Security Awareness

The Dangers of using ATM

How to Protect yourself?

Presented by Reaz Baichoo (CISSP)

 The Dangers of using ATM
How to Protect yourself?

The purpose of this presentation is to make the audience aware of the dangers of
using ATMs and how to protect from ATM Frauds

In no case the reader should use any techniques presented to perform ATM Frauds.
It is for awareness ONLY and the Author disclaims of any liability thereafter

© Reaz Baichoo (CISSP) - 2007

 Agenda
• Introduction
• General practices
• ATM Fraud Techniques
• PIN Security
• Accessing the Cash
• ATM Burglary attacks
• Conclusion
 Introduction
• Consumers – Trust and depend on ATM

• ATM – conveniently meet consumers Banking

needs

• ATM – one of many EFT devices vulnerable to

fraud attacks
 Introduction
• Fraud at the ATM – more difficult than at a POS
• But still Widespread
• ATM Fraud techniques
– Shoulder surfing
– Card Skimming
– Software tampering
– Hardware modifications
 Introduction

Recent Global ATM consumer research

indicates that one of the most important
issues for consumers when using an ATM
was personal safety and security (Decision
Analyst)
 Introduction
1%
ATM appearance 1%
9%
Simple instructions 11%
11%
Privacy completing transaction 7%

Financial Safety & Security 14%

16%
18%
Completing transaction quickly 11%
18%
Cost of Transaction 30%
26%
Personal safety & Security 19%

0% 5% 10% 15% 20% 25% 30% 35%

Most Important Second Most Important

Decision Analyst, Inc. 2002

 Agenda
• Introduction
• General practices
• ATM Fraud Techniques
• PIN Security
• Accessing the Cash
• ATM Burglary attacks
• Conclusion
 General Practices
• Video Surveillance

• Awareness and Consumer Education

• Remote Monitoring
General Practices - Video Surveillance

• Invaluable and Effective as a monitoring of ATM

and surrounding Area
• Assists in the deterrence and apprehension of
bank robbers
• legislatively mandated in many states
• Potential benefits in the surveillance of off-
premise ATMs
 General Practices – Awareness &
Consumer Education
• Joint effort involving
– Financial Institutions
– Consumer
– ATM Manufacturer / Service Provider
 General Practices – Awareness &
Consumer Education
• Financial Institutions
– stress the importance of awareness at ATM to
their customers
– promote vigilance in reporting irregularities
– Branch personnel, ATM services providers
and cash handlers – proper training to
recognize ATM Frauds
– Training to service technicians to conduct
detailed evaluation of key ATM components at
each visit
 General Practices – Awareness &
Consumer Education
• Consumer
– Use of same ATMs daily / weekly
– Attentive consumer
– Notices any irregular objects or any attached
notes
– Report discrepancy to Financial institutions
– Carefully review monthly account statements
– Use Internet banking to monitor any
uncommon activity on their account
 General Practices – Awareness &
Consumer Education
• ATM Manufacturers / Service Providers
– Criminal rings purchasing ATMs and placing
them in open market
– A repository for stolen card data and PIN
Numbers
– Promote consumers to use recognized ATMs
General Practices –Remote Monitoring

• Provide an automated means to monitor and

manage ATM network
• Communicate important messages that may
indicate the tampering with a machine
• Provides improved ATM availability and reduces
risk
• Quick identification of problem – remotely and
centrally
 Agenda
• Introduction
• General practices
• ATM Fraud Techniques
• PIN Security
• Accessing the Cash
• ATM Burglary attacks
• Conclusion
 ATM Fraud Techniques
• Card Theft

• Skimming Devices
 ATM Fraud Techniques – Card Theft

• Criminals use a variety of card trapping devices

• Encased in a plastic transparent film
• Inserted into the card reader throat
• Hooks attached to prevent card from being
returned to consumer
 ATM Fraud Techniques – Card Theft

• Criminal usually in close proximity

• Criminal offer support
• Suggest the user to enter the PIN again so that
he can view the entry and remember the PIN
• Criminal uses probe to extract the card (After
consumer left believing his card was captured by
ATM)
 ATM Fraud Techniques – Card Theft

Card Trapping Devices:

