Best Practices for Preventing Skimming Published Version 09
7/27/2019 Best Practices for Preventing Skimming Published Version 09
Best Practices for Preventing ATM Skimming
International minimum security guidelines and best practices
Produced by the ATM Industry Association
Contributors Include:
FOR ATMIA MEMBERS USE ONLY Best Practices for Preventing ATM Skimming
Copyright 2009 ATMIA FOR USE BY ATMIA MEMBERS ONLY | All Rights Reserved | www.atmia.com
Copyright Information
Copyright 2009 ATMIA, All Rights Reserved.
Should you wish to join ATMIA's Anti Skimming portal on www.atmia.com, e-mail Mike Lee, ATMIA's CEO, at [email protected]
Disclaimer
The ATM Industry Association (ATMIA) publishes this best practice manual in furtherance of its non-profit and tax-exempt purposes to enhance protection of the ATM against skimming. ATMIA has taken reasonable measures to provide objective information and recommendations to the industry but cannot guarantee the accuracy, completeness, efficacy, timeliness or other aspects of this publication. ATMIA cannot ensure compliance with the laws or regulations of any country and does not represent that the information in this publication is consistent with any particular principles, standards, or guidance of any country or entity. There is no effort or intention to create standards for any business activities. These best practices are intended to be read as recommendations only and the responsibility rests with those wishing to implement them to ensure they do so after their own independent relevant risk assessments and in accordance with their own regulatory frameworks. Further, neither ATMIA nor its officers, directors, members, employees or agents shall be liable for any loss, damage or claim with respect to any activity or practice arising from any reading of this manual; all such liabilities, including direct, special, indirect or inconsequential damages, are expressly disclaimed. Information provided in this publication is "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or freedom from infringement. The name and marks ATM Industry Association, ATMIA and related trademarks are the property of ATMIA.
Please note this manual contains security best practices and should not be left lying around or freely copied without due care for its distribution and safekeeping.
ATM INDUSTRY ASSOCIATION GLOBAL SPONSORS 2009
UNITED STATES INTER-CONTINENTAL AND REGIONAL SPONSORS SEPTEMBER 2009
Table of Contents
TABLE OF FIGURES ........ 4
FOREWORD ........ 5
EXECUTIVE SUMMARY ........ 6
ACKNOWLEDGEMENTS ........ 10
CHAPTER 1. INTRODUCTION ........ 11
1.1. A BRIEF HISTORY OF SKIMMING ........ 12
1.2. WHAT IS SKIMMING? ........ 12
1.3. IS CHIP AND PIN THE ANSWER? ........ 13
1.4. THE NEED FOR GREATER PUBLIC COMMUNICATION ........ 14
1.5. A CALL TO ACTION ........ 15
CHAPTER 2. CLASSIFICATION SYSTEM FOR ATM SKIMMING & PIN-COMPROMISE ........ 16
2.1. ATM SKIMMING & PIN COMPROMISE CLASSIFICATION ........ 16
2.1.1. ATM Skimming Classification (ASK-) ........ 16
2.1.2. ATM PIN-Compromise Classification (APC-) ........ 21
2.2. CASE STUDIES: EXAMPLES OF ATM SKIMMING DEVICES ........ 26
2.3. CODES FOR ASK AND APC SYNTAX ........ 29
CHAPTER 3. PCI GUIDELINES ON PREVENTING SKIMMING ........ 33
3.1. WHAT/WHO IS PCI? ........ 33
3.2. THE PCI STANDARDS ........ 33
3.3. HOW DO THE PCI STANDARDS ADDRESS SKIMMING? ........ 35
CHAPTER 4. BEST PRACTICES FOR PREVENTING CAPTURE OF MAGNETIC STRIPE DATA DURING ATM TRANSACTIONS ........ 38
4.1. PROTECTION OF THE MAGNETIC STRIPE DATA ........ 38
4.2. INTEGRATION WITH IT SYSTEMS ........ 39
4.3. ROLE OF THE CONSUMER IN FRAUD PREVENTION ........ 40
4.4. SUMMARY ........ 40
CHAPTER 5. BEST PRACTICES FOR PREVENTING INTERCEPTION OF CUSTOMER PIN ........ 42
5.1. PIN SECURITY OVERVIEW ........ 42
5.2. EDUCATING THE CUSTOMER ........ 42
5.3. MANUFACTURING CHANGES FOR THE EPP AND FASCIA ........ 43
5.4. ADVANCEMENT OF BIOMETRICS TO REPLACE PIN ........ 43
5.5. SUMMARY OF BEST PRACTICES FOR PROTECTING PINS ........ 44
CHAPTER 6. FURTHER READING AND LINKS ........ 45
6.1. USEFUL READING ........ 45
6.2. STANDARDS DOCUMENTATION ........ 45
6.3. RELEVANT LINKS ........ 46
CHAPTER 7. CHECKLIST OF RECOMMENDATIONS FOR PREVENTING SKIMMING ........ 47
7.1. SUMMARY OF RECOMMENDATIONS ........ 47
7.2. CHECKLIST OF RECOMMENDATIONS ........ 48
Table of Figures
Figure 1. Card Entry Area Skimming Device suggested classification syntax summary ........ 17
Figure 2. Internal skimming method summary ........ 18
Figure 3. Remote and secondary near-proximity skimming technique summary ........ 19
Figure 4. Attachment methods and common power source summary ........ 19
Figure 5. Storage capability of ATM skimmers communication, download summary ........ 20
Figure 6. Activation and encryption summary ........ 20
Figure 7. Feature, capacity & endurance summary ........ 21
Figure 8. Common external PIN compromise method summary ........ 23
Figure 9. Common internal PIN compromise method summary ........ 23
Figure 10. Remote and secondary PIN-compromise device summary ........ 23
Figure 11. Attachment methods and common power source summary ........ 24
Figure 12. Storage, communications, and download summary ........ 24
Figure 13. Activation and encryption summary ........ 25
Figure 14. Additional PIN-compromise device feature summary ........ 25
Figure 15. PCI standards overlap in payment transaction life cycle ........ 37
Foreword
Today, skimming is one of the most widespread and organised crimes directed at the ATM, as well as at Point of Sale devices.
The Anti Skimming Forum of ATMIA believes this manual will help to reinforce the ATM's Trusted Environment as well as the reputation of the ATM as a safe and convenient self-service banking device.
It sets out international minimum security guidelines and best practices for preventing skimming at ATMs.
To combat fraud, it is imperative that all ATM deployers in all regions and countries take best practices very seriously, and implement all guidelines and best practices contained herein to the greatest extent possible.
ATMIA Anti Skimming Forum
August, 2009
Executive Summary
Please note that this Executive Summary cannot replace reading the whole manual. The summary is merely a guide as to the content and main principles of prevention of skimming at ATMs.
1. Recent indicators show sharp rises in incidents of skimming on an increasingly global scale.
2. ATMs were first confirmed to be targeted by new styles and designs of skimming device in the late 1990s. Inspection of the ATM uncovered scratches and marks on the fascia that indicated a device of some type had probably been previously attached to the machine.
3. Today, the number of different designs and a multitude of technologies used to create ATM skimming devices necessitates the development of an ATM skimming-classification system. The best defense may vary according to the type of device used for the skimming attack.
4. Card skimming is defined as the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader. Skimming is often accompanied with the covert capture of customer PIN data. Armed with this information the fraudsters will create dummy cards and raid the customer's account. Increasingly, card details captured through skimming at an ATM in one country will be used to commit fraud in another country.
5. UK Payments published figures show that counterfeit card losses in the UK fell by 68 percent in the four years to 2008 because the introduction of chip and PIN makes it harder for criminals to use fake cards in ATMs and shops in the UK. Now, UK card information is being used to create counterfeit cards that are then used in other countries.
6. Fraud committed abroad using UK card information increased from 23.8 million in 2004 to 132.8 million in 2008. In particular, fraud committed in the US using data from UK issued cards has increased by 181 percent since 2005, totaling 31.7 million in 2008. A recent UK Payments publication notes that "As more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."
7. Solutions for preventing the copying of magnetic stripe data at the ATM include devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine, and solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information when a foreign device is detected at or near the ATM card entry slot.
8. As the most used retail banking channel, for many the ATM represents the face of banking. Banks need to communicate the nature of the problem to the media and customers without creating fear and uncertainty. It is important to communicate how chosen solutions to skimming work and any implications this will have for an ATM's appearance or performance.
9. Customers can lessen the potential impact of skimming by protecting their PIN, the front door key of their bank accounts, by covering the keypad with their free hand when entering the code.
10. Card skimming is an international problem and its prevention requires a consistent global approach.
11. The new international classification system for skimming devices includes card entry skimming devices, targeting specific types of card-activation interface such as Motorized, Swipe, Dip and Contactless; internal skimming devices (such as pre-head tap skimmers and malware capable of obtaining non-encrypted card data within the ATM system); remote & secondary near-proximity skimming devices, for example, hand-held machines and tapping equipment; as well as ancillary or support technology like attachment methods, power sources, card data storage methods (such as integrated memory chips, local SD data cards and MP3 recorders), integrated cameras (for PIN-compromise) and radio receivers, and activation methods like remote control.
12. ATM PIN-compromise devices in the classification system include external PIN-compromise devices (such as spy cameras, keyboard overlays and binoculars), internal PIN-compromise devices (such as electronic tapping equipment or malicious software), remote & secondary PIN-compromise devices (such as lobby door false keyboards), as well as ancillary or support technology like attachment and activation methods, power sources, storage, communications & download capability (such as radio receivers).
13. Each of the current PCI standards, PCI PIN Transaction Security (PCI PTS), PCI Payment Application Data Security Standard (PCI PA-DSS) and PCI Data Security Standard (PCI DSS), has material relevant to preventing skimming. The PCI PTS program is the program that addresses the issue of skimming most directly. Each of the standards that are designed for devices that accept the direct input of payment card data has a requirement to secure the path from the card reader to the security processor within the device. This requirement covers both the path from the Integrated Circuit Card reader (ICCR) and the path from the magnetic stripe card reader (MSR). For details of specific requirements, see Chapter 3.
14. Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming. However, the complete removal of the magstripe is not anticipated to occur in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.
15. There are several methods to keep sensitive account information contained on the magstripe safe from fraudsters; the most effective method is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication, offering alternate methods for conducting secure transactions at the ATM.
16. Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices. Card readers can be equipped with some type of foreign object detection technology and can alert a financial institution or law enforcement in the event that a skimming device is installed on the fascia of an ATM. Jitter technology is a process that controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult for a skimming device to read card data. Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective methods for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.
17. Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted. Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.
18. A self-contained, secure environment including physical and logical access control and enhanced identity management is essential in securing an ATM. Intelligent fraud-detection systems should be used to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.
19. The consumer must be educated to be vigilant and inspect the ATM before using it. Consumers must also be educated on how to protect their PIN. Shielding the entry of the PIN with their hand and body is just one way a consumer can prevent someone from viewing it.
20. Information sharing of fraud related activity with industry stakeholders can help to identify current threats and trends and facilitate deployment of the most effective fraud mitigation tactics. There is also an opportunity to influence regulatory requirements to support fraud prevention tactics that will in turn help demonstrate the return on investment for security spend.
21. One of the weakest links in any ATM transaction is the entry of the customer PIN. The PIN in its current form is static and always four (or, in some countries, six) numbers. Despite improvements in the security of the transmitted PIN and account data via 3DES, no significant improvements or best practices have emerged to protect the physical entry of the customer PIN at the ATM.
22. Investigation is encouraged of new technologies to create EPPs that incorporate a scramble methodology for number placement at each transaction.
23. Biometrics offers a difficult-to-duplicate replacement for a static numerical PIN. As each fingerprint or retinal scan is unique, it is clearly more robust than a four digit PIN. As it may be a costly enterprise, deployment of biometrics as a means to move away from the customer PIN may be several years away.
24. A multi-layered approach to preventing skimming is the best methodology, integrating customer education and vigilance about PINs, technological investigation, industry information-sharing, manufactured security solutions and compliance with security standards for protecting card data and PINs. Chip and PIN technology has a proven record in reducing skimming and is highly recommended worldwide by the ATM Industry Association.
Acknowledgements
The ATMIA is indebted to the contribution of the following industry experts in assembling these Anti Skimming Best Practices, in addition to all members of its Anti Skimming Forum:
Douglas Russell, Director, DFR Risk Management Ltd
Terrie Ipson, Marketing Manager, Diebold
Andrew Jamieson, Technical Manager, Witham Laboratories
Wynne Evans, Consultant, Wynne Evans Communications
Steve Weeks, Commercial Manager, ATM Parts Co
Jeffery Miller, Service Manager, Edge One Incorporated
George Athanasakis, Director, Australian Technology Management Pty Ltd
Mike Urban, Sr Director, Fraud Solutions, FICO
Cyndi Spencer, formatting editor
Chapter 1. Introduction
Skimming: A Current and Increasing Global Threat
Recent indicators show sharp rises in incidents of skimming on an increasingly global scale.
In April, 2009, EAST (European ATM Security Team) reported a 129 percent increase in card skimming incidents in 2008 over the previous year. A total of 10,302 cases were reported. Yet Europe is not alone.
Skimming is occurring throughout the world, from Russia to the USA, from Australia to the Middle East, from South Africa to South America.
For example, a glance through the financial media for just one month, July 2009, reveals the growing nature of the international threat of card skimming at the ATM. In Las Vegas it was reported that there were 75 skimming attacks over a three month period compared to previous rates of 2-3 incidents a year. In Sydney, Australia, the New South Wales Fraud Squad reported 60 skimming attacks in the first four months of 2009, with a spokesman stating that the devices used are becoming smaller, more sophisticated and capable of storing more data. In April it was reported that nine Romanian nationals had been arrested in relation to skimming attacks on Australian ATMs.
In California it was also reported that skimmers and card duplicators could be bought from overseas sellers via the internet for a few thousand dollars. It would appear that there is a global epidemic.
Yet card skimming is not new. Early forms of skimming device and indeed dummy ATMs installed in empty shop fronts were used to capture card information in the nineties. What has changed is the scale and geographical spread of such attacks.
What do we mean by card skimming at the ATM?
1.1. A Brief History of Skimming
Skimming started to gain momentum as a method of undermining plastic card-based systems in the mid to late 1980s.
At that time, the most common modus operandi was for criminals to operate in retail premises: typically, the food and beverage industry and at fuel (gas) stations. The devices used to copy the magnetic stripe, while large by today's standards, were often just small enough to be concealed in the perpetrator's clothing or hidden out of sight below the cash desk.
ATMs were first confirmed to be targeted by new styles and designs of skimming device in the late 1990s. Prior to the first ATM skimming device being recovered, there had been various incidents globally, including one in which the logical and physical evidence pointed towards skimming as the most likely method of card-compromise.
Analysis of the historical usage of cards (that were subsequently identified as being compromised) eventually narrowed down the likely CPC (common point of compromise) or CPP (common point of purchase) to a particular ATM. Inspection of the ATM uncovered scratches and marks on the fascia that indicated a device of some type had probably been previously attached to the machine.
Today, the volume of skimming incidents is considerable, as discussed in the previous section. There is also a considerable number of different designs and a multitude of technologies used to create skimming devices.
So significant is the number, that it has become increasingly important to create an ATM skimming-classification system.
The purpose of the classification system is to ease communication within the industry and with law-enforcement, and to globally standardize recording of skimming crimes, as follows:
- Enables measurement of trends
- Provides country comparisons
- Highlights patterns and the migration of particular devices
- Aids the industry in deciding which anti-skimming initiatives and solutions are best-suited as a defense against particular types of ATM skimming device
1.2. What is Skimming?
Card skimming is defined as the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader. Skimming is often accompanied with the covert capture of customer PIN data. Armed with this information, the fraudsters create dummy cards and raid the customer's account.
This raises a number of issues:
- What are the implications of the introduction of chip and PIN technology in some countries?
- What percentage of card skimming takes place at ATMs rather than at POS devices?
- What are the best ways to prevent this happening and what are the implications for consumer behavior / confidence in the ATM network and indeed the banks?
When we talk of ATM Fraud it is important to distinguish between the point of compromise (where the data is captured) and the location at which the actual fraud takes place. In the UK, for example, published figures for ATM fraud (where cash has been fraudulently withdrawn from an ATM) will normally involve stolen cards (and PIN details), ID theft where a legitimate card is used on a fraudulent account or in some instances cases where a card has been captured at the ATM by a criminal using a Lebanese loop style device.
In the case of card skimming, though card details may be captured at an ATM in the UK, the dummy (counterfeit) card created using this information could well be used in another country. Indeed, recent developments mean this is more likely. From a consumer perspective another feature of this counterfeit fraud is that they will frequently be unaware of the fraud until they receive a statement or a transaction is refused at a store or ATM due to insufficient funds.
1.3. Is Chip and PIN the answer?
UK Payments (formerly APACS) published figures show that counterfeit card losses in the UK fell by 68 percent in the four years to 2008 because the introduction of chip and PIN makes it harder for criminals to use fake cards in ATMs and shops in the UK. However, such cards can be used at stores that haven't been upgraded to chip and PIN or at an overseas cash machine that hasn't been upgraded.
What the UK has witnessed has been a classic migration of card fraud, whereby UK card information is being used to create counterfeit cards that are then used in other countries.
Fraud committed abroad using UK card information increased from 23.8 million in 2004 to 132.8 million in 2008. It is interesting to note the countries where this fraud is occurring. Despite the geographic proximity of France, there has been a very significant reduction in such compromises since they have rolled out the global chip and PIN system. In contrast, fraud on UK issued cards (and card details) in the United States has increased by 181 percent since 2005, totaling 31.7 million in 2008.
A recent UK Payments publication notes that "As more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."
ATM manufacturers have introduced a number of solutions aimed at preventing or nullifying attempts to copy magnetic stripe information at the ATM. These have included devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine, solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information by making it impossible to get a reading, and detectors that send alerts, either direct to the branch or to an ATM monitoring system, when a foreign device is detected at or near the ATM card entry slot.
A leading South African retail bank recently announced that it was using pepper spray technology: if cameras observe that someone is tampering with the ATM, another machine will eject pepper spray in order to disable the criminals until an armed response team arrives. The technology is currently being deployed at 11 high-risk sites.
1.4. The Need for Greater Public Communication
As the most used retail banking channel, for many the ATM represents the face of banking. Any attacks on a bank's ATM have the potential to undermine confidence in its network and brand. Indeed, so high profile is the ATM that adverse media comment regarding such attacks may also impact upon institutions not directly involved. This recognition that you are only as strong as the weakest link has forced banks in a number of countries to recognize that this is not a competitive issue and that the implications of card skimming go beyond immediate financial losses.
The presence of and potential for card skimming activities presents the banks with a number of communication challenges. The first is the need to communicate the nature of the problem to the media and customers without creating fear and uncertainty. You want to let people know there is a problem, you want them to look out for fraudulent devices, but at the same time you don't want to scare them off using the ATM.
You also want them to understand that the situation is being addressed by the use of best in practice technology, and this too is something that requires clear communication.
It is important to communicate how the solution operates and any implications this will have for an ATM's appearance or performance.
If a fraud prevention device is introduced it will need to be easily identifiable as such in order to increase confidence that the network is protected. There will be a need to educate customers and the media as to its appearance, otherwise there is a danger that people will believe that the fraud prevention device is itself something that has been attached by fraudsters. People will need to know how the prevention device will affect the appearance and operation of the ATM, as indeed will the police.
Similarly, people will want to know whether a fraud prevention device will have implications for the speed of operation. ATM manufacturers have worked closely with deployers to ensure that ATM performance is not impaired by the introduction of jitter solutions, and on customer education, in particular the use of on-screen layouts that show customers what a legitimate anti-skimming protrusion looks like so that they can verify it before inserting their card.
It is important to encourage positive action. One thing people can do to lessen the potential impact of skimming is to do everything in their power to protect the PIN, including covering the keypad with their free hand when entering the code.
Card skimming at the ATM has become an international problem, with professional criminals operating globally. Wherever you are based, the threat is there and your customers' accounts are at risk.
The introduction of chip and PIN does not necessarily change the point of compromise: because there is no globally adopted solution, all cards continue to carry magnetic stripe data for use in countries that are not chip-compliant. What changes is the location of the fraudulent spend. Card account details captured in the UK can be used to withdraw funds in countries with weaker controls.
1.5. A Call to Action

The purpose of this guide is to address best practice in the area of ATM card skimming prevention. It will identify skimming types, consider guidelines on preventing skimming and the capture of magnetic stripe data during ATM transactions, and address issues such as cardholder identification and standards.
For a criminal, possession of the card details is only part of the objective; they also want the means of identifying the cardholder, the PIN. It is therefore important that we consider how customers might best protect this information, but also consider alternative means of customer identification that are not so easily stolen or replicated. Biometric solutions are already applied in a small number of countries and can bring a new dimension to card security.
A 2009 Harris Interactive research study reported that 67 percent of US ATM users would be likely to switch bank after an instance of ATM fraud or data breach. But the problem is that your clients' details can be compromised anywhere in the world where they are able to use the card. Card skimming is an international problem and its prevention requires a consistent global approach.
Chapter 2. Classification System for ATM Skimming & PIN-Compromise
The syntax used to classify the ATM skimming and PIN-compromise devices and techniques covered in this chapter utilizes a string of alphanumeric designators.
2.1. ATM Skimming & PIN Compromise Classification

The highest level designator for ATM skimming is ASK and for PIN-compromise, APC. The second level includes characteristics such as the general type of device, the method used to attach it and its technical specification. For example, an ATM skimming device overlaying a swipe reader and attached with double-sided adhesive tape is designated with the following syntax:

ASK-S1-AM1

In cases where further details are known about the device, such as its power source, data storage method, communications capability, and activation and encryption methods, the designation string is expanded. For example, if it is known that skimming device ASK-S1-AM1 has integrated rechargeable batteries, stores data on an SD card, supports Bluetooth, is activated by a switch and encrypts the captured data using the Advanced Encryption Standard, the syntax string would be:

ASK-S1-AM1-PS2-ST3-CD4-AC1-EC2
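Designator strings of this form, including the ones used in the case studies in section 2.2, can be parsed and checked mechanically, which is useful when devices reported by different deployers are compared or de-duplicated. The following Python example is added here and is not part of the ATMIA guide. Its CODES table is a subset of the codes listed in the guide's figures, and the structural rules it enforces (a family prefix of ASK or APC, at least one device-type group, each group at most once, FX only with ASK and FP only with APC) are this example's own reading of the syntax rather than rules the guide states explicitly.

```python
"""Parser and validator for the ATMIA ASK / APC designator syntax.

Added example (not part of the ATMIA guide).  CODES is a subset of the
guide's code table; the structural rules enforced in parse_designator()
are this example's own assumptions about the syntax.
"""
import re
from dataclasses import dataclass, field

# Device-type letter groups each family may carry (from the guide's section lists).
DEVICE_GROUPS = {
    "ASK": ("M", "S", "D", "C", "IT", "IS", "RS", "RD", "RH", "RE"),
    "APC": ("SC", "TC", "KB", "SV", "IP", "IS", "RC", "RK"),
}
# Attribute groups, in the order the guide's own examples use them.
ATTR_ORDER = ("AM", "PS", "ST", "CD", "AC", "EC", "FX", "FP")
FAMILY_ONLY = {"FX": "ASK", "FP": "APC"}  # assumption: feature groups are family-specific

# Subset of the guide's code table.  Code 0 means "Other" in every group.
CODES = {
    "M": {1: "Directly to card-entry slot", 2: "Molded around entry area",
          3: "False front covering larger area", 4: "Modified anti-fraud device inhibitor",
          5: "Overlay of anti-fraud inhibitor", 6: "Attachment to anti-fraud inhibitor"},
    "S": {1: "Overlay covering swipe reader", 2: "Mounted below or left of swipe reader",
          3: "Mounted above or right of swipe reader", 4: "False front covering larger area"},
    "D": {1: "Directly to card-entry slot", 2: "Molded overlay covering DIP reader",
          3: "False front covering larger area"},
    "C": {1: "Overlay covering contactless reader"},
    "SC": {1: "In light diffuser / light panel", 2: "In leaflet box", 3: "In false panel above PIN pad",
           4: "In false panel right of PIN pad", 5: "In false panel left of PIN pad",
           6: "In safety mirror", 7: "In sun / rain canopy", 8: "Integrated with skimmer"},
    "TC": {1: "Spy camera", 2: "Cell phone camera", 3: "Video camera"},
    "KB": {1: "Exact-size keyboard overlay", 2: "Shelf / full-panel keyboard overlay",
           3: "False-front covering larger area"},
    "AM": {1: "Adhesive tape", 2: "Glue", 3: "Screw / bolt", 4: "Friction fit", 5: "Weld / fuse"},
    "PS": {1: "Integrated non-rechargeable batteries", 2: "Integrated rechargeable batteries",
           3: "Separate battery pack", 4: "From ATM power", 5: "From other constant power source"},
    "ST": {1: "None", 2: "Local integrated chip", 3: "Local data / SD card",
           4: "MP3 / MP4 recorder", 5: "Cell phone storage"},
    "CD": {1: "None", 2: "Socket / USB", 3: "Analogue RF", 4: "Bluetooth", 5: "Wi-Fi (802.11)",
           6: "SMS / MMS / Text", 7: "GSM / Data", 8: "Digital RF (non-specific)"},
    "AC": {1: "Always on (switched)", 2: "Proximity detector", 3: "Remote control",
           4: "Card / transaction activated"},
    "EC": {1: "None", 2: "AES", 3: "DES", 4: "3DES"},
    "FX": {1: "Integrated camera", 2: "Receiver for PIN-compromise device",
           3: "Screened for anti-skimming interference", 4: "Motorized card transport"},
    "FP": {1: "Integrated skimmer", 2: "Receiver for skimming device"},
}

SEGMENT = re.compile(r"^([A-Z]{1,2})(\d)$")  # letter group followed by one digit


@dataclass
class Designator:
    family: str
    device: dict = field(default_factory=dict)  # device-type group -> code number
    attrs: dict = field(default_factory=dict)   # attribute group -> code number

    def canonical(self) -> str:
        """Re-emit the string with attribute groups in ATTR_ORDER (device groups keep input order)."""
        parts = [self.family] + [f"{g}{n}" for g, n in self.device.items()]
        parts += [f"{g}{self.attrs[g]}" for g in ATTR_ORDER if g in self.attrs]
        return "-".join(parts)

    def describe(self) -> list:
        """(code, meaning) pairs; a code outside the subset table is flagged, not invented."""
        pairs = []
        for g, n in list(self.device.items()) + list(self.attrs.items()):
            meaning = "Other" if n == 0 else CODES.get(g, {}).get(n, "(code not in this example's table)")
            pairs.append((f"{g}{n}", meaning))
        return pairs


def parse_designator(text: str) -> Designator:
    """Parse e.g. 'ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0'; raise ValueError on malformed or inconsistent input."""
    family, *segments = text.strip().upper().split("-")
    if family not in DEVICE_GROUPS:
        raise ValueError(f"unknown family {family!r}; expected ASK or APC")
    d = Designator(family)
    for seg in segments:
        m = SEGMENT.match(seg)
        if not m:
            raise ValueError(f"malformed segment {seg!r}")
        group, num = m.group(1), int(m.group(2))
        if group in DEVICE_GROUPS[family]:
            target = d.device
        elif group in ATTR_ORDER:
            if FAMILY_ONLY.get(group, family) != family:
                raise ValueError(f"{group} is only valid in {FAMILY_ONLY[group]} designators")
            target = d.attrs
        else:
            raise ValueError(f"group {group!r} is not valid in an {family} designator")
        if group in target:
            raise ValueError(f"group {group} appears more than once")
        if num != 0 and group in CODES and num not in CODES[group]:
            raise ValueError(f"{seg} is not a code listed for group {group}")
        target[group] = num
    if not d.device:
        raise ValueError("designator carries no device-type group")
    return d


def is_valid(text: str) -> bool:
    """True if the designator parses cleanly under the rules above."""
    try:
        parse_designator(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for s in ("ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0", "APC-SC3-TC1-AM1-PS3-ST1-CD3-AC1"):
        d = parse_designator(s)
        print(d.canonical())
        for code, meaning in d.describe():
            print(f"  {code:<4} {meaning}")
```

The guide's own Example 6 string, ASK-D2-AM1-ST2-PS3-CD2, lists its attributes out of the usual order; parsing it and calling canonical() yields ASK-D2-AM1-PS3-ST2-CD2, so two reports of the same device compare equal regardless of how they were typed. A code number that is not listed for a tabulated group, or a feature group from the wrong family, is rejected rather than silently stored, which is the behaviour you want before such strings are loaded into an incident database.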
2.1.1. ATM Skimming Classification (ASK-)

The structure of this section is as follows:
Card Entry Area Skimming Devices (M, S, D, C)
Internal Skimming Devices (IT, IS)
Remote & Secondary Near-Proximity Skimming Devices (RS, RD, RH, RE)
Attachment Methods (AM)
Power Sources (PS)
Storage, Communication & Download Capability (ST, CD)
Activation Methods (AC)
Encryption Methods (EC)
Additional Features (FX)
Capacity & Endurance (actual values used)
Card Entry Area Skimming Devices
ATM skimming devices are specifically designed to target particular types of card-activation interface. The four most common card reader types are motorized, swipe, dip and contactless. Motorized card readers are probably the most common type of reader used globally, although in the Americas and elsewhere swipe and dip readers are common.
Skimming devices suitable for targeting motorized readers have various characteristics. They are often designed to be attached directly to the card-entry slot, molded around the entry area or integrated within a false front covering a large area of the fascia.
Additional designs include a modified anti-fraud device inhibitor, an overlay or sheath for an anti-fraud inhibitor and a miniature attachment to an anti-fraud inhibitor.
Swipe reader skimming devices commonly cover the entire genuine swipe reader, or are mounted above or below (or to the right or left, if horizontally mounted) the swipe reader. They are also known to be integrated within a large false fascia front.
Dip readers are targeted by skimming devices that are directly attached to the entry slot, molded into an overlay covering the whole dip reader, or integrated within a false front.
Contactless readers, when targeted with skimming devices, are typically covered by an overlay over the contact area.
Figure 1 below summarizes the types of Card Entry Area Skimming Devices and suggests appropriate classification syntax:

Motorized Readers
  M1  Directly to card-entry slot
  M2  Molded around entry area
  M3  False front covering larger area
  M4  Modified anti-fraud device inhibitor
  M5  Overlay of anti-fraud inhibitor
  M6  Attachment to anti-fraud inhibitor
  M0  Other

DIP Readers
  D1  Directly to card-entry slot
  D2  Molded overlay covering DIP reader
  D3  False front covering larger area
  D0  Other

Swipe Readers
  S1  Overlay covering swipe reader
  S2  Mounted below or left of swipe reader
  S3  Mounted above or right of swipe reader
  S4  False front covering larger area
  S0  Other

Contactless Readers
  C1  Overlay covering contactless reader
  C0  Other

Source: DFR Risk Management Ltd.
Figure 1. Card Entry Area Skimming Device suggested classification syntax summary
Internal Skimming Devices
A more sophisticated method of ATM skimming involves internal compromise of the ATM card reader module or of the internal ATM system. Most motorized card readers have a magnetic flux detector known as the pre-head, which is located outside the card reader shutter and is intended to open the shutter only when a magnetic card is presented to the card reader entry slot. The pre-head is, in most cases, an actual magnetic stripe read head.
Pre-head tap skimmers connect to the pre-head contact terminals and use it to obtain the magnetic stripe data during card entry and card eject.
With access to the actual card reader module, criminals are able to attach a read head tap skimmer directly to the terminals of the genuine magnetic stripe read head. Printed circuit board (PCB) parasites and internal data line taps added to the card reader's electronics skim the magnetic stripe data.
Additional internal skimming attacks include compromise of the internal communication system which carries card data from the card reader module to the ATM's processor. Malicious software (malware / Trojan) running on the ATM system is capable of obtaining card data wherever it is handled unencrypted.
Figure 2 below summarizes internal skimming methods.
Internal Compromise of Card Reader
  IT1  Pre-head tap
  IT2  Read head tap
  IT3  Card reader PCB parasite
  IT4  Card reader data line tap
  IT0  Other

Internal Compromise of ATM System
  IS1  Internal communications tap
  IS2  Software / Malware / Trojan
  IS0  Other

Source: DFR Risk Management Ltd.
Figure 2. Internal skimming method summary
Remote & Secondary Near-Proximity Skimming Devices
This category covers ATM skimming devices in close proximity to the targeted ATM.
Secondary swipe and dip readers are used to skim card data before the consumer uses their card to commence a transaction. Typical methods include swipe or dip readers attached to the access door to the ATM location (door-access skimmers), apparent card-cleaning devices, as well as devices purported to validate or activate cards prior to being used at an ATM. Variants include devices attached to the ATM surround and stand-alone terminals close beside the ATM.
Hand-held skimming devices are used by criminals to copy consumers' cards while the criminal has temporary access to the card. Modus operandi include distraction methods and pick-pocketing.
Tapping external modems, telephone-line connectors and local communication hubs are additional methods used to obtain card data in close proximity to an ATM.
Figure 3 summarizes remote and secondary near-proximity skimming techniques.
Secondary Swipe Devices
  RS1  Door-access skimmer
  RS2  Card-cleaning device
  RS3  Card activation / validation device
  RS4  Stand-alone terminal
  RS0  Other

Hand-held Skimming Device
  RH1  Pocket-sized skimmer
  RH0  Other

Secondary DIP Devices
  RD1  Door-access skimmer
  RD2  Card-cleaning device
  RD3  Card activation / validation device
  RD4  Stand-alone terminal
  RD0  Other

External Modem / Communications Hub
  RE1  Modem tap
  RE2  Telephone-exchange tap
  RE3  Communication-hub tap
  RE4  Wi-Fi intercept
  RE0  Other

Source: DFR Risk Management Ltd.
Figure 3. Remote and secondary near-proximity skimming technique summary
Attachment Methods and Power Sources
Double-sided adhesive tape is a common method of attaching many external ATM skimming devices, as is glue or liquid adhesive. Physically attaching skimming devices is also achieved by screwing, bolting and welding (fusing) devices to the ATM fascia. Molded overlay skimmers often rely on friction to remain attached to the ATM card reader.
ATM skimming devices are powered by various means, including integrated rechargeable and non-rechargeable batteries, separate battery packs, power taps from the ATM itself, as well as other continuous power sources.
Figure 4 summarizes attachment methods and common power sources.
Attachment Method
  AM1  Adhesive tape
  AM2  Glue
  AM3  Screw / bolt
  AM4  Friction fit
  AM5  Weld / fuse

Power Source
  PS1  Integrated non-rechargeable batteries
  PS2  Integrated rechargeable batteries
  PS3  Separate battery pack
  PS4  From ATM power
  PS5  From other constant power source

Source: DFR Risk Management Ltd.
Figure 4. Attachment methods and common power source summary
Storage, Communication and Download Capabilities
ATM skimming devices utilize a number of card data storage methods, from integrated memory chips to local SD data cards and MP3 recorders. Some, however, have no local storage capability.
Data is downloaded from skimming devices using integrated sockets (such as USB), analogue radio transmitters and digital communications protocols such as Bluetooth, Wi-Fi and SMS, among others.
Figure 5 summarizes the storage capability of ATM skimmers and the various communication and download technologies.
Storage
  ST1  None
  ST2  Local integrated chip
  ST3  Local data / SD card
  ST4  MP3 / MP4 (or equivalent) recorder
  ST5  Cell phone storage
  ST0  Other

Communication & Download
  CD1  None
  CD2  Socket / USB
  CD3  Analogue RF
  CD4  Bluetooth
  CD5  Wi-Fi (802.11)
  CD6  SMS / MMS / Text
  CD7  GSM / Data
  CD8  Digital RF (non-specific)
  CD0  Other

Source: DFR Risk Management Ltd.
Figure 5. Storage capability of ATM skimmers and communication / download summary
Activation and Encryption
How long an ATM skimming device can remain unserviced depends on various parameters, including whether it is powered continuously or only activated when required. Activation methods include proximity detection, remote control and card-initiated activation.
The ability to interrogate a skimmer, once recovered, might be inhibited by the use of encryption. One of the most popular designs of skimming device supports Advanced Encryption Standard (AES) protection, which makes it very difficult to establish which card data the skimmer actually compromised.
Figure 6 summarizes activation and encryption.
Activation
  AC1  Always on (switched)
  AC2  Proximity detector
  AC3  Remote control
  AC4  Card activated
  AC0  Other

Encryption
  EC1  None
  EC2  AES
  EC0  Other

Source: DFR Risk Management Ltd.
Figure 6. Activation and encryption summary
Additional Features, Capacity and Endurance
Some ATM skimmers have additional features such as integrated cameras (for PIN compromise), a radio receiver to receive PIN data from a PIN-compromise device and motorized transports to provide a smooth consumer interface. Electromagnetic screening is used in an attempt to defeat anti-skimming devices that disrupt the skimmer's ability to record card data.
The maximum endurance from the power source, and the maximum number of cards whose data can be captured, are important characteristics of ATM skimming devices.
Figure 7 provides a reminder of some additional features of ATM skimming devices and the important statistics of endurance and capacity.
Features
  FX1  Integrated camera
  FX2  Receiver for PIN-compromise device
  FX3  Screened for anti-skimming interference
  FX4  Motorized card transport
  FX0  Other

Capacity & Endurance (actual values used)
  Maximum endurance from power supply
  Maximum number of cards' data stored
  Other

Source: DFR Risk Management Ltd.
Figure 7. Feature, capacity & endurance summary
2.1.2. ATM PIN-Compromise Classification (APC-)
The structure of this section is as follows:
External PIN-Compromise Devices (SC, TC, KB, SV)
Internal PIN-Compromise Devices (IP, IS)
Remote & Secondary PIN-Compromise Devices (RC, RK)
Attachment Methods (AM)
Power Sources (PS)
Storage, Communications & Download Capability (ST, CD)
Activation (AC)
Encryption (EC)
Additional Features (FP)
Capacity and Endurance (actual values used)
External PIN-Compromise Devices
There are three primary methods of obtaining the PIN at, but external to, an ATM.
The first method involves the use of different types of cameras. Spy cameras have the specific and limited purpose of covert filming. Cell phone cameras are often adapted and disguised for covert filming, as are compact digital and analogue video cameras.
The positioning of the camera is restricted in that line of sight with the ATM keyboard is required to ensure accurate observation of the PIN being entered. Some locations are more favored than others, as interference from objects, including the victim's person, has an impact on the percentage of PINs successfully compromised.
One of the most favored locations for many models of ATM is the light panel or light diffuser, which is often directly above the ATM keyboard. False panels are also used to disguise cameras and may be positioned above, left or right of the ATM keyboard.
In environments where it is common to have advertising leaflet boxes in close proximity to the ATM, they are modified to conceal one or more cameras. Other additions to the ATM which are utilized to disguise cameras include safety or rear-view mirrors.
Where ATMs are installed with a canopy to provide shelter from sunlight and rain, cameras are often hidden in the canopy.
Some ATM skimming devices are packaged with an integrated camera.
The second method of PIN compromise is fake keyboards and keyboard overlays. Often these devices still allow the genuine keyboard to be activated when the PIN is entered on the PIN-compromise device, so the transaction completes normally and the victim notices nothing. Sizes of device vary from an almost exact size match with the genuine keyboard, through a full fake-keyboard shelf, to a false front covering a large area of the ATM fascia.
The third method involves a less technical approach and can be characterized as personal or human surveillance. Covert shoulder surfing, which involves the perpetrator looking over the shoulder of the victim as they enter their PIN, is one of the most popular personal surveillance techniques. Shoulder surfing may also be more overt and includes the perpetrator pretending to be helpful to the victim (the "helpful stranger" approach).
Long-range lenses, including telescopes and binoculars, are also used to observe PIN entry, as are strategically positioned mirrors and the exploitation of particular angles which allow the reflection of the keyboard to be observed. Even differently colored dust on the keys is used to compromise PINs.
Figure 8 summarizes common external PIN-compromise methods.
Camera Location & Packaging
  SC1  In light diffuser / light panel
  SC2  In leaflet box
  SC3  In false panel above PIN pad
  SC4  In false panel right of PIN pad
  SC5  In false panel left of PIN pad
  SC6  In safety mirror
  SC7  In sun / rain canopy
  SC8  Integrated with skimmer
  SC0  Other

Keyboard
  KB1  Exact-size keyboard overlay
  KB2  Shelf / full-panel keyboard overlay
  KB3  False-front covering larger area
  KB0  Other

Camera Type
  TC1  Spy camera
  TC2  Cell phone camera
  TC3  Video camera
  TC0  Other

Surveillance
  SV1  Shoulder surfing - covert
  SV2  Shoulder surfing - assist victim
  SV3  Long-range lens / telescope
  SV4  Mirror
  SV5  Colored dust
  SV6  Advertising panel reflection
  SV0  Other

Source: DFR Risk Management Ltd.
Figure 8. Common external PIN compromise method summary
Internal PIN-Compromise Devices
Technically expert PIN-compromise perpetrators with access to the internals of the targeted ATM can add an electronic tap or parasite device to the interior of the ATM keyboard, tap (and, if required, reposition) the integrated ATM security camera, compromise the internal communications of the ATM and introduce or modify software (malware / Trojans).
Figure 9 summarizes methods of internal PIN-compromise.
Internal Compromise of Modules
  IP1  ATM integrated security camera tap
  IP2  Internal keyboard tap
  IP0  Other

Internal Compromise of ATM System
  IS1  Internal communications tap
  IS2  Software / Malware / Trojan
  IS0  Other

Source: DFR Risk Management Ltd.
Figure 9. Common internal PIN compromise method summary
Remote & Secondary PIN-Compromise Devices
Remotely positioned spy cameras are occasionally used to observe PIN entry, as are genuine CCTV security cameras, which either have their video feed intercepted or are exploited by someone with access to the monitoring station.
Keyboards positioned at the entry door to the ATM location and the installation of fake PIN activation or validation terminals are further methods of obtaining the PIN.
Figure 10 summarizes remote and secondary PIN-compromise devices.
Remote Cameras
  RC1  ATM location CCTV
  RC2  ATM location spy camera
  RC0  Other

Remote Keyboards
  RK1  Door-entry keyboard
  RK2  PIN-activation / validation keyboard
  RK3  Stand-alone terminal
  RK0  Other

Source: DFR Risk Management Ltd.
Figure 10. Remote and secondary PIN-compromise device summary
Attachment Methods and Power Sources
In a similar way to ATM skimming devices, the attachment methods for PIN-compromise devices include double-sided adhesive tape, glue or liquid adhesive, screwing, bolting, welding (fusing) and friction.
ATM PIN-compromise devices are powered by various means, including integrated rechargeable and non-rechargeable batteries, separate battery packs, power taps from the ATM itself, as well as other continuous power sources.
Figure 11 summarizes attachment methods and common power sources.
Attachment Method
  AM1  Adhesive tape
  AM2  Glue
  AM3  Screw / bolt
  AM4  Friction fit
  AM5  Weld / fuse
  AM0  Other

Power Source
  PS1  Integrated non-rechargeable batteries
  PS2  Integrated rechargeable batteries
  PS3  Separate battery pack
  PS4  From ATM power
  PS5  From other constant power source
  PS0  Other

Source: DFR Risk Management Ltd.
Figure 11. Attachment methods and common power source summary
Storage, Communication and Download Capabilities
ATM PIN-compromise devices utilize a number of data storage methods, from integrated memory chips to local SD data cards and MP3 and MP4 recorders. Some, however, have no local storage capability.
Data is downloaded from PIN-compromise devices using integrated sockets (such as USB), analogue radio transmitters and digital communications protocols such as Bluetooth, Wi-Fi and SMS, among others.
Figure 12 summarizes the storage capability of PIN-compromise devices and the various communication and download capabilities.
Storage
  ST1  None
  ST2  Local integrated chip
  ST3  Local data / SD card
  ST4  MP3 / MP4 (or equivalent) recorder
  ST5  Cell phone camera storage
  ST0  Other

Communications & Download
  CD1  None
  CD2  Socket / USB
  CD3  Analogue RF
  CD4  Bluetooth
  CD5  Wi-Fi (802.11)
  CD6  SMS / MMS / Text
  CD7  GSM / Data
  CD8  Digital RF (non-specific)
  CD0  Other

Source: DFR Risk Management Ltd.
Figure 12. Storage, communications, and download summary
Activation and Encryption
As with ATM skimming devices, how long PIN-compromise devices can remain unserviced depends on various parameters, including whether they are powered continuously or only activated when required. Activation methods include proximity detection, remote control and transaction-initiated activation.
The ability to interrogate a PIN-compromise device, once recovered, might be inhibited by the use of encryption. Standards supported include the Advanced Encryption Standard (AES), which makes analysis of the captured PIN data very difficult.
Figure 13 summarizes activation and encryption.
Activation
  AC1  Always on (switched)
  AC2  Proximity detector
  AC3  Remote control
  AC4  Card / transaction activated
  AC0  Other

Encryption
  EC1  None
  EC2  AES
  EC3  DES
  EC4  3DES
  EC0  Other

Source: DFR Risk Management Ltd.
Figure 13. Activation and encryption summary
Additional Features, Capacity, and Endurance
Some PIN-compromise devices have additional features such as integrated skimmers and a radio receiver to receive card data from a skimming device.
The maximum endurance from the power source, and the maximum number of PINs that can be captured, are important characteristics of ATM PIN-compromise devices.
Figure 14 provides a reminder of some additional features of PIN-compromise devices and the important statistics of endurance and capacity.
Features
  FP1  Integrated skimmer
  FP2  Receiver for skimming device
  FP0  Other

Capacity & Endurance (actual values used)
  Maximum endurance from power supply
  Maximum number of PINs stored
  Other

Source: DFR Risk Management Ltd.
Figure 14. Additional PIN-compromise device feature summary
2.2. Case Studies: Examples of ATM Skimming Devices
Example 1: Sofia Skimmer
The Sofia skimmer is a sophisticated and miniaturized device which originates from Bulgaria, and is the most common type of ATM skimming device favored by Eastern European organized crime. Some models of Sofia skimmer store the card data locally in an encrypted format, which makes analysis all but impossible for most forensic labs. Other models utilize a miniature analogue RF transmitter modeled on a "bug" or listening device.
ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0

The above example of Sofia skimmer has the following identified characteristics:

- Targeted at motorized card readers and fitted directly to the card entry slot (ASK-M1)
- Attached with adhesive tape (AM1)
- Powered by integrated non-rechargeable batteries (PS1)
- Integrated chip used for local storage (ST2)
- Miniature sockets used to connect for download of data (CD2)
- Activated (switched on) using a switch (AC1)
- Non-standard encryption used to protect from interrogation (EC0)
Example 2: Skimmer Covering Receipt Slot
To facilitate the ability to disguise larger devices and separate power supplies, it is common for the skimmer not only to cover the card entry slot but also larger areas of the fascia. In this example, the skimmer covers the receipt slot.
ASK-M3-AM1-PS3-ST1-CD3-AC1-EC1

The above example has the following known characteristics:

- Targeted at motorized card readers, packaged into a false front covering a larger area (ASK-M3)
- Attached with adhesive tape (AM1)
- Powered by separate battery pack (PS3)
- No identified local storage (ST1)
- Transmits card data using analogue RF transmitter (CD3)
- Activated by a switch (AC1)
- No encryption (EC1)
Example 3: False keyboard and shelf
This example of a false keyboard integrated into a false shelf allows space to conceal power and cell phone electronics.
APC-KB2-AM1-PS3-CD7

The above example has the following known characteristics:

- False keyboard integrated into full shelf (APC-KB2)
- Attached with adhesive tape (AM1)
- Separate battery pack (PS3)
- GSM cell phone used to transmit PIN data (CD7)
Example 4: RF Pin-hole Spy Camera Above Keyboard
This is an example of an analogue RF spy camera attached above an ATM keyboard:
APC-SC3-TC1-AM1-PS3-ST1-CD3-AC1

The above example has the following known characteristics:

- Camera in panel above keyboard (APC-SC3)
- Spy camera (TC1)
- Attached with adhesive tape (AM1)
- Separate battery pack (PS3)
- No local storage (ST1)
- Sends image of PIN entry via analogue RF transmitter (CD3)
- Activated by switch (AC1)
Example 5: Skimmer Molded Around Card-entry Slot
This is an example of a skimmer that is molded to fit around the entry slot:
ASK-M2

Details available about the above example are limited, hence the short designator string.
Example 6: Dip Skimmer Molded to Cover Genuine DIP Reader
ASK-D2-AM1-ST2-PS3-CD2

The above example has the following known characteristics:

- Targeted at dip readers and designed to cover the genuine reader (ASK-D2)
- Attached with adhesive tape (AM1)
- Local storage of data on the board (ST2)
- Separate battery pack within skimmer case (PS3)
- Sockets for download of data (CD2)
2.3.Codes for ASK and APC SyntaxThe following table lists the ASK and APC syntax codes.
Code Type MethodAC1 Activation Always on (switched)
AC2 Activation Proximity detector
AC3 Activation Remote control
AC4 Activation Card / transaction activated
AC0 Activation Other
AM1 Attachment Method Adhesive tape
AM2 Attachment Method Glue
AM3 Attachment Method Screw / Bolt
AM4 Attachment Method Friction fit
AM5 Attachment Method Weld / Fuse
AM0 Attachment Method Other
C1 Contactless Readers Overlay covering contactless reader
C0 Contactless Readers Other
CD1 Communications & Download None
CD2 Communications & Download Socket / USB
CD3 Communications & Download Analogue RF
CD4 Communications & Download Bluetooth
CD5 Communications & Download Wi-Fi (802.11)
CD6 Communications & Download SMS / MMS / Text
CD7 Communications & Download GSM / Data
CD8 Communications & Download Digital RF (non specific)
CD0 Communications & Download Other
D1 DIP Readers Directly to card entry slot
D2 DIP Readers Molded overlay covering DIP reader
D3 DIP Readers False front covering larger area
D0 DIP Readers Other
EC1 Encryption None
EC2 Encryption AES
EC3 Encryption DES
EC4 Encryption 3DES
EC0 Encryption Other
FP1 Features (APC) Integrated skimmer
FP2 Features (APC) Receiver for skimming device
FP0 Features (APC) Other
FX1 Features (ASK) Integrated camera
FX2 Features (ASK) Receiver for PIN compromise device
-
7/27/2019 Best Practices for Preventing Skimming Published Version 09
30/48
Best Practices for Preventing ATM Skimming
Copyright 2009 ATMIA | All Rights Reserved | www.atmia.com
Page 30 of 48
Code Type Method
FX3 Features (ASK) Screened for anti-skimming interference
FX4 Features (ASK) Motorized card transport
FX0 Features (ASK) Other
IP1 Internal Compromise of Modules(APC)
ATM integrated security camera tap
IP2 Internal Compromise of Modules(APC)
Internal keyboard tap
IP0 Internal Compromise of Modules(APC)
Other
IS1 Internal Compromise of ATM System Internal communications tap
IS2 Internal Compromise of ATM System Software / Malware / Trojan
IS0 Internal Compromise of ATM System Other
IT1 Internal Compromise of Card Reader Pre-head tap
IT2 Internal Compromise of Card Reader Read head tap
IT3 Internal Compromise of Card Reader Card reader PCB parasite
IT4 Internal Compromise of Card Reader Card reader data line tap
IT0 Internal Compromise of Card Reader Other
KB1 Keyboard Exact-size keyboard overlay
KB2 Keyboard Shelf / full-panel keyboard overlay
KB3 Keyboard False-front covering larger area
KB0 Keyboard Other
M1 Motorized Readers Directly to card entry slot
M2 Motorized Readers Molded around entry areaM3 Motorized Readers False front covering larger area
M4 Mot orized Readers Modified anti-f raud device inhibit or
M5 Motorized Readers Overlay of anti-fraud inhibitor
M6 Mot orized Readers Attachment t o anti-fraud inhibit or
M0 Motorized Readers Other
PS1 Power Source Integrated non-rechargeable batteries
PS2 Power Source Integrated rechargeable batteries
PS3 Power Source Separate battery pack
PS4 Power Source From ATM power
PS5 Power Source From other constant power source
PS0 Power Source Other
RC1 Remote Cameras ATM location CCTV
RC2 Remote Cameras ATM location spy camera
RC0 Remote Cameras Other
RD1 Secondary DIP devices Door-access skimmer
RD2 Secondary DIP devices Card cleaning device
RD3 Secondary DIP devices Card activation / validation device
RD4 Secondary DIP devices Stand alone terminal
-
7/27/2019 Best Practices for Preventing Skimming Published Version 09
31/48
Best Practices for Preventing ATM Skimming
Copyright 2009 ATMIA | All Rights Reserved | www.atmia.com
Page 31 of 48
Code Type Method
RD0 Secondary DIP devices Other
RE1 External modem / communications hub Modem tap
RE2 External modem / communications hub Telephone exchange tap
RE3 External modem / communications hub Communication hub tap
RE4 External modem / communications hub Wi-Fi intercept
RE0 External modem / communications hub Other
RH1 Hand-held skimming device Pocket sized skimmer
RH0 Hand-held skimming device Other
RK1 Remote Keyboards Door-entry keyboard
RK2 Remote Keyboards PIN-activation / validation keyboard
RK3 Remote Keyboards Stand-alone terminal
RK0 Remote Keyboards Other
RS1 Secondary swipe devices Door-access skimmer
RS2 Secondary swipe devices Card cleaning device
RS3 Secondary swipe devices Card activation / validation device
RS4 Secondary swipe devices Stand alone terminal
RS0 Secondary swipe devices Other
S1 Swipe Readers Overlay covering swipe reader
S2 Swipe Readers Mounted below or left of swipe reader
S3 Swipe Readers Mounted above or right of swipe reader
S4 Swipe Readers False front covering larger area
S0 Swipe Readers Other
SC1 Camera Location & Packaging In light diffuser / light panel
SC2 Camera Location & Packaging In leaflet box
SC3 Camera Location & Packaging In false panel above PIN pad
SC4 Camera Location & Packaging In false panel right of PIN pad
SC5 Camera Location & Packaging In false panel left of PIN pad
SC6 Camera Location & Packaging In safety mirror
SC7 Camera Location & Packaging In sun / rain canopy
SC8 Camera Location & Packaging Integrated with skimmer
SC0 Camera Location & Packaging Other
ST1 Storage None
ST5 Storage Cell phone storage
ST0 Storage Other
SV1 Surveillance Shoulder surfing - covert
SV2 Surveillance Shoulder surfing assist victim
SV3 Surveillance Long-range lens / telescope
SV4 Surveillance Mirror
SV5 Surveillance Colored dust
SV6 Surveillance Advertising panel reflection
SV0 Surveillance Other
TC1 Camera Type Spy camera
TC2 Camera Type Cell phone camera
TC3 Camera Type Video camera
TC0 Camera Type Other
Chapter 3. PCI Guidelines on Preventing Skimming
3.1. What/Who is PCI?
The Payment Card Industry Security Standards Council (PCI SSC) is an independent standards body formed by five of the major card brands (Visa, MasterCard, JCB, American Express, and Discover). This council was formed to create, maintain, and manage various standards that govern the security of payment card transactions.
PCI SSC does not set mandates for compliance with the standards that it maintains; it only manages the process for issuing, maintaining, and updating the standards. It is up to the individual card brands that formed the PCI SSC to issue such mandates on how, when, and by whom compliance with the PCI standards must be met.
3.2. The PCI Standards
At the time of writing, PCI SSC manages three different standards:
PCI PIN Transaction Security (PCI PTS)
PCI Payment Application Data Security Standard (PCI PA DSS)
PCI Data Security Standard (PCI DSS)
In addition to these standards, a PCI PIN audit security program also exists, but this is currently maintained independently by Visa and MasterCard, not by PCI SSC (although this is expected to change within the next few years). These different standards address different aspects of the payment process.
PCI PTS
PCI PTS is actually a series of standards that address the security of the hardware and firmware into which customer PINs are entered and encrypted during a transaction.
At the time of writing, the following standards exist under the PCI PTS program:
PCI POS PED addresses the security of PIN Entry Devices (PEDs) that are operated within an attended, shop-style environment.
PCI EPP covers the security of Encrypting PIN Pads (EPPs) that are used to enter and encrypt PINs within larger, generally unattended, devices such as ATMs, ticketing machines, fuel dispensers, etc.
PCI UPT covers the overall security of larger unattended devices such as those noted above, with the exception of ATMs.
PCI ATM covers the security of unattended devices that provide for the withdrawal or deposit of cash. At the time of writing, this standard is under development and has not yet been published.
PCI HSM addresses the security of Hardware Security Modules (HSMs) that are used to generate, re-encrypt (or translate), or verify customer PINs, or to manage the keys used in PIN Entry Devices which encrypt customer PINs directly.
PCI PA DSS
PCI PA DSS provides a set of security requirements for software that is involved in the authorization or settlement of payment transactions. This standard was created to ensure that such software does not prevent any company implementing the software from being compliant with the PCI DSS requirements. The scope of PA DSS can include the application software used in payment devices such as ATMs and PIN Entry Devices.
PCI DSS
PCI DSS is an umbrella standard that essentially covers any areas which are not directly covered by the other PCI standards. Any system that stores, processes, or transmits payment card data is in scope of the PCI DSS requirements. This standard provides a set of best practice guidelines for how any system and business that handles payment card data should secure this data.
PCI PIN
Finally, the PCI PIN standard is an audit program that confirms the key management practices for cryptographic keys that are used to encrypt customer PIN data.
3.3. How Do the PCI Standards Address Skimming?
As the various PCI standards cover different aspects of payment transactions, they each assist in preventing skimming in different ways.
The PCI PTS program is the program that addresses the issue of skimming most directly. Each of the standards designed for devices that accept the direct input of payment card data has a requirement to secure the path from the card reader to the security processor within the device. This requirement covers both the path from the Integrated Circuit Card Reader (ICCR) and the path from the magnetic stripe card reader (MSR).
Specifically, the PCI PTS requirements for Unattended Payment Terminals (PCI UPT) include the following requirement:
DTR A11
It is not feasible to penetrate the UPT to make any additions, substitutions, or modifications to the Magnetic-Stripe Reader or the UPT's hardware or software, in order to determine (e.g., skimming attacks must be prevented) or modify magnetic-stripe track data, without requiring an attack potential of at least 14 per UPT, for identification and initial exploitation, as defined in Appendix B.
Source: PCI UPT DTRs v1.0, April 2009, page 15
Similar requirements exist in the PCI POS PED and PCI ATM standards. The above requirement is further clarified with the following statements:
Countermeasures include, for instance, active detection of skimmers, active disturbance of the skimming process, or notice to the cardholder on what the reader should look like. The protection of the reader may consist of resistance of the UPT cabinet/the reader enclosure against manipulation.
Skimming attacks to recover payment card data may occur via either the attachment of external devices or attacking other areas (hardware or software) of the UPT. Both must be considered for this requirement.
Access to the inside of the UPT for routine maintenance (e.g., replenishing paper) shall not allow access to clear-text account data, e.g., by making cabling which transmits the data physically inaccessible to routine maintenance personnel or encrypting the sensitive card data transmitted internally within the UPT between components.
Source: PCI UPT DTRs v1.0, April 2009, page 15
Therefore, the PCI PTS standards specifically make note that protections against skimming must go beyond merely securing the physical exterior of the payment device, as skimming may occur through the implanting of internal monitoring devices as well as external devices. To this end, the security of any openings, access hatches, or service panels must be considered if such openings allow access to plaintext card data.
Because of this, in many instances it is considered best practice to protect card data logically, using encryption, when routing it through exposed cabling and components within larger payment devices such as UPTs and ATMs.
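The internal encryption the preceding paragraph recommends can be seen in the following added example, which is not part of the ATMIA document or of any PCI specification. It assumes the reader module and the security processor share a 32-byte AES key (AES is one of the algorithms the standards accept as strong cryptography) and uses AES-GCM, so that a tap on the internal cable sees only ciphertext and any modification, or replay of a captured message into another terminal, is rejected by the security processor. The key, terminal IDs and Track 2 contents are constructed for the illustration.

```go
// Added illustration, not code from the ATMIA document: authenticated
// encryption of track data on the internal path from the card reader to the
// security processor. Key, terminal IDs and track contents are constructed;
// a real device receives its key under audited key management, never from
// a literal in source.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM instance from a 32-byte key shared by the
// reader module and the security processor.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptTrack runs inside the reader module before the data leaves it. A
// fresh random nonce is prepended to the ciphertext, and the terminal ID is
// bound in as additional authenticated data so a message captured inside
// one ATM cannot be replayed into another.
func encryptTrack(aead cipher.AEAD, terminalID string, track []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, track, []byte(terminalID)), nil
}

// decryptTrack runs inside the security processor. Any change to the nonce,
// ciphertext or tag, and any mismatch of terminal ID, fails the GCM
// authentication check and yields no plaintext at all.
func decryptTrack(aead cipher.AEAD, terminalID string, msg []byte) ([]byte, error) {
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() {
		return nil, errors.New("message shorter than nonce plus tag")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], []byte(terminalID))
}

// panVisible models a passive tap on the internal cable: it simply looks for
// the account number in whatever bytes pass by.
func panVisible(wire []byte, pan string) bool {
	return bytes.Contains(wire, []byte(pan))
}

func main() {
	key := []byte("constructed-32-byte-demo-key!!!!") // constructed, 32 bytes
	aead, err := newAEAD(key)
	if err != nil {
		panic(err)
	}
	// Constructed Track 2 data built around a well-known test PAN.
	track := []byte("4111111111111111=25121015432112345678")
	const terminal = "ATM-0001"

	fmt.Println("plaintext cable, PAN visible to tap:", panVisible(track, "4111111111111111"))

	msg, err := encryptTrack(aead, terminal, track)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted cable, PAN visible to tap:", panVisible(msg, "4111111111111111"))

	got, err := decryptTrack(aead, terminal, msg)
	fmt.Println("security processor recovered track:", err == nil && bytes.Equal(got, track))

	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = decryptTrack(aead, terminal, tampered)
	fmt.Println("tampered message rejected:", err != nil)

	_, err = decryptTrack(aead, "ATM-0002", msg)
	fmt.Println("replay into another terminal rejected:", err != nil)
}
```

The point of binding the terminal ID as associated data is the second half of DTR A11: the requirement is about modification as well as disclosure, and an authenticated cipher covers both, whereas a bare stream or block cipher would only hide the data.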
This requirement should not be confused with a necessity for encrypting magnetic strip read heads, as this is not mandated by the standard and is often not necessary for smaller PIN Entry Devices, which can more easily provide physical security to the path of the signals from the MSR to the security processor.
It should also be noted from the PCI PTS requirements that although some guidelines are provided in regard to protection against the placement of a physical skimming device, these requirements are not the only options that exist. The guidance provided within these requirements does not intend to constrain or restrict the possible ways in which skimming can be prevented. In fact, one reason for this is so that the market can actively work on creating new and more advanced ways in which anti-skimming technology can be embodied and deployed.
When considering the security requirements within the PCI PTS program, it is important to understand that these cover only the security of the data from the card reader to the internal security processor of the payment device.
Once this data has reached the security processor, it is up to the payment application and overall payment system in which the device operates to secure the data.
This is where PCI PA DSS and PCI DSS add their assistance to the security of card data. These programs protect such data in two ways: (1) by securing the applications themselves; and (2) by securing the transmission of payment card data.
PCI DSS and PA DSS require that payment applications, and the systems on which they are installed and operated, are secured in line with industry best practice.
This includes removing any unnecessary services from the devices, securing remote access, using network security devices such as firewalls and IDS/IPS, regularly testing the security of systems, and so forth. PCI DSS has many individual compliance requirements, and it is beyond the scope of this document to cover them all.
It is strongly recommended that the full PCI DSS requirements, as well as the ATMIA Software Security Best Practice document, are considered when devising an anti-skimming strategy.
PCI DSS also mandates that the transmission of card data across open, wireless, and public networks must be encrypted using strong cryptography. In these standards, such cryptography essentially means the use of triple DES, AES, RSA, or Elliptic Curve Cryptography.
Although this standard does not require the use of such encryption across all networks, it is strongly recommended that encryption is used whenever transmitting card data, as capture during transmission is a common skimming attack vector.
The diagram in Figure 15 shows a pictorial representation of how the different PCI standards overlap to cover the life cycle of a payment transaction.
This diagram shows that:
The PCI PTS program covers the security of the data as it enters the ATM or payment device.
The PA DSS program covers the security of the data as it is used in commercial payment software.
The PCI DSS program covers the security of payment data as it is transmitted and processed within the broader payment network.
Figure 15. PCI standards overlap in payment transaction life cycle
Chapter 4. Best Practices for Preventing Capture of Magnetic Stripe Data During ATM Transactions
4.1. Protection of the Magnetic Stripe Data
Card skimming is a global threat and it will continue to be an industry issue as long as the magnetic stripe containing the cardholder's account information remains on the card.
Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming.
However, the complete removal of the magstripe is not anticipated to occur in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.
There are several methods to keep sensitive account information contained on the magstripe safe from fraudsters; the most effective method is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication, giving alternate methods for conducting secure transactions at the ATM.
Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices.
Card readers can be equipped with some type of foreign object detection technology and can alert a financial institution or law enforcement in the event that a skimming device is installed on the fascia of an ATM.
Jitter technology is a process that controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult to read card data.
Card skimmers generally require a smooth intake of the card to get a good read of the magstripe. The design of the card reader bezel also plays an important role in deterring the application of a skimmer. The design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user.
Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.
Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted.
Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.
4.2. Integration with IT Systems
A self-contained, secure environment including physical and logical access control and enhanced identity management is essential in securing an ATM.
Intelligent fraud-detection systems should be used to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.
ATM networks and multi-issuer consortiums are also important for detecting outbreaks of counterfeit card fraud and determining the size and scope of the cards the criminal still has in inventory. Cards identified as at risk of counterfeit fraud can then be flagged during real-time transaction authorizations to minimize financial losses.
Industry fraud solution vendors also continue to increase the effectiveness and sophistication of customer-profiling neural network systems that can identify unusual spending patterns and potentially fraudulent transactions.
These profiles have been implemented at the merchant and terminal level in order to further enhance the decision to authorize or deny a transaction in real time based on known fraud or unusual terminal transaction behavior.
If a transaction scores with a high risk of fraud, the issuer will then contact the cardholder to check whether the suspect transaction is genuine. If not, an immediate block can be put on the card.
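The consortium-style analysis the preceding paragraphs describe, as an added example that is not code from the ATMIA document or from any fraud-solution vendor: given the cards an issuer has confirmed as counterfeit, it finds the terminal those cards have in common within a look-back window and then lists the other cards seen at that terminal, which are the criminal's likely remaining inventory and the candidates for tighter authorization scoring or re-issue. The authorization history, card tokens and terminal IDs are constructed for the example, and minShare is an assumed tunable threshold.

```go
// Added illustration, not code from the ATMIA document: common-point-of-
// compromise analysis over a constructed authorization history.
package main

import (
	"fmt"
	"sort"
	"time"
)

// txn is one authorization record. Card values are constructed tokens, not PANs.
type txn struct {
	card, terminal string
	when           time.Time
}

func day(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// commonPoints returns the terminals at which at least minShare (0..1) of the
// confirmed-fraud cards transacted within [start, end], the terminal shared by
// the most fraud cards first. minShare 1.0 demands a terminal every fraud card
// used; a lower share tolerates cards skimmed elsewhere or incomplete history.
func commonPoints(history []txn, fraud map[string]bool, start, end time.Time, minShare float64) []string {
	seen := make(map[string]map[string]bool) // terminal -> distinct fraud cards seen there
	for _, t := range history {
		if !fraud[t.card] || t.when.Before(start) || t.when.After(end) {
			continue
		}
		if seen[t.terminal] == nil {
			seen[t.terminal] = make(map[string]bool)
		}
		seen[t.terminal][t.card] = true
	}
	counts := make(map[string]int)
	for term, cards := range seen {
		if float64(len(cards)) >= minShare*float64(len(fraud)) {
			counts[term] = len(cards)
		}
	}
	out := make([]string, 0, len(counts))
	for term := range counts {
		out = append(out, term)
	}
	sort.Slice(out, func(i, j int) bool {
		if counts[out[i]] != counts[out[j]] {
			return counts[out[i]] > counts[out[j]]
		}
		return out[i] < out[j]
	})
	return out
}

// exposedCards lists the not-yet-reported cards that used the suspected
// terminal in the window: the criminal's likely remaining inventory, which the
// issuer can flag for stricter authorization scoring or re-issue.
func exposedCards(history []txn, terminal string, fraud map[string]bool, start, end time.Time) []string {
	found := make(map[string]bool)
	for _, t := range history {
		if t.terminal == terminal && !fraud[t.card] && !t.when.Before(start) && !t.when.After(end) {
			found[t.card] = true
		}
	}
	out := make([]string, 0, len(found))
	for c := range found {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// sampleHistory is constructed: three confirmed-fraud cards all used ATM-17,
// two of them also used ATM-05, two unreported cards used ATM-17 in the same
// window, and card-06 used ATM-17 before the window opened (so it is ignored).
func sampleHistory() []txn {
	return []txn{
		{"card-01", "ATM-17", day(2009, 1, 2)},
		{"card-02", "ATM-17", day(2009, 1, 3)},
		{"card-03", "ATM-17", day(2009, 1, 4)},
		{"card-01", "ATM-05", day(2009, 1, 5)},
		{"card-02", "ATM-05", day(2009, 1, 6)},
		{"card-03", "ATM-22", day(2009, 1, 7)},
		{"card-04", "ATM-17", day(2009, 1, 3)},
		{"card-05", "ATM-17", day(2009, 1, 8)},
		{"card-06", "ATM-17", day(2008, 12, 20)},
	}
}

func main() {
	fraud := map[string]bool{"card-01": true, "card-02": true, "card-03": true}
	start, end := day(2009, 1, 1), day(2009, 1, 10)
	points := commonPoints(sampleHistory(), fraud, start, end, 1.0)
	fmt.Println("common point(s):", points) // [ATM-17]
	for _, p := range points {
		fmt.Println(p, "at-risk cards:", exposedCards(sampleHistory(), p, fraud, start, end))
	}
}
```

Against real volumes a terminal that almost every card in a region uses will also score as "common" by chance, so a production consortium system normalises the fraud-card count against the terminal's total traffic in the window and against the issuer's base rate; the plain share threshold is kept here to show the mechanism, and the at-risk list is what feeds the real-time authorization flagging the text describes.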
4.3. Role of the Consumer in Fraud Prevention
The evolution needs to be in the mind of the consumer: where at one time they worried about an armed person approaching them, now they also need to beware of "good Samaritans" who want to steal their information while they conduct a transaction.
The consumer should check the ATM before using it and protect his/her PIN.
Shielding the entry of the PIN with their hand and body is just one way a consumer can prevent someone from viewing it.
4.4. Summary
Some best practices for the mitigation of fraud due to card skimming:
Building awareness among consumers, branch personnel, and ATM service teams can result in the detection of devices added to an ATM fascia. Visual clues such as tape residue near or on a card reader may indicate the former presence of a skimming device.
Chip-based cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.
Contactless cards, out-of-band authentication using cell phones, and biometric readers are all new authentication technologies that can be used as alternate methods for conducting secure ATM transactions.
Alert systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.
In addition to following these best practices, there are several anti-skimming solutions that financial institutions can implement to help mitigate risk. A multi-layered approach to securing the card reader is the best methodology.
Foreign object detection: ATMs equipped with this type of technology can alert a financial institution or law enforcement in the event that a skimming device is added on the fascia of an ATM.
Jitter technology: a process that controls and varies the speed of movement of a card as it moves in and out of a card reader, making it difficult if not impossible to read card data. Card skimmers generally require a smooth intake of the card to get a good read of the magstripe.
Card reader bezel design: the design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user.
Anti-skimming technologies: effective in identifying, jamming or disturbing skimming devices when attached to the ATM.
Video surveillance and monitoring: an effective method for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays an