Massive ATM fraud in the US - who is to blame?

EMV is not relevant to PIN security at the ATM, as the EMV enabled ATMs use "online PIN".

On the other hand, using the PIN for low value transactions unnecessarily exposes it to various scams.

There is a easy and simple solution to prevent this kind of theft. By using Biometrics ( Finger Print)! But I think in certain markets only complex and expensive solutions will be looked upon as a good solution! Already some Indian Banks have started using biometric ATMs.  

How about using RSA tokens as an immediate measure to tackle the situation ?

Jonathan, I know EMV doesn't have anything directly to do with PIN encryption - that's the job of the TripleDES standard I mentioned. But It does make it harder for criminals - even if they have obtained a PIN from should surfing or whatever other means - to make a cloned copy of the card and use it to withdraw cash.

I suspect that the underlying problem was with the methodology used by the banks and or ATM operators.

In any event we could have prevented it without new infrastructure, whether customers are using cards or without. An inside job should not even be possible, and cloning a customer's card, or whatever, should not enable fraud.

"It would be interesting to see how the PINs were obtained (I suspect an insider job), and also how they managed to access unencrypted PINs and account details. "

I don't know if you all know what 7-11 stores are but I suspect that skimmers and pin-pad touch recorders captured the mag-stripes and pin-codes. These ATM machines that you find in these convenience stores arent the robust ATM machines that one would usually find in banks. I was quite amazed as to how fragile-looking (and sometimes dirty !) they are.

----------------------------------------------------------

"But looking at the big picture I can't help feeling that the US banking industry as a whole (including Mastercard and Visa in the US) might be to blame for the situation. By not getting involved with the global EMV chip card standard and sticking with easily clonable magnetic stripe cards, the US makes itself an easy target for organised criminals."

EMV chip is not the answer. As APACS will tell you, UK card  (yes, EMV enabled) fraud migrated to cross-border fraud. There are also what are called "YES CARDs", these are cards programmed in a way that whatever pin-code is entered is valid.

Why not allow cardholders to block their own cards after they use them, and unblock them again before using them? This way, even if fraudsters copy the mag-stripes and the pin-codes, they will not be able to use the clones. For that matter, allowing the cardholder to control his own card account has a lot of other utility, such as giving a teenage child a card but being able to manage the teenager's spending, etc.  This would also solve card-not-present fraud! Therefore, the control check goes all the way down the process of approving a card's use (called authorization) - towards the issuing bank. Issuing Banks should allow their cardholders a 'say' in what issuing banks are approving on their behalf, a feature that would be very much appreciated with prepaid and debit cards, I think.

-----------------------------------------------------

"Countries that have adopted the EMV chip card standard, which among other things makes it much much harder to clone cards, have all seen a reduction in card present fraud."

Sorry, this is not true. What you probably meant is 'local card present fraud' since it did migrate cross-border.

Using biometrics -- especially fingerprints -- as an approach to solve ATM fraud could be disastrous.  These are so easy to steal, clone and otherwise work around that it's almost comical.  To avoid lengthy queues at an ATM, the false accept / false reject ratio in the detectors needs to be tuned towards lower false reject, and therefore higher false accept, making them even more vulnerable to attack. 

For details on the vulnerability of fingerprint detection, have a look at:

http://www.schneier.com/crypto-gram-0205.html#5  

http://en.wikipedia.org/wiki/MythBusters_(season_4)#Fingerprint_Lock 

http://www.heise.de/ct/english/02/11/114/

I've researched and summarised a range of other fundamental problems with biometrics at Babystep 3: Biometrics under the microscope.

Cheers,

Stephen Wilson.

The problem is that these biometric and card solutions require absolutely 100% deployment in order to provide any protection and everyone would need a reader.

It just isn't realistic. Peddling biometric solutions or fingerprint readers is even more unrealistic. At least the cards are a 'renewable' credential, fingers are not renewable and this presents untold risks to the consumer.

In any event no-one is protected until every single merchant is using them in every single country in the world. Shareholders in any company which holds such an unrealistic view of the marketplace should seriously reconsider their investment.

Spending any money on biometrics and chip and PIN is a foolhardy venture and by the time it's half rolled out it'll be knocked out and you'll be back spending more billions on the next half baked idea.

I predict it will be impossible to defeat fraud with the current approaches. The problem will just get worse.

Almost every consumer who fits into the profile of being a 'desirable banking customer' already has a mobile phone and so do a billion or so others, and most people who don't yet have a mobile, want one. The same cannot be said for a fingerprint reader or a dumb card reader. I mean really - have you looked at those card specs? They're dumber than a Commodore64 and you can't even protect your Duo core PC.