 ATM Fraud Techniques – Preventing
Card Theft
• Use remote diagnostics to monitor ATM, error
codes generated by card reader
• An increase in the occurrence of error codes
related to card readers could be an indication of
a fraud attempt
• Consumer and staff awareness
• Never enter PIN in front of Intruders
 ATM Fraud Techniques – Skimming
Devices
• Most frequently used method of illegally
obtaining card track data
• Devices used by criminals to capture stored data
in magnetic strip of the card
• Read and decipher info on magnetic stripes
through the application of small card readers in
close proximity or on top of the actual card
reader input slot
 ATM Fraud Techniques – Skimming
Devices
• Skimming devices can be smaller than a deck of
cards
• Can capture and retain information from more
than 200 cards
• Capture account numbers, balances and
verification codes
 ATM Fraud Techniques – Skimming
Devices
• Consumer believes the device is part of the ATM
equipment
• Sign instructing cardholders to swipe cards
through the additional reader for security
purposes or
• Portray the additional card reader as a card
cleaner
 ATM Fraud Techniques – Skimming
Devices

Skimming Devices:
 ATM Fraud Techniques – Skimming
Devices
Skimming Devices:
 ATM Fraud Techniques – Preventing
Skimming
• Attentiveness of ATM consumers, branch
personnel or ATM Service technician
• Visual clues – presence of adhesive tape
residue near or on card reader
• Therefore, awareness for consumers, Branch
personnel and ATM service Technician
 ATM Fraud Techniques – Preventing
Skimming
• Use Anti-skimming solutions:
– Control speed of the movement of the card or
– Intentional erratic movement of the card
during card insertion and return by the
motorized card reader – will confuse most
skimming devices
– Jitter techniques incorporated into some
newer card reader designs
 ATM Fraud Techniques – Preventing
Skimming
• Use Anti-skimming solutions:
– Install an auto alert system to monitor the
routine patterns of withdrawals to help
determine fraudulent withdrawals
– Migrate towards chip cards and chip card
readers – less susceptible to skimming
 Agenda
• Introduction
• General practices
• ATM Fraud Techniques
• PIN Security
• Accessing the Cash
• ATM Burglary attacks
• Conclusion
 PIN Security
• Shoulder Surfing

• Fake PIN Pad Overlay

• PIN Interception
 PIN Security – Shoulder Surfing

• Direct observation
• Watching what number that person taps onto the
keyboard
• Use miniature video cameras – easily obtained
and can be discretely installed close to the PIN
Pad
 PIN Security – Preventing Shoulder
Surfing
• Fix mirror on the fascia of the ATM – users will
see behind as they enter their info
• Ergonomic design of the ATM to prevent
shoulder surfing
• Consumer – allow body to cover the area of pin
entry
 PIN Security – Preventing Shoulder
Surfing
• Educate users
• Place ATM in high-traffic area, with illuminated
signage panels and surrounding street lights
provide a secure and welcoming environment to
customers
 PIN Security – Fake PIN Pad Overlay

• Fake PIN pad placed over original keypad

• Overlay captures the PIN data and stores info
into its memory
• Fake PIN pad then removed and recorded PINs
are downloaded
• Identical in appearance and size of original
keypad
 PIN Security – Fake PIN Pad Overlay

• Some are very thin and transparent to the

consumer
– PIN intercepted
– allows for transaction to proceed in normal
way
– Used in conjunction with card data theft to get
info needed to access unsuspecting
consumer’s account
 PIN Security – Fake PIN Pad Overlay

• Criminal may also attach a portable

monitor and card reader on top of the
actual ATM’s monitor and card reader to
obtain card and PIN info
– Card will not be returned to consumer
– After consumer left, criminal will remove card
and use recorded PIN for fraud activities
PIN Security – Fake PIN Pad Overlay

PIN Pad Overlay

 PIN Security – Preventing Fake PIN
Pad Overlay
• Educate users to be aware of abnormalities in
look and feel of the keypad
• Pay attention to screen as they enter PIN
• No **** when entering PIN indicates a PIN Pad
overlay
 PIN Security – Preventing Fake PIN
Pad Overlay
• Use ATM monitoring software / services
e.g. to notify of repetitive “time-out
messages”
– could signify that a card was inserted but
transaction timed out due to no data entered
– PIN pad overlay has received the PIN entry
info
 PIN Security – PIN Interception

• After PIN entered, info is captured in electronic

format through an electronic data recorder
• Done either inside the terminal or as the PIN is
transmitted to host computer for online PIN
check
• Access to communication cable required –
therefore more easily done at off-premises
 PIN Security – Preventing PIN
Interception
• PIN pad security dictated by MasterCard
and VISA
– Require encrypted PIN pad (EPP) in place
– The EPP is a sealed module that immediately
encrypts the PIN entry
– No “raw” PIN numbers are accessible to
electronic hackers
– Tampering of EPP renders it unusable
requiring shipment back to manufacturer
 PIN Security – Preventing PIN
Interception
• For online communication, 3DES standards
strengthens the encryption algo used to protect
the secrecy of PIN as it is sent from ATM to bank
for verification
 Agenda
• Introduction
• General practices
• ATM Fraud Techniques
• PIN Security
• Accessing the Cash
• ATM Burglary attacks
• Conclusion
 Accessing the Cash
• False ATM presenter

