May 20, 2013
ATM Cash-Outs: A Major Escalation
The banking news this week has been dominated by the story about the two ATM cash-out schemes that netted the criminals a total of $45 million. (We mentioned the $40 million fraud involving prepaid cards issued by a bank in Oman in a post earlier this month.) The news articles and opinion pieces have focused on what I consider secondary aspects of this attack—counterfeit card production and prepaid cards. Some observers have pointed to this attack as further justification for a faster move to EMV reader capability in the United States. While it is certainly true that an EMV-only environment will virtually eliminate counterfeit card crimes such as this, the reality is that a dual EMV-magnetic stripe environment is going to exist, both here in the United States and the rest of the world, for quite some time. And while some categorize the United States as the only EMV holdout, the fact that 94 percent of the ATM cash withdrawals took place at ATMs outside the United States shows that we are not the non-EMV island that we are often portrayed as. Others have pointed out that the targeted cards were tied to prepaid accounts, implying or outright stating that a prepaid card management application is less secure than a regular debit card management application. This is not the case, as the fraud was not a product or an access device issue.
The real threat from this attack comes from the criminals' ability to gain access to the card management application on a real-time basis. It is still unclear whether they gained the account number and PIN from accessing the card management system or through the more traditional skimming means. What is clear is that they had the ability to continually replenish account balances and reset usage limit parameters during the 10–13 hour attack that involved more than 3,600 withdrawal transactions from ATMs located in 26 different countries. The investigation of the two processors located in India will tell if there was some level of insider involvement or if the criminals learned how to gain access to the card application and make the changes to keep the fraudulent attack going.
So how should bankers and card management processors address these concerns? I would suggest they consider an immediate review and understanding of their card management application access controls that identify the personnel having the authority to make "on-the-fly" changes to specific account parameters. Some access is required for actions such as flagging a reported lost or stolen card, but other parameters should be completely off limits or tightly controlled and monitored. Another safeguard would be to have account velocity monitoring, which would identify unusual card usage activity or usage from different parts of the world occurring at about the same time.
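The two safeguards suggested above, tightly controlled parameter changes and account velocity monitoring, can be checked against a transaction feed and an audit log. The following is an added example, not code from the post or from any processor: it runs over constructed withdrawal records and constructed audit-log entries, flags accounts whose withdrawal count inside a sliding window exceeds a threshold, flags withdrawals from several countries within a short interval, flags changes to fields outside an assumed allow-list (here only a card's status flag may be changed "on the fly"), and then correlates the two views. The thresholds, field names and operator IDs are assumptions.

```python
"""Velocity and parameter-change monitoring over a constructed ATM withdrawal feed.

Added example for illustration; the records below are made up and the
thresholds (5 withdrawals per hour, 30-minute multi-country window) are
assumptions, not values from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed withdrawal records: (timestamp, account, ATM country, amount).
WITHDRAWALS = [
    (ts("2013-05-15 03:00"), "ACCT-1", "JP", 1000),
    (ts("2013-05-15 03:05"), "ACCT-1", "JP", 1000),
    (ts("2013-05-15 03:07"), "ACCT-1", "RU", 1000),
    (ts("2013-05-15 03:12"), "ACCT-1", "RU", 1000),
    (ts("2013-05-15 03:14"), "ACCT-1", "US", 1000),
    (ts("2013-05-15 03:20"), "ACCT-1", "US", 1000),
    (ts("2013-05-15 09:30"), "ACCT-2", "US", 200),
    (ts("2013-05-15 18:45"), "ACCT-2", "US", 100),
]

# Constructed card-management audit log:
# (timestamp, operator, account, field, old value, new value).
PARAM_CHANGES = [
    (ts("2013-05-15 02:58"), "ops_alice", "ACCT-3", "status", "active", "lost_stolen"),
    (ts("2013-05-15 03:06"), "ops_bob", "ACCT-1", "balance", "100", "50000"),
    (ts("2013-05-15 03:11"), "ops_bob", "ACCT-1", "daily_limit", "500", "999999"),
]


def velocity_alerts(events, max_count=5, window=timedelta(hours=1)):
    """Map account -> peak number of withdrawals seen inside any sliding window,
    for accounts where that peak exceeds max_count."""
    by_acct = defaultdict(list)
    for t, acct, _, _ in sorted(events):
        by_acct[acct].append(t)
    flagged = {}
    for acct, times in by_acct.items():
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_count:
                flagged[acct] = max(flagged.get(acct, 0), count)
    return flagged


def multi_country_alerts(events, window=timedelta(minutes=30)):
    """Map account -> set of countries, for accounts with withdrawals from more
    than one country inside `window` (usage 'from different parts of the world
    at about the same time')."""
    by_acct = defaultdict(list)
    for t, acct, country, _ in sorted(events):
        by_acct[acct].append((t, country))
    flagged = {}
    for acct, recs in by_acct.items():
        for i, (t_i, c_i) in enumerate(recs):
            countries = {c_i}
            for t_j, c_j in recs[i + 1:]:
                if t_j - t_i > window:
                    break
                countries.add(c_j)
            if len(countries) > 1:
                flagged[acct] = flagged.get(acct, set()) | countries
    return flagged


def parameter_change_alerts(changes, allowed_fields=frozenset({"status"})):
    """Return audit entries that touch fields outside the allow-list; balance
    replenishment and limit resets are exactly the changes that should be
    off limits or tightly controlled."""
    return [c for c in changes if c[3] not in allowed_fields]


def correlated_accounts(events, changes):
    """Accounts that are both velocity-flagged and the subject of an
    off-limits parameter change: the strongest signal of an ongoing cash-out."""
    changed = {c[2] for c in parameter_change_alerts(changes)}
    return set(velocity_alerts(events)) & changed


if __name__ == "__main__":
    print("velocity:", velocity_alerts(WITHDRAWALS))
    print("multi-country:", multi_country_alerts(WITHDRAWALS))
    for entry in parameter_change_alerts(PARAM_CHANGES):
        print("off-limits change:", entry)
    print("correlated:", correlated_accounts(WITHDRAWALS, PARAM_CHANGES))
```

In a production setting the allow-list would be enforced by the application's authorization layer, not only checked after the fact; the audit-log pass here is the monitoring backstop for the case where the enforcement was bypassed or an authorized operator was involved.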
This highly sophisticated and coordinated attack is a game changer for the security controls of all types of card management applications. Let us know how you are responding.
By Dave Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 13, 2013
Which Is Riskier, Change or Avoiding It?
There is no denying that any level of change brings with it some level of risk. However, sometimes avoiding change can result in even greater risk. That is the quandary many retail banks find themselves in today as they grapple with the issues of mobile banking and payments and their role in the bank's overall delivery-channel strategy. Sustainability and regeneration are principles normally associated with the community development and environmental arenas, but they can be easily applied to the banking industry and its consumer delivery channels.
Numerous research studies document a large gap in banking attitudes and product or channel usage between the Gen Y or millennial customers and the older customer segments (those who are over 35, if you consider that old). (The Retail Payments Risk Forum discussed some of this research in a paper posted on our website in April.) Younger customers have less loyalty to bank brand, readily adopt new technology, are highly influenced by advertising and peers, expect free or low-cost banking products and services, and are driven by convenience. While they do have a higher overall trust level of banks compared to nonbanks, the gap is not anywhere near as large as that of the older customer segment. The younger segments have eagerly adopted online and mobile banking and are viewed as the early adopters of mobile payments. In fact, when they select a financial institution, the quality and expansiveness of the mobile banking offering is a major factor in their decision.
So what does this changing landscape mean for the future of the traditional brick-and-mortar-branch delivery channel? For some time, banks have tried to establish branches primarily as sales centers while moving basic service transactions to alternative automated, less-expensive delivery channels. This effort will continue, but banks must also regenerate their overall delivery-channel strategy to provide sales and service capabilities through virtual channels in order to attract and retain the growing Gen Y customer segment. This regeneration and sustainability effort involves the "right sizing" of each channel to provide existing and future customers with the appropriate level of services and features as well as the capacity to meet service quality goals. This effort will require not only continual risk assessments of each delivery channel but also a holistic risk assessment of each customer across all delivery channels.
Let us know what changes, if any, you are making in your overall delivery-channel strategy to address the changing demographics of existing and potential bank customers.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 06, 2013
Staying One Step Ahead of ATM Attacks
Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.
The industry, with some nudging from state regulators, reacted with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to pulling the entire ATM out of its floor or wall anchors and then cracking it open at a remote location.
As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals often also install a pinhole camera positioned to capture customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.
Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.
It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.
These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
April 29, 2013
It's Time for Better Online Authentication Solutions
I recently read a news story in my daily news feed about litigation between a bank and a corporate customer related to an account takeover and the liability for the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.
Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.
Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?
Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed