security Modules).
Copyright 2009 ATMIA | All Rights Reserved | www.atmia.com Page 45 of 48
ISO Standards
ISO 11568: ISO standards for cryptographic key management for banks
ISO 11770: ISO standards for cryptographic key management lifecycle
ISO/IEC 9564-1: Banking - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
ISO 13491: Banking - Secure Cryptographic Devices (Retail)
ISO 7810: Identification Cards - Physical Characteristics
ISO 7811: Identification Cards - Recording Technique
ISO 7812: Identification Cards - Identification of Issuers
ISO 7813: Identification Cards - Financial Transaction Cards
ISO 7816: Identification Cards - Integrated Circuit(s) Cards with Contacts

Other Standards
X9.24 Part 1: Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques
FIPS 140-2: Specifications for security of Hardware Security Modules
NIST SP 800-57: Recommendation for Key Management
ANSI TR-31: Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms
ANSI Technical Guideline 3 (ANSI TG-3): Guideline for Financial Services
EMV (Chip and PIN): http://www.emvco.com
MasterCard POS Terminal Security (PTS):
http://www.mastercard.com/us/merchant/support/pts_program.html
  - Link up to anti-skimming industry initiatives globally, as this is a global problem with clearly identifiable international fraud migration patterns.
  - Support chip and PIN as a global technology; but when the magstripe is in use, out-of-band authentication, using a cell phone or a biometric reader, can provide a second form of authentication that can be used to secure transactions at the ATM.
  - Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices and to offer greater PIN protection, such as PIN shields.
  - Conduct customer education campaigns on skimming and PIN protection.
  - Know your adversary and his weapons: study and apply the skimming classification system in this manual to create an international common language for skimming prevention, AND study all the different types of skimming devices, both internal and external, remote and near, as well as all their supporting technologies.
  - Study PCI security standards, namely PCI PTS, PCI PA DSS and PCI DSS, especially where relevant to prevention of skimming. In particular, secure the path from the card reader to the security processor within the device, including the path from the Integrated Circuit Card reader (ICCR) as well as the magnetic stripe card reader (MSR).
  - Conduct regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments.
  - Use intelligent fraud-detection systems to monitor unusual spending patterns and identify fraud before it is discovered by the cardholder.
  - Support continued R&D in the areas of improved technologies for preventing skimming, including investigating enhanced EPPs, biometric replacements for PINs, etc.
  - Adopt a multi-layered security approach to prevent skimming using all of the above.