
As EMV deadline looms, industry looks to next ATM attack front

While ATM skimming scams are sure to continue leading up to the country's EMV migration next year, the time to take advantage of these schemes is limited for criminals, and they are without a doubt looking to leverage new attacks against money machines, experts say.

Angel Grant, senior manager at security firm RSA, told SCMagazine.com that variations in skimming devices, as well as tactics used to steal payment card data using the hardware, will likely be plentiful – and clever – a last hurrah for fraudsters, so to speak, as merchants prepare to implement the global Europay, MasterCard and Visa (EMV) standard by Oct. 2015, the date when fraud liability shifts from banks to retailers that haven't taken up the chip-and-PIN verification system.

In July, for instance, the European ATM Security Team (EAST) warned of fraudsters fitting ATMs throughout Europe with mini-skimmers, smaller versions of traditional skimming devices that more easily escape detection. With the stolen data, criminal gangs likely aimed to create bogus magnetic stripe cards for use in the U.S., or other areas slow to adopt EMV.

“The hardware in ATM skimmers has been a threat for a while,” Grant said. “You often see them at point-of-sale terminals at gas stations, for instance, and we will see more of them in the course of the next year. They are going to capitalize on the fact that the U.S. has not migrated to EMV. And they know the window of opportunity is going to shrink over time,” she said.

Until the migration to EMV is complete, banks should encourage their customers to take some anti-skimming measures, which Diana Kelley, executive security advisor at IBM, said can thwart inevitable attacks.

“It's a very old school [concept], but covering up your PIN as you are entering it does help,” Kelley said, explaining that criminals often couple skimmed card data with PIN information recorded by pinhole cameras they've also installed.

“Do take a look at the ATM that you are using,” Kelley also advised. “Some of the skimmers are half hanging off of the ATMs and aren't as elegant as the ones you see in the news. And use the more heavily monitored ATMs, in a bank lobby for instance, versus one that's in an unmanaged location.”

Kelley also advocated additional measures for fraud prevention, such as the use of out-of-band authentication for ATM transactions, which might include a banking app that verifies whether cardholders are actually at ATMs flagged as dispensing money from their accounts. Many banks already offer basic email alerts notifying customers of various transactions, she explained.

Doug Johnson, senior vice president of the American Bankers Association (ABA), told SCMagazine.com that there is already a “high degree of cooperation with banks and [ATM] manufacturers, who are always on the lookout to find ways to beat skimming technology.”

“It's an arms race with all the ATM vendors,” Johnson said of efforts to thwart fraud.

Diebold, the largest U.S. manufacturer of ATMs, is one vendor that has tried to tackle skimming fraud. Its ActivEdge card reader, for instance, requires users to insert their card via the long edge for transactions, making skimmers designed for traditional machines ineffective.

But attackers continue to craft new threats to make headway in spite of technological advancements.

Last September, new ATM malware, called Ploutus, hit researchers' radars. The malware, known for causing money machines in Mexico to spit out money, was transferred into ATMs via the CD-ROM drive. Attackers then sent a 16-digit command code using the ATM keypad, followed by additional malware instructions through a command line. From there, attackers could schedule the desired time for cash to be dispensed, researchers found. In only a couple of weeks' time, an updated English-language version of Ploutus was discovered by analysts.

RSA's Angel Grant said that the industry can also expect to see more attacks targeting web-based ATM control panels.

In April, the Federal Financial Institutions Examination Council (FFIEC) warned financial institutions, particularly small- to medium-sized banks using the web-based control panels, of criminals leveraging “unlimited operations,” defined as “a category of ATM cash-out fraud where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals,” an FFIEC statement (PDF) said.

Grant explained that such attacks can be initiated via spear phishing attacks targeting bank employees' credentials, after which attackers can infiltrate targeted systems to modify ATM admin features.

FFIEC said, at the time, that a recent unlimited operations attack resulted in fraudsters extracting over $40 million using only 12 debit card accounts.

In response to growing threats against ATMs, Grant noted one silver lining: ATM manufacturers have begun to consider the “security of [ATM] transactions beyond the hardware,” she said.

Vendors have started analyzing customer transaction trends, for instance, in order to more efficiently identify suspicious behavior leading to fraud, she explained.

“In addition to skimmers, they are seeing new types of attacks. [Accordingly] they are developing a consortium around attacks that are targeting consumers and creating technical standards,” Grant said.

In July, ATM makers Diebold and Wincor Nixdorf announced their plans to found an industry association with the sole focus of improving ATM security. As part of the effort, the companies plan to amass information on known, and potential, attack scenarios impacting ATMs in order to develop technical standards for “secure ATMs and ATM components,” Diebold said in its release. The association of manufacturers and suppliers will be implemented under Dutch law, the firm said, but will also seek input from other stakeholders and parties, such as banks and IT service providers.  

“A lot of organizations are trying to take advantage of risk-based analytics to be able to detect suspicious banking patterns or behavior,” Grant said. “In the past, they've never really looked at it from that perspective,” she added.

A year in review: ATM fraud 

Fall 2013: Researchers at Safensoft and Trustwave detailed a new ATM malware threat, called Ploutus, which was detected infecting machines in Mexico. Symantec then discovered an updated English-language version of the malware.

Winter 2013: Researchers at the annual Chaos Communication Congress demonstrated how criminals could store malware on USB drives and upload the threat to ATMs running Windows XP in order to withdraw money.

January: Thirteen individuals were indicted in Manhattan in connection with a $2 million card skimming operation where Bluetooth-enabled devices were installed on gas pumps.

March: Seventeen defendants were indicted in Chicago for their involvement in an international ATM skimming scheme targeting machines in the city. The individuals allegedly netted approximately $250,000.

April: FFIEC alerts financial industry of attacks on web-based ATM control panels, primarily targeting small- to medium-sized financial institutions.

July: The European ATM Security Team provides fraud update on mini-skimmers being used in ATMs across Europe.
