Oct 18, 2018
Physical and cyber attacks against ATMs receive a lot of coverage, but they are not the only ways in which criminals can empty an ATM of cash. Transaction reversal fraud is one example of a manipulation of loopholes in transaction processing rules to steal cash, but it requires little to no tampering with the terminal. This episode will cover the latest process/communication manipulation fraud methods and news, as well as how to stop these attacks.
Managing ATM Security
Amy Lombardo: 00:00
Physical and cyber attacks against ATMs receive a lot of coverage, but they are not the only ways in which criminals can empty an ATM of cash. Transaction reversal fraud is one example of a manipulation of loopholes in transaction processing rules to steal cash, but it requires little to no tampering with the terminal. This episode will cover the latest process and communication manipulation fraud methods and news, as well as how to stop these attacks. I'm Amy Lombardo, and this is COMMERCE NOW.
Scott Harroff: 00:43
Hello, again. I am Scott Harroff, Chief Information Security Architect at Diebold Nixdorf and your host for this episode of COMMERCE NOW. Today, we are live from the TAG PIX event in Las Vegas. I'm joined today by a very special guest from First Data, Mr. John Campbell, Director of STAR ATM Acceptance.
Welcome, John. I hope your experience here at TAG PIX has been a good one so far?
John Campbell: 01:04
Yes, it's always a pleasure to be here at TAG's hut. This is actually my 13th year, and I look forward to it every year to get some great information from the vendors and the clients themselves.
Scott Harroff: 01:15
Yeah. I think I've been coming here, John, for about 15 years. I've probably bumped into you at one of those first early sessions. Great seeing you here every year for all those years, year over year. Hey, before we dive into some questions on reducing ATM-related fraud, tell us a little bit about your background, positions you've held. What are you doing these days?
John Campbell: 01:36
I spent about 15 years working at Virginia Credit Union. I was a longtime TAG member. In a previous life, I was an accountant who actually settled the debit networks before jumping into ATM operations back in 2005. TAG attendee for 11 years. During those times, presenter and director on the TAG board from 2010 to 2015. Back in those days, I was responsible for the ATMs and debit processing for the credit union. These days, I work for First Data in Atlanta. I'm Director of STAR ATM Acceptance for the STAR network and work closely with the First Data processing ATM acquiring side of the business, ISOs and FIs. I am currently a member of ATMIA, the US Payments Forum ATM Work Group, and the National ATM Council.
Scott Harroff: 02:17
So what you're saying, John, is you've been around a little while and you've seen a few things when it comes to ATM fraud?
John Campbell: 02:22
Scott Harroff: 02:23
All right. Having been on both the FI side and now working for a transaction processor, how would you describe the state of ATM security today?
John Campbell: 02:32
Fluctuating, evolving, and sometimes growing. We are better at what we used to do, but so are the bad guys. When I started in ATMs in the early 2000s, the biggest scares we had were the occasional ram raid and the old Lebanese loop capturing cards at ATMs before DIP readers came into existence. The move from OS/2 to Windows started bringing all sorts of different degrees of cyber attacks and logical attacks on software that we had never seen. But they were still sporadic and slow. But now it seems that even after all the security enhancements we've done, EMV, encrypted hard drives, point-to-point encryption, the attacks seem almost constant and even renewed. I think some of that's also from the fact that criminals are not just attacking the ATMs logically, but they've gone back to the low-hanging fruit, ram raids and cash trapping. The cashouts that made a lot of news the last couple of weeks from the FBI. A lot of it was from best practices just not being followed that had been out there for years. It's still a very fluid environment.
Scott Harroff: 03:40
Yeah. That's about the same thing I'm seeing. When you say EMV's out there, I just got done talking to customers who were charged back several hundred thousand dollars, because they had made the decision, "Maybe I won't implement EMV. What's the worst that could happen if I don't spend all that money to do the upgrade to EMV?" I've had quite a few of them where they didn't spend the money, and now what's happening is larger financial institutions are coming back. They're saying, "Hey, we detected this fraud. The only thing in common is your ATM, so why are we getting all these non-EMV transactions from our customers that have EMV cards off your ATMs?"
