An ATM is an electronic apparatus that allows a bank’s customers to make cash withdrawals and provides other banking facilities at any time without the need for presence of a human teller. The ATM channel is still maintaining its central role as an essential banking touchpoint with consumers and has become an integral part of the banking Omni-channel experience, not only playing a key role in the broad context of modern banking but also being a major enabler of mission critical ‘access to funds’ functionality within financial inclusion initiatives of State Bank of Pakistan. The channel is taking an even more important role as branch network optimization eventually leading to reduction in number of branch counters by offering diversified banking service experience, while consumers still express a preference for banks with physical presence. The significance and importance of ATM network expansion can be assessed by the study published by one of the leading Payment processing firms in 2016.
From the historical perspective, in 1967, a Scottish inventor named John Shepherd-Barron was sitting in his bathtub when he had a flash of genius: If vending machines could dispense chocolate bars, why couldn’t they dispense cash? Barclays, a London bank, loved the idea, and Shepherd-Barron’s first ATM was installed in a branch on Enfield High Street not long afterwards. Unlike modern ATMs, Shepherd-Barron’s did not use plastic cards. Instead, it used paper vouchers printed with radioactive ink so that the machine could read them. The customer entered an identification code and took cash – a maximum of £10 at a time. Like any other traditional “Gizmo” the ATM had gone through the evolutionary phase to a highly advanced state automata machine capable of processing numerous complex routines and cipher operations in tamper-proof modules that securely process transactions in secure and elegant fashion as we see today.
Modern ATM physical security does actually concentrate on denying the use of the cash inside machine to a thief or a fraud using some high tech industry standard fraud detection techniques. Albeit, with all the promising features that an ATM bestows, in the present day world, fraud criminals are affecting industries, not only in terms of loss but also in terms of increased efforts from ATM operators with respect to investment of capital and resources aimed at preventing fraud. Conventionally, ATMs typically connect directly to their ATM transaction processors via dedicated secure VPN established by the bank that operates the ATM network in a “Star topology” fashion.
Typically, ATM machines runs on Microsoft Windows platform although there are customized variants that exist and are deployed on Linux operating system. Speaking of transaction security that kicks off from the ATM secure tamper-proof “PIN PAD” responsible for encrypting card PIN using industry proven symmetric cryptographic algorithms, ATM security uses a fortified cash dispenser and secure card readers.
Recommendations to Counter Logical Threats
TPS has recommendations as to how companies can secure themselves. Logical attacks are becoming a major growing attack-vector, one that has the potential to cause large losses and the bad news is that with time, hackers will only get better. Considering industry-wide best practices, TPS recommends the following logical security measures to be in place to compliment the overall security of the ATM transaction processing life cycle.
- Fraud poses a significant threat to industry and surging investment and efforts are required in order to address it. The need of the day is to implement world best fraud prevention system for preventing ATM based frauds. ATM acquirers that operate networks of ATMs have access to a massive number of so-called “Machine events”. A suitable fraud management and prevention solution should be deployed by banks that enables merging such non-financial transactions to historical profiles and combines them with financial transactions for records and prevention of ATM based fraudulent transactions on a real time basis.
- Shimming refers to an attack that captures data by tapping directly into an EMV chip. A small, flat device containing a microprocessor and a flash memory card inserted inside a card reader. The circuit is energized through engagement with the chip while it’s in the card reader and the device sniffs the data. Although, the data collected by shimmers cannot be used to fabricate a chip-based card, it can be used to clone a magnetic stripe card. While the data that is typically stored on the card’s magnetic stripe is replicated inside the chip on chip-enabled cards, the chip contains additional security components not found on a magnetic stripe. One of those components is an integrated circuit card verification value or “iCVV”or “dCVV” for short (also known as a “Dynamic CVV”) generated at the time of transaction. The iCVV differs from the card verification value (CVV) stored on the physical magnetic stripe, and protects against the copying of magnetic-stripe data from the chip and using that data to create counterfeit magnetic stripe cards. The one of ways for an attack to be successful is if a bank card issuer neglects checking the iCVV & POS Entry conditions sent with each transaction. These conditions provide the issuer with necessary information on how the merchant or the ATM acquired transaction data when authorizing the transaction.
