Portals and Rails

About


Portals and Rails, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Portals and Rails and look forward to collaborating with you.

April 14, 2014


Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FI). Dubbed "unlimited operation" by the U. S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude to a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a5119e4e38970c

Listed below are links to blogs that reference Danger Ahead! ATM Cash-Outs:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

December 23, 2013


Here We Go: Number 10!

As the year draws to a close, the Portals and Rails team would like to share its own Top 10 list of major payment-related events that took place in the United States this year.

  1. The Consumer Financial Protection Bureau finalized Dodd-Frank 1073 money transfer rules.
  2. The payments industry experienced increased regulatory scrutiny of third-party processors and high-risk business customers.
  3. Major global ATM cash-out fraud attacks—including many U.S. ATMs—totaled $45 million.
  4. FTC issued a proposal to ban telemarketers from using remotely created checks and payment orders.
  5. Debit networks sought a compromise on an EMV interface—while there is little movement on the issuance of EMV cards.
  6. The newly designed $100 bill with additional security features was released.
  7. Several major data breaches occurred, and identity theft occurrences skyrocketed.
  8. Cyber Monday online sales were up 17 percent, with phones and tablets representing almost a third of the total.
  9. Virtual currencies received increased public, legislative, and regulatory awareness after the U.S. Department of Justice took action to close down virtual currency operators Liberty Reserve and Silk Road.
  10. U.S. District Court Judge Richard Leon threw out Regulation II debit card interchange fees and routing rules.

And as we head into 2014, here are a few payments-related topics we will be following closely:

  • As regulators continue to monitor developments in the virtual currency market, will the usage of virtual currency as a legitimate medium of exchange expand among the merchant community?
  • Will 2014 finally be the “Year of the Mobile Payment” as stakeholders have yearned for over the last several years? What progress will be made in addressing the awareness, security, and education aspects of mobile payments?
  • With online and mobile commerce showing no signs of slowing down, what authentication solutions will be most widely adopted to prevent a rising tide of card-not-present fraud?
  • How will merchants and card issuers deal with EMV implementation?
  • What effects will the regulatory attention on third parties and high-risk businesses have on the due diligence practices of financial institutions?

Wishing you all happy holidays and a fraud-free 2014!

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

December 23, 2013 in ATM fraud, crime, EMV, identity theft, regulators | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019b03847b7e970d

Listed below are links to blogs that reference Here We Go: Number 10!:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 08, 2013


Money Mules: Unwitting Accomplices?

Recent news articles about the two major ATM cash-out frauds that yielded $45 million for the perpetrators have noted a critical element of the global crime—the extensive network of criminals that performed thousands of cash withdrawals over a few hours at ATMs in approximately 24 countries. Known as "money mules," these individuals help transport or launder stolen money and merchandise in exchange for a small share of the ill-gotten gains.

The mules in the ATM cash-out scheme were willing participants, but in many cases, individuals serving the role of a money mule may not be aware of their criminal involvement and may even themselves become victims of fraud. The most common tactics for enlisting the help of unknowing money mules are posting work-at-home advertisements on major legitimate employment websites, purchasing pop-up ads, or sending e-mails.

Earlier recruiting efforts were easy to spot because they often used poor grammar or spelling, were not specific in describing the job, and usually based the hiring company outside the United States. More recently, recruitment efforts have used well-written ads with high-quality graphics. These ads often stress the convenience of the position for the worker and the significant earnings potential. When hired, the individual is sometimes engaged as a mystery shopper or in some similar function to make the transfer of money or goods seem normal to the business operation. Some schemes initially engage the person in conducting legitimate transactions with the goal of developing a level of comfort for the individual with the process and the promise of bigger, more lucrative transactions to come in the future.

As with many crimes involving multi-level organizations, it is not the masterminds but the money mules who are most often apprehended. They are the ones whom law enforcement officers can locate relatively easily because they are the ones who provide their financial account information or shipping address as part of the transaction. Unknowing money mules risk criminal prosecution, financial loss, and smearing of their reputations. It’s also possible that they will themselves experience identity theft or fraud against their financial accounts because they may have provided sensitive personal information during the recruitment process.

