Fighting ATM Cash-Out Schemes: Fraud Expert Offers Mitigation Strategies
U.S. accounts are prime targets for these attacks because of outdated payment-card technology and ineffective transaction monitoring systems, Buzzard contends.
The U.S. "is a playground for these criminals," he says. Magnetic-stripe card technology, which remains the standard in the U.S., is just too easy to counterfeit, Buzzard says in an interview with Information Security Media Group [transcript below].
As other countries have adopted chip-and-PIN technology that conforms to the Europay, MasterCard, Visa or EMV standard, more card fraud has migrated to the U.S., he adds.
The card brands' target date for the United States' migration to EMV is 2015. Buzzard predicts international fraud rings will up their efforts over the next two to three years to exploit existing magnetic-stripe weaknesses before EMV moves in.
Between now and then, banking institutions and payments processors should focus on stronger PIN security, real-time transaction monitoring and intrusion-detection systems, he stresses.
"It all comes down to having a solid, real-time fraud solution," Buzzard says. "And if you're not doing intrusion testing today, get on board with it."
During this interview, Buzzard discusses:
- Why more information sharing with law enforcement is essential for banks and credit unions;
- How collaboration among industry associations and banking institutions can improve efforts to predict and thwart cash-outs and other international fraud schemes;
- Why stronger controls are needed to thwart insider threats.
Buzzard is an expert on counterfeit card skimming and financial crime and is the creator of FICO's Fraud Forum website, which serves more than 11,000 financial-institution members. Buzzard also serves on the boards for the Mid-Atlantic chapter of the International Association of Financial Crime Investigators and the ATM Industry Association.
TRACY KITTEN: This most recent cyberheist hinged on hacking payments processors and then increasing the load limits on prepaid debit cards, which were later used to make ATM withdrawals for cash. Card numbers are being stolen in a number of ways today, either through skimming attacks, POS device tampering, and now these network attacks. Would you say that network attacks are just part of the natural evolution of card fraud?
JOHN BUZZARD: I think it's a question that begs to be answered. These astounding attacks are becoming more prevalent as international criminals become more daring and greedy to capture as much ill-gotten gain as they can. It's all about the cross-border fraud, obviously, for criminals coming into the U.S. or living outside of the U.S. and targeting our ATMs and our financial infrastructure. It's relatively common to literally read about some sort of information breach every week in a stride of industries, from healthcare and financial concerns to institutions of higher learning. It's quite something to behold.
KITTEN: You and I have talked about card technology and how some of the lingering technology that we have in the U.S. is oftentimes what makes us vulnerable. Would you say that EMV, or chip and PIN card technology, could address and/or mitigate some of these risks?
BUZZARD: Absolutely. It's a major problem and has been for many, many years. As other countries in the world have adopted or they're in the process of this migration, shall we say, to a smart card technology, we do have a roadmap in the U.S. to migrate to chip cards, and it's certainly the right direction for us to take to counteract card-present payment fraud. It's truly the gold standard. We just have to embrace those initiatives and really push to make sure that this chip card initiative happens sooner rather than later. Obviously, we have a roadmap from our associations, and we're looking towards 2015 for that. As we press toward full compliance as a nation, we'll see dramatic shifts in fraud, absolutely.
KITTEN: Do you think that EMV technology would have helped to mitigate some of the risk that was posed by this most recent cyberheist?
BUZZARD: The roadmap for the U.S. migration to chip cards is certainly the right direction to counteract card present payment card fraud. I mean, it's the gold standard, and we're certainly embracing this idea. I think everyone really wants to push the initiatives to get to that compliance level so that we can see the precipitous drops in card-present fraud that other countries that are now compliant have experienced. It's the ultimate goal and the ultimate antidote.
Large Amounts Lost
KITTEN: We've seen these types of cyberheists and ATM cash-out attacks before. ... In fact, the RBS WorldPay attack back in 2008 was a similar type of scheme. But is there anything about this most recent incident that stands out to you?
BUZZARD: The mere fact that this situation has occurred again in such a relatively short period of time, from the similar attack, referring back to 2008, that's surprising to me. But what made me stop and really take notice was literally the loss amount. ... I don't think that we can ignore the fact here that the victims allegedly are in areas of the world that are deemed as being a little deficient or backwards in their security practices. I think that's a very naïve paradigm to be living in, regardless of where you are.
It reminds me of a problem that's not unlike what the U.S. issuers, in particular, have experienced since 2005 with phishing. ...When we started to have an enormous amount of phishing problems from 2005 onward, most financial institutions assumed that phishing was the plight of the goliath-like brand names that are out there, the very large financial institution brands. As a result of that perception, there were a lot of [smaller] financial institutions that ... really neglected to take simple measures to reduce their risk of that type of fraud.
I think that the same thing is happening in our industry today when companies make that fatal mistake of saying to themselves, "We're not in an area where there's a lot of fraud; we haven't had a problem; we really don't think this is ever going to happen to us." That thinking alone is a key to a future weakness in everyone's security. When you talk about a financial brand that's in another country, and we say, "Well, it's a little weak," the thing is it's sort of the idea here that if you live in a gated community, you don't have to lock your front door. In reality, you do. The same thing is said for security practices. Once you install a security system, it's not enough just to have it; you have to make sure that it's working. You have to go back, look at the systems and take a look at traffic reports. There are a multitude of things that people need to do to make sure that it's not just enough to have that security system in place. We have to test it to make sure that it's there and working properly.
How Attack Occurred
KITTEN: Looking at this particular scheme, how do you think that the attacks against the payments processors were actually waged and the network penetration was accomplished?
BUZZARD: Honestly, if I had to go with a gut feeling, I would say that it wouldn't surprise me eventually to learn that there were some internal clues that may have involved either a current employee at these organizations or maybe a former employee. Today, I think one of the most common and dangerous elements to any type of a security operation, whether you're at a financial institution or [not], it's that employee sitting at their desk today, and for a variety of reasons. Maybe our employee is having a bad day and they have sloppy security practices and they leave us vulnerable for just enough time for somebody to sense that vulnerability. ... That's one of the ways. I'm thinking possibly that in this case it could have been an internal situation where somebody, on purpose perhaps, left a port vulnerable.
Again, you also have employees who really are contemplating career changes. They have their own axe to grind with the institution, and we've heard many times before - especially when you have someone who's in a position of ultimate power like a DBA administrator or someone who can issue these passwords - it's really a volatile, scary idea to have somebody who today can create a user ID and a password on your system that allows them to gain access through your VPN and sensitive information long after they've left the organization.
There's a lot of monitoring that has to happen, a lot of auditing. Whenever someone is leaving the company, it's a good idea to go back and take a look at what they've done over the last year and just see if there's anything that sticks out as an unusual vulnerability, because it could have played into this situation. If it didn't, then they obviously had some really unprotected areas of their organization that allowed somebody to do some simple intrusion testing to get in there and get to the critical systems in place.
KITTEN: Why was this intrusion not detected sooner?
BUZZARD: Honestly, I think that we'll know some more details as they emerge because the story is relatively new to everybody. It kind of goes back to this thing that if you're not monitoring incoming and outgoing traffic - ports that are opening and closing - and there's no real audit of day-to-day system access, it's highly possible that this is just one of those situations where it was a sloppy business practice that somebody didn't perform due diligence, just routine check-ups. If we had an employee sitting there that was helping to perpetrate the situation, then obviously we can help to circumvent and hide access and controls like that.
Detecting Cash-Out Schemes
KITTEN: In this particular incident, the profit from these attacks actually came in the form of cash, which was withdrawn from numerous ATMs over a short period of time. This type of scheme is known as a cash-out scheme. From what I understand, cash-out schemes are very difficult for banking institutions to detect because the fraudulent ATM transactions occur so closely together and they occur from multiple locations. But are there steps that banking institutions can take to help improve their chances of detecting or even predicting some of these schemes?
BUZZARD: It all really comes down to a solid real-time fraud solution ... whatever type of fraud solution is appropriate for your organization. It's not possible to be everywhere in every corner of the world at all times, but there's a lot of really great technology out there that would enable a card issuer to have some controls in place for out-of-band card activity. [It's] the same with processors, with activity through certain geographic regions and hot terminals and things like that. I really do think that the investment in time, thought and money should probably go toward real-time fraud solutions, no matter who's doing your fraud prevention, whether it's you or a third party. It's really all about that, and it's not enough to look back and say, "Wow, we just realized that three weeks ago we lost money. We need to know about it today and take some really measured quantitative steps to prevent the fraud in the authorization stream."
KITTEN: These so-called cash-out schemes are not anything that's new, but experts suggest that they're increasing. Why would you say that these types of attacks or schemes are on the rise?
BUZZARD: Honestly, in the United States I truly believe that it's tremendously involved with cross-border fraud. This is literally over the next three years or so as we're pushing toward our EMV compliance. This is truly a period of time of what I like to call the ... speeding of criminals against our payment guards. If this is truly the last area where you can perpetrate these types of schemes in the world where there's great vast wealth, there's no employment of chip technology or preventive measures, this is a playground for the criminal, isn't it? The United States is very attractive in that respect - very rich and very vulnerable. We're probably going to see more and more and more, and we have three years to go here, so who knows what's going to happen?
KITTEN: When we look at these cash-out schemes, how is information about possible or actual cash-out schemes being disseminated to banking institutions? I'm assuming this is going to play an even more important role as we move forward over the course of the next three years.
BUZZARD: I think it's all about the information that people have at their fingertips, as you say. ... You're only as good in this industry as the rolodex at your fingertips and the fraud intelligence that you have access to. Sometimes, you have to make that happen for yourself. It's not going to come looking for you. A lot of advisories, warnings and fraud intelligence come in from really great organizations that are in tune with fraud trends like cash-outs, whether that may be Visa, MasterCard, American Express, a lot of the other organizations, even the ATM Industry Association.
I have to say even with FICO we have something for financial institutions that just keeps growing and growing in popularity. It's our fraud alert network website and it's something that, since its inception in 2002, we have 11,000 financial institutions and law enforcement professionals participating, networking and gathering fraud intelligence in their secure environment. It's really important to stay in touch and in tune with what's happening out there, not just from a geographic perspective. I'm not just saying that it's important that we know that cash-outs are happening in California, for example, but we need to know more about it. What are the characteristics, the dollar amounts? Are there things that are missing in the authorization stream that we can use as a defense against the criminals' efforts? There's a lot to learn out there, but there are some wonderful ways to learn it if people take advantage. You need to familiarize yourself and make contacts with law enforcement if you're at a financial institution.
KITTEN: Before we close, are there any final thoughts that you'd like to share with our audience?
BUZZARD: One of the things that's really, really important is revisiting your current security practices. I think it's reasonable to say that if you're not doing intrusion testing today using a third-party intrusion firm, get on board with it because you don't want to find yourself in a position where you're in the news with a very embarrassing and business-affected case at your fingertips. My thought would be to find a good third-party vendor to investigate and try to penetrate your systems. It's worth it to really see how you stack up and see how quickly these people are able to breach your systems, if they are at all. Organizations that are vulnerable, have a lot to lose and have a lot of personal data for consumers truly need to consider having that intrusion system in place. There are a lot of hardware-driven ideas out there that are in the marketplace today that could be used. ... Just don't assume that you have best-in-class. You need to test it.
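One way to turn the cash-out pattern discussed above (many withdrawals, a short time span, multiple locations, caught in the authorization stream rather than weeks later) into detection logic, as an added illustration that is not part of the interview and not FICO's or any vendor's product code: the function keeps a per-card sliding window over constructed authorization records (sample data, not real cards or ATMs) and flags a card when withdrawals inside the window exceed a count, a number of distinct cities, or a dollar total; the thresholds are assumed placeholders an issuer would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization records (not real data):
# (card, ISO timestamp, ATM id, city, amount). Card ...0001 is drained from
# several cities within minutes; card ...0002 shows ordinary local use.
SAMPLE_AUTHS = [
    ("4111-0001", "2013-05-10T02:00:00", "ATM-NYC-01", "New York", 500.0),
    ("4111-0001", "2013-05-10T02:02:30", "ATM-NYC-07", "New York", 500.0),
    ("4111-0001", "2013-05-10T02:03:10", "ATM-CHI-02", "Chicago", 500.0),
    ("4111-0001", "2013-05-10T02:05:45", "ATM-LA-04", "Los Angeles", 500.0),
    ("4111-0002", "2013-05-10T09:15:00", "ATM-BOS-01", "Boston", 60.0),
    ("4111-0002", "2013-05-10T18:40:00", "ATM-BOS-03", "Boston", 40.0),
]


def detect_cash_out(auths, window=timedelta(minutes=10), max_count=3,
                    max_cities=1, max_amount=1000.0):
    """Return {card: reason} for cards whose ATM withdrawals inside a sliding
    time window exceed any threshold. Thresholds are placeholder assumptions.
    Records are processed in time order with per-card state only, so the same
    loop body can run on a live authorization stream."""
    recent = defaultdict(deque)  # card -> deque of (ts, city, amount) in window
    alerts = {}
    for card, ts, _atm, city, amount in sorted(auths, key=lambda r: r[1]):
        t = datetime.fromisoformat(ts)
        q = recent[card]
        q.append((t, city, amount))
        # Drop records that have aged out of the window.
        while q and t - q[0][0] > window:
            q.popleft()
        if card in alerts:  # already flagged; keep state but do not re-alert
            continue
        count = len(q)
        cities = {c for _, c, _ in q}
        total = sum(a for _, _, a in q)
        if count > max_count:
            alerts[card] = f"{count} withdrawals within {window}"
        elif len(cities) > max_cities:
            alerts[card] = f"{len(cities)} cities within {window}: {sorted(cities)}"
        elif total > max_amount:
            alerts[card] = f"${total:.0f} withdrawn within {window}"
    return alerts


if __name__ == "__main__":
    for card, reason in detect_cash_out(SAMPLE_AUTHS).items():
        print(f"ALERT {card}: {reason}")
```

The geographic check fires on the third record for the first card (New York and Chicago inside ten minutes), before the count or dollar thresholds are reached, which is the point of evaluating dispersion alongside velocity.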