ATMs under attack

Stealing data to rob ATM cardholders is getting to be more sophisticated. The latest news involves fraudsters installing an improved malicious software or malware program on automated teller machines that run on Microsoft’s Windows XP operating system.

Date security provider Trustwave which is headquartered in Chicago, USA, released an alert about two months ago about a malware that can record data stored in the ATM cards’ magnetic stripes as well access the PIN or Personal Identification Number.

The malware has been found on ATMs in Eastern European countries, but while withdrawals have been confined to three currencies – US dollar, Russian rouble and the Ukrainian hryvnia – there is no guarantee that new malware versions will be able to stalk more currencies.

According to the Trustwave’s lab analysis, the stolen card data can be printed out by the ATM’s receipt printer, and such harvested information is used to make card copies.

The cybercriminals are able to control ATMs by inserting a “trigger card” into the machine. A menu appears on the ATM screen that gives its controller 10 seconds to pick one of 10 command options using the ATM’s keypad.

The commands are quite extensive ranging from a request to view the machine’s statistics (number of transactions, cards) to printing card data. The “trigger card” can even erase the log memory, reboot the machine and uninstall the malware.

Trustwave has advised banks, mostly based or operating in East European countries where the cybercriminals have been monitored, to scan their ATMs to see if they’re infected.

Who’s to blame?

This type of ATM crime by far presents the biggest threat to the banking industry and its cardholders, and is definitely more superior than the current more popular schemes used by ATM hackers such as hidden cameras that capture the victims’ PIN, or cloning devices that are temporarily glued on an ATM, or glue traps that will “eat” an ATM card.

Currently, when ATM cardholders lose money after their cards are “captured” by fraudsters employing glue traps, banks are quick to distance themselves from any liability. Glue traps, however, are becoming a thing of the past especially with the extensive information campaign warning cardholders of such risks – a reason why fraudsters are desperate looking for new ways to skim card data.

However, when it is the actual operating system of an ATM that is attacked, leading to a cardholder losing his savings, will the bank admit culpability and cover the money that the victimized client lost?

This new wave of attacks on ATMs should make banks thing hard on how they can be a step ahead of cybercriminals. This includes such steps as installing smarter softwares that can detect and bar malwares from entering the system and compromising data security.

Warning from BAP

Recently, the Bankers’ Association of the Philippines issued a warning to the public on ATM theft that is believed to have been triggered by a most recent case that was exposed in the United Arab Emirates.

A special scanner was used to capture card information and transfer it to a duplicate ATM card. This allowed the criminals to withdraw from the bank, leaving the cardholder with no money in his account.

With this kind of device, and others similar to it, the lines of culpability are somewhat blurred, and while the bank will likely stand pat in its position that it is not liable for the theft, the question of consumer protection in an age when cash dispensing machines could be monitored by remote cameras comes to mind.

In fact, BAP’s recent bulletin has warned members to regularly inspect their ATMS for any unusual and non-bank installed devices including hidden cameras that attempt to video capture a cardholder’s PIN input. Even bank security guards are being reminded to be extra vigilant of suspicious looking people around ATM booths.

Vigilance

In the face of all these elaborate and increasing attacks on money vending machines, cardholders are being enjoined to do their share - for whatever it may be worth.

Here is some advice that is worth paying attention to:

• Never divulge your PIN to other people. Change your PIN if you think it is compromised.

• Cover the ATM keypad with your free hand when entering your PIN. This is an effective precautionary measure to the possibility of hidden cameras.

• Pay close attention to everything you do at an ATM. Look for “red flags,” i.e., anything that seems out of place. If your card sticks, look for odd-looking configurations on the ATM, wires, or two-sided tapes.

• Use a strong PIN for both ATM and telephone banking: uppercase-lower case, alpha and numeric online.

• Don’t reply to phishing or phexting emails. Just hit delete.

• Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere.

On the part of the banks, a lot of grief could be avoided by doing some simple pro-active measures.

• Install surveillance cameras that monitor ATM booths, especially if there is no security guard assigned to patrol the area.

• Keep the area around and inside ATM booth well lit. Post easy-to-understand safety and security reminders inside the booths.

• Lastly, fight cybercrime with new technology. Consider migrating current magnetic stripe cards to the more secure electronic chip and PIN cards or Verve Cards.

Philippine Collegiate Championship update

Congratulations to Atty. Baldomero Estenzo and Commissioner Felix Tiukinhoy, top honchos of CESAFI, the major collegiate league in Cebu City, for the successful opening of the 2009 season last Saturday. CESAFI is one of more than 20 collegiate leagues nationwide that is part of the annual search of the Philippine Collegiate Champion being conducted by Philippine Collegiate Champions League (PCCL).

The champion from CESAFI is automatically seeded to the “Sweet 16” finals, while the second, third and fourth placers will pass through the VisMin-Metro Manila zonal qualifying games to earn slots in the elite “Sweet 16.”

Visit www.CollegiateChampionsLeague.net for more details about the 2009 Philippine Collegiate Championship games.

Should you wish to share any insights, write me at Link Edge, 25th Floor, 139 Corporate Center, Valero Street, Salcedo Village, 1227 Makati City. Or e-mail me at [email protected]. For a compilation of previous articles, visit www.BizlinksPhilippines.net.