I just can't see the entire world embracing an expensive obsolete and flawed system and I think it is just too much of a fantasy to hope that everyone will - certainly not before it is displaced by something better.

How on earth did the adopters of this rubbish justify doing it - knowing that it would not protect anyone until every man woman and child on earth adopted it and all the hackers all gave up hacking?

Dean Procter wrote:

"have you looked at those card specs? They're dumber than a Commodore64 and you can't even protect your Duo core PC".

You're comparing apples and oranges Dean.  The reason we cannot protect a duo core PC is that the security target for a general purpose personal computer is far too complex, and the operating system in particular was not designed with security top of mind.  But with smartcards, starting from scratch, we have the luxury of making security a priority. Furthermore, we have a very very restricted computing model, making testing vastly easier, and security weaknesses vastly rarer.  

And so, for example, the MULTOS smartcard operating system achieves Common Criteria certification at the very top level, almost unheard of outside of defence departments.

The dumbness of smartcards relative to full blown PCs acts in favour of security, not against it.

Cheers,

Stephen Wilson

The Lockstep Group.

Dean Procter wrote : "How on earth did the adopters of this rubbish justify doing it - knowing that it would not protect anyone until every man woman and child on earth adopted it and all the hackers all gave up hacking? "

That's the result of BIG BUSINESSES' elaborate way to push something although it does not totally work because they think that the sheer quasi-monopoly they have on the market enables them to force it onto the market. And this is true - they can force it in most countries except the U.S. and perhaps China.

I think the rationale for EMV / smartcards is they wanted to present secured cards to consumers by just requiring the 'pin-code' entry thereby making the change in security somewhat transparent to the consumers. Initially and currently, card issuers believe that the entry of a valid pin-code ensures the non-repudiation of a card transaction. We all know that the entry of a valid pin-code does not necessarily mean that whoever entered that pin-code is the cardholder.

The french smartcard was the model for EMV. It is true that with smartcards, local card present fraud decreases. But these card companies were certainly completely aware that with chip and pin, fraud migrates elsewhere. Therefore, its no surprise that they have set deadlines and penalties to both card acceptors and issuers to implement EMV, or else... 

There has been a lot of developments in biometric field ( particurarly) finger prints. FAR & FRR has improved a lot.If biometric data can be stolen so are other things like smart cards, tokens etc. I think we must look at an  unbiased view and not color our views based on a few incidents. 

Cardtronics have made a statement, reiterating the compliance of their ATMs in 7-11s with all the relevant security standards. They also claim that their processing centre and networks comply with PIN security standards, and have been independently reviewed.

So either the 7-11 stores were targeted in a widespread installation of fake ATM fronts, possibly combined with video surveillance of customers entering PINs, or - as seems to be suggested by some of the court procedings - there was compromise of back-end processing servers.

If it's the former, then perhaps 7-11 can be held responsible for lax in-store security. If it is the latter, then it's probably either Cardtronics or Fiserv at fault. And if they were indeed both up to standard in terms of security, it begs the question - do standards need to be improved?

The PIN / password should never be stored.  A hash value of it only should be stored.  When a customer inputs PIN then the hash value of it is generated on the PAD (may be padding it with additional digits - salting) and then this is transmitted to the bank for verification with the hash value stored.  So in this case, either there is a bug in the verification system or PINs are transmitted for hash generation at the backend.  An insider then could get the relevant PIN before the hash is generated and pass to a 3rd party, who could use cloned cards to withdraw funds. 

Alternatively, the fraudsters would have kept a camera to observe the PIN being input by unknowing customers, with a card scanner inserted in the ATM.  This being 7-11 ATM's an analysis of their locations where fraud occured would through lot of light.

Someone asked me how is it possible to use cloned cards without the chip for ATM withdrawals.

My response to this person : "Most of the ATM/DAB machines still read the magnetic stripes, not the chip.
 
By the time the entire world changes all the machines to read only the chip, the fraudsters/skimmers would then also be able to copy the chips...   OR    hackers/skimmers will most likely implant devices which will fry/microwave the chip so that the 'fallback' method is triggered. The 'fallback' method forces the machine to read the magnetic stripe because the chip is faulty...."

Each time something like this happens, everyone but the card issuing bank gets blamed. Card Issuing Banks seem to have good P.R. and they always come across as doing everything they possibly can to minimize these incidents. But are they really doing everything they possibly can?

The best system for now, which also does not require a massive infrastructure change, is a system that enables the cardholder to set his own user limits, basically a system that enables a cardholder to turn on and off his own card account. This system truly deflects the increase of card fraud while ensuring the best quality of service to cardholders (customers). Its actually quite a logical and ideal solution.