As cybercrimes continue to spread, the mule recruitment efforts will expand and probably become more sophisticated. Individuals must exercise safer computer security practices, and financial institutions, consumer protection agencies, and law enforcement must continue to provide education about this type of scheme to help increase everyone’s ability to detect such fraud. Not only will early detection help prevent individuals from becoming unwilling victims, but also it will aid in the investigation of these criminal efforts by law enforcement.

Brian Krebs (KrebsonSecurity) has a good article, which includes a money-mule training video, providing more information about this type of crime to help individuals avoid getting caught up in one of these schemes. We welcome your suggestions on how the educational effort can be strengthened.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 8, 2013 in ATM fraud, identity theft, money laundering | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019104230264970c

Listed below are links to blogs that reference Money Mules: Unwitting Accomplices?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 20, 2013


ATM Cash-Outs: A Major Escalation

The banking news this week has been dominated by the story about the two ATM cash-out schemes that netted the criminals a total of $45 million. (We mentioned the $40 million fraud involving prepaid cards issued by a bank in Oman in a post earlier this month.) The news articles and opinion pieces have focused on what I consider secondary aspects of this attack—counterfeit card production and prepaid cards. Some observers have pointed to this attack as further justification for a faster move to EMV reader capability in the United States. While it is certainly true that an EMV-only environment will virtually eliminate counterfeit card crimes such as this, the reality is that a dual EMV-magnetic stripe environment is going to exist, both here in the United States and the rest of the world, for quite some time. And while some categorize the United States as the only EMV holdout, the fact that 94 percent of the ATM cash withdrawals took place at ATMs outside the United States shows that we are not the non-EMV island that we are often portrayed as. Others have pointed out that the targeted cards were tied to prepaid accounts, implying or outright stating that a prepaid card management application is less secure than a regular debit card management application. This is not the case, as the fraud was not a product or an access device issue.

The real threat from this attack comes from the criminals' ability to gain access to the card management application on a real-time basis. It is still unclear whether they gained the account number and PIN from accessing the card management system or through the more traditional skimming means. What is clear is that they had the ability to continually replenish account balances and reset usage limit parameters during the 10–13 hour attack that involved more than 3,600 withdrawal transactions from ATMs located in 26 different countries. The investigation of the two processors located in India will tell if there was some level of insider involvement or if the criminals learned how to gain access to the card application and make the changes to keep the fraudulent attack going.

So how should bankers and card management processors address these concerns? I would suggest they consider an immediate review and understanding of their card management application access controls that identify the personnel having the authority to make "on-the-fly" changes to specific account parameters. Some access is required for actions such as flagging a reported lost or stolen card, but other parameters should be completely off limits or tightly controlled and monitored. Another safeguard would be to have account velocity monitoring, which would identify unusual card usage activity or usage from different parts of the world occurring at about the same time.

This highly sophisticated and coordinated attack is a game changer for the security controls of all types of card management applications. Let us know how you are responding.

David LottBy Dave Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 20, 2013 in ATM fraud, cybercrime | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01901c607e9d970b

Listed below are links to blogs that reference ATM Cash-Outs: A Major Escalation:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

May 06, 2013


Staying One Step Ahead of ATM Attacks

Ever since the first ATMs were installed in the United States more than 40 years ago, criminals have used a variety of methods to steal money, through either physical or virtual attacks on machines or customers. The early ATMs were installed primarily through the exterior wall of bank branches, so they were generally as secure as the building's cash vault. Consequently, the attacks generally took the form of robbing customers using or employees servicing an ATM.

The industry reacted, with some state regulatory nudging, with camera surveillance, improved lighting and visibility, privacy screens, drive-up reconfigurations, and customer safety education programs. When less-armored, freestanding cash dispensers began to appear in retail locations, criminals turned to trying to pull the entire ATM out from its floor or wall anchors and then cracking it open at a remote location.

