ATM fraud advances

News from Prague, just weeks ahead of the Payment Card Industry (PCI) meetings there, reveals new levels of sophistication in ATM fraud. The Prague Monitor reports a foreign gang is thought to be behind the attacks.

The principle by which the gang withdraws money from the accounts resembles a mobile telephone: the gang is capable of producing a copy of the card within minutes after the user inserts it and enters a PIN.

They then can withdraw the money in other countries, for instance, in Bulgaria, Poland or Slovakia.

There are two key attributes to the attack. The first is that the attackers are following the same customer behavior as the banks. They are only attacking on Saturday nights, at locations customers are likely to choose for cash withdrawals because those ATMs are marketed as secure.

“So far, they have selected exclusively ATMs placed near the banks – either inside of them or directly outside. These ATMs seem more reliable and safe to users because most of them are monitored by cameras,” [police officer Michal] Ihnat said.

They seem safe, but in fact they are lying in wait. An obvious countermeasure here is for customers to alter their behavior and withdraw cash during the daytime on a weekday. Alternatively the banks could shut down ATMs at high-risk times. This goes to a simple common sense principle — the higher the convenience of an ATM, the lower the ability to protect it.

The second attribute is that the compromise is wireless and hit-and-run, allowing attackers to keep on the move. The attackers do not return to the ATM to collect data, because their skimming device broadcasts the cardholder information. A detective control against this could be wireless monitoring to detect when an ATM is compromised, although picking out rogue signals has several problems: downtown Prague is littered with frequently changing wireless signals, and the attackers could easily encrypt and obfuscate their traffic. Another, more practical solution would be to keep ATMs within a cage that blocks wireless communication. Such a cage is more complicated than it sounds, as signals can easily leak, but it would defeat the attack most directly. It would also be an expensive change to the open-air ATM systems.

This is an attack on authentication, which Bruce Schneier likes to discuss. Bruce's theory of securing the transaction instead of the authentication brings forward another solution: send out-of-band confirmations for ATM withdrawals. A cell-phone call or text to confirm the amount would defeat these attackers, since a cloned card and a captured PIN are not enough to complete the withdrawal. Again, however, it would be complicated to implement and would pose a significant obstacle to convenience.
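As an added illustration of the two countermeasures discussed above (restricting high-risk times, and confirming the transaction out of band), here is a small issuer-side confirmation service. It is example code written for this page, not any bank's real system or anything from the Prague Monitor report. The policy, message format, country codes, card and ATM identifiers, phone number and timestamps are all constructed assumptions; the high-risk window (Saturday 20:00 to Sunday 04:00) is evaluated in UTC for simplicity, where a real deployment would use the ATM's local time zone.

```python
"""Out-of-band withdrawal confirmation: an added, hypothetical illustration (not any bank's
real system). The issuer binds a one-time code to a specific withdrawal (amount, ATM,
country); a cloned card plus captured PIN cannot complete a high-risk withdrawal without
the cardholder's phone. All identifiers and timestamps below are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class WithdrawalRequest:
    card_id: str
    amount: int          # whole currency units
    country: str         # country code of the ATM
    atm_id: str
    requested_at: float  # Unix timestamp


class OutOfBandConfirmer:
    def __init__(self, send_message: Callable[[str, str], None],
                 now: Callable[[], float], home_country: str = "CZ",
                 code_ttl: int = 120) -> None:
        self._send = send_message   # the out-of-band channel (SMS/voice), injected
        self._now = now             # clock, injected so policy and expiry are testable
        self._home = home_country
        self._ttl = code_ttl
        self._phones: Dict[str, str] = {}
        self._pending: Dict[str, Tuple[WithdrawalRequest, str, float]] = {}

    def register_phone(self, card_id: str, phone: str) -> None:
        self._phones[card_id] = phone

    @staticmethod
    def is_high_risk_time(ts: float) -> bool:
        """Saturday 20:00 to Sunday 04:00 (UTC here; assumption, see lead-in)."""
        d = datetime.fromtimestamp(ts, tz=timezone.utc)
        return (d.weekday() == 5 and d.hour >= 20) or (d.weekday() == 6 and d.hour < 4)

    def needs_confirmation(self, req: WithdrawalRequest) -> bool:
        """Policy: confirm withdrawals abroad or in the high-risk window; others pass."""
        return req.country != self._home or self.is_high_risk_time(req.requested_at)

    def request_withdrawal(self, req: WithdrawalRequest) -> Tuple[str, Optional[str]]:
        if not self.needs_confirmation(req):
            return "approved", None
        phone = self._phones.get(req.card_id)
        if phone is None:
            return "rejected", None  # no out-of-band channel enrolled: fail closed
        code = f"{secrets.randbelow(10 ** 6):06d}"
        txn_id = secrets.token_hex(8)
        self._pending[txn_id] = (req, code, self._now() + self._ttl)
        self._send(phone, f"Confirm withdrawal of {req.amount} at ATM {req.atm_id} "
                          f"({req.country}) with code {code}. Ignore if this is not you.")
        return "pending", txn_id

    def confirm(self, txn_id: str, code: str, amount: int) -> str:
        entry = self._pending.pop(txn_id, None)  # single use: a replayed txn_id fails
        if entry is None:
            return "rejected: unknown or already used"
        req, expected, expires_at = entry
        if self._now() > expires_at:
            return "rejected: expired"
        if amount != req.amount:             # code is bound to the amount shown to the holder
            return "rejected: amount mismatch"
        if not hmac.compare_digest(code, expected):
            return "rejected: bad code"
        return "approved"


def demo() -> dict:
    """Constructed scenario: a Prague cardholder, then the same card data used abroad."""
    sent = []
    clock = {"t": 0.0}
    conf = OutOfBandConfirmer(send_message=lambda phone, text: sent.append((phone, text)),
                              now=lambda: clock["t"])
    conf.register_phone("card-1234", "+420-000-000")
    tue_noon = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc).timestamp()
    sat_night = datetime(2024, 6, 8, 22, 0, tzinfo=timezone.utc).timestamp()
    clock["t"] = tue_noon
    results = {}
    home = WithdrawalRequest("card-1234", 2000, "CZ", "atm-prague-01", tue_noon)
    results["home_weekday"] = conf.request_withdrawal(home)[0]
    risky = WithdrawalRequest("card-1234", 2000, "CZ", "atm-prague-01", sat_night)
    results["home_saturday_night"] = conf.request_withdrawal(risky)[0]
    abroad = WithdrawalRequest("card-1234", 2000, "BG", "atm-sofia-07", tue_noon)
    status, txn = conf.request_withdrawal(abroad)
    results["abroad_status"] = status
    code = sent[-1][1].split("code ")[1][:6]  # the holder reads the code from the message
    results["wrong_amount"] = conf.confirm(txn, code, 5000)
    status, txn = conf.request_withdrawal(abroad)
    code = sent[-1][1].split("code ")[1][:6]
    results["holder_confirms"] = conf.confirm(txn, code, 2000)
    results["replay"] = conf.confirm(txn, code, 2000)
    status, txn = conf.request_withdrawal(abroad)
    clock["t"] = tue_noon + 300               # past the 120-second code lifetime
    results["expired"] = conf.confirm(txn, sent[-1][1].split("code ")[1][:6], 2000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the design is that the code the cardholder sees is bound to the amount, ATM and country of one specific withdrawal, is single-use, and expires quickly, so an attacker holding a cloned card and PIN in another country still cannot turn them into cash. Routine home-country weekday withdrawals pass without the extra step, which is where the convenience trade-off the post mentions is made.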
