ATM Fraud in Broad Daylight
February 2, 2009
Before you hit play and watch this news story, just know that the Bad Guy didn’t even have to try as hard as he did. This crime is easier to commit than this news segment shows, and there are places a whole lot more vulnerable than an ATM vestibule in the middle of the day.
It’s an important case because we rely more and more heavily on ATM/Debit and Credit Cards as we move toward a cashless society. And they’re all vulnerable to the type of attack detailed here. New card skimmers are showing up that get the mag stripe data, and are coupled with small cameras that watch you enter your PIN. The info is sent to a Bad Guy via a wireless network, and the Bad Guy makes a new mag stripe card, drives across town, withdraws money out of another ATM with your PIN, and disappears into the sunset. You’ll never see your money again.
Roll ‘em:
Basically, the Bad Guy just needs a few seconds to attach a skimmer to the ATM and attach a camera to a convenient location in view of the keypad. Everything can be pre-programmed, so this whole operation can be done in the blink of an eye. The system works by wirelessly transmitting all of the information to the crook, at a safe distance from the ATM.
The point is it’s easy to read magnetic stripes, it’s easy to re-encode magnetic stripes, and it’s easy to buy a bunch of blank credit-card-sized magnetic stripe cards and encode those stripes with stolen numbers. Since merchants don’t verify that you have a genuine, or even genuine-looking, card anymore, a Bad Guy can copy your card and use it at any gas station, any ATM, or any self-service kiosk, and probably not get caught.
(Security Break: What value does the card’s 3 or 4 digit security code add?)
To make things worse, there are a wide variety of ways to get the magnetic stripe info off a card, and because of that, attacks like this continue to grow in popularity. Some easy ways:
- Card skimmers on ATMs, gas pumps, or even in shops – like in the video above, it only takes a few seconds to install a skimmer and an optional camera, and they can be extremely difficult to detect;
- Waiters at restaurants get your physical card for long enough to copy it, with or without a magnetic stripe reader. They simply take the stolen information and either sell it online, or if they’re truly ambitious, they fabricate a copy card themselves with inexpensive, widely available equipment;
- Browsers and websites can be compromised, or you could be phished – in which case, the Bad Guy gets everything you type and everything you see on your screen, including not only the information on the card, but also things like names, billing addresses, and whatever else you enter for the transaction.
(Security Break: What does signing the back of the card do?)
So, what can be done about this?
There are a few things consumers can do to dramatically improve security in their life, like monitoring their transactions, using ATMs they know and keeping an eye out for changes, etc. But just as passwords are no longer considered a sufficient means of protecting access to online accounts due to things like phishing, relying on a magnetic stripe on a credit card is just not enough to protect your financial transactions. Adding a second method to verify that the account owner is, in fact, the person conducting the transaction would offer material benefit.
So how would this work?
Transaction verification systems call you for approval (usually just pressing the # key) before dispensing the cash or completing the transaction, if the transaction looks suspicious.
I believe more and more banks will be implementing transaction verification systems for just this reason: It’s simple, and it works.
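The hold-and-call flow described above, sketched as an added example (not code from this blog or from any bank's or vendor's system). The suspicion rule (unfamiliar ATM or amount over a limit), the class and field names, and the timeout are assumptions, and the card and ATM values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Withdrawal:
    txn_id: str
    card: str      # constructed account token, not a real card number
    atm_id: str
    amount: int

@dataclass
class Verifier:
    known_atms: dict            # card -> ATM ids used before (assumed heuristic)
    amount_limit: int = 200     # assumed threshold
    timeout_s: int = 120        # assumed approval window
    pending: dict = field(default_factory=dict)  # txn_id -> (withdrawal, deadline)

    def suspicious(self, w):
        unfamiliar = w.atm_id not in self.known_atms.get(w.card, set())
        return unfamiliar or w.amount > self.amount_limit

    def request(self, w, now):
        if not self.suspicious(w):
            return "DISPENSE"
        # A real system would now call the phone on file for this account.
        self.pending[w.txn_id] = (w, now + self.timeout_s)
        return "HOLD"

    def phone_response(self, txn_id, key, now):
        entry = self.pending.pop(txn_id, None)   # single use: a replay finds nothing
        if entry is None:
            return "DECLINE"
        _w, deadline = entry
        if now > deadline or key != "#":          # default deny
            return "DECLINE"
        return "DISPENSE"

def demo():
    v = Verifier(known_atms={"card-A": {"atm-home"}})
    return [
        v.request(Withdrawal("t1", "card-A", "atm-home", 60), now=0),
        v.request(Withdrawal("t2", "card-A", "atm-crosstown", 60), now=10),
        v.phone_response("t2", key="", now=200),   # owner never approved; hold expired
        v.request(Withdrawal("t3", "card-A", "atm-airport", 60), now=300),
        v.phone_response("t3", key="#", now=320),  # owner approves on the phone
        v.phone_response("t3", key="#", now=325),  # same approval replayed
    ]

if __name__ == "__main__":
    print(demo())
```

The copied stripe and PIN are enough to start the withdrawal at the unfamiliar ATM, but cash is released only after a key press on the phone, which the person holding the copied card does not have.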
Getting a Break in the Case Against Computer Crime
January 30, 2009
It’s an us-against-them time in IT security. The more bad economic news I see, the more I understand the Bad Guy’s motive. Hacking, once a sport for the well-educated and well-off, is now a desperate measure for financial gain.
How many IT folks have been laid off in the last few months? How many are worried and anxious? How many are really angry on top of it? Attacks have never been more sinister because they’re conducted by really skilled people, sometimes with insider knowledge. Identity theft, man-in-the-middle attacks, malware gone mad – the list is endless, and attacks are growing in number, not just in intensity.
Keeping ahead of these threats keeps many of us up at night. So this blog, and the new Internet Talk Radio Show by the same name, will focus on breaking open cases of data theft, network intrusion, and other attacks on the systems and information we security guys strive to protect. Each post will focus on a specific threat – looking at how it was (or could be) perpetrated, and how to protect against it.
About my approach: I’ve been blogging on-and-off for several years now while working on a two-factor authentication solution that I believe to be an incredibly powerful tool in the fight against data and identity theft. So as I map out an approach to thwart each attack, I will focus on authentication technologies and issues where applicable. That doesn’t mean I’ll limit which cases I take on.
But two-factor authentication can do a lot, which is why I’ve continued to work with it, and I’m going to prove it. I love a good challenge. Here’s my two cents about two-factor authentication: Sometimes (incorrectly, IMO) called “strong authentication,” two-factor authentication requires items from two of the following three categories:
- Something you know;
- Something you have;
- Something you are.
Given the expense and complexity associated with biometrics, that means that, practically speaking, two-factor means “something you know” and “something you have.”
There’s a catch, though. The “something you have” must really act like something you have, and not like “something you know”, or the security degrades to several-of-one-factor, which is generally not as strong.
An example of something you have is a cell phone. Here’s an example of something you think is something you have, but is really something you know: magnetic stripe cards, such as credit cards, ATM cards, lots of driver’s licenses, hotel room keys, door lock systems, time tracking systems, and whatever else has that little brown/silver/whatever stripe on the back of the card.
Magnetic stripe cards fool you: While they look like something you have, they act like something you know! What does it mean to “act like” something you know? Well, what are the characteristics of knowledge vs. tangible property?
- You can write down or memorize “something you know”;
- You can easily make a copy of “something you know”;
- In particular, Bad Guys can copy “something you know” without your, um, knowledge.
Now, think again about the magnetic stripe card. While it may be hard for you to make a physical copy of an American Express card, that’s rarely the issue: There are a great many cases where the merchant doesn’t even see the card. (Ever wonder why photographs on credit cards didn’t take off?) Heck, at this point, most modern merchants never see the card at all, even in retail stores: Target, Costco, and most of the other places I shop fall into this category.
So, if the merchant doesn’t see the card, what is it interested in? That’s right, the information on the card: the stuff encoded in the magnetic stripe, the stuff you know. It is not something you have. Something you have can only be in one person’s possession at a time.
I used the all-too-popular, honestly scary magnetic stripe card for a reason. For our first case, we’ll look at a case of ATM fraud, how easy it was for a Bad Guy to siphon a checking account at a public ATM in broad daylight, and why PCI regulations won’t help at all. Stay tuned.
Let the investigation begin….
Security Break Live hits the radio!
January 30, 2009
Join Steve and co-host John Quain, CBS Up to the Minute tech correspondent and New York Times writer, Friday Feb. 13th as they take on ATM Fraud in Broad Daylight.
Is there anything you can do about the security risk of mag stripe cards? ATMs are the easiest to steal, and the latest case, where a bank ATM was rigged to steal card after card in broad daylight, shows that PCI regulations can’t stop the Bad Guys.
Find out the places you go every day that put you and your bank account most at risk. Gas stations? Movie theaters? Listen in, call in, or join them on live chat as they discuss strategies to protect your ATM cards and credit cards.
Listen Friday, Feb. 13th – 9:00am PT / 12:00am ET at:



