The way to stop ATM skimming and card fraud is to make it a crime that doesn't pay, a panel of security experts says.
October 16, 2013 by Suzanne Cluckey — Owner, Suzanne Cluckey Communications
According to Michael Caswell, when dealing with fraudsters, "It's not a question of when you'll be compromised, it's a question of when they'll use what you already have out there."
Since Caswell is a special agent with the U.S. Secret Service, one assumes he knows whereof he speaks.
Where he spoke was at the ATM & Mobile Executive Summit last month in Washington, D.C., as a panelist in a session called "Staying Ahead of the Fraudsters."
Caswell was joined by Mimi Hart, CEO of MagTek Inc. — the company that spearheaded the development of secure card readers in 2005 — and Adam Meyers, director of intelligence at CrowdStrike, a security technology company that helps enterprises and governments protect their intellectual property and national security information. Kurt Helwig, president and CEO of the Electronic Funds Transfer Association, moderated the session.
To drive home his point about the volume of data in the hands of cyber criminals, Caswell showed real-time video of a data dump of information from thousands of skimmed accounts.
And, Caswell said, collecting this data is easier than ever for criminal gangs. He described how ATM fraudsters are now using wireless devices that eliminate the need to return to an ATM terminal to retrieve the device and the information stored on it — often the riskiest part of the skimming operation.
"Now with wireless, they can sit some 100-plus yards away in a car just capturing information, then stream it overseas and automatically start imprinting credit cards if not doing online purchases with it," he said.
He said professional crime organizations like to buy an ATM and drop ship it overseas so that they can deconstruct the machine and figure out where its vulnerabilities are — and craft virtually imperceptible card reader overlays.
Hart said the industry needs a better way to stop fraud than trying to catch data theft at the point of attack. "You cannot stop skimming," she said. "It's physically impossible because the data is in the clear. Instead of trying to prevent somebody from actually doing the skimming, we have to have a way to stop the payout when they go to use the card."
There are two effective ways to do this currently, she said:
The first is dynamic authentication of the card, a process in which the "fingerprint" (i.e., the arrangement of magnetic particles on the stripe) of a card presented at retail is compared with a fingerprint of the card recorded at issuance and stored in a database.
The second is mobile payments, which can provide several "tiers" of protection, including data encryption and tokenization, biometrics (as used on the new fingerprint-secured iPhone 5S) and other means.
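Hart's first method, dynamic authentication of the card's magnetic "fingerprint", is easier to reason about with a toy model. The following Python is an added illustration, not MagTek's method or any code from the article: it assumes the fingerprint is a short vector of analogue readings of the stripe's intrinsic particle noise, that the issuer stores one reading at issuance, and that a Pearson correlation above a threshold accepts the card. The point it demonstrates is the one in the text: a skimmer copies the encoded track data exactly, but the clone it writes has its own unrelated particle pattern, so the stored fingerprint no longer matches. All card data and seeds are constructed.

```python
"""Toy model of dynamic card authentication by stripe fingerprint.

Assumptions (not from the article): a fingerprint is a vector of analogue
readings of intrinsic stripe noise; the issuer stores one at issuance; a
Pearson correlation above ACCEPT_THRESHOLD accepts the card. All constructed.
"""
import random
import statistics

FINGERPRINT_LEN = 64
ACCEPT_THRESHOLD = 0.8
TRACK_DATA = "CONSTRUCTED-TRACK2-DATA"   # identical on the genuine card and its clone


class PhysicalCard:
    """A card: the encoded track data plus the intrinsic particle pattern."""

    def __init__(self, track_data, pattern_seed):
        self.track_data = track_data
        rng = random.Random(pattern_seed)
        # The pattern is fixed at manufacture and not encoded anywhere on the stripe.
        self._pattern = [rng.gauss(0.0, 1.0) for _ in range(FINGERPRINT_LEN)]

    def read(self, read_seed, read_noise=0.2):
        """One swipe: the intrinsic pattern plus per-read measurement noise."""
        rng = random.Random(read_seed)
        return [v + rng.gauss(0.0, read_noise) for v in self._pattern]


def clone(card, pattern_seed):
    """A skimmer reproduces track_data exactly but cannot copy the particle pattern."""
    return PhysicalCard(card.track_data, pattern_seed)


def correlation(a, b):
    """Pearson correlation of two reads (1.0 = identical pattern, ~0 = unrelated)."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = (sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b)) ** 0.5
    return num / den


def enroll(card):
    """Issuer side: store the fingerprint taken at issuance, keyed by track data."""
    return {"track_data": card.track_data, "fingerprint": card.read(read_seed=0)}


def authorize(record, presented_track_data, presented_fingerprint):
    """Acquirer/issuer check at the point of sale: data must match AND pattern must correlate."""
    if presented_track_data != record["track_data"]:
        return False, 0.0
    score = correlation(record["fingerprint"], presented_fingerprint)
    return score >= ACCEPT_THRESHOLD, score


def demo():
    """Genuine card re-read passes; clone with identical track data fails."""
    genuine = PhysicalCard(TRACK_DATA, pattern_seed=1)
    record = enroll(genuine)
    ok_genuine, genuine_score = authorize(record, genuine.track_data, genuine.read(read_seed=7))
    cloned = clone(genuine, pattern_seed=99)
    ok_clone, clone_score = authorize(record, cloned.track_data, cloned.read(read_seed=8))
    return ok_genuine, ok_clone, genuine_score, clone_score


if __name__ == "__main__":
    ok_g, ok_c, s_g, s_c = demo()
    print(f"genuine accepted={ok_g} score={s_g:.3f}")
    print(f"clone   accepted={ok_c} score={s_c:.3f}")
```

The design point is that the decision depends on a physical property that is measured, not stored on the stripe, so data "in the clear" on the wire is not enough to produce an accepted card. The threshold and noise levels are placeholders; a real deployment would tune them against false-reject rates from worn cards and different reader heads.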
Both Hart and Caswell said they thought mobile held real potential for reducing payments fraud.
Meyers was less optimistic.
"In the computer security world, that's the biggest concern — this stuff moving to mobile. We've already seen some of the fraudsters and malicious actors writing malware for various mobile platforms like Android to compromise that two-factor authentication. ... The bad guys know it's moving towards mobile and they're already there."
Caswell acknowledged that it always seemed that law enforcement was playing catch-up with fraudsters. But with a platform such as a mobile device — "a computer that happens to make telephone calls" — he believed there were more opportunities to create a robust security system.
In addition, he said, ensuring device integrity was a matter of educating consumers, FIs and even law enforcement about potential threats, including viruses introduced into the device through mobile-based activities as seemingly innocuous as online gaming and social networking.
Meyers added that even indiscriminate capturing of QR codes from unknown sources could provide entry for a malware exploit.
The best solution, he said, was for mobile handset makers to give security companies access to the root systems of their devices — something they don't currently allow.
Meyers explained that the anti-virus protection now available for mobile devices resides in the user space, but an attacker who wants to compromise the device is going to be operating "well underneath that, with root access into the kernel." "So [anti-virus software] is just making you feel better, in most cases," he said.
He said that a year ago, CrowdStrike wrote an exploit demonstrating to handset makers how Chinese attackers might gain entry to the Android mobile platform and deliver a remote access toolkit to the device, thus giving them complete control over the data in the handset.
"It took a team of two people about 14 days to do it. And one of the key takeaways from that presentation was that if you don't provide root access to some of the vendors that are out there, then the only person who's going to have access is the bad guys or somebody who jailbreaks their own phone."
Hart said that the best approach to security was multi-factor authentication at every stage of a transaction — verifying the card and token, the card data, the encrypting device, the amount being charged, and the receiver of the transaction data.
All of the panelists agreed that EMV, while not perfect, did make transactions more secure. And Meyers said that the more security fraudsters had to defeat, the less profit there was to be made.
"If you raise the cost to the adversary, they're not going to keep pace with you. They're going to find a lesser road to go down."