• Transaction Reversal
 Accessing the Cash – False ATM
presenter
• Fraud performed through addition of traps in
front of the dispense point
• Device covers or disguises the normal dispense
point
• ATM dispenses notes to false front and never
presented to consumer
• Consumer mistakenly assumes the ATM has
malfunctioned
• After customer leaves, criminal removes false
fronts and takes the currency
 Accessing the Cash – False
ATM presenter
• Simplest method – use adhesive tape that
blocks the cash dispenser and holds delivered
banknotes
• Another method – use motorized devices that
transport the delivered notes into dedicated bins
 Accessing the Cash – False
ATM presenter
False ATM presenter:
Accessing the Cash – Preventing
False ATM presenter
• Enhance presenter door mechanics with a more
robust locking mechanism
• Modify firmware and hardware
– After note stack reaches a certain position within the
presenter, the final delivery of the note stack is done
entirely by belts without assistance of the push plate
– With an external false cover, there will be much lower
force pushing notes against the tape resulting in most
or all notes to be retracted
 Accessing the Cash –
Transaction Reversal
• Use a variety of methods to create an error
condition at the ATM resulting in a transaction
reversal due to reported inability to dispense
cash – though cash is legitimately accessible by
force
 Accessing the Cash –
Transaction Reversal
E.g.
• ATM user request to withdraw $100
• User carefully remove only a portion of the notes
e.g. only $60
• $40 left in presenter
• Several seconds later, ATM times out and sends
an error message
• ATM retracts the remaining banknotes
• Dispenser is not able to count banknotes
• Transaction reversed
Accessing the Cash – Preventing
Transaction Reversal

• Many financial institutions deter this fraud by

ALWAYS debiting the account for full amount of
the transaction and dealing with short dispense
claims as they occur

• Monitor the “Time out on Withdrawal” ad

resulting retract: if this error is on a specific card,
it may be an indication of fraudulent activity
 Agenda
• Introduction
• General practices
• ATM Fraud Techniques
• PIN Security
• Accessing the Cash
• ATM Burglary attacks
• Conclusion
 ATM Burglary attacks
• Physical attacks attempted on the safe inside
the ATM
• Through mechanical or thermal means
• Goal is to penetrate the ATM open safe to
remove cash
 Preventing ATM Burglary attacks
• Certification level of safe - UL 291 Level 1
recommended as minimum for ATMs in
unsecured and unmonitored locations
• Alarms and sensors to detect physical attacks
• Ink stain technologies that will ruin and make
unusable any removed banknotes
Preventing ATM Burglary attacks -
Lock and Closing Devices
• Mechanical locks
– Allow the opening of safe door only through the
combination of different keys
– Each keys in the hands of different person
• Electronic Locks
– Higher level of functionality
– Allow multiple combinations, each assigned to a
different ATM maintenance facilitator
– Different passwords for operator, supervisor and
conveyor
– Allow opening of safe during specific time periods
(pre-programmed)
– Report remotely to monitoring system
Preventing ATM Burglary attacks –
Alarms and Sensors
• Alarms
– Detect open / closed state of the safe door
– Monitor different parameters that can be indicative
of a robbery attempt
• Sensors
– Temperature sensor to detect piercing with torch
– Tilting sensor to detect detachment of safe (for
transportation)
– Vibration sensor to detect piercing with toola
(drilling, cutting)
– Door sensor to detect if door is tampered with
outside of cash handler or servicing
Preventing ATM Burglary attacks -
INK Dye
• Consist of Detectors and Ink Dyeing
• Bank notes stained with ink when control
system detects an abnormality in monitored
parameters
• Stained notes can no longer be circulated
making robbery attempt fruitless
• Dyeing of banknotes triggered unauthorized
attempt to open the safe
 Agenda
• Introduction
• General practices
• ATM Fraud Techniques
• PIN Security
• Accessing the Cash
• ATM Burglary attacks
• Conclusion
 Conclusion

• The ATM fraud is not the sole problem of banks

alone
• A coordinated and cooperative action on the
part of the bank, customers and the law
enforcement machinery is required
• The ATM frauds not only cause financial loss to
banks but they also undermine customers'
confidence in the use of ATMs
• It is therefore in the interest of banks to prevent
ATM frauds
 References

• Diebold, Incorporated – “ATM Fraud and

Security”, 2002.
• http://www.crime-
research.org/articles/preventive-measures-
ATM-frauds/
• http://www.tdctrade.com/econforum/hkma/hkm
a031004.htm
• http://www.utexas.edu/police/alerts/atm_scam/