It's the same thing with TLS, John. I've watched TLS roll out. Your network was one of the early adopters of rolling out the TLS protocol. But at the same time, there are some really big FIs out there that still haven't turned it on. There are some big networks that haven't turned it on. It's interesting to me that some folks are really thought leaders in the industry and get stuff done, and some others tend to be a little bit more of a laggard.
What security risks do you see as they pertain to FIs and processors, or even processes in communication protocols?
John Campbell: 04:53
Well, I think, first, as an industry, what's really been hampering us is the fact that we have no problem jumping on the barbarian at the gate, but then we go back to sleep behind the walls. We're seeing that over and over again with skimming and then EMV. We ramp up, a lot of the earlier adopters go, and then we seem to just get lulled back into sleep.
I take it back to Ploutus coming out with the malware when that was rearing its head in the 2013 timeframe. Diebold and other industry leaders came out and said, "Here's best practices. This is what you need to implement to protect yourself." And it got quiet. In early 2018, suddenly a variant, Ploutus-D, comes out. It hits some ATMs in the country, and everyone's panicking. Everybody's freaking out. "What do I need to do?" And you're sitting there thinking, "The best practices that would have protected you were put out there five years ago, and you just didn't do it." And some of them were physical, top hat security, and some of them were logical, just default passwords. Somehow, here we are in 2018, and it's still a problem. That really blows my mind.
But one of the bigger steps I've seen that's actually moving the ATM industry into a good spot is, as you were saying, that point-to-point encryption of the data between the ATM and the host to prevent man-in-the-middle attacks. Folks forget that, even in an EMV environment, there's still data that's visible out there. I mean, we're still in a US market that's routing by BIN tables, even though you have the EMV protocol in the ATM. So whether it's an ISO ATM or an FI, you can still do man-in-the-middle attacks, still attack the data. So seeing MPLS communications at the routers and hosts was great, but now we need to protect those small spots where the criminals are still attacking. Because even with EMV, MFA, and tokenized PAN, there is no reason we should be sending any data in the clear anymore, and it's still happening. Those that have been, as you said before, First Data and STAR, it's starting to pick up, but I'd like to see it pick up at a faster pace.
The one that's bypassing all these security protocols is account takeover. It's still a real problem, and it truly does bypass that onsite security, whether it's logical or physical. I equate it to ... You can have all these gates and cameras and barbed wire, but if you still, through social engineering, allow someone to steal the proverbial guard's coat, they're still getting inside the fortress. They're still getting out. You don't have to beat the technology. You're beating the human element, and that's still a big problem for us.
Scott Harroff: 07:28
Yeah. Speaking of human elements and things that have been out there for a long time. With all the technology that everybody puts out there, I still get phone calls. I wouldn't say on a regular basis. But every month or so I get a phone call about some institution where somebody has done a transaction reversal at the ATM. They'll be balancing their journal, and they'll be looking at their host logs. And, "Why am I out $300 of cash? It shouldn't have been gone." What do you see at the network as far as transaction reversal best practices? Because, John, in my mind, it's something that, between the ATM and the transaction processor, we should have been able to get rid of a long time ago. But I still get customers calling me on this.
John Campbell: 08:12
Well, we still have ... In the industry, it's always been cardholder customer-centric. How do I protect the cardholder? Reg E is built all around that. And of course, that's what the criminals are manipulating. The TRF is a very low-tech scam. The criminal manipulates the ATM into thinking there's a fault while simultaneously breaching the dispenser shutter to grab the cash. But the way that the networks and the ATMs are set up, all it knows is there is a fault. "I don't think I've actually dispensed cash, or I can't, and, therefore, I need to reverse the transaction." So the debit is reversed, the bad guy walks away with the cash, and then can continue on with this fraud that they're probably getting at ATM after ATM.
