Enabling EMV on ATMs is vital, but additional security measures are needed to prevent fraud. Robin Arnfield interviews security experts about countermeasures for physical threats such as skimming and logical (software-based) attacks such as malware.

The European ATM industry migrated to EMV chip-and-PIN in the 2000s, resulting in a growth in logical fraud, as criminals could no longer use cloned European mag-stripe cards in European ATMs.

According to EAST (European Association for Secure Transactions), in the first half of 2016, 28 logical ATM attacks were recorded in the European countries EAST monitors, up from five during the same period in 2015.

The US ATM industry is migrating its estimated 475,000-500,000 ATMs to EMV. Due to a lack of EMV card readers in the US, criminals have been able to use cloned mag-stripe cards generated from card data skimmed from European EMV cards. Unfortunately, mag-stripe data can still be skimmed at EMV-compliant ATMs in Europe.

Fallback

“The only way to prevent skimming would be if European issuers turned off fallback to mag-stripe for their cards when used in US non-EMV ATMs,” says Martin Warwick, Fraud Consultant for Europe at fraud analytics firm FICO.

“European issuers have turned off mag-stripe fall-back for European ATMs, but, with US ATMs still not EMV-compliant, Europeans visiting the US need access to local ATMs.”


“Fallback transactions are causing high fraud losses in the US,” says Aite Group Senior Analyst Shirley Inscoe. “Fraudsters know that, when a card’s chip can’t be read, customers are directed to swipe their card. So the fraudsters use counterfeit chip-less cards as though they contained a chip; when the ‘chip’ can’t be read, they swipe the card to commit fraud. Many issuers are declining higher rates of card transactions due to fallback fraud.”
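The two issuer decisions described in this section, Warwick’s option of refusing mag-stripe use of chip cards at non-EMV terminals and Inscoe’s observation that issuers decline fallback transactions, come down to a screening rule applied to each authorisation request. The following is an added example written for this article, not code from FICO, Aite or any issuer or network. The field semantics it relies on are assumptions stated in the code (ISO 8583 entry mode ‘05’ chip, ‘90’ swipe, ‘80’ fallback; a track-2 service code starting with 2 or 6 marking a chip card), and all records are constructed samples.

```python
"""Issuer-side screening of mag-stripe fallback authorisations.

Added example for this article; it is not code from any issuer, network or
vendor quoted above. Assumed field semantics (not stated in the article):
ISO 8583 DE22 POS entry mode '05' = chip read, '90' = mag-stripe swipe,
'80' = terminal fell back from chip to stripe; a track-2 service code whose
first digit is 2 or 6 marks a card that carries a chip. All records below
are constructed samples.
"""
from dataclasses import dataclass
from typing import Iterable

ENTRY_CHIP, ENTRY_FALLBACK, ENTRY_SWIPE = "05", "80", "90"
CHIP_SERVICE_CODE_PREFIXES = ("2", "6")  # assumption, see module docstring


@dataclass(frozen=True)
class AuthRequest:
    pan_last4: str
    service_code: str         # three digits from track-2 data
    entry_mode: str           # first two digits of DE22
    terminal_chip_capable: bool
    terminal_country: str


@dataclass(frozen=True)
class IssuerPolicy:
    # Warwick's trade-off: refusing stripe use of chip cards at non-EMV
    # terminals stops cloned-stripe fraud but locks out cardholders
    # travelling to countries whose ATMs are not yet EMV-capable.
    allow_stripe_for_chip_cards_at_non_chip_terminals: bool = True
    # Inscoe's case: a chip card swiped at a chip-capable terminal.
    on_fallback: str = "decline"  # or "step_up"


def card_has_chip(service_code: str) -> bool:
    return service_code[:1] in CHIP_SERVICE_CODE_PREFIXES


def classify(req: AuthRequest) -> str:
    """Label one request by how the card data reached the terminal."""
    chip_card = card_has_chip(req.service_code)
    if req.entry_mode == ENTRY_CHIP:
        # Entry mode claims a chip read but the service code says the card
        # has no chip: inconsistent data, never a legitimate read.
        return "chip" if chip_card else "chip_mismatch"
    if req.entry_mode == ENTRY_FALLBACK:
        return "fallback"
    if req.entry_mode == ENTRY_SWIPE:
        # A chip card swiped at a chip-capable terminal that never tried
        # the chip is fallback in all but name.
        if chip_card and req.terminal_chip_capable:
            return "fallback"
        return "stripe"
    return "unknown"


def decide(req: AuthRequest, policy: IssuerPolicy) -> str:
    """Map a classification to an issuer decision under the given policy."""
    verdict = classify(req)
    if verdict == "chip":
        return "approve"
    if verdict in ("chip_mismatch", "unknown"):
        return "decline"
    if verdict == "fallback":
        return policy.on_fallback
    # verdict == "stripe": fine for stripe-only cards; for chip cards at
    # non-chip terminals it is the fallback Warwick says issuers could turn off.
    if (card_has_chip(req.service_code)
            and not policy.allow_stripe_for_chip_cards_at_non_chip_terminals):
        return "decline"
    return "approve"


def fallback_share(reqs: Iterable[AuthRequest]) -> float:
    """Fraction of requests classified as fallback; a rising share on one
    terminal or BIN range is the monitoring signal behind the rising decline
    rates Inscoe describes."""
    reqs = list(reqs)
    if not reqs:
        return 0.0
    return sum(classify(r) == "fallback" for r in reqs) / len(reqs)


# Constructed sample traffic.
SAMPLE = [
    AuthRequest("1111", "201", ENTRY_CHIP, True, "GB"),      # genuine chip read
    AuthRequest("2222", "201", ENTRY_FALLBACK, True, "US"),  # 'chip unreadable', then swiped
    AuthRequest("3333", "201", ENTRY_SWIPE, True, "US"),     # chip card swiped at chip ATM
    AuthRequest("4444", "101", ENTRY_SWIPE, True, "US"),     # stripe-only card, nothing better possible
    AuthRequest("5555", "201", ENTRY_SWIPE, False, "US"),    # European chip card at non-EMV US ATM
    AuthRequest("6666", "101", ENTRY_CHIP, True, "US"),      # claims chip read of a stripe-only card
]

if __name__ == "__main__":
    lenient = IssuerPolicy()
    strict = IssuerPolicy(allow_stripe_for_chip_cards_at_non_chip_terminals=False,
                          on_fallback="step_up")
    for r in SAMPLE:
        print(r.pan_last4, classify(r), decide(r, lenient), decide(r, strict))
    print(f"fallback share: {fallback_share(SAMPLE):.2f}")
```

Record 5555 is the case Warwick describes: under the lenient policy it is approved, which is what lets cloned stripes of European cards work at non-EMV US ATMs, and under the strict policy it is declined, which is what would strand a genuine European traveller. Records 2222 and 3333 are Inscoe’s fallback pattern; whether they are declined or stepped up is an issuer policy choice rather than a property of the data.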

Deadline

The US liability shift deadline for ATM transactions made with Mastercard-branded cards was 1 October 2016, while Visa’s deadline is 1 October 2017.

Mansour-Aaron Karimzadeh, CEO of EMV consultancy SCIL, says US financial institution-owned ATMs are fairly advanced in their EMV migration. “The independent ATM operators are less advanced,” he says. “FI ATMs are 60-70% migrated and independents 40-50%.”

The number of FI-owned ATMs in the US has remained stable at around 125,000 ATMs, with the remainder being owned by non-FIs.

According to US debit/ATM network operator Pulse’s ‘2017 Debit Issuer Study’, following the US payments industry’s October 2015 fraud liability shift for POS debit, an estimated 80% of US debit cards have migrated to chip cards.

Skimming

“Skimming will remain a threat while cards have mag-stripes,” says Ben Knieff, a financial fraud consultant at New York-based Outside Look. “It’s relatively cheap and easy to get into and low-risk for criminals, as the cost of skimmers has fallen while the functionality to do things like transmitting card/PIN data via SMS or Bluetooth has increased.”

In the run-up to US EMV migration, criminals are targeting non-EMV-compliant ATMs and POS terminals with skimmers to capture mag-stripe data, says FICO’s Warwick.

In 2016, the number of cards compromised at US ATMs and POS devices monitored by FICO rose by 70%, while the number of hacked card readers at US ATMs, restaurants and merchants rose 30%. As in 2015, about 60% of compromises occurred at non-bank ATMs last year, such as in convenience stores, with the rest occurring at bank ATMs or POS devices, FICO says.

“The way forward is for FIs, ATM suppliers and industry groups to share information on attack patterns, modus operandi and geographical spread,” says Bernd Redecker, director, corporate security and fraud management at Diebold Nixdorf. “Fraudsters are clearly sharing information. As long as the industry continues to work in silos on this topic, fraudsters will always be able to develop new attacks.”

Physical attacks

“Traditionally in Europe, we’ve seen fraud at ATMs occurring as physical attacks, e.g. ram raids, removal by excavator, or gas attacks,” says Andrew Martin, CEO of Retail Bank Consulting Group.

“Unfortunately, physical attacks remain one of the highest issues,” says Diebold Nixdorf’s Redecker. “Despite the evolution of logical attacks, physical attacks are about 50% of the incidents we see in the US.”

Skimming constitutes a physical ATM security attack.

“Security devices can work to protect against physical attacks, and numerous deterrent devices are available,” says Martin. One example is Diebold Nixdorf’s ActiveEdge anti-skimming device.

“While physical attacks have fallen in Europe, we see a continued trend to gas attacks,” says Martin. “In most cases the attackers mishandle the gas and destroy the banknotes. More recently, attackers have gone down the technology route and we see a dramatic increase in black box or malware attacks – these attacks are focused on the PC core itself and not on the physical ATM.

“Going forward, ATM deployers will need to not only protect the PC Core itself at the ATM but the network, as attackers will view ATMs as a network of devices and look for the weakest link into that network.”

PCI

The Payment Card Industry Security Standards Council (PCI SSC) doesn’t have ATM-specific security standards, whereas it has specific standards for POS devices.

“ATMs are an area where PCI standards can be complicated,” says Andrew Jamieson, Technical Manager, Consumer Security Group at UL (Underwriters Laboratory). “There’s currently no over-arching security standard for ATMs issued by PCI. The PCI SSC issued ‘ATM Security Guidelines’ in 2013 which provides best practice but isn’t a formal standard.”

“ATMs are required to have a PCI-approved Encrypting PIN Pad (EPP), which protects and encrypts customers’ PINs, and some ATM manufacturers choose to have their software approved under the PCI Payment Application Data Security Standard (PA DSS).

Also, the entity managing and installing cryptographic keys in ATMs must comply with the PCI PIN audit requirements. But, as to what ATM manufacturers must comply with, it’s really only the EPP requirements. I’d recommend them to go beyond this. However, it isn’t mandatory for ATM manufacturers to have their ATM security assessed prior to release.”

Software security best practice

Jamieson recommends that ATM vendors use the ATMIA’s (ATM Industry Association) ATM software security best practices as a guide when developing their ATM software. “There’s often a lot of software in an ATM – from the computer that controls the screen and other peripherals, to the peripherals themselves like the card reader and cash dispenser,” he says. “Each one of these is open to potential exploit if access can be obtained.”

Jamieson says software security best practice across all industries is trending towards on-going maintenance and risk management, and it’s worth considering how this may apply to ATMs. “If your base operating system needs patching, how is that applied to your ATM?

If you’re an ATM distributor, do you have agreements with your vendors about how they will maintain their ATM software’s security over time? Who is responsible for any software vulnerability that is exploited? Are you testing the security of the system, and, if so, is that a one-time thing or an on-going process?

“It’s increasingly common to hear of ‘black box’ attacks on ATMs, where a bug is placed onto an accessible cable and malware is installed using this channel. It’s important to consider such attacks when designing an ATM’s physical and logical aspects. How accessible are the cables?

Do you limit or otherwise lock-down connections on the USB interfaces? Are the communications between your controlling computer and peripherals encrypted? Is the BIOS of your controller locked, and do you use Trusted Boot options that may be available?”
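One of the questions in this checklist, whether traffic between the controlling computer and the peripherals is protected, is the one that decides whether a device attached to an exposed cable can drive the dispenser at all. The following is an added example written for this article, not code from UL, Diebold Nixdorf or any ATM vendor: it models a dispenser that executes a dispense command only if the command carries the nonce the dispenser just issued and an HMAC-SHA256 tag under a key shared with the PC core. The message layout, nonce scheme, demo key and scenario functions are assumptions made for the example; provisioning the key into the peripheral (the key-management activity the PCI PIN requirements cover) is out of scope.

```python
"""Authenticated dispense commands between an ATM's PC core and its cash dispenser.

Added example for this article, not code from UL, Diebold Nixdorf or any ATM
vendor. Message layout, nonce scheme and key handling are assumptions made
here; key provisioning into the peripheral is out of scope.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

NONCE_LEN = 16
MSG_LEN = NONCE_LEN + 8          # nonce || amount_cents as unsigned 64-bit big-endian
DEMO_KEY = bytes(range(32))      # constructed shared key, for demonstration only
WRONG_KEY = bytes(32)            # constructed key that the dispenser does not hold


class Dispenser:
    """Peripheral side: holds the shared key and the one outstanding nonce."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: Optional[bytes] = None
        self.dispensed_cents = 0

    def challenge(self, nonce: bytes) -> bytes:
        """Record a fresh nonce; only the next command may use it.

        A real peripheral would draw the nonce from its own RNG; it is passed
        in here so the scenarios below stay deterministic."""
        self._pending = nonce
        return nonce

    def dispense(self, msg: bytes, tag: bytes) -> bool:
        """Execute msg only if it is bound to the pending nonce and the tag verifies."""
        pending, self._pending = self._pending, None   # nonce is consumed either way
        if pending is None or len(msg) != MSG_LEN:
            return False
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        # Constant-time comparisons so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(msg[:NONCE_LEN], pending):
            return False
        if not hmac.compare_digest(tag, expected):
            return False
        self.dispensed_cents += struct.unpack(">Q", msg[NONCE_LEN:])[0]
        return True


class Controller:
    """PC-core side: signs a dispense request for a nonce obtained from the dispenser."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def build(self, nonce: bytes, amount_cents: int) -> Tuple[bytes, bytes]:
        msg = nonce + struct.pack(">Q", amount_cents)
        return msg, hmac.new(self._key, msg, hashlib.sha256).digest()


# Constructed scenarios; each returns True when the dispenser behaves as intended.
NONCE_A = b"\x11" * NONCE_LEN
NONCE_B = b"\x22" * NONCE_LEN


def legitimate_withdrawal(key: bytes, amount_cents: int) -> bool:
    d, c = Dispenser(key), Controller(key)
    msg, tag = c.build(d.challenge(NONCE_A), amount_cents)
    return d.dispense(msg, tag) and d.dispensed_cents == amount_cents


def replay_is_rejected(key: bytes) -> bool:
    """A recorded valid command must not dispense a second time."""
    d, c = Dispenser(key), Controller(key)
    msg, tag = c.build(d.challenge(NONCE_A), 5000)
    first = d.dispense(msg, tag)
    d.challenge(NONCE_B)                 # dispenser has moved on to a new nonce
    second = d.dispense(msg, tag)
    return first and not second and d.dispensed_cents == 5000


def tampered_amount_is_rejected(key: bytes) -> bool:
    """Changing the amount after signing invalidates the tag."""
    d, c = Dispenser(key), Controller(key)
    msg, tag = c.build(d.challenge(NONCE_A), 2000)
    altered = msg[:NONCE_LEN] + struct.pack(">Q", 200000)
    return not d.dispense(altered, tag) and d.dispensed_cents == 0


def command_without_shared_key_is_rejected(key: bytes) -> bool:
    """A sender that can see the nonce but lacks the key cannot produce a valid tag."""
    d = Dispenser(key)
    msg, tag = Controller(WRONG_KEY).build(d.challenge(NONCE_A), 10000)
    return not d.dispense(msg, tag) and d.dispensed_cents == 0


if __name__ == "__main__":
    print("legitimate:", legitimate_withdrawal(DEMO_KEY, 4000))
    print("replay rejected:", replay_is_rejected(DEMO_KEY))
    print("tamper rejected:", tampered_amount_is_rejected(DEMO_KEY))
    print("no shared key rejected:", command_without_shared_key_is_rejected(DEMO_KEY))
```

The nonce is what turns a static shared secret into protection against replay: without it, a single recorded valid command would dispense every time it was resent. The design also answers Jamieson’s point about the controller itself, since a compromised PC core that still holds the key can issue valid commands; authenticating the cable protects against devices that bypass the controller, not against malware running on it, which is why he pairs this question with BIOS locking and trusted boot.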

Jamieson stresses the importance of understanding the threats to an ATM network. “We have clients who have different levels of security for their ATMs depending on the environment or even the country into which the ATM will be deployed,” he says.

“Originally, criminals mainly focused on onsite attacks directly targeting single ATMs,” says Diebold Nixdorf’s Redecker, who stresses the importance of ‘locking down’ an ATM software stack and network connections so they can’t be controlled by hackers. “In recent years, this has significantly broadened from single-ATM attacks.

Fraudsters have started to attack banking networks, with malicious access to ATMs as a side effect. In all variants, we see enhanced technology and organizational level on the attackers’ side. In addition, comparable threats are spreading the globe much faster than previously. An attack in Asia can no longer be considered irrelevant for a US bank: it might arrive there tomorrow.”

Outdated OS

Outside Look’s Knieff says many ATMs are still running Windows XP. Microsoft stopped supporting XP in April 2014 and told users to migrate to Windows 7 and above.

“There are a surprisingly large number of ATMs still running XP, despite the lack of support from Microsoft and the October 2013 FFIEC (Federal Financial Institutions Examination Council) guidance (on the risks of using XP). One reason is that, in many cases, a hardware upgrade is required to support a newer operating system and many ATMs run on basic hardware that may not support newer operating systems. Also, their ATM software may not support newer operating systems’ 64-bit architecture.”

Biometrics

“Biometrics is an interesting way of improving ATM security, making the data acquired from skimming less valuable, and improving customer experience,” says Knieff. “There are two challenges – the cost of enabling ATMs for many types of biometrics (e.g. fingerprint, palm-vein) or upgrades for biometrics such as facial or iris recognition.

The other major challenge is getting users enrolled in biometric schemes. But if ATM deployers offer cardless ATM withdrawals, the biometric is already on the smartphone hardware (e.g. Touch ID) and the user is already enrolled. So cardless ATM transactions solve some of the above challenges in hardware and user experience.”

“Biometrics are used at ATMs in several countries, probably most heavily in Japan, where over 80,000 biometric ATMs are currently in use,” says Inscoe. “Many use fingerprint technology, palm or finger-vein technology, or facial recognition.

In Poland, ATMs using finger-vein biometrics are being introduced, which is an extra safeguard to prevent impersonation. For example, while a fingerprint might be able to be ‘lifted’ from a surface where it has been captured, and used on an ATM, the veins are underneath the skin, so the biometric pattern can’t be reproduced.”

Readers will have heard about photos of people being used to overcome facial recognition technologies. “There are three primary risks related to using any form of biometric,” says Inscoe.

“The most critical relates to enrollment. It’s imperative to ensure that the person’s biometric being captured is who they claim to be. We saw tremendous losses when Apple Pay was introduced. None were due to Apple Pay not working securely, but related to fraudsters enrolling credit cards using data stolen from data breaches.”

“The second most risky element with biometrics is not including some type of liveness test. Whether this is a temperature check or requiring eye movement, it’s essential that the biometric ensures a live human is presenting it. Fortunately, many new devices are being equipped with upgrades that will help measure these types of things and ensure that someone isn’t presenting a picture or using a lifted fingerprint.”

“The final risk is more for consumers than the companies relying on biometrics – that there will be a data breach of these elements, and they may be stolen. While an individual can change their telephone number, they can’t change their finger, face or eye.”

Diebold Nixdorf’s Redecker says moving biometric authentication to smartphones has numerous advantages. “It helps address issues banks face in securely storing clients’ biometric credentials, as the biometric template (in the case of TouchID) is stored locally on customers’ phones.

“It could address the off-us problem with biometrics. With biometric readers installed on ATMs, only customers of issuing banks would be able to utilise the biometric to access their funds, as only they would have their biometric template enrolled in the system – unlike with authentication on phones.”