- ATM Network operators (acquirers) should opt for encrypting “Point to Point” communication channels with additional RSA based asymmetric cryptography using Transport Layer Security (TLS 1.3 standards) along with secure hashing aka MAC-ing. This approach can prevent data leaks from replay & host ghosting attacks.
- Remote rotation of ATM Master Key responsible for encrypting PIN, will ensure that symmetric keys, if in case, are compromised, become useless because the master keys are regularly substituted. This also helps in replacing the dual operator or split knowledge implementation of keys on each ATM since it securely automates the whole procedure without any human intervention.
- Along with EMV based transaction processing, secure biometric verification can be used as 2-factor authentication whereby ATM processor/controller invokes dynamic and randomized 1-10 fingerprint authentication flows.
Recommendation to counter Physical Threats
TPS strongly recommends that all ATM operators deploy anti-fraudulent systems as part of an overall layered approach to ATM security as the saying goes “Every Little Thing It Does Is Magic.” Consider the following:
- Anti-skimming detection sensors to detect card reader intrusions and stereo skimming attacks
- Anti-card trapping detection sensors with automated alarm broadcasting to ATM processor to make the ATM machine “Out Of Service” instantly.
- ATM fascia and cabinet alarms integrated online with ATM controllers for transaction monitoring data centers and disabling ATM on real time basis.
- PIN pad shields/guards to prevent PIN prying attempts via Pinhole cameras.
- CCTV coverage and not just relying on ATM image capturing solutions which may become incapacitated in case of “Ghost in the Machine” [Malware] scenario.
- Keep a close eye on your bank statements, and dispute any unauthorized charges or withdrawals immediately before the customer dispute soliciting window officially expires.
- Don’t believe in the hoaxes. Keying in your PIN backwards at an ATM will not call the police. These are simply scams to get you to divulge your PIN.
An Interesting Story
Five years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the card holders inputting their PINs. That’s when the police got involved. The police obtained the International Mobile Subscriber Identity (IMSI) numbers to track locations where the cards were being used and their times of usage, and then they correlated those IMSI numbers to SIM cards. 25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash was seized. The police ultimately said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.
The research explained that a typical EMV transaction involves three steps: card authentication, cardholder verification, and then transaction authorization. During a transaction using one of the altered cards, the original chip was allowed to respond with the card authentication as normal. Then, during card holder authentication, the POS system would ask for a user’s PIN, the thief would respond with any PIN, and the FUN card would step in and send POS, the code indicating that it is okay to proceed with the transaction because the PIN is checked out. During the final transaction authentication phase, the FUN card would relay the transaction data between the POS and the original chip, sending the issuing bank an authorization request cryptogram tells the POS system if the transaction has to be accepted or not.
Aftermath & Lessons Learned
The forensic report produced by the authors of this paper was sufficient for the court to condemn the perpetrators. During their testimony, they underlined to the court that this case shows “Organized crime is very attentively following advances in information security. We also noted that producing the forgery required patience, skill and craftsmanship. It is important to underline that, as we write these lines, the attack described in this paper is not applicable anymore thanks to the activation of a new authentication mode (CDA, Combined Data Authentication) and network level protections acting as a second line of defense. Until the deployment of CDA, this fraud was stopped using network-level counter-measures and POS & ATM software updates. We cannot detail the network-level countermeasures for confidentiality reasons”.
Nonetheless, this case illustrates that, as a rule of thumb, a nonmalleable cryptographic secure channel must always exist between cards and readers. Other (more expensive) solutions allowing to avoid man-in-the-middle devices consist in relying on physical attestation techniques such as (i) Parity Faults (ii) Abnormal application behavior, etc.
Banks! The mantra of any good security department is: ‘Security is a not a product, but a process.’ It’s more than designing strong cryptography into the system; it’s designing the entire system such that all security measures, including network, cryptography, processes, and applications work together.
ATM users! Don’t let one simple transaction like withdrawing money from an ATM become a way for thieves to get to you. To avoid scams like these, listen to the warning intuitions in your head and be careful when something feels amiss.