We've heard a lot about this from the European market more, especially in 2015, but it's creeping in again. Just like Ploutus and other sorts of attacks, they start in other parts of the country, and the US continues to be the soft underbelly. So the current SOP for conducting this fraud is defined. Deployers who've got motorized ATMs, they are set up for card before cash. And of course, the industry did this in response to EMV. I don't want the cardholder to leave their card, so I'm going to make sure the cardholder takes their card before I can give them their cash. I'll stage it behind the shutter. And then, as soon as they take it, I'll give them their cash. The bad guys know this. They test out ATMs. They can hear the dispenser cranking out. They can hear the money behind the shutter. And then, it doesn't take a whole lot for them to go manipulate the hardware and then obtain the cash. It's reversed again, as we were talking about before. And then, they run to the next ATM, or they just do the transaction multiple times.
Scott Harroff: 09:53
Yeah. I look at the problem pretty much the same way you do, John. We've released XFS updates that would minimize the impact to the customer. I know First Data and a lot of other networks out there can turn on things inside the configuration and say, "If this occurs, then let's hold this for 24 hours, so we can verify whether the cash has been retracted back in. If it's been retracted back in, did we get all of it? Or did we just get a receipt that came back looking like a piece of cash?"
I know that we have a lot of technology. One of the things I wonder about is, how can the industry as a whole, through events like TAG PIX, educate these customers on all the things the deployers can do, as well as the networks? It would be interesting, I think, to get together a group of people that could really sit down and communicate this in a way that everybody understands the problem and everybody understands some solutions before something bad happens and they come back to us. I know what we can do as Diebold. What do you think processors might need to do differently to help prevent these kinds of attacks?
John Campbell: 10:57
Well, I know that a lot of ATM deployers have actively monitored transaction reversals and card jams. They've put in some logic. But I relate it to what we're seeing. And fallbacks, as well. There's no consistent idea of what's the best way to combat the fraud. You have some FIs on fallbacks who go and decide, "I'm declining them all." Some, "If it's under 100." So you see the same thing with these transaction reversals. There's no unified idea of what's the best way to combat it.
I think that these acquirers and issuers need to go back to what they were doing with skimming, which was regularly inspecting their shutters for damage, monitoring velocity of reversals. Issuers, educating their issuers. Because the processors can help by, when they're implementing these ATMs, educating. I don't think they can just leave it up to the manufacturers. I don't think they can leave it up to PCI. I think we as processors, we as networks, need to be advocates. We can't just be rails that the transactions are running on. We need to actually be advocates for the issuers and acquirers to help them almost help themselves when it comes to these types of fraud.
Scott Harroff: 12:15
Yep, I agree with you, John, 100%. We talked about a lot of different kinds of fraud events that are out there. Are there any other kinds of fraud attacks that you're seeing recently? Any other kinds of things that the folks out there listening to COMMERCE NOW should really be thinking about?
John Campbell: 12:31
A lot of what we're seeing now is the criminals trying to figure out, "How do I get around the security that's becoming more inherent at the ATM channels?" So they're going back to, "Let me attack lower security at certain financial institutions' banking cores. Let me go after mobile apps that were deployed years ago and haven't kept up with third-party authentication."
There was an article a little while ago that talked about cardless transactions and fraud. The way it was worded, you almost thought that the transaction, the ATM interaction, was the problem. When you read in depth, that's not the case. It really was social engineering. Again, the human element. These accounts getting taken over. They're importing a new phone number, a new email address, and then, they don't have to get around the security. They've taken over the entity. They've taken over the person. The cardless transaction now is just a funnel for them. They don't have to beat the ATM. They don't have to beat the networks. They don't have to beat the processor. They beat the human. By doing so, they're bypassing all this wonderful security we've put into place in EMV and firewalls. They don't. They've gone back to, truly, stealing an identity. They've just done it in a cyber fashion.
