EMV (or “Chip and PIN” as it’s known in the UK) is changing the fraud landscape, no doubt about it. Counterfeit card fraud at POS is down, card theft is down, card-not-present is up, phishing is up, ATM fraud is up. Fraud migrates, we get the picture. But as EMV reaches maximal deployment in the next five years or so, the banks and other investors in this technology are hoping that the flood will abate to a trickle, and that some holes can be totally plugged.
I’ve been thinking about whether or not EMV is capable of sorting out the ATM fraud problem (also known as “phantom withdrawals”) once and for all. Well, as I wandered around town this afternoon, I snapped some pics of an ATM in distress at WH Smiths, and it reminded me how horribly vulnerable our ATM infrastructure is.
It’s not just the “look of vulnerability” exuded by them… like these cheap wafer-locks on the housing of the aforementioned ATM (I’m sure there must be a better lock before the cash safe itself), it’s that all the security is based around keeping the money and the secrets safe, and very little attention is focussed on keeping the machine alive and operating.
Read on to find out my master plan…
Now, up until the deployment of EMV, why disable an ATM? Why damage it if you know that you can’t get the money out? Disabling an ATM would just be mindless vandalism. But now put yourself in the mind of an organised financial crime gang, looking on while your steady income of nice clean money from ATMs peters out as the bank slowly upgrades all the ATMs in your area to be EMV-capable. Are you going to be angry? Yes! Who’s in charge of this neighbourhood, the west-side posse, or the west-clyde bank? We are!
So you fall back to a good old-fashioned crime — racketeering, with the aim of forcing the banks to continue to fall back (to magnetic stripe) themselves. It’s quite simple: any ATM which denies a magstripe fallback transaction gets worked over. You can put in a card with high voltage contacts to zap the chip reader, or with nasty goo on to stop the contacts from working, but leave the magstripe functionality intact. That’s a kind warning to the west-clyde bank (fictional name taken from “The Parole Officer”) to continue to support fallback. If you want to be firmer, then squirt glue in, smash up the screen. Maybe if you know the right place to drill, you can trigger the dye pack and destroy all the cash within!
ATMs are vulnerable because many of them are in isolated locations, fixed there 24/7. Those in safer locations are still vulnerable to surreptitious damage — done in such a way that even under observation it is impossible to tell the crook who is sabotaging the ATM from a legitimate user. Should the ATM sound an alarm when detecting sabotage, the crooks need only migrate to a different strategy where the damage is done more slowly, for instance by squirting in a chemical which will degrade the ATM innards progressively over a week.
Now a criminal gang would be foolish to think they can take on the whole world with this trick, abort the move to EMV, and reign in glorious anarchy. But maybe they can hope to secure their cut. If the crooks are smart, they’ll target a particular ATM brand or particular acquirer at a time, and furthermore only use magstripe cards ripped off from the same bank (where the acquirer is also the issuer). Keep it nice and small, keep it individualised, and maybe a special deal can be struck. From here we can move on into a more stable fraud scenario: the protection racket.
The gang hits ATMs on magstripe fallback for up to a certain amount each month (say 50K per month per suburb), but they don’t get too greedy. In return, the gang offers that acquirer protection: they have the men on the ground to ensure that no other gang goes around physically damaging the ATMs or getting too greedy, and tacitly funding the gang is much cheaper than funding the police to try and lock up all the crooks. The gang might even knock out ATMs from rival acquirers, and so much the better if the only ATMs still standing happen to be fee charging!
So there’s my dystopian vision of the “ATM protection racket”, and we can see that there are limits to what technology like chip cards and PINs can achieve, especially in protecting a bank’s real front line presence: its cash machine network. The questions that spring to mind are:
- Is this a war that the banks can win?
- How much of bank anti-fraud policy is really driven by economics, and how much by honour?
- Should security architects be designing security protocols and systems that try to write the crook totally out of the equation, or should we leave them a small (acceptable) window, lest they fight us on a battleground which is more costly? Think here of the problems suffered in South Africa by improving anti-theft security on cars; live hijackings and the like soared upwards.
- What technologies can help us armour ATMs against denial of service?
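One modest answer to the last question is on the monitoring side rather than the hardware side: a terminal whose chip reader has been zapped or gummed up (deliberately or through ordinary wear) shows up as a terminal whose share of magstripe fallback transactions climbs well above the fleet norm, and the slow-degradation variant shows up as a fallback rate that rises day on day. The script below is an added illustration of that check and is not code from this post or from any bank; the transaction records, the 2% “normal” fallback rate, the 5× multiplier and the minimum-volume cut-off are all constructed assumptions, chosen only to show the shape of the analysis.

```python
from collections import defaultdict

# Constructed ATM transaction records (assumption: one tuple per withdrawal
# of terminal id, ISO timestamp, entry mode reported by the terminal).
# "fallback" means the chip could not be read and the terminal fell back
# to the magnetic stripe, which is the path a sabotaged reader forces.
def _make(terminal, day, chip, fallback):
    ts = f"2006-03-0{day}T12:00"
    return ([(terminal, ts, "chip")] * chip
            + [(terminal, ts, "fallback")] * fallback)

SAMPLE_TXNS = (
    _make("ATM-001", 1, 10, 0) + _make("ATM-001", 2, 10, 0)   # healthy reader
    + _make("ATM-002", 1, 10, 0) + _make("ATM-002", 2, 9, 1)  # one-off fallback
    + _make("ATM-003", 1, 5, 1) + _make("ATM-003", 2, 3, 3)   # reader degrading
    + _make("ATM-003", 3, 1, 5)                               # ... day by day
    + _make("ATM-004", 1, 2, 2)                               # too few txns to judge
)


def fallback_rates(txns, min_txns=5):
    """Per-terminal (fallback_count, total, rate), ignoring low-volume terminals
    so that a single bad card at a quiet ATM does not raise an alarm."""
    counts = defaultdict(lambda: [0, 0])  # terminal -> [fallbacks, total]
    for terminal, _ts, mode in txns:
        counts[terminal][1] += 1
        if mode == "fallback":
            counts[terminal][0] += 1
    return {t: (fb, total, fb / total)
            for t, (fb, total) in counts.items() if total >= min_txns}


def flag_terminals(txns, baseline_rate=0.02, multiplier=5.0, min_txns=5):
    """Terminals whose fallback rate exceeds multiplier * baseline_rate.
    baseline_rate is an assumed fleet-wide normal fallback share."""
    threshold = baseline_rate * multiplier
    rates = fallback_rates(txns, min_txns)
    return sorted(t for t, (_fb, _total, rate) in rates.items() if rate > threshold)


def daily_fallback_trend(txns, terminal):
    """[(day, fallback_rate), ...] in date order for one terminal."""
    per_day = defaultdict(lambda: [0, 0])
    for t, ts, mode in txns:
        if t != terminal:
            continue
        day = ts[:10]  # date part of the ISO timestamp
        per_day[day][1] += 1
        if mode == "fallback":
            per_day[day][0] += 1
    return [(day, fb / total) for day, (fb, total) in sorted(per_day.items())]


def is_degrading(trend, min_days=3):
    """True when the fallback rate rose strictly on each of the last min_days
    days: the signature of a reader being slowly poisoned rather than a
    single bad card."""
    if len(trend) < min_days:
        return False
    rates = [rate for _day, rate in trend[-min_days:]]
    return all(later > earlier for earlier, later in zip(rates, rates[1:]))


if __name__ == "__main__":
    for terminal in flag_terminals(SAMPLE_TXNS):
        fb, total, rate = fallback_rates(SAMPLE_TXNS)[terminal]
        trend = daily_fallback_trend(SAMPLE_TXNS, terminal)
        verdict = "rising day on day" if is_degrading(trend) else "sudden"
        print(f"{terminal}: {fb}/{total} fallback ({rate:.0%}), {verdict}; "
              f"schedule reader inspection")
```

In the constructed data only ATM-003 is flagged, and its day-by-day rates (roughly 17%, 50%, 83%) mark it as a reader being slowly killed rather than one hit by a single damaged card; ATM-002’s lone fallback stays under the threshold and ATM-004 is simply too quiet to judge. The point of running something like this fleet-wide is that a bank sees which readers need a visit before it is faced with the choice between accepting fallback everywhere and having its machines stand dark.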
My starter for 10 is that if contactless EMV makes it in, then it could negate the need for one of the holes in an ATM in the long term. This just leaves the hole that the cash comes out of. But they must watch that the contactless antennae are resistant to attack by homemade EMP weapons (a la camera flash and coil). Any further thoughts?