As criminals grew more sophisticated, they turned their attention from such aggressive physical attacks to stealthier ones. In one such activity, referred to as "skimming," they place false card readers over the real ones to capture the data on the cards' magnetic stripe so they can create a counterfeit card. The criminals may generally also install a pinhole camera positioned to capture the customers entering their PINs on the keypad. Card skimming has become a major problem for the card payments industry overall and has been an impetus for the migration to chip cards throughout the world and finally in the U.S.

Some recent efforts to attack ATMs have involved gaining unauthorized access to the applications controlling ATM transaction authorizations. In an incident in Oman that took place earlier this year, cyberthieves established real-time access to the authorization files on a foreign bank's prepaid card application system and changed the balance available for withdrawals. They also continually reset the daily usage counters. Using a large gang of money mules with counterfeit cards and the PIN to access the prepaid account, the criminals conducted a coordinated attack, making continuous cash withdrawals at numerous foreign ATMs until the cash supply at all the ATMs was exhausted. This gang netted the equivalent of almost US$39 million—yes, that's not a typo, it was $39 million.

It now appears there is a trend, at least in Europe, of criminals resorting to physical attacks on the ATMs again. Gangs have been injecting explosive liquids and gases into ATMs, then igniting them to blast open the ATM vault to gain access to the currency cassettes. I believe it is only a matter of time before such attacks are initiated here in the United States.

These activities emphasize that criminal attacks against our payments system will continue to take different forms and target all payment channels. In a comprehensive risk management plan, stakeholders must always anticipate the next type of attack and take the necessary and prudent preventive measures. Sometimes we are lulled into a sense of complacency with mature payment channels and focus all our efforts on the emerging channels or payment products. How long has it been since you have done a risk evaluation on your ATM delivery channel?

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 6, 2013 in ATM fraud, crime, identity theft, risk management | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017eeadcbd0a970d

Listed below are links to blogs that reference Staying One Step Ahead of ATM Attacks:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

March 11, 2013


The ATM: Disappearing Soon from a Location near You?

The ATM industry in the United States is facing a set of regulatory and operating rule deadlines that might impact the industry as much as similar deadlines did during 2005–08. Back then, ATM owners were required to upgrade their terminals to support the more secure Triple Data Encryption Standard (3DES) to safeguard ATM transaction messages during transmission. To comply, ATM owners faced the expense of hardware and software upgrades. Because a number of ATM independent sales organizations (ISOs) were operating older machines that required replacement rather than upgrades, they sold off their businesses claiming they could not support these additional expenses. Although the total number of ATMs is difficult to determine, most people in the industry agree that the 3DES requirement resulted in fewer of them.

Now it's "déjà vu all over again" for many ATM owners. Two recent changes to regulatory and operating rules require additional investment in their ATM fleets. The first of these is the accessibility provisions of the 2010 American with Disabilities Act (ADA) that include, but are not limited to, a voice guidance requirement, Braille signage, and input controls for visually-impaired individuals. These provisions were published in September 2010. ATM owners had a compliance date of March 2011 and an enforcement date of March 2012. An online Wall Street Journal article written near the 2012 deadline estimated that half of the ATMs in the United States did not fully comply with the new requirements. Because many ATM owners were in near compliance at the time of the deadline, the current level of incomplete compliance is not known. I understand, however, that several ATM owners, particularly ISOs with low-volume cash dispensers, have still not upgraded their ATMs. Despite a number of lawsuits filed by visually-impaired individuals against noncompliant ATM owners, many appear to be continuing to operate while hoping to go undetected. The act allows an exemption to an ATM owner if the upgrade would be an "undue burden," but the burden is on the owner to seek the exemption and prove the burden.