Scott Harroff: 13:47
Yeah. We spent a little bit of time talking about technology. We've spent a little bit of time talking about processes. You just spent some time talking about social engineering defeating the human element. There's another area that everybody likes to hear about. What is happening with regulatory compliance or new standards that you think might actually reduce fraud at an ATM or on an ATM network?
John Campbell: 14:11
This industry is definitely closely watching the increasing move of state regulatory initiatives. Obviously, the constituents complain to their legislature about fraud hitting the local bank, the local credit union. They have taken it upon themselves to start introducing legislation. They feel, "Well, the Federal Government's not doing enough." Or, "The industry's not doing enough. Fine. We'll put in some rules." Whether it's physical security, cameras and vestibule locks.
One of the ones that we've seen recently was a skimming sticker being put on ATMs, which, as soon as I saw it, being a former deployer, I just cringed to think, "We've spent a decade trying to get surcharge stickers off of ATMs, and now a state wants to have one on every ATM and fine people for it." Any ATM deployer knows issuers are not reading stickers. You can put, "Don't insert coin," on a deposit automation ATM, and I had someone tape four quarters to a piece of paper one time.
So stickers aren't the issue or the solution. What you really want is, "Fine. You want to help us, states? Then help us do some education programs between the FIs themselves and the cardholders." We have PSAs out there. Let's educate them about fraud and skimming, but let's do it on things they're looking at, social media, out on TV. My gosh, we're a country that's glued to binging on Netflix. Let's put something on there and educate on the things to look for. Legislating it and punishing the acquirers is not the way to go. It's educating the public to be more diligent when they actually visit ATMs.
Scott Harroff: 15:50
Yeah, I agree with you. I get all kinds of questions from about 1,300 customers around the United States that are small to medium-sized, and a handful of large ones, that come back and say, "What have you heard about this?" And, "What have you heard about that?" Often, the regulations or the standards or a bill that somebody has generated is the subject of that.
I remember a certain state where they decided to resurrect the old things of, "Well, if you're at an ATM and someone's about to hijack you, put your PIN in backwards, and that will summon law enforcement and save the day." John, have you ever seen any host actually responding to putting a PIN in backwards as an emergency signal?
John Campbell: 16:34
Yeah, that's one of my favorites. Whether it's Facebook, Instagram, an email, I'll see this. I've actually saved on my phone a picture with a big, red X through it that has this warning. And it's always someone who's trying to do good. They're trying to inform their friends. And then, I have to go repost on Facebook or some other media, "This is an urban myth. You cannot do this." I'll even explain the history of it. "There was a programmer in the '90s. He wrote this." And I also explain, "We also had panic alarms at ATMs in the '80s, and all of law enforcement was chasing around ghosts and came back."
If you actually read the 2010 Card Act, there's a line item. I think it's the last one where the government said, "We have to do a study on reverse PIN." It had gotten to the point where people believed it enough that it became a line item in a bill. They gave them 13 months. It came back. Like we all know, the industry, law enforcement, the processors, hardware, all went, "We can't do this. This doesn't make sense. You're going to hurt people." Most folks can't remember their PIN going forward if you asked them that. Much less, I have to remember it in reverse when someone's pointing a gun at me. By the way, what do you do when the PIN is 1441? We have a problem there.
It's one of those. It's a great idea. But when you put it into the context of human beings, multiple processors, multi-nodal networks, and by the way, the police still have to respond to it, it's just not the way to go. But, yes, whenever I see that, I start laughing, because it's one of those, "Okay, let me update this same post I've done every six months for the last 10 years."
Scott Harroff: 18:06
Yeah. Thanks, John, for spending time with us here today. Thanks for all your valuable information, both as a customer and now as an ATM transaction processor. Thanks so much for being here today with us at TAG PIX.
And thank you to the listeners for tuning in to this episode of Commerce Now. To learn more about reducing ATM fraud and how financial institutions can better protect themselves against these attacks, log in to DieboldNixdorf.com. Until next time, keep checking back on iTunes or your podcast listening channel for new topics on COMMERCE NOW.