Fraudsters aim at ATM and Eftpos transactions

By Stephen Ballantyne

Friday 12th September 2003

Do you think your ATM and Eftpos transactions are safe? Well, they probably are for now, but according to Sean McCarthy, NCR's manager for standards and security compliance, this could easily change. From his base at NCR's European headquarters in Dundee, Mr McCarthy has a worldwide overview of the latest frauds and scams directed against the international money network.

Most of them haven't got here yet physical distance from the main world centres of both commerce and criminal inventiveness has its advantages.

"I'm in New Zealand mainly to explain the issues associated with fraud and with migrating to new encrypting Pin pads, about which there is a lot of confusion in the marketplace," Mr McCarthy says.

Judging from the time it takes for them to complete transactions, many users have difficulty negotiating the ATM user interface, but like it or not, that is unlikely to change. The changes coming to ATM and Eftpos will take place mostly behind the scenes.

But we may need new cards: smart cards, incorporating chips and substantial memories compared with the limited amount of data that can be stored on the magnetic stripe cards in use since ATMs began appearing over 20 years ago, are still the preferred solution for many security problems but the banks remain reluctant.

"The business case for a move to a chip-based solution still has to be absorbed by the banks until they can see that the fraud issues are serious enough to justify the cost of implementing this kind of infrastructure. It's not just the ATMs you have to deploy the chip-based cards, and get the back-end structures in place.

"It's a considerable infrastructure cost, and so far Australia and New Zealand banks haven't felt as compelled by fraud as the northern hemisphere banks.

"It also helps that signatures aren't used as much in this part of the world for identification as Pin numbers, which are more secure.

"However, we would also like the banks to apply stronger encryption to the Pin numbers transmitted over the network. Currently it's done with single DES [data encryption standard], which has been around since the 1970s and has stood us in good stead, because people haven't made much attempt to tap into communications lines to decode this stuff.

"But the increase in computing power means that it's more possible that fraudsters will make the attempt. In the 1970s the computing power that was available would take years to crack a DES code; recent studies have found ways to do it in 12 hours with modern computers."

With Moore's Law constantly bumping up the power of computers, that means it's possible to see a time when DES will be crackable in minutes or seconds. Hence the need for triple DES, which multiply re-encodes the datastream going from the ATM to the central bank, thereby wrapping a thicker protective layer of processing overhead around the data in transit.

"Triple DES is not enough on its own, though," Mr McCarthy says. "You need to physically protect the keyboard as well as provide logical security to the data.

"It's something that has been left unaddressed for a long time; a buzz-word like 'triple-DES compliant' is no substitute for protecting the ATM itself. There are some devices on the market where it's possible to insert a tap between the keyboard and the encryption unit; that's inherently insecure."

The security weaknesses of magnetic stripe cash cards also offer another inducement to move to smart cards.

"It's easier to skim magnetic cards there are plenty of card readers legitimately available in the market place that can copy the information from a magnetic card. The EMV (European MasterCard and Visa) standard assures a level of security for hardware and software that greatly reduces the risk of fraud, and it requires smart card systems to operate."

For now, while magnetic cards persist, more or less simple card frauds remain possible. Recent attacks on ATM machines in Europe and North America have tended to suggest the preferred methods of defrauding the system are much less sophisticated than advanced decryption algorithms running on very fast computers.

The "Lebanese loop" was a piece of plastic stuck into the slot of an ATM that would trap a card for retrieval later by a thief; machines have since been modified to thwart the device. Other fraudsters have gone as far as to clamp their own disguised card readers over the slots of ATMs; victims' cards would be returned but the captured data would be used to make a duplicate card.

Recent NCR ATMs thwart such devices by drawing the card into the slot with a jittery motion.

All of which increases manufacturing complexity, but until smart cards become ubiquitous, "there's no option we have to continue to go down that road. We've deployed these devices heavily in Europe and more and more in the US.

"You're lucky they're not here yet card fraud is running at £428 million a year in Britain and it's mainly through devices like these."

Comments from our readers

No comments yet