The second change comes from the recently announced liability-shift roadmaps for EMV chip implementation by Visa and MasterCard. MasterCard set a deadline of October 2016; Visa, a year later. Currently, the card issuer bears losses from fraudulent card transactions at the ATM. After those dates, if a counterfeit card is used at an ATM that has not been upgraded to handle EMV cards—in which case the ATM has to read the card's magnetic stripe back-up—the ATM owner will bear the loss resulting from that fraudulent transaction.

Even more pressing is MasterCard's liability shift for non-U.S.-issued Maestro card transactions at U.S. ATMs, scheduled for April 19, 2013. The National ATM Council, an industry group for ATM ISOs, has formally requested MasterCard to both delay this shift and push back the overall liability shift deadline to synchronize with Visa's 2017 date. Already struggling with the increased costs resulting from the upgrade decision, ISO ATM owners fear that absorbing counterfeit card losses would devastate their financial condition. I suspect that as many of them have done with the ADA requirements, many may continue to postpone upgrade expenses and just hope that their machines are not targeted. However, as I noted in a recent post, criminals tend to attack the weakest elements of their target.

ATM usage continues to face competition from debit POS (purchases and cash-back) as well as the expanding mobile payments channel. With ATMs being such a high fixed-cost operation, the impact of additional upgrade expense at a time when usage is decreasing is likely to take a toll on the number of operating ATMs. What do you think?

David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 11, 2013 in ATM fraud, EMV, regulations | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017ee92da6ff970d

Listed below are links to blogs that reference The ATM: Disappearing Soon from a Location near You?:

Comments

FFIEC came up with two factor authentication guidelines in 2005 and followed it up with additional guidelines in 2012 or so. Still, there are so many banks that don't use 2FA in the USA. If big banks have managed to escape regulation for 8 years, it'd be much easier for ATM operators to fly under the regulatory radar for at least a few more years. So, I predict that ATMs will continue as they are and don't expect them to disappear anytime in the near future, at least not due to the current spate of regulation.

Posted by: Ketharaman Swaminathan | March 15, 2013 at 06:44 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 23, 2012


Consumer protection: What to do when the consumer’s the threat?

How much for a cockroach in my take-out? What should the burger joint give me for gaining weight from eating their cheeseburgers? Consumers seeking a quick payday through frivolous lawsuits are old news in the food industry. What you may not know is that financial institutions must battle the same problem, as malicious actors twist consumer protection legislation for their own profit.

An American Banker article described how a federal court in Pennsylvania dismissed a lawsuit brought against a credit union claiming that one of their ATMs lacked a mandatory Electronic Funds Transfer Act (EFTA) sticker disclosing fees. This was just one in a string of lawsuits filed by the same plaintiffs. Some financial institutions have decided to settle instead of taking their chances in court. Some of the plaintiffs mentioned in the American Banker article have apparently decided to make a living by scoping out ATMs where stickers have fallen off or been removed, making transactions at these machines, and then filing suit against the unsuspecting operator.

This consumer behavior represents a type of second-order compliance risk. In addition to the formal consequences of noncompliance with regulation, financial institutions (FI) must also consider that some bad actors may attempt to undermine their compliance efforts. As a practical matter, FIs can manage this risk by validating EFTA compliance each time the ATM is serviced. As the machine is being refilled with cash and receipt paper, servicers should check for the disclosure sticker and have extras on hand in case it has been removed. The FI should maintain records of verification and/or replacement.

These lawsuits also raise larger questions. The other week I blogged about how the Federal Reserve has at times attempted to correct market failures in the payments industry. However, the unintended consequences of legislation discussed in this post demonstrate that government failure is also a risk. Government failure is any time that a government intervention to overcome a market failure results in a less efficient outcome than if no action had been taken. The case of these ATM vigilantes shows that legislation meant to protect the consumer can sometimes be used to justify wasteful lawsuits. In addition to determining if there is a legitimate market failure to correct, policymakers also need to consider the potential for government failure and unintended consequences of regulation before passage.

Jennifer WindhBy Jennifer C. Windh, a senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

April 23, 2012 in ATM fraud, banks and banking | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0168ea9883db970c

Listed below are links to blogs that reference Consumer protection: What to do when the consumer’s the threat?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 27, 2010


Could the fight against ATM fraud use the help of biometrics?

