Best Practices for Preventing Skimming Published Version 09


  • 7/27/2019 Best Practices for Preventing Skimming Published Version 09


    Best Practices for Preventing ATM Skimming

    International minimum security guidelines and best practices

    Produced by the ATM Industry Association

    Contributors Include:


    FOR ATMIA MEMBERS USE ONLY Best Practices for Preventing ATM Skimming

    Copyright 2009 ATMIA FOR USE BY ATMIA MEMBERS ONLY | All Rights Reserved | www.atmia.com

    Page 2 of 48

    Copyright Information

    Copyright 2009 ATMIA, All Rights Reserved.

    Should you wish to join ATMIA's Anti Skimming portal on www.atmia.com, e-mail Mike Lee, ATMIA's CEO, at [email protected]

    Disclaimer

    The ATM Industry Association (ATMIA) publishes this best practice manual in furtherance of its non-profit and tax-exempt purposes to enhance protection of the ATM against skimming. ATMIA has taken reasonable measures to provide objective information and recommendations to the industry but cannot guarantee the accuracy, completeness, efficacy, timeliness or other aspects of this publication. ATMIA cannot ensure compliance with the laws or regulations of any country and does not represent that the information in this publication is consistent with any particular principles, standards, or guidance of any country or entity. There is no effort or intention to create standards for any business activities. These best practices are intended to be read as recommendations only and the responsibility rests with those wishing to implement them to ensure they do so after their own independent relevant risk assessments and in accordance with their own regulatory frameworks. Further, neither ATMIA nor its officers, directors, members, employees or agents shall be liable for any loss, damage or claim with respect to any activity or practice arising from any reading of this manual; all such liabilities, including direct, special, indirect or inconsequential damages, are expressly disclaimed. Information provided in this publication is "as is" without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or freedom from infringement. The name and marks ATM Industry Association, ATMIA and related trademarks are the property of ATMIA.

    Please note this manual contains security best practices and should not be left lying around or freely copied without due care for its distribution and safekeeping.

    ATM INDUSTRY ASSOCIATION GLOBAL SPONSORS 2009

    UNITED STATES INTER-CONTINENTAL AND REGIONAL SPONSORS SEPTEMBER 2009


    Table of Contents

    TABLE OF FIGURES ... 4
    FOREWORD ... 5
    EXECUTIVE SUMMARY ... 6
    ACKNOWLEDGEMENTS ... 10
    CHAPTER 1. INTRODUCTION ... 11
    1.1. A BRIEF HISTORY OF SKIMMING ... 12
    1.2. WHAT IS SKIMMING? ... 12
    1.3. IS CHIP AND PIN THE ANSWER? ... 13
    1.4. THE NEED FOR GREATER PUBLIC COMMUNICATION ... 14
    1.5. A CALL TO ACTION ... 15
    CHAPTER 2. CLASSIFICATION SYSTEM FOR ATM SKIMMING & PIN-COMPROMISE ... 16
    2.1. ATM SKIMMING & PIN COMPROMISE CLASSIFICATION ... 16
    2.1.1. ATM Skimming Classification (ASK-) ... 16
    2.1.2. ATM PIN-Compromise Classification (APC-) ... 21
    2.2. CASE STUDIES: EXAMPLES OF ATM SKIMMING DEVICES ... 26
    2.3. CODES FOR ASK AND APC SYNTAX ... 29
    CHAPTER 3. PCI GUIDELINES ON PREVENTING SKIMMING ... 33
    3.1. WHAT/WHO IS PCI? ... 33
    3.2. THE PCI STANDARDS ... 33
    3.3. HOW DO THE PCI STANDARDS ADDRESS SKIMMING? ... 35
    CHAPTER 4. BEST PRACTICES FOR PREVENTING CAPTURE OF MAGNETIC STRIPE DATA DURING ATM TRANSACTIONS ... 38
    4.1. PROTECTION OF THE MAGNETIC STRIPE DATA ... 38
    4.2. INTEGRATION WITH IT SYSTEMS ... 39
    4.3. ROLE OF THE CONSUMER IN FRAUD PREVENTION ... 40
    4.4. SUMMARY ... 40
    CHAPTER 5. BEST PRACTICES FOR PREVENTING INTERCEPTION OF CUSTOMER PIN ... 42
    5.1. PIN SECURITY OVERVIEW ... 42
    5.2. EDUCATING THE CUSTOMER ... 42
    5.3. MANUFACTURING CHANGES FOR THE EPP AND FASCIA ... 43
    5.4. ADVANCEMENT OF BIOMETRICS TO REPLACE PIN ... 43
    5.5. SUMMARY OF BEST PRACTICES FOR PROTECTING PINS ... 44
    CHAPTER 6. FURTHER READING AND LINKS ... 45
    6.1. USEFUL READING ... 45
    6.2. STANDARDS DOCUMENTATION ... 45
    6.3. RELEVANT LINKS ... 46
    CHAPTER 7. CHECKLIST OF RECOMMENDATIONS FOR PREVENTING SKIMMING ... 47
    7.1. SUMMARY OF RECOMMENDATIONS ... 47
    7.2. CHECKLIST OF RECOMMENDATIONS ... 48


    Table of Figures

    Figure 1. Card Entry Area Skimming Device suggested classification syntax summary ... 17
    Figure 2. Internal skimming method summary ... 18
    Figure 3. Remote and secondary near-proximity skimming technique summary ... 19
    Figure 4. Attachment methods and common power source summary ... 19
    Figure 5. Storage capability of ATM skimmers, communication, download summary ... 20
    Figure 6. Activation and encryption summary ... 20
    Figure 7. Feature, capacity & endurance summary ... 21
    Figure 8. Common external PIN compromise method summary ... 23
    Figure 9. Common internal PIN compromise method summary ... 23
    Figure 10. Remote and secondary PIN-compromise device summary ... 23
    Figure 11. Attachment methods and common power source summary ... 24
    Figure 12. Storage, communications, and download summary ... 24
    Figure 13. Activation and encryption summary ... 25
    Figure 14. Additional PIN-compromise device feature summary ... 25
    Figure 15. PCI standards overlap in payment transaction life cycle ... 37


    Foreword

    Today, skimming is one of the most widespread and organised crimes directed at the ATM, as well as at Point of Sale devices.

    The Anti Skimming Forum of ATMIA believes this manual will help to reinforce the ATM's Trusted Environment as well as the reputation of the ATM as a safe and convenient self-service banking device.

    It sets out international minimum security guidelines and best practices for preventing skimming at ATMs.

    To combat fraud, it is imperative that all ATM deployers in all regions and countries take best practices very seriously, and implement all guidelines and best practices contained herein to the greatest extent possible.

    ATMIA Anti Skimming Forum

    August, 2009


    Executive Summary

    Please note that this Executive Summary cannot replace reading the whole manual. The summary is merely a guide as to the content and main principles of prevention of skimming at ATMs.

    1. Recent indicators show sharp rises in incidents of skimming on an increasingly global scale.

    2. ATMs were first confirmed to be targeted by new styles and designs of skimming device in the late 1990s. Inspection of the ATM uncovered scratches and marks on the fascia that indicated a device of some type had probably been previously attached to the machine.

    3. Today, the number of different designs and the multitude of technologies used to create ATM skimming devices necessitate the development of an ATM skimming-classification system. The best defense may vary according to the type of device used for the skimming attack.

    4. Card skimming is defined as the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader. Skimming is often accompanied by the covert capture of customer PIN data. Armed with this information the fraudsters will create dummy cards and raid the customer's account. Increasingly, card details captured through skimming at an ATM in one country will be used to commit fraud in another country.

    5. UK Payments published figures show that counterfeit card losses in the UK fell by 68 percent in the four years to 2008 because the introduction of chip and PIN makes it harder for criminals to use fake cards in ATMs and shops in the UK. Now, UK card information is being used to create counterfeit cards that are then used in other countries.

    6. Fraud committed abroad using UK card information increased from £23.8 million in 2004 to £132.8 million in 2008. In particular, fraud committed in the US using data from UK issued cards has increased by 181 percent since 2005, totaling £31.7 million in 2008. A recent UK Payments publication notes that "as more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."


    7. Solutions for preventing the copying of magnetic stripe data at the ATM include devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine, solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information, and detectors that send alerts when a foreign device is detected at or near the ATM card entry slot.

    8. As the most used retail banking channel, for many the ATM represents the face of banking. Banks need to communicate the nature of the problem to the media and customers without creating fear and uncertainty. It is important to communicate how chosen solutions to skimming work and any implications this will have for an ATM's appearance or performance.

    9. Customers can lessen the potential impact of skimming by protecting their PIN, the front door key of their bank accounts, by covering the keypad with their free hand when entering the code.

    10. Card skimming is an international problem and its prevention requires a consistent global approach.

    11. The new international classification system for skimming devices includes card entry skimming devices, targeting specific types of card-activation interface such as Motorized, Swipe, Dip and Contactless; internal skimming devices (such as pre-head tap skimmers and malware capable of obtaining non-encrypted card data within the ATM system); remote & secondary near-proximity skimming devices, for example, hand-held machines and tapping equipment; as well as ancillary or support technology like attachment methods, power sources, card data storage methods (such as integrated memory chips, local SD data cards and MP3 recorders), integrated cameras (for PIN-compromise) and radio receivers, as well as activation methods like remote control.

    12. ATM PIN-compromise devices in the classification system include external PIN-compromise devices (such as spy cameras, keyboard overlays and binoculars), internal PIN-compromise devices (such as electronic tapping equipment or malicious software), remote & secondary PIN-compromise devices (such as lobby door false keyboards), as well as ancillary or support technology like attachment and activation methods, power sources, storage, communications & download capability (such as radio receivers).

    13. Each of the current PCI standards, PCI PIN Transaction Security (PCI PTS), PCI Payment Application Data Security Standard (PCI PA-DSS) and PCI Data Security Standard (PCI DSS), has material relevant to preventing skimming. The PCI PTS program is the one that addresses the issue of skimming most directly. Each of the standards designed for devices that accept the direct input of payment card data has a requirement to secure the path from the card reader to the security processor within the device. This requirement covers both the path from the Integrated Circuit Card reader (ICCR) and the path from the magnetic stripe card reader (MSR). For details of specific requirements, see Chapter 3.


    14. Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming. However, the complete removal of the magstripe is not anticipated to occur in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.

    15. There are several methods to keep sensitive account information contained on the magstripe safe from fraudsters; the most effective method is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication, offering alternate methods for conducting secure transactions at the ATM.

    16. Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices. Card readers can be equipped with some type of foreign object detection technology and can alert a financial institution or law enforcement in the event that a skimming device is installed on the fascia of an ATM. Jitter technology is a process that controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult to read card data. Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective methods for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.

    17. Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted. Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.

    18. A self-contained, secure environment including physical and logical access control and enhanced identity management is essential in securing an ATM. Intelligent fraud-detection systems should be used to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.

    19. The consumer must be educated to be vigilant and inspect the ATM before using it. Consumers must also be educated on how to protect their PIN. Shielding the entry of the PIN with their hand and body is just one way a consumer can prevent someone from viewing it.


    20. Information sharing of fraud-related activity with industry stakeholders can help to identify current threats and trends and facilitate deployment of the most effective fraud mitigation tactics. There is also an opportunity to influence regulatory requirements to support fraud prevention tactics that will in turn help demonstrate the return on investment for security spend.

    21. One of the weakest links in any ATM transaction is the entry of the customer PIN. The PIN in its current form is static and always four (or, in some countries, six) numbers. Despite improvements in the security of the transmitted PIN and account data via 3DES, no significant improvements or best practices have emerged to protect the physical entry of the customer PIN at the ATM.

    22. Investigation is encouraged of new technologies to create EPPs that incorporate a scramble methodology to number placement at each transaction.

    23. Biometrics offers a difficult-to-duplicate replacement for a static numerical PIN. As each fingerprint or retinal scan is unique, it is clearly more robust than a four digit PIN. As it may be a costly enterprise, deployment of biometrics as a means to move away from the customer PIN may be several years away.

    24. A multi-layered approach to preventing skimming is the best methodology, integrating customer education and vigilance about PINs, technological investigation, industry information-sharing, manufactured security solutions and compliance with security standards for protecting card data and PINs. Chip and PIN technology has a proven record in reducing skimming and is highly recommended worldwide by the ATM Industry Association.


    Acknowledgements

    The ATMIA is indebted to the contribution of the following industry experts in assembling these Anti Skimming Best Practices, in addition to all members of its Anti Skimming Forum:

    Douglas Russell, Director, DFR Risk Management Ltd

    Terrie Ipson, Marketing Manager, Diebold

    Andrew Jamieson, Technical Manager, Witham Laboratories

    Wynne Evans, Consultant, Wynne Evans Communications

    Steve Weeks, Commercial Manager, ATM Parts Co

    Jeffery Miller, Service Manager, Edge One Incorporated

    George Athanasakis, Director, Australian Technology Management Pty Ltd

    Mike Urban, Sr Director, Fraud Solutions, FICO

    Cyndi Spencer, formatting editor


    Chapter 1. Introduction

    Skimming: A Current and Increasing Global Threat

    Recent indicators show sharp rises in incidents of skimming on an increasingly global scale.

    In April, 2009, EAST (European ATM Security Team) reported a 129 percent increase in card skimming incidents in 2008 over the previous year. A total of 10,302 cases were reported. Yet Europe is not alone.

    Skimming is occurring throughout the world, from Russia to the USA, from Australia to the Middle East, from South Africa to South America.

    For example, a glance through the financial media for just one month, July 2009, reveals the growing nature of the international threat of card skimming at the ATM. In Las Vegas it was reported that there were 75 skimming attacks over a three month period compared to previous rates of 2-3 incidents a year. In Sydney, Australia, the New South Wales Fraud Squad reported 60 skimming attacks in the first four months of 2009, with a spokesman stating that the devices used are becoming smaller, more sophisticated and capable of storing more data. In April it was reported that nine Romanian nationals had been arrested in relation to skimming attacks on Australian ATMs.

    In California it was also reported that skimmers and card duplicators could be bought from overseas sellers via the internet for a few thousand dollars. It would appear that there is a global epidemic.

    Yet card skimming is not new. Early forms of skimming device and indeed dummy ATMs installed in empty shop fronts were used to capture card information in the nineties. What has changed is the scale and geographical spread of such attacks.

    What do we mean by card skimming at the ATM?


    1.1. A Brief History of Skimming

    Skimming started to gain momentum as a method of undermining plastic card-based systems in the mid to late 1980s.

    At that time, the most common modus operandi was for criminals to operate in retail premises: typically, the food and beverage industry and at fuel (gas) stations. The devices used to copy the magnetic stripe, while large by today's standards, were often just small enough to be concealed in the perpetrator's clothing or hidden out of sight below the cash desk.

    ATMs were first confirmed to be targeted by new styles and designs of skimming device in the late 1990s. Prior to the first ATM skimming device being recovered, there had been various incidents globally, including one in which the logical and physical evidence pointed towards skimming as the most likely method of card-compromise.

    Analysis of the historical usage of cards (that were subsequently identified as being compromised) eventually narrowed down the likely CPC (common point of compromise) or CPP (common point of purchase) to a particular ATM. Inspection of the ATM uncovered scratches and marks on the fascia that indicated a device of some type had probably been previously attached to the machine.
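    The CPC/CPP analysis described above can be carried out mechanically once an issuer holds a list of cards later confirmed as counterfeited together with the terminals each card was used at. The Python below is an added illustration, not code from the ATMIA manual or any of its contributors; the transaction log, the compromised-card list and the 30-day look-back window are constructed assumptions. It ranks terminals by how many distinct compromised cards used them shortly before each card's first fraudulent use, and reports what share of each terminal's cardholders were affected so that a busy but innocent terminal is not mistaken for the point of compromise.

```python
"""Common-point-of-compromise (CPC) ranking over constructed ATM transaction data.

Added example; not code from the ATMIA manual. Data, window and thresholds are
assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction log: (card, terminal, timestamp). ATM-101 is the
# planted point of compromise; card-F used it long before the skimmer was fitted.
TRANSACTIONS = [
    ("card-A", "ATM-101", "2009-03-01T10:00"),
    ("card-A", "ATM-202", "2009-03-02T11:00"),
    ("card-B", "ATM-101", "2009-03-01T12:30"),
    ("card-B", "ATM-303", "2009-03-03T09:15"),
    ("card-C", "ATM-101", "2009-03-02T08:45"),
    ("card-C", "ATM-202", "2009-03-04T17:20"),
    ("card-D", "ATM-202", "2009-03-01T13:00"),
    ("card-E", "ATM-303", "2009-03-05T10:10"),
    ("card-F", "ATM-101", "2009-01-15T10:00"),
]

# Constructed: cards later confirmed as counterfeited, keyed to the timestamp
# of the first fraudulent withdrawal seen on each.
COMPROMISED = {
    "card-A": "2009-03-10T00:00",
    "card-B": "2009-03-11T00:00",
    "card-C": "2009-03-12T00:00",
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def rank_terminals(transactions, compromised, window_days=30):
    """Rank terminals as CPC candidates.

    A transaction counts as a hit when a later-compromised card used the
    terminal inside `window_days` before that card's first fraud. Returns
    (terminal, distinct_compromised_cards, share_of_terminal_cards) tuples,
    best candidate first.
    """
    window = timedelta(days=window_days)
    cards_at = defaultdict(set)   # terminal -> every distinct card seen there
    hits_at = defaultdict(set)    # terminal -> compromised cards seen in window
    for card, terminal, ts in transactions:
        cards_at[terminal].add(card)
        if card not in compromised:
            continue
        first_fraud = parse(compromised[card])
        seen = parse(ts)
        if first_fraud - window <= seen < first_fraud:
            hits_at[terminal].add(card)

    ranked = []
    for terminal, hits in hits_at.items():
        share = len(hits) / len(cards_at[terminal])
        ranked.append((terminal, len(hits), round(share, 2)))
    # Most compromised cards first; the share breaks ties so a terminal that
    # only looks suspicious because it is busy falls below a quieter one.
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


def likely_cpc(transactions, compromised, window_days=30):
    """The top-ranked terminal, or None when no compromised card was seen in
    any window (the analysis then cannot point at a terminal at all)."""
    ranked = rank_terminals(transactions, compromised, window_days)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    for terminal, hits, share in rank_terminals(TRANSACTIONS, COMPROMISED):
        print(f"{terminal}: {hits} compromised cards, {share:.0%} of cards seen")
    print("likely CPC:", likely_cpc(TRANSACTIONS, COMPROMISED))
```

    The look-back window matters: skimmers are usually fitted for hours or days, so a window that is too long pulls in every terminal a victim ever visited, and one that is too short misses the compromise entirely (with a five-day window the constructed data yields no candidate at all). In practice the share column is what separates the real CPC from a busy high-street machine that most victims also happened to use.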

    Today, the volume of skimming incidents is considerable, as discussed in the previous section. There is also a considerable number of different designs and a multitude of technologies used to create skimming devices.

    So significant is the number that it has become increasingly important to create an ATM skimming-classification system.

    The purpose of the classification system is to ease communication within the industry and with law enforcement, and to globally standardize recording of skimming crimes. It:

    • Enables measurement of trends
    • Provides country comparisons
    • Highlights patterns and the migration of particular devices
    • Aids the industry in deciding which anti-skimming initiatives and solutions are best-suited as a defense against particular types of ATM skimming device

    1.2. What is Skimming?

    Card skimming is defined as the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader. Skimming is often accompanied by the covert capture of customer PIN data. Armed with this information, the fraudsters create dummy cards and raid the customer's account.


    This raises a number of issues:

    • What are the implications of the introduction of chip and PIN technology in some countries?
    • What percentage of card skimming takes place at ATMs rather than at POS devices?
    • What are the best ways to prevent this happening and what are the implications for consumer behavior / confidence in the ATM network and indeed the banks?

    When we talk of ATM fraud it is important to distinguish between the point of compromise (where the data is captured) and the location at which the actual fraud takes place. In the UK, for example, published figures for ATM fraud (where cash has been fraudulently withdrawn from an ATM) will normally involve stolen cards (and PIN details), ID theft where a legitimate card is used on a fraudulent account or, in some instances, cases where a card has been captured at the ATM by a criminal using a Lebanese loop style device.

    In the case of card skimming, though card details may be captured at an ATM in the UK, the dummy (counterfeit) card created using this information could well be used in another country. Indeed, recent developments mean this is more likely. From a consumer perspective, another feature of this counterfeit fraud is that cardholders will frequently be unaware of the fraud until they receive a statement or a transaction is refused at a store or ATM due to insufficient funds.

    1.3. Is Chip and PIN the answer?

    UK Payments (formerly APACS) published figures show that counterfeit card losses in the UK fell by 68 percent in the four years to 2008 because the introduction of chip and PIN makes it harder for criminals to use fake cards in ATMs and shops in the UK. However, such cards can be used at stores that haven't been upgraded to chip and PIN or at an overseas cash machine that hasn't been upgraded.

    What the UK has witnessed has been a classic migration of card fraud, whereby UK card information is being used to create counterfeit cards that are then used in other countries.

    Fraud committed abroad using UK card information increased from £23.8 million in 2004 to £132.8 million in 2008. It is interesting to note the countries where this fraud is occurring. Despite the geographic proximity of France, there has been a very significant reduction in such compromises since France rolled out the global chip and PIN system. In contrast, fraud on UK issued cards (and card details) in the United States has increased by 181 percent since 2005, totaling £31.7 million in 2008.


    A recent UK Payments publication notes that "as more and more countries around the world progress their chip and PIN rollouts, it is expected that fraud will continue to shift towards countries such as the USA, which as yet has no plans to implement chip and PIN."
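    Item 18 of the Executive Summary calls for fraud-detection systems that monitor for unusual spending patterns, and this section describes the pattern an issuer should look for: stripe data captured at home reappearing on a counterfeit card abroad, presented as magnetic stripe at a machine that has not been upgraded to chip and PIN. The Python below is an added example, not code from the ATMIA manual; the authorisation records, the country codes and the eight-hour minimum plausible travel gap are constructed assumptions. It flags a magstripe transaction made in a different country from the card's previous use when the two are closer together than a traveller could manage, and treats chip transactions abroad as lower risk, since the manual notes that chip and PIN makes counterfeit cards harder to use.

```python
"""Flag likely counterfeit use abroad: a magnetic-stripe transaction in another
country too soon after the card's previous use.

Added example; not code from the ATMIA manual. Records, countries and the
minimum travel gap are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed authorisation records: (card, country, timestamp, entry_mode).
EVENTS = [
    ("card-1", "GB", "2009-06-01T09:00", "chip"),
    ("card-1", "US", "2009-06-01T12:30", "magstripe"),  # 3.5 h later, other side of the Atlantic
    ("card-2", "GB", "2009-06-01T09:00", "chip"),
    ("card-2", "FR", "2009-06-01T16:00", "chip"),       # chip abroad: treated as genuine
    ("card-3", "GB", "2009-05-20T09:00", "chip"),
    ("card-3", "US", "2009-06-01T12:00", "magstripe"),  # twelve days later: plausible travel
    ("card-4", "GB", "2009-06-01T09:00", "magstripe"),
    ("card-4", "GB", "2009-06-01T09:20", "magstripe"),  # same country: not this rule's concern
]

# Assumption: no genuine cardholder changes country faster than this.
MIN_TRAVEL_GAP = timedelta(hours=8)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def flag_cross_border_magstripe(events, min_gap=MIN_TRAVEL_GAP):
    """Return (card, country, timestamp) for each magstripe transaction made in
    a different country from the card's previous transaction when the two are
    closer together than `min_gap`. Events are ordered per card before pairing."""
    by_card = {}
    for ev in sorted(events, key=lambda e: parse(e[2])):
        by_card.setdefault(ev[0], []).append(ev)

    alerts = []
    for card, evs in by_card.items():
        for prev, cur in zip(evs, evs[1:]):
            _, prev_country, prev_ts, _ = prev
            _, country, ts, mode = cur
            # Only stripe-read transactions that crossed a border are candidates.
            if mode != "magstripe" or country == prev_country:
                continue
            if parse(ts) - parse(prev_ts) < min_gap:
                alerts.append((card, country, ts))
    return alerts


if __name__ == "__main__":
    for card, country, ts in flag_cross_border_magstripe(EVENTS):
        print(f"review {card}: magstripe use in {country} at {ts}")
```

    A single fixed gap is a deliberate simplification: a production rule would use a per-country-pair minimum and would score rather than block, because genuine travellers using non-upgraded overseas machines produce the same signal. The value of the rule is that it fires on the first fraudulent withdrawal, before the cardholder sees a statement.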

    ATM manufacturers have introduced a number of solutions aimed at preventing or nullifying attempts to copy magnetic stripe information at the ATM. These have included devices (protruding illuminated hardware) aimed at preventing the attachment of the skimming machine, solutions that involve a jitter (rapid stop-start motion) movement that will nullify attempts to record card information by making it impossible to get a reading, and detectors that send alerts, either direct to the branch or to an ATM monitoring system, when a foreign device is detected at or near the ATM card entry slot.

    A leading South African retail bank recently announced that it was using pepper spray technology: if cameras observe that someone is tampering with the ATM, another machine will eject pepper spray in order to disable the criminals until an armed response team arrives. The technology is currently being deployed at 11 high-risk sites.

    1.4.The Need for Greater Public CommunicationAs the most used retail banking channel, for many the ATM representsthe face of banking. Any attacks on a banks ATM have the potential toundermine confidence in its network and brand. Indeed, so high profile isthe ATM that adverse media comment regarding such attacks may alsoimpact upon institutions not directly involved. This recognition that you

    are only as strong as the weakest link has forced banks in a number ofcountries to recognize that this is not a competitive issue and that theimplications of card skimming go beyond immediate financial losses.

    The presence of and potential for card skimming activities presents the banks with a number of communication challenges. The first is the need to communicate the nature of the problem to the media and customers without creating fear and uncertainty. You want to let people know there is a problem, you want them to look out for fraudulent devices, but at the same time you don't want to scare them off using the ATM.

    You also want them to understand that the situation is being addressed by the use of best-practice technology, and this too is something that requires clear communication.

    It is important to communicate how the solution operates and any implications this will have for an ATM's appearance or performance.

    If a fraud prevention device is introduced it will need to be easily identifiable as such in order to increase confidence that the network is protected. There will be a need to educate customers and the media as to its appearance, otherwise there is a danger that people will believe that the fraud prevention device is itself something that has been attached by fraudsters. People will need to know how the prevention device will affect the appearance and operation of the ATM, as indeed will the police.

    Similarly, people will want to know whether a fraud prevention device will have implications for the speed of operation. ATM manufacturers have worked closely with deployers so that ATM performance is not impaired by the introduction of jitter solutions, and on customer education, in particular on the use of screen layouts to verify the appearance of devices that act as a deterrent protrusion.

    It is important to encourage positive action. One thing people can do to lessen the potential impact of skimming is to do everything in their power to protect the PIN, including covering the keypad with their free hand when entering the code.

    Card skimming at the ATM has become an international problem, with professional criminals operating globally. Wherever you are based, the threat is there and your customers' accounts are at risk.

    The introduction of chip and PIN does not necessarily change the point of compromise, since the lack of a globally introduced solution means all cards continue to carry magnetic stripe data for use in non-chip-compliant countries. What has happened is that the location of the actual fraud spend may change. Card account details captured in the UK can be used to withdraw funds in countries with weaker controls.

    1.5. A Call to Action

    The purpose of this guide is to address best practice in the area of ATM card skimming prevention. It will identify skimming types, consider guidelines on preventing skimming and the capture of magnetic stripe data during ATM transactions, and address issues such as cardholder identification and standards.

    For a criminal, possession of the card details is only part of their objective; they also want the means of identifying the cardholder, the PIN. It is therefore important that we consider how customers might best protect this information, but also consider alternative means of customer identification that are not so easily stolen or replicated. Biometric solutions are already applied in a small number of countries and can bring a new dimension to card security.

    A 2009 Harris Interactive Research Study reported that 67 percent of US ATM users would be likely to switch bank after an instance of ATM fraud or data breach. But the problem is that your clients' details can be compromised anywhere in the world where they are able to use the card. Card skimming is an international problem and its prevention requires a consistent global approach.


    Chapter 2. Classification System for ATM Skimming & PIN-Compromise

    The syntax used to classify ATM skimming and PIN-compromise devices and techniques covered in this chapter utilizes a string of alphanumeric designators.

    2.1. ATM Skimming & PIN Compromise Classification

    The highest level designator for ATM skimming is ASK and for PIN-compromise, APC. The second level includes characteristics such as the general type of device, methods used to attach devices and the technical specification of the device. For example, an ATM skimming device overlaying a Swipe reader and attached with double-sided adhesive tape is designated with the following syntax:

    ASK-S1-AM1

    In cases where further details are known about the device, such as its power source, data storage method, communications capability, and activation and encryption methods, the designation string is expanded. For example, if it is known that skimming device ASK-S1-AM1 has integrated rechargeable batteries, stores data on an SD data card, supports Bluetooth, is activated by a switch and encodes the data captured using the Advanced Encryption Standard, the syntax string would be:

    ASK-S1-AM1-PS2-ST3-CD4-AC1-EC2

    2.1.1. ATM Skimming Classification (ASK-)

    The structure of this section is as follows:

    Card Entry Area Skimming Devices (M, S, D, C)

    Internal Skimming Devices (IT, IS)

    Remote & Secondary Near-Proximity Skimming Devices (RS, RD, RH, RE)

    Attachment Methods (AM)

    Power Sources (PS)

    Storage, Communication & Download Capability (ST, CD)

    Activation Methods (AC)

    Encryption Methods (EC)

    Additional Features (FX)

    Capacity & Endurance (actual values used)

    Card Entry Area Skimming Devices

    ATM skimming devices are designed to target specific types of card-activation interface. The four most common card readers used are:

    Motorized card readers are probably the most common type of reader used globally, although in the Americas and elsewhere Swipe and Dip readers are common.

    Skimming devices suitable for targeting motorized readers have various characteristics. They are often designed to be attached directly to the card-entry slot, molded around the entry area or integrated within a false front covering a large area of the fascia. Additional designs include a modified anti-fraud device inhibitor, an overlay or sheath for an anti-fraud inhibitor and a miniature attachment to an anti-fraud inhibitor.

    Swipe reader skimming devices commonly cover the entire genuine swipe reader, mounted above or below (or on the right or left if horizontally mounted) the swipe reader. They are also known to be integrated within a large false fascia front.

    Dip readers targeted by skimming devices are directly attached to the entry slot, molded into an overlay covering the whole Dip reader and integrated within a false front.

    Contactless readers, when targeted with skimming devices, include covers over the contact area.

    Figure 1 below summarizes the types of Card Entry Area Skimming Devices and suggests appropriate classification syntax:

    Motorized Readers
    M1  Directly to card-entry slot
    M2  Molded around entry area
    M3  False front covering larger area
    M4  Modified anti-fraud device inhibitor
    M5  Overlay of anti-fraud inhibitor
    M6  Attachment to anti-fraud inhibitor
    M0  Other

    DIP Readers
    D1  Directly to card-entry slot
    D2  Molded overlay covering DIP reader
    D3  False front covering larger area
    D0  Other

    Swipe Readers
    S1  Overlay covering swipe reader
    S2  Mounted below or left of swipe reader
    S3  Mounted above or right of swipe reader
    S4  False front covering larger area
    S0  Other

    Contactless Readers
    C1  Overlay covering contactless reader
    C0  Other

    Source: DFR Risk Management Ltd.

    Figure 1. Card Entry Area Skimming Device suggested classification syntax summary


    Internal Skimming Devices

    A more sophisticated method of ATM skimming involves internal compromise of the ATM card reader module or the internal ATM system. Most motorized card readers have a magnetic flux detector known as the pre-head, which is located externally to the card reader shutter and is intended to activate the shutter only when a magnetic card is presented to the card reader entry slot. The pre-head is, in most cases, an actual magnetic stripe read head.

    Pre-head tap skimmers connect to the pre-head contact terminals and use the pre-head to obtain the magnetic stripe data during card entry and card eject.

    With access to the actual card reader module, criminals are able to attach a read head tap skimmer directly to the terminals of the genuine magnetic stripe read head. Printed circuit board (PCB) parasites and internal data line taps added to the card reader's electronics skim the magnetic stripe data.

    Additional internal skimming attacks include compromise of the internal communication system which carries card data from the card reader module to the ATM's processor. Malicious software (Malware / Trojan) is capable of obtaining non-encrypted card data within the ATM system.

    Figure 2 below summarizes internal skimming methods.

    Internal Compromise of Card Reader
    IT1  Pre-head tap
    IT2  Read head tap
    IT3  Card reader PCB parasite
    IT4  Card reader data line tap
    IT0  Other

    Internal Compromise of ATM System
    IS1  Internal communications tap
    IS2  Software / Malware / Trojan
    IS0  Other

    Source: DFR Risk Management Ltd.

    Figure 2. Internal skimming method summary

    Remote & Secondary Near-Proximity Skimming Devices

    This category covers ATM skimming devices in close proximity to the targeted ATM.

    Secondary Swipe and Dip readers are used to skim card data prior to the consumer using their card to commence a transaction. Typical methods include Swipe or Dip readers attached to the access door to the ATM location (door-access skimmers), apparent card-cleaning devices, as well as devices purported to validate or activate cards prior to being used at an ATM. Variants include devices attached to the ATM surround and stand-alone terminals close beside the ATM.

    Hand-held skimming devices are used by criminals to copy consumers' cards while the criminal obtains temporary access to the card. Modus operandi include distraction methods and pick-pocketing.

    Tapping external modems, telephone-line connectors and local communication hubs are additional methods used to obtain card data in close proximity to an ATM.

    Figure 3 summarizes remote and secondary near-proximity skimming techniques.

    Secondary Swipe Devices
    RS1  Door-access skimmer
    RS2  Card-cleaning device
    RS3  Card activation / validation device
    RS4  Stand-alone terminal
    RS0  Other

    Secondary DIP Devices
    RD1  Door-access skimmer
    RD2  Card-cleaning device
    RD3  Card activation / validation device
    RD4  Stand-alone terminal
    RD0  Other

    Hand-held Skimming Device
    RH1  Pocket-sized skimmer
    RH0  Other

    External Modem / Communications Hub
    RE1  Modem tap
    RE2  Telephone-exchange tap
    RE3  Communication-hub tap
    RE4  Wi-Fi intercept
    RE0  Other

    Source: DFR Risk Management Ltd.

    Figure 3. Remote and secondary near-proximity skimming technique summary

    Attachment Methods and Power Sources

    Double-sided adhesive tape is a common method of attaching many external ATM skimming devices, as is glue or liquid adhesive. Physically attaching skimming devices is also achieved by screwing, bolting and welding (fusing) devices to the ATM fascia. Molded overlay skimmers often rely on friction to remain attached to the ATM card reader.

    ATM skimming devices are powered by various means, including integrated rechargeable and non-rechargeable batteries, separate battery packs, power taps from the ATM itself, as well as other continuous power sources.

    Figure 4 summarizes attachment methods and common power sources.

    Attachment Method
    AM1  Adhesive tape
    AM2  Glue
    AM3  Screw / bolt
    AM4  Friction fit
    AM5  Weld / fuse

    Power Source
    PS1  Integrated non-rechargeable batteries
    PS2  Integrated rechargeable batteries
    PS3  Separate battery pack
    PS4  From ATM power
    PS5  From other constant power source

    Source: DFR Risk Management Ltd.

    Figure 4. Attachment methods and common power source summary

    Storage, Communication and Download Capabilities

    ATM skimming devices utilize a number of card data storage methods, from integrated memory chips to local SD data cards and MP3 recorders. Some, however, have no local storage capability.

    Data is downloaded from skimming devices using integrated sockets (such as USB), analogue radio transmitters and digital communications protocols such as Bluetooth, Wi-Fi and SMS, among others.


    Figure 5 summarizes the storage capability of ATM skimmers and the various communication and download technologies.

    Storage
    ST1  None
    ST2  Local integrated chip
    ST3  Local data / SD card
    ST4  MP3 / MP4 (or equivalent) recorder
    ST5  Cell phone storage
    ST0  Other

    Communication & Download
    CD1  None
    CD2  Socket / USB
    CD3  Analogue RF
    CD4  Bluetooth
    CD5  Wi-Fi (802.11)
    CD6  SMS / MMS / Text
    CD7  GSM / Data
    CD8  Digital RF (non-specific)
    CD0  Other

    Source: DFR Risk Management Ltd.

    Figure 5. Storage capability of ATM skimmers, communication and download summary

    Activation and Encryption

    ATM skimming devices are limited in how long they can remain unserviced, based upon various parameters including whether they are powered continuously or only activated when required. Activation methods include proximity-detection, remote control and card-initiated.

    The ability to interrogate a skimmer, once recovered, might be inhibited by the use of encryption. One of the most popular designs of skimming device supports Advanced Encryption Standard (AES) protection, which makes analysis of the card data actually compromised by the skimmer very difficult.

    Figure 6 summarizes activation and encryption.

    Activation
    AC1  Always on (switched)
    AC2  Proximity detector
    AC3  Remote control
    AC4  Card activated
    AC0  Other

    Encryption
    EC1  None
    EC2  AES
    EC0  Other

    Source: DFR Risk Management Ltd.

    Figure 6. Activation and encryption summary

    Additional Features, Capacity and Endurance

    Some ATM skimmers have additional features such as integrated cameras (for PIN-compromise), a radio receiver to receive PIN data from a PIN-compromise device and motorized transports to provide a smooth consumer interface. Electromagnetic screening is used to attempt to defeat anti-skimming devices that disrupt the skimmer's ability to record card data.

    The maximum endurance from the power source, and the maximum number of cards whose data can be captured, are important characteristics of ATM skimming devices.

    Figure 7 provides a reminder of some additional features of ATM skimming devices and the important statistics of endurance and capacity.

    Features
    FX1  Integrated camera
    FX2  Receiver for PIN-compromise device
    FX3  Screened for anti-skimming interference
    FX4  Motorized card transport
    FX0  Other

    Capacity & Endurance (actual values used)
    Maximum endurance from power supply
    Maximum number of cards' data stored
    Other

    Source: DFR Risk Management Ltd.

    Figure 7. Feature, capacity & endurance summary

    2.1.2. ATM PIN-Compromise Classification (APC-)

    The structure of this section is as follows:

    External PIN-Compromise Devices (SC, TC, KB, SV)

    Internal PIN-Compromise Devices (IP, IS)

    Remote & Secondary PIN-Compromise Devices (RC, RK)

    Attachment Methods (AM)

    Power Sources (PS)

    Storage, Communications & Download Capability (ST, CD)

    Activation (AC)

    Encryption (EC)

    Additional Features (FP)

    Capacity and Endurance (actual values used)

    External PIN-Compromise Devices

    There are three primary methods of obtaining the PIN at, but external to, an ATM.

    The first method involves the use of different types of cameras. Spy cameras have the specific and limited purpose of covert filming. Cell phone cameras are often adapted and disguised for covert filming, as are compact digital and analogue video cameras.

    The positioning of the camera is restricted in that line-of-sight with the ATM keyboard is required to ensure accurate observation of the PIN being entered. Some locations are more favored than others, as interference from objects, including the victim's person, has an impact on the percentage of PINs successfully compromised.


    One of the most favored locations for many models of ATM is the light panel or light diffuser, which is often directly above the ATM keyboard. False panels are also used to disguise cameras and may be positioned above, left or right of the ATM keyboard.

    In environments where it is common to have advertising leaflet boxes in close proximity to the ATM, they are modified to conceal one or more cameras. Other additions to the ATM which are utilized to disguise cameras include safety or rear-view mirrors.

    Where ATMs are installed with a canopy to provide shelter from sunlight and rain, cameras are often hidden in the canopy.

    Some ATM skimming devices are packaged with an integrated camera.

    The second method of PIN-compromise is fake keyboards and keyboard overlays. Often these devices still allow the genuine keyboard to be activated when the PIN is entered on the PIN-compromise device. Sizes of device vary from almost an exact size-match with the genuine keyboard, through a full fake-keyboard shelf, to a false front covering a large area of the ATM fascia.

    The third method involves a less technical approach and can be characterized as personal or human surveillance. Covert shoulder-surfing, which involves the perpetrator looking over the shoulder of the victim as they enter their PIN, is one of the most popular personal surveillance techniques. Shoulder-surfing may also be more overt and includes the perpetrator pretending to be helpful to the victim (the "helpful stranger" approach).

    Long-range lenses, including telescopes and binoculars, are also used to observe PIN entry, as are strategically positioned mirrors or the exploitation of particular angles which allow the reflection of the keyboard to be observed. Even differently colored dust is used to compromise PINs.

    Figure 8 summarizes common external PIN-compromise methods.

    Camera Location & Packaging
    SC1  In light diffuser / light panel
    SC2  In leaflet box
    SC3  In false panel above PIN pad
    SC4  In false panel right of PIN pad
    SC5  In false panel left of PIN pad
    SC6  In safety mirror
    SC7  In sun / rain canopy
    SC8  Integrated with skimmer
    SC0  Other

    Keyboard
    KB1  Exact-size keyboard overlay
    KB2  Shelf / full-panel keyboard overlay
    KB3  False-front covering larger area
    KB0  Other

    Camera Type
    TC1  Spy camera
    TC2  Cell phone camera
    TC3  Video camera
    TC0  Other

    Surveillance
    SV1  Shoulder surfing - covert
    SV2  Shoulder surfing - assist victim
    SV3  Long-range lens / telescope
    SV4  Mirror
    SV5  Colored dust
    SV6  Advertising panel reflection
    SV0  Other

    Source: DFR Risk Management Ltd.

    Figure 8. Common external PIN compromise method summary

    Internal PIN-Compromise Devices

    Technically expert PIN-compromise perpetrators, with access to the internals of the targeted ATM, can add an electronic tap or parasite device to the interior of the ATM keyboard, tap (and, if required, reposition) the integrated ATM security camera, compromise the internal communications of the ATM, and introduce or modify software (Malware / Trojans).

    Figure 9 summarizes methods of internal PIN-compromise.

    Internal Compromise of Modules
    IP1  ATM integrated security camera tap
    IP2  Internal keyboard tap
    IP0  Other

    Internal Compromise of ATM System
    IS1  Internal communications tap
    IS2  Software / Malware / Trojan
    IS0  Other

    Source: DFR Risk Management Ltd.

    Figure 9. Common internal PIN compromise method summary

    Remote & Secondary PIN-Compromise Devices

    Remotely positioned spy cameras are occasionally used to observe PIN entry, as are genuine CCTV security cameras, which either have their video feed intercepted or are exploited by someone with access to the monitoring station.

    Keyboards positioned at the entry door to the ATM location and the installation of fake PIN activation or validation terminals are further methods of obtaining the PIN.

    Figure 10 summarizes remote and secondary PIN-compromise devices.

    Remote Cameras
    RC1  ATM location CCTV
    RC2  ATM location spy camera
    RC0  Other

    Remote Keyboards
    RK1  Door-entry keyboard
    RK2  PIN-activation / validation keyboard
    Stand-alone terminal (no code given in the source)
    RK0  Other

    Source: DFR Risk Management Ltd.

    Figure 10. Remote and secondary PIN-compromise device summary


    Attachment Methods and Power Sources

    In a similar way to ATM skimming devices, the attachment methods for PIN-compromise devices include double-sided adhesive tape, glue or liquid adhesive, screwing, bolting, welding (fusing) and friction.

    ATM PIN-compromise devices are powered by various means, including integrated rechargeable and non-rechargeable batteries, separate battery packs, power taps from the ATM itself, as well as other continuous power sources.

    Figure 11 summarizes attachment methods and common power sources.

    Attachment Method
    AM1  Adhesive tape
    AM2  Glue
    AM3  Screw / bolt
    AM4  Friction fit
    AM5  Weld / fuse
    AM0  Other

    Power Source
    PS1  Integrated non-rechargeable batteries
    PS2  Integrated rechargeable batteries
    PS3  Separate battery pack
    PS4  From ATM power
    PS5  From other constant power source
    PS0  Other

    Source: DFR Risk Management Ltd.

    Figure 11. Attachment methods and common power source summary

    Storage, Communication and Download Capabilities

    ATM PIN-compromise devices utilize a number of card-data storage methods, from integrated memory chips to local SD data cards and MP3 and MP4 recorders. Some, however, have no local storage capability.

    Data is downloaded from PIN-compromise devices using integrated sockets (such as USB), analogue radio transmitters and digital communications protocols such as Bluetooth, Wi-Fi and SMS, among others.

    Figure 12 summarizes the storage capability of PIN-compromise devices and the various communication and download capabilities.

    Storage
    ST1  None
    ST2  Local integrated chip
    ST3  Local data / SD card
    ST4  MP3 / MP4 or equivalent recorder
    ST5  Cell phone camera storage
    ST0  Other

    Communications & Download
    CD1  None
    CD2  Socket / USB
    CD3  Analogue RF
    CD4  Bluetooth
    CD5  Wi-Fi (802.11)
    CD6  SMS / MMS / Text
    CD7  GSM / Data
    CD8  Digital RF (non-specific)
    CD0  Other

    Source: DFR Risk Management Ltd.

    Figure 12. Storage, communications, and download summary


    Activation and Encryption

    As with ATM skimming devices, PIN-compromise devices are limited in how long they can remain unserviced, based upon various parameters including whether they are powered continuously or only activated when required. Activation methods include proximity-detection, remote control and transaction-initiated.

    The ability to interrogate a PIN-compromise device, once recovered, might be inhibited by the use of encryption. Standards supported include the Advanced Encryption Standard (AES), which makes analysis of PIN data very difficult.

    Figure 13 summarizes activation and encryption.

    Activation
    AC1  Always on (switched)
    AC2  Proximity detector
    AC3  Remote control
    AC4  Card / transaction activated
    AC0  Other

    Encryption
    EC1  None
    EC2  AES
    EC3  DES
    EC4  3DES
    EC0  Other

    Source: DFR Risk Management Ltd.

    Figure 13. Activation and encryption summary

    Additional Features, Capacity, and Endurance

    Some PIN-compromise devices have additional features such as integrated skimmers and a radio receiver to receive card data from a skimming device.

    The maximum endurance from the power source, and the maximum number of PIN data that can be captured, are important characteristics of ATM PIN-compromise devices.

    Figure 14 provides a reminder of some additional features of PIN-compromise devices and the important statistics of endurance and capacity.

    Features
    FP1  Integrated skimmer
    FP2  Receiver for skimming device
    FP0  Other

    Capacity & Endurance (actual values used)
    Maximum endurance from power supply
    Maximum number of PIN data stored
    Other

    Source: DFR Risk Management Ltd.

    Figure 14. Additional PIN-compromise device feature summary


    2.2. Case Studies: Examples of ATM Skimming Devices

    Example 1: Sofia Skimmer

    The Sofia skimmer is a sophisticated and miniaturized device which originates from Bulgaria, and is the most common type of ATM skimming device favored by Eastern European organized crime. Some models of Sofia skimmer store the card data locally in an encrypted format which makes analysis all but impossible for most forensic labs. Other models utilize a miniature analogue RF transmitter modeled on a "bug" or listening device.

    ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0

    The above example of Sofia skimmer has the following identified characteristics:

    Targeted at Motorized card readers and fitted directly to the card entry slot (ASK-M1)

    Attached with adhesive tape (AM1)

    Powered by integrated non-rechargeable batteries (PS1)

    Integrated chip used for local storage (ST2)

    Miniature sockets used to connect for download of data (CD2)

    Activated (switched on) using a switch (AC1)

    Non-standard encryption used to protect from interrogation (EC0)

    Example 2: Skimmer Covering Receipt Slot

    To facilitate the ability to disguise larger devices and separate power supplies, it is common for the skimmer to not only cover the card entry slot, but also larger areas of the fascia. In this example, the skimmer covers the receipt slot.

    ASK-M3-AM1-PS3-ST1-CD3-AC1-EC1

    The above example has the following known characteristics:

    Targeted at Motorized card readers, packaged into a false front covering a larger area (ASK-M3)

    Attached with adhesive tape (AM1)

    Powered by separate battery pack (PS3)

    No identified local storage (ST1)

    Transmits card data using analogue RF transmitter (CD3)

    Activated by a switch (AC1)

    No encryption (EC1)


    Example 3: False Keyboard and Shelf

    This example of a false keyboard integrated into a false shelf allows space to conceal power and cell phone electronics.

    APC-KB2-AM1-PS3-CD7

    The above example has the following known characteristics:

    False keyboard integrated into full shelf (APC-KB2)

    Attached with adhesive tape (AM1)

    Separate battery pack (PS3)

    GSM cell phone used to transmit PIN data (CD7)

    Example 4: RF Pin-hole Spy Camera Above Keyboard

    This is an example of an analogue RF spy camera attached above an ATM keyboard:

    APC-SC3-TC1-AM1-PS3-ST1-CD3-AC1

    The above example has the following known characteristics:

    Camera in panel above keyboard (APC-SC3)

    Spy camera (TC1)

    Attached with adhesive tape (AM1)

    Separate battery pack (PS3)

    No local storage (ST1)

    Sends image of PIN entry via analogue RF transmitter (CD3)

    Activated by switch (AC1)


    Example 5: Skimmer Molded Around Card-entry Slot

    This is an example of a skimmer that is molded to fit around the entry slot:

    ASK-M2

    Details available about the above example are limited, hence the short designator string.

    Example 6: Dip Skimmer Molded to Cover Genuine DIP Reader

    ASK-D2-AM1-ST2-PS3-CD2

    The above example has the following known characteristics:

    Targeted at Dip readers and designed to cover the genuine reader (ASK-D2)

    Attached with adhesive tape (AM1)

    Local storage of data on the board (ST2)

    Separate battery pack within skimmer case (PS3)

    Sockets for download of data (CD2)
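    The designator syntax introduced in section 2.1 and used in the case studies above lends itself to mechanical decoding: an investigator logging recovered devices wants each string checked against the code tables rather than read by eye, so that a code used with the wrong top-level designator, a repeated element or a code the tables never defined is caught at entry time. The Python decoder below is an added example, not code from the ATMIA guide or from DFR Risk Management. Its code table is transcribed from Figures 1 to 14 and section 2.3 (all attribute codes, plus the device-type codes the case studies use); the helper names decode, is_valid and describe are this example's own.

```python
"""Decoder/validator for the ATMIA ASK-/APC- classification designator strings.
Added example, not code from the ATMIA guide. The code table is transcribed from the
guide's Figures 1-14 and section 2.3 (all attribute codes, plus the device-type codes
the section 2.2 case studies use); codes outside the table are rejected, not guessed."""
import re

TOP_LEVEL = {"ASK": "ATM skimming device", "APC": "PIN-compromise device"}

# prefix -> (top-level it belongs to, "*" = both; category; digit -> method). Digit 0 is always "Other".
CODES = {
    # Device-type prefixes: exactly one must directly follow ASK or APC.
    "M": ("ASK", "Motorized readers", {"1": "Directly to card-entry slot",
          "2": "Molded around entry area", "3": "False front covering larger area",
          "4": "Modified anti-fraud device inhibitor", "5": "Overlay of anti-fraud inhibitor",
          "6": "Attachment to anti-fraud inhibitor"}),
    "S": ("ASK", "Swipe readers", {"1": "Overlay covering swipe reader",
          "2": "Mounted below or left of swipe reader",
          "3": "Mounted above or right of swipe reader", "4": "False front covering larger area"}),
    "D": ("ASK", "DIP readers", {"1": "Directly to card-entry slot",
          "2": "Molded overlay covering DIP reader", "3": "False front covering larger area"}),
    "C": ("ASK", "Contactless readers", {"1": "Overlay covering contactless reader"}),
    "SC": ("APC", "Camera location & packaging", {"1": "In light diffuser / light panel",
           "2": "In leaflet box", "3": "In false panel above PIN pad",
           "4": "In false panel right of PIN pad", "5": "In false panel left of PIN pad",
           "6": "In safety mirror", "7": "In sun / rain canopy", "8": "Integrated with skimmer"}),
    "KB": ("APC", "Keyboard", {"1": "Exact-size keyboard overlay",
           "2": "Shelf / full-panel keyboard overlay", "3": "False-front covering larger area"}),
    # Secondary descriptor and attribute prefixes.
    "TC": ("APC", "Camera type", {"1": "Spy camera", "2": "Cell phone camera", "3": "Video camera"}),
    "AM": ("*", "Attachment method", {"1": "Adhesive tape", "2": "Glue", "3": "Screw / bolt",
           "4": "Friction fit", "5": "Weld / fuse"}),
    "PS": ("*", "Power source", {"1": "Integrated non-rechargeable batteries",
           "2": "Integrated rechargeable batteries", "3": "Separate battery pack",
           "4": "From ATM power", "5": "From other constant power source"}),
    "ST": ("*", "Storage", {"1": "None", "2": "Local integrated chip", "3": "Local data / SD card",
           "4": "MP3 / MP4 (or equivalent) recorder", "5": "Cell phone storage"}),
    "CD": ("*", "Communications & download", {"1": "None", "2": "Socket / USB", "3": "Analogue RF",
           "4": "Bluetooth", "5": "Wi-Fi (802.11)", "6": "SMS / MMS / Text", "7": "GSM / Data",
           "8": "Digital RF (non-specific)"}),
    "AC": ("*", "Activation", {"1": "Always on (switched)", "2": "Proximity detector",
           "3": "Remote control", "4": "Card / transaction activated"}),
    "EC": ("*", "Encryption", {"1": "None", "2": "AES", "3": "DES", "4": "3DES"}),
    "FX": ("ASK", "Features", {"1": "Integrated camera", "2": "Receiver for PIN-compromise device",
           "3": "Screened for anti-skimming interference", "4": "Motorized card transport"}),
    "FP": ("APC", "Features", {"1": "Integrated skimmer", "2": "Receiver for skimming device"}),
}
DEVICE_TYPES = {"M", "S", "D", "C", "SC", "KB"}
TOKEN = re.compile(r"^([A-Z]{1,2})(\d)$")  # letter prefix plus one digit, e.g. "AM1", "SC3"


def decode(designator):
    """Parse 'ASK-S1-AM1-PS2-ST3-CD4-AC1-EC2' into (top_level, [(code, category, method), ...]).

    Raises ValueError for an unknown top-level, an unknown prefix or digit, a prefix used
    with the wrong top-level, a repeated prefix, or a second element that is not a device type.
    """
    parts = designator.strip().upper().split("-")
    if len(parts) < 2 or parts[0] not in TOP_LEVEL:
        raise ValueError(f"expected ASK- or APC- followed by a device code: {designator!r}")
    top, fields, seen = parts[0], [], set()
    for i, tok in enumerate(parts[1:]):
        m = TOKEN.match(tok)
        if not m or m.group(1) not in CODES:
            raise ValueError(f"unknown code {tok!r} in {designator!r}")
        prefix, digit = m.groups()
        scope, category, methods = CODES[prefix]
        if scope not in ("*", top):
            raise ValueError(f"{tok} is not valid in a {top}- string")
        if i == 0 and prefix not in DEVICE_TYPES:
            raise ValueError(f"second element must be a device-type code, got {tok!r}")
        if prefix in seen:
            raise ValueError(f"duplicate {prefix} code in {designator!r}")
        seen.add(prefix)
        method = "Other" if digit == "0" else methods.get(digit)
        if method is None:
            raise ValueError(f"{tok} is not defined in the guide's tables")
        fields.append((tok, category, method))
    return top, fields


def is_valid(designator):
    """True if the string decodes cleanly under the guide's tables."""
    try:
        decode(designator)
        return True
    except ValueError:
        return False


def describe(designator):
    """Render a designator as one 'CODE  Category: Method' line per element."""
    top, fields = decode(designator)
    lines = [f"{top}  {TOP_LEVEL[top]}"]
    lines += [f"{code:<4} {category}: {method}" for code, category, method in fields]
    return "\n".join(lines)


if __name__ == "__main__":
    # The guide's own case-study strings (section 2.2, Examples 1 and 4).
    for s in ("ASK-M1-AM1-PS1-ST2-CD2-AC1-EC0", "APC-SC3-TC1-AM1-PS3-ST1-CD3-AC1"):
        print(describe(s), end="\n\n")
```

    Running the module prints the decoded Example 1 and Example 4 strings. The decoder accepts attribute elements in any order after the device type, because the guide's own examples do not use a fixed order (Example 6, ASK-D2-AM1-ST2-PS3-CD2, places ST before PS, the reverse of Examples 1 and 2); it does insist that the element immediately after ASK or APC be a device-type code, since every example on the page follows that rule and a string without a device type describes nothing.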


    2.3. Codes for ASK and APC Syntax

    The following table lists the ASK and APC syntax codes.

    Code  Type  Method

    AC1 Activation Always on (switched)

    AC2 Activation Proximity detector

    AC3 Activation Remote control

    AC4 Activation Card / transaction activated

    AC0 Activation Other

    AM1 Attachment Method Adhesive tape

    AM2 Attachment Method Glue

    AM3 Attachment Method Screw / Bolt

    AM4 Attachment Method Friction fit

    AM5 Attachment Method Weld / Fuse

    AM0 Attachment Method Other

    C1 Contactless Readers Overlay covering contactless reader

    C0 Contactless Readers Other

    CD1 Communications & Download None

    CD2 Communications & Download Socket / USB

    CD3 Communications & Download Analogue RF

    CD4 Communications & Download Bluetooth

    CD5 Communications & Download Wi-Fi (802.11)

    CD6 Communications & Download SMS / MMS / Text

    CD7 Communications & Download GSM / Data

    CD8 Communications & Download Digital RF (non specific)

    CD0 Communications & Download Other

    D1 DIP Readers Directly to card entry slot

    D2 DIP Readers Molded overlay covering DIP reader

    D3 DIP Readers False front covering larger area

    D0 DIP Readers Other

    EC1 Encryption None

    EC2 Encryption AES

    EC3 Encryption DES

    EC4 Encryption 3DES

    EC0 Encryption Other

    FP1 Features (APC) Integrated skimmer

    FP2 Features (APC) Receiver for skimming device

    FP0 Features (APC) Other

    FX1 Features (ASK) Integrated camera

    FX2 Features (ASK) Receiver for PIN compromise device

  • 7/27/2019 Best Practices for Preventing Skimming Published Version 09

    30/48

    Best Practices for Preventing ATM Skimming

    Copyright 2009 ATMIA | All Rights Reserved | www.atmia.com

    Page 30 of 48

    Code Type Method

    FX3 Features (ASK) Screened for anti-skimming interference

    FX4 Features (ASK) Motorized card transport

    FX0 Features (ASK) Other

    IP1 Internal Compromise of Modules(APC)

    ATM integrated security camera tap

    IP2 Internal Compromise of Modules(APC)

    Internal keyboard tap

    IP0 Internal Compromise of Modules(APC)

    Other

    IS1 Internal Compromise of ATM System Internal communications tap

    IS2 Internal Compromise of ATM System Software / Malware / Trojan

    IS0 Internal Compromise of ATM System Other

    IT1 Internal Compromise of Card Reader Pre-head tap

    IT2 Internal Compromise of Card Reader Read head tap

    IT3 Internal Compromise of Card Reader Card reader PCB parasite

    IT4 Internal Compromise of Card Reader Card reader data line tap

    IT0 Internal Compromise of Card Reader Other

    KB1 Keyboard Exact-size keyboard overlay

    KB2 Keyboard Shelf / full-panel keyboard overlay

    KB3 Keyboard False-front covering larger area

    KB0 Keyboard Other

    M1 Motorized Readers Directly to card entry slot

    M2 Motorized Readers Molded around entry areaM3 Motorized Readers False front covering larger area

    M4 Mot orized Readers Modified anti-f raud device inhibit or

    M5 Motorized Readers Overlay of anti-fraud inhibitor

    M6 Mot orized Readers Attachment t o anti-fraud inhibit or

    M0 Motorized Readers Other

    PS1 Power Source Integrated non-rechargeable batteries

    PS2 Power Source Integrated rechargeable batteries

    PS3 Power Source Separate battery pack

    PS4 Power Source From ATM power

    PS5 Power Source From other constant power source

    PS0 Power Source Other

    RC1 Remote Cameras ATM location CCTV

    RC2 Remote Cameras ATM location spy camera

    RC0 Remote Cameras Other

    RD1 Secondary DIP devices Door-access skimmer

    RD2 Secondary DIP devices Card cleaning device

    RD3 Secondary DIP devices Card activation / validation device

    RD4 Secondary DIP devices Stand alone terminal

  • 7/27/2019 Best Practices for Preventing Skimming Published Version 09

    31/48

    Best Practices for Preventing ATM Skimming

    Copyright 2009 ATMIA | All Rights Reserved | www.atmia.com

    Page 31 of 48

    Code Type Method

    RD0 Secondary DIP devices Other

    RE1 External modem / communicationshub

    Modem tap

    RE2 External modem / communications

    hub

    Telephone exchange tap

    RE3 External modem / communicationshub

    Communication hub tap

    RE4 External modem / communicationshub

    Wi-Fi intercept

    RE0 External modem / communicationshub

    Other

    RH1 Hand-held skimming device Pocket sized skimmer

    RH0 Hand-held skimming device Other

    RK1 Remote Keyboards Door-entry keyboard

    RK2 Remot e Keyboards PIN-activation / validation keyboard

    RK3 Remote Keyboards Stand-alone terminal

    RK0 Remote Keyboards Other

    RS1 Secondary swipe devices Door-access skimmer

    RS2 Secondary swipe devices Card cleaning device

    RS3 Secondary swipe devices Card activation / validation device

    RS4 Secondary swipe devices Stand alone t erminal

    RS0 Secondary swipe devices Other

    S1 Swipe Readers Overlay covering swipe reader

    S2Swipe Readers Mounted below or left of swipe reader

    S3 Swipe Readers Mounted above or right of swipe reader

    S4 Swipe Readers False front covering larger area

    S0 Swipe Readers Other

    ST1 Storage None

    SC1 Camera Location & Packaging In light diffuser / light panel

    SC2 Camera Location & Packaging In leaflet box

    SC3 Camera Location & Packaging In false panel above PIN pad

    SC4 Camera Location & Packaging In false panel right of PIN pad

    SC5 Camera Location & Packaging In false panel left of PIN pad

    SC6 Camera Location & Packaging In safety mirror

    SC7 Camera Location & Packaging In sun / rain canopy

    SC8 Camera Location & Packaging Integrated with skimmer

    SC0 Camera Location & Packaging Other

    ST5 Storage Cell phone storage

    ST0 Storage Other

    SV1 Surveillance Shoulder surfing - covert

    SV2 Surveillance Shoulder surfing assist victim

    SV3 Surveillance Long-range lens / telescope

  • 7/27/2019 Best Practices for Preventing Skimming Published Version 09

    32/48

    Best Practices for Preventing ATM Skimming

    Copyright 2009 ATMIA | All Rights Reserved | www.atmia.com

    Page 32 of 48

    Code Type Method

    SV4 Surveillance Mirror

    SV5 Surveillance Colored dust

    SV6 Surveillance Advertising panel reflection

    SV0 Surveillance Other

    TC1 Camera Type Spy camera

    TC2 Camera Type Cell phone camera

    TC3 Camera Type Video camera

    TC0 Camera Type Other
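The designator strings in Examples 5 and 6 are built from the codes in the table above. The decoder below is an added example, not part of the ATMIA document; it carries only a subset of the table (transcribed here, plus ST2 from Example 6) and is meant for turning field reports such as ASK-D2-AM1-ST2-PS3-CD2 back into the attribute list the document gives, while flagging codes it does not know and two codes of one type that contradict each other.

```python
"""Decoder for ASK/APC designator strings such as ASK-D2-AM1-ST2-PS3-CD2.

Hypothetical helper, not part of the ATMIA document.  CODES holds a subset of
the Section 2.3 code table (plus ST2 from Example 6); extend it with the rest
of the table as needed.
"""
import re
from dataclasses import dataclass, field

# Subset of the Section 2.3 table: code -> (type, method).  The "0" suffix
# always means "Other" for that type.
CODES = {
    "AC1": ("Activation", "Always on (switched)"),
    "AC4": ("Activation", "Card / transaction activated"),
    "AM1": ("Attachment Method", "Adhesive tape"),
    "AM2": ("Attachment Method", "Glue"),
    "CD2": ("Communications & Download", "Socket / USB"),
    "CD4": ("Communications & Download", "Bluetooth"),
    "D2":  ("DIP Readers", "Molded overlay covering DIP reader"),
    "KB1": ("Keyboard", "Exact-size keyboard overlay"),
    "M2":  ("Motorized Readers", "Molded around entry area"),
    "PS3": ("Power Source", "Separate battery pack"),
    "SC8": ("Camera Location & Packaging", "Integrated with skimmer"),
    "ST1": ("Storage", "None"),
    "ST2": ("Storage", "Local storage of data on the board"),
}

FAMILIES = ("ASK", "APC")                # designator prefixes used in the document
CODE_RE = re.compile(r"^[A-Z]{1,2}\d$")  # one or two letters plus a single digit


@dataclass
class Designator:
    family: str
    attributes: list = field(default_factory=list)  # (code, type, method)
    unknown: list = field(default_factory=list)     # codes not in the table
    conflicts: list = field(default_factory=list)   # two codes of the same type


def parse_designator(text: str) -> Designator:
    """Split a designator, validate its family prefix and look each code up."""
    parts = text.strip().upper().split("-")
    family, codes = parts[0], parts[1:]
    if family not in FAMILIES:
        raise ValueError(f"unknown designator family {family!r}")
    if not codes:
        raise ValueError("designator carries no attribute codes")
    result = Designator(family)
    first_code_of_type = {}
    for code in codes:
        entry = CODES.get(code) if CODE_RE.match(code) else None
        if entry is None:
            result.unknown.append(code)
            continue
        ctype, method = entry
        # A second code of one type (e.g. taped AND glued) is a reporting error.
        if ctype in first_code_of_type:
            result.conflicts.append((first_code_of_type[ctype], code))
        else:
            first_code_of_type[ctype] = code
        result.attributes.append((code, ctype, method))
    return result


def describe(text: str) -> list:
    """Human-readable lines in the style of the document's Example 6 breakdown."""
    d = parse_designator(text)
    lines = [f"{d.family} designator with {len(d.attributes)} known attribute(s)"]
    lines += [f"{ctype}: {method} ({code})" for code, ctype, method in d.attributes]
    lines += [f"Unknown code: {code}" for code in d.unknown]
    lines += [f"Conflicting codes of one type: {a} and {b}" for a, b in d.conflicts]
    return lines


if __name__ == "__main__":
    for line in describe("ASK-D2-AM1-ST2-PS3-CD2"):
        print(line)
```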


    Chapter 3. PCI Guidelines on Preventing Skimming

    3.1. What/Who is PCI?

    The Payment Card Industry Security Standards Council (PCI SSC) is an independent standards body formed by five of the major card brands (Visa, MasterCard, JCB, American Express, and Discover). This council was formed to create, maintain, and manage various standards that govern the security of payment card transactions.

    PCI SSC does not set mandates for compliance with the standards that it maintains; it only manages the process for issuing, maintaining, and updating the standards. It is up to the individual card brands that formed the PCI SSC to issue such mandates on how, when, and by whom compliance with the PCI standards must be met.

    3.2. The PCI Standards

    At the time of writing, PCI SSC manages three different standards:

    - PCI PIN Transaction Security (PCI PTS)
    - PCI Payment Application Data Security Standard (PCI PA DSS)
    - PCI Data Security Standard (PCI DSS)

    In addition to these standards, a PCI PIN audit security program also exists, but this is currently maintained independently by Visa and MasterCard, not by PCI SSC (although this is expected to change within the next few years). These different standards address different aspects of the payment process.

    PCI PTS

    PCI PTS is actually a series of standards that address the security of the hardware and firmware into which customer PINs are entered and encrypted during a transaction.


    At the time of writing, the following standards exist under the PCI PTS program:

    - PCI POS PED addresses the security of PIN Entry Devices (PEDs) that are operated within an attended shop style environment.
    - PCI EPP covers the security of Encrypting PIN Pads (EPPs) that are used to enter and encrypt PINs within larger, generally unattended, devices such as ATMs, ticketing machines, fuel dispensers, etc.
    - PCI UPT covers the overall security of such larger unattended devices as those noted above, with the exception of ATMs.
    - PCI ATM covers the security of unattended devices that provide for the withdrawal or deposit of cash. At the time of writing, this standard is under development and has not yet been published.
    - PCI HSM addresses the security of Hardware Security Modules (HSMs) that are used to generate, re-encrypt (or translate), or verify customer PINs, or to manage the keys used in PIN Entry Devices which encrypt customer PINs directly.

    PCI PA DSS

    PCI PA DSS provides a set of security requirements for software that is involved in the authorization or settlement of payment transactions. This standard was created to ensure that such software does not prevent any company implementing the software from being compliant with the PCI DSS requirements. The scope of PA DSS can include the application software used in payment devices such as ATMs and PIN Entry Devices.

    PCI DSS

    PCI DSS is an umbrella standard that essentially covers any areas which are not directly covered by the other PCI standards. Any system that stores, processes, or transmits payment card data is in scope of the PCI DSS requirements. This standard provides a set of best practice guidelines for how any system and business that handles payment card data should provide security to this data.

    PCI PIN

    Finally, the PCI PIN standard is an audit program that confirms the key management practices for cryptographic keys that are used to encrypt customer PIN data.


    3.3. How Do the PCI Standards Address Skimming?

    As the various PCI standards cover different aspects of payment transactions, they each assist in preventing skimming in different ways.

    The PCI PTS program is the program that addresses the issue of skimming most directly. Each of the standards that are designed for devices that accept the direct input of payment card data has a requirement to secure the path from the card reader to the security processor within the device. This requirement covers both the path from the Integrated Circuit Card reader (ICCR) and the path from the magnetic strip card reader (MSR).

    Specifically, the PCI PTS requirements for Unattended Payment Terminals (PCI UPT) include the following requirement:

    DTR A11

    It is not feasible to penetrate the UPT to make any additions, substitutions, or modifications to the Magnetic-Stripe Reader or the UPT's hardware or software, in order to determine (e.g., skimming attacks must be prevented) or modify magnetic-stripe track data, without requiring an attack potential of at least 14 per UPT, for identification and initial exploitation, as defined in Appendix B.

    Source: PCI UPT DTRs v1.0, April 2009, page 15

    Similar requirements exist in the PCI POS PED and PCI ATM standards. The above requirement is further clarified with the following statements:

    Countermeasures include, for instance, active detection of skimmers, active disturbance of the skimming process, or notice to the cardholder on what the reader should look like. The protection of the reader may consist of resistance of the UPT cabinet/the reader enclosure against manipulation.

    Skimming attacks to recover payment card data may occur via either the attachment of external devices or attacking other areas (hardware or software) of the UPT. Both must be considered for this requirement.

    Access to the inside of the UPT for routine maintenance (e.g., replenishing paper) shall not allow access to clear-text account data, e.g., by making cabling which transmits the data physically inaccessible to routine maintenance personnel or encrypting the sensitive card data transmitted internally within the UPT between components.

    Source: PCI UPT DTRs v1.0, April 2009, page 15

    Therefore, the PCI PTS standards specifically make note that protections against skimming must go beyond merely securing the physical exterior of the payment device, as skimming may occur through the implanting of internal monitoring devices as well as external devices. To this end, the security of any openings, access hatches, or service panels must be considered, if such openings allow for access to plaintext card data.

    Because of this, in many instances, it is considered best practice to protect card data logically, using encryption, when routing it through exposed cabling and components within larger payment devices such as UPTs and ATMs.


    This requirement should not be confused with a necessity for encrypting magnetic strip read heads, as this is not mandated by the standard and is often not necessary for smaller PIN Entry Devices that can more easily provide physical security to the path of the signals from the MSR to the security processor.

    It should also be noted from the PCI PTS requirements that although some guidelines are provided in regards to protection against the placement of a physical skimming device, these requirements are not the only options that exist. The guidance provided within these requirements does not intend to constrain or restrict the possible ways in which skimming can be prevented. In fact, one reason for this is so that the market can actively work on creating new and more advanced ways in which anti-skimming technology can be embodied and deployed.

    When considering the security requirements within the PCI PTS program requirements it is important to understand that these cover only the security of the data from the card reader to the internal security processor of the payment device.

    Once this data has reached the security processor it is up to the payment application and overall payment system in which the device operates to secure the data.

    This is where PCI PA DSS and PCI DSS add their assistance to the security of card data. These programs protect such data in two ways: (1) by securing the applications themselves; and (2) by securing the transmission of payment card data.

    PCI DSS and PA DSS require that payment applications, and the systems on which they are installed and operated, are secured in line with industry best practice.

    This includes removing any unnecessary services from the devices, securing remote access, using network security devices such as firewalls and IDS/IPS, regularly testing the security of systems, and so forth. PCI DSS has many individual compliance requirements, and it is beyond the scope of this document to cover them all.

    It is strongly recommended that the full PCI DSS requirements, as well as the ATMIA Software Security Best Practice document, are considered when devising an anti-skimming strategy.

    PCI DSS also mandates that the transmission of card data across open, wireless, and public networks must be encrypted using strong cryptography. In these standards, such cryptography essentially means the use of triple DES, AES, RSA, or Elliptic Curve Cryptography.


    Although this standard does not require the use of such encryption across all networks, it is strongly recommended that encryption is used whenever transmitting card data, as capture during transmission is a common skimming attack vector.

    The diagram in Figure 15 shows a pictorial representation of how the different PCI standards overlap to cover the life cycle of a payment transaction.

    This diagram shows that:

    - The PCI PTS program covers the security of the data as it enters the ATM or payment device.
    - The PA DSS program covers the security of the data as it is used in commercial payment software.
    - The PCI DSS program covers the security of payment data as it is transmitted and processed within the broader payment network.

    Figure 15. PCI standards overlap in payment transaction life cycle


    Chapter 4. Best Practices for Preventing Capture of Magnetic Stripe Data During ATM Transactions

    4.1. Protection of the Magnetic Stripe Data

    Card skimming is a global threat and it will continue to be an industry issue as long as the magnetic stripe containing the cardholder's account information remains on the card.

    Moving away from the magstripe and using secure identity management and credentialing to provide access to this channel has proven to be the most effective way to minimize the losses due to card skimming.

    However, the complete removal of the magstripe is not anticipated to occur in the near future, so protecting this sensitive data is crucial in mitigating the risks and losses associated with card skimming.

    There are several methods to keep sensitive account information contained on the magstripe safe from fraudsters; the most effective method is the use of chip-based cards that house the data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce. Contactless cards provide another alternative to the magstripe. If the magstripe is used, out-of-band authentication using a cell phone or a biometric reader can provide a second form of authentication as an alternate method for conducting secure transactions at the ATM.

    Anti-skimming solutions can be deployed to help detect and prevent the application and usage of card skimming devices.

    Card readers can be equipped with some type of foreign object detection technology that can alert a financial institution or law enforcement in the event that a skimming device is installed on the fascia of an ATM.

    Jitter technology is a process that controls and varies the speed of movement of a card as it is inserted through a card reader, making it difficult to read card data.


    Card skimmers generally require a smooth intake of the card to get a good read of the magstripe. The design of the card reader bezel also plays an important role in deterring the application of a skimmer. The design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user.

    Other anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when they are attached to the ATM. Video surveillance and monitoring are additional security measures that are effective methods for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays and mini cameras.

    Regular inspections of ATMs by cash machine owners for evidence of tampering and unusual attachments should be conducted.

    Local staff, including ATM servicers, must be trained to look for fraudulent devices and be educated on the appropriate action to be taken should they discover a skimming device on a machine.

    4.2. Integration with IT Systems

    A self-contained, secure environment including physical and logical access control and enhanced identity management is essential in securing an ATM.

    Intelligent fraud-detection systems should be used to monitor for unusual spending patterns and identify fraud before it is discovered by the cardholder.

    ATM networks and multiple-issuer consortiums are also important for detecting outbreaks of counterfeit card fraud and determining the size and scope of the cards the criminal still has in inventory. The resulting lists of cards at risk of counterfeit fraud can then be used during real-time transaction authorization to minimize financial losses.

    Industry fraud solution vendors also continue to increase the effectiveness and sophistication of customer-profiling neural network systems that can identify unusual spending patterns and potentially fraudulent transactions.

    These profiles have been implemented at the merchant and terminal level in order to further enhance the decision to authorize or deny a transaction in real time, based on known fraud or unusual terminal transaction behavior.

    If a transaction scores with a high risk of fraud, the issuer will then contact the cardholder to check if the suspect transaction is genuine. If not, an immediate block can be put on the card.
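The consortium analysis described in this section (finding the ATM that the counterfeited cards have in common, then listing the other cards exposed there) can be sketched as a common-point-of-compromise query. The script below is an added example, not code from the ATMIA document; the authorization records, fraud reports, terminal ids and card tokens are all constructed placeholders.

```python
"""Common-point-of-compromise analysis over constructed ATM authorization records.

Added example, not from the ATMIA document.  Card tokens and terminal ids are
placeholders; no real PANs appear.
"""
from collections import defaultdict
from datetime import datetime

# Constructed authorization log: timestamp, card token, ATM terminal id, amount.
TRANSACTIONS = """\
2009-03-01T09:10:00,CARD_A,ATM_100,40
2009-03-01T12:30:00,CARD_B,ATM_100,60
2009-03-02T08:00:00,CARD_C,ATM_200,20
2009-03-02T17:45:00,CARD_A,ATM_300,100
2009-03-03T10:00:00,CARD_D,ATM_100,80
2009-03-03T11:20:00,CARD_E,ATM_200,40
2009-03-04T09:00:00,CARD_B,ATM_300,20
2009-03-04T14:00:00,CARD_F,ATM_100,60
2009-03-05T09:00:00,CARD_G,ATM_300,20
2009-03-05T12:00:00,CARD_H,ATM_300,60
2009-03-05T16:00:00,CARD_C,ATM_300,40
"""

# Constructed issuer reports of counterfeit-card fraud: card token, report time.
FRAUD_REPORTS = [
    ("CARD_A", "2009-03-10T00:00:00"),
    ("CARD_B", "2009-03-11T00:00:00"),
    ("CARD_D", "2009-03-12T00:00:00"),
]


def parse_log(text):
    """Turn the CSV text into (timestamp, card, terminal, amount) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, card, term, amount = line.split(",")
        rows.append((datetime.fromisoformat(ts), card, term, int(amount)))
    return rows


def find_common_points(rows, reports, lookback_days=30, min_cards=2, min_share=0.5):
    """Rank terminals by how many reported cards used them before being reported.

    A terminal is suspect only if at least min_cards reported cards used it within
    lookback_days of their report AND they form at least min_share of all cards
    seen there, so a busy, legitimate ATM is not flagged for a coincidence.
    Returns [(terminal, reported_card_count, share)] sorted by strength.
    """
    reported_at = {card: datetime.fromisoformat(ts) for card, ts in reports}
    cards_seen = defaultdict(set)   # terminal -> every card that used it
    hits = defaultdict(set)         # terminal -> reported cards that used it in window
    for ts, card, term, _ in rows:
        cards_seen[term].add(card)
        if card in reported_at and 0 <= (reported_at[card] - ts).days <= lookback_days:
            hits[term].add(card)
    ranked = []
    for term, cards in hits.items():
        share = round(len(cards) / len(cards_seen[term]), 2)
        if len(cards) >= min_cards and share >= min_share:
            ranked.append((term, len(cards), share))
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def cards_at_risk(rows, reports, terminal, lookback_days=30):
    """Cards that used the suspect terminal in the exposure window but are not yet
    reported: the list an issuer would feed into real-time authorization scoring."""
    reported = {card for card, _ in reports}
    exposure_end = max(datetime.fromisoformat(ts) for _, ts in reports)
    at_risk = set()
    for ts, card, term, _ in rows:
        if term == terminal and card not in reported \
                and 0 <= (exposure_end - ts).days <= lookback_days:
            at_risk.add(card)
    return sorted(at_risk)


if __name__ == "__main__":
    rows = parse_log(TRANSACTIONS)
    for term, count, share in find_common_points(rows, FRAUD_REPORTS):
        print(term, count, share, cards_at_risk(rows, FRAUD_REPORTS, term))
```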


    4.3. Role of the Consumer in Fraud Prevention

    Consumer awareness needs to evolve: where consumers once worried about an armed person approaching them, they now also need to beware of apparent good Samaritans who want to steal their information while they conduct a transaction.

    The consumer should check the ATM before using it and protect his/her PIN.

    Shielding the entry of the PIN with their hand and body is just one way a consumer can prevent someone from viewing it.

    4.4. Summary

    Some best practices for the mitigation of fraud due to card skimming:

    - Building awareness among consumers, branch personnel, and ATM service teams can result in the detection of devices added to an ATM fascia. Visual clues such as tape residue near or on a card reader may indicate the former presence of a skimming device.
    - Chip-based cards house data on microchips instead of magnetic stripes, making data more difficult to steal and cards more difficult to reproduce.
    - Contactless cards, out-of-band authentication using cell phones, and biometric readers are all new authentication technologies that can be used as alternate methods for conducting secure ATM transactions.
    - Alert systems monitor routine patterns of withdrawals and notify operators or financial institutions in the event of suspicious activity.

    In addition to following these best practices, there are several anti-skimming solutions that financial institutions can implement to help mitigate risk. A multi-layered approach to securing the card reader is the best methodology.

    - Foreign object detection: ATMs equipped with this type of technology can alert a financial institution or law enforcement in the event that a skimming device is added on the fascia of an ATM.
    - Jitter technology: a process that controls and varies the speed of movement of a card as it moves in and out of a card reader, making it difficult if not impossible to read card data. Card skimmers generally require a smooth intake of the card to get a good read of the magstripe.
    - Card reader bezel design: the design of the entrance of the card reader should prevent the attachment of skimming devices and/or make such devices obvious to the user.
    - Anti-skimming technologies are effective in identifying, jamming or disturbing skimming devices when attached to the ATM.
    - Video surveillance and monitoring is an effective method for deterring or detecting placement of card skimmers and other fraudulent devices such as PIN overlays an