Biometrics is defined as "the measurement and analysis of unique physical or behavioral characteristics especially as a means of verifying personal identity." There are several different identifiers that may be used in biometrics, including fingerprint and hand geometry, voice and vein recognition, as well as retina, iris, and facial scans. The concept of biometric technology as a customer authentication tool to protect the identity and accounts of individuals from fraud or theft is promising. However, relinquishing something as personal as a unique trait may leave some skeptical and others simply unnerved.

But can privacy concerns or consumer apprehension over the use of biometrics overcome the need to address the growing instances of ATM fraud?

Physical attacks on ATMs increase
According to Javelin Strategy & Research, in 2009, 10 percent of fraud victims in the United States experienced fraudulent ATM cash withdrawals. These schemes typically involve the use of a skimming device that may sit above the actual card reader and capture PIN entries. Other methods are more brazen and involve the physical act of pulling an ATM from the wall or floor and disassembling it elsewhere. Additional types of ATM attacks may involve data breaches, social engineering, and software vulnerabilities.

Successful adoption of biometric technology
Although the thought of biometric technology may conjure up images of George Orwell's 1984, for years now, several major Japanese banks have been using some form of biometric technology to combat ATM fraud. One example is the Bank of Tokyo-Mitsubishi, which uses palm vein-pattern biometrics for account and identity authentication. After inserting the card and entering a PIN, the user holds his or her hand over a sensor on the ATM for verification purposes. Because palm vein patterns are unique to each individual, others are not able to withdraw money using stolen cards. The palm vein information is stored in the card itself, which also keeps the biometric information hidden from bank employees.

In 2006, a new Japanese law made banks liable for fraudulent ATM withdrawals. Prior to the law's passage, banks did not impose withdrawal limits and did not protect against losses due to theft. As a result of the new law, today more than 90 percent of Japan's banks use some form of vein-pattern recognition.

Biometrics obstacles
A lack of standardization and the costs of implementation ring in at the top of the list when we consider why the financial services industry is apprehensive about integrating this technology. Also topping the list are privacy concerns and general consumer apprehension. But surprisingly, consumers have offered positive feedback when asked about the use of biometrics to combat fraud. In fact, when asked what they would choose, more consumers preferred using biometrics as an additional authentication tool over a one-time password device.


Additional Authentication Methods at ATMS by Age
Enlarge Enlarge


Will banks be willing to invest the time and money into technology that may or may not become an industry standard? Or are some banks waiting for other banks to serve as pioneers in the United States before they invest in biometric ATM machines?

Creating a chain of trust
U.S. consumers have historically shown reluctance to embrace new technologies until their reliability and trustworthiness have been vetted in the marketplace for a number of years. Part of building this trust will require building a track record of robustness with respect to both security and reliability. While concerns about biometrics may abound, these concerns can be addressed by educating the user and industry.

The concept of biometrics shows great potential for combating ATM fraud, but is it the panacea? Or is the key simply using technology more advanced than that employed by the bad guys, staying one step ahead of them rather than one step behind?

By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

September 27, 2010 in ATM fraud, biometrics, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0133f4a074cc970b

Listed below are links to blogs that reference Could the fight against ATM fraud use the help of biometrics?:

Comments

Oddly enough this article came out recently:

AUTOMATED BIOMETRIC RECOGNITION TECHNOLOGIES 'INHERENTLY FALLIBLE,' BETTER SCIENCE BASE NEEDED

http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=12720

This isn't to say that combining a biometric with a card and PIN could make it less 'inherently fallible'...

The biometric needs to be reliable enough to replace one of the authentication factors with a more effective method. Otherwise you are creating more work/effort/barrier for the consumer to transact with the payment method.

Posted by: Mike Urban | September 29, 2010 at 06:01 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


November 2014


Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30            

Archives


Categories


Powered by TypePad