Credit card fraudsters may have pocketed as much as $500,000 over the past month by pursuing a new type of attack that exploits a major blind spot in payment processors' defenses, an analyst said. The "flash attacks" recruit hundreds of money mules who go to ATMs throughout the US and almost simultaneously withdraw relatively …
And here's me thinking ....
that a simple check that flags up the same card being used at multiple locations within a short time might be a good idea - especially if the locations are scattered "all over the country".
Small Amounts May Be Handled Locally
Depending on the network and back-end, it wouldn't be unusual for a cash dispenser to have a negative file locally that it used for amounts under a particular threshold. More and more ATMs are running over IP networks with limited reliability and capacity, switched through "web-enabled" front-ends that are bottlenecks. Keeping the cost per transaction down is critical in any retail operation. Further, the DDA switches are less sophisticated than the credit card switches. This is because it is your money in your account, not the bank's; whilst with credit it is the bank's money at risk.
Which leads me to note that the title of the article is misleading; this is a problem with ATM fraud; on credit card switches velocity checking would catch them right out.
Anonymous because I need to keep getting work.
In America you can do credit card withdrawals at ATMs
In America you can do credit card withdrawals at ATMs.
So it could be credit cards and ATM cards.
But where I am, all ATM cards are now all chipped and have been for a couple of years, so presumably copying the magnetic strip won't work. I don't know if the ATM card chipping is nationwide yet or not.
Only some credit cards are chipped.
Detect multiple locations?
Perhaps I'm missing something, but surely if the card is used in multiple ATMs several miles apart within 10 minutes (such as both New York and San Francisco) this would be a good clue to the fraud system that this is impossible.
Some type of "impossible to have gotten from the last ATM since last transaction" check.
If an ATM card is being used in a city different from the one it was last used, a withdrawal transaction should require that the account in question be brought up to date. Of course, this can't be done at the level of individual ATM machines - checking them for pending transactions on the account - but if it's done at the level of individual cities, that should be fast enough, and not create an intolerable load on the system.
Assuming, of course, that every ATM transaction is immediately entered into a bank database for the city or state at the time of processing, and they're not stored in the ATM for forwarding hours later. But if that's not true, achieving it should also not create an intolerable burden.
Small amounts can be stored and forwarded.
Small amounts can be stored and forwarded.
Say what you like about the morality, but that's a clever attack.
What do we pay these Credit Card companies for?
Multi-Billion Pound finance companies with some of the highest expenditure on IT Security, yet they are perfectly happy to assume I can be in 100 places at once. No wonder the criminals get ahead so easily when they're competing against companies like this.
If POS/ATM could be linked in with Geographical Information it could seriously cut fraud.
You pay to be their bitch.
They pay the government to be allowed to take your money. If the credit company does fuck up, they just get the government to sort it out.
Fun, isn't it?
But that would require some sort of Google API or geo-locate license which would cut a chunk out of their billions per year in profit. A 0.0000000001% chunk is simply intolerable doncha know.
Not that many they couldn't look them up in a table
Not that many they couldn't look them up in a table. These are ATMs stuck in the walls of buildings, not mobile phones.
If it is cheaper to tolerate the fraud than prevent it, they'll tolerate the fraud.
If it is cheaper to tolerate the fraud than prevent it, they'll tolerate the fraud.
I'm not current on bank security, but as an example from 15 years ago, look at the cheques issued by banks processing payrolls for clients. Fraud on payroll cheques occurs, but at such a low rate it is not worth using more costly high security cheques. So the business people decided to continue just using regular coloured paper run through special printers.
But in the case of credit card swiping, they are switching to chipped credit cards, so they must have figured the level of fraud made it cost effective to use more expensive cards and processing.
I suspect some banks are doing this. A few years ago in fact.
I believe that's how HSBC managed to determine that someone had skimmed my debit card.
They rang me to query the fact I was simultaneously at a cash machine in Halifax after having just bought something from a motoring shop in Essex a few minutes earlier. Unfortunately, the little b*ggers managed to get 500 quid from my account before it got stopped, but at least it was before they maxed out my overdraft.
I even got all of the cash back, although it took 6 weeks.
But was the Halifax branch in Essex too?
The odd thing is that bank/card company fraud detection systems already pick up on foreign use of cards - I'm sure almost everyone on here has heard the story of "I phoned my bank 4 times to tell them I was going abroad, and they still blocked my card" - so surely the same system should notice these cards being used all over the place?
Or do said systems only care about use in different countries, and are somewhat less vigilant about multiple withdrawals within the same country (I assume the article discusses the USA)?
Probably within the system not requiring an inter-bank connection.
I'm not sure about how many networks you have in Europe, but I'm guessing the store and forward processing of small transactions is probably only for cards from that institution's card network.
UK (and EU, as far as I know) based banks would detect that. Then again, they also don't use magstripe which is trivially copied.
The USA needs chip and pin.
When's the last time you've used a chip&pin CASH MACHINE? When you push the card in and it "clunks" a few times, that's the machine moving the card over a magstripe reader.
That said, many years ago when I lived in Bridgwater, my bank phoned me to say it had declined a large payment in Blackpool based upon my using the card in Bridgwater around the same time, and could I pop into the branch tomorrow at my convenience to confirm it wasn't me. When I got there, they took (and destroyed) my card, told me if I needed cash, I could write a cheque to "CASH" and the usual fee (about £3 if I remember) would be waived, and my replacement card would arrive by post within the week. That's how this sort of story is supposed to go.
cash machines have had chip and pin for years
The only type that don't do it are the dodgy ones you find in shops that ask you to insert and remove your card. The inner workings of Bank ATMs have used chip for ages.
Most likely is that there's a hybrid reader inside, in case someone without a chip or with a broken chip tries to use the machine. This is the major weakness in the system, though should be getting phased out over time.
Chip & pin cash machines
All of the cash machines I use are chip & pin. I know this because my mag strip is damaged! There is one machine locally that I'd like to use but can't because it's mag based, but it's not a big enough problem to request a new card.
The clunking that you hear is the card being loaded into the chip reader. The card isn't moved back and forward over the magstripe reader, in fact even when ATMs just used magstripe, it usually didn't need to pass over the reader more than once. The only time that a magstripe is used is if there is no chip on the card, or if the chip has failed. Even in the case of a failed chip, there are only specific situations in which the card will be used, most ATMs won't use a chip and pin card with a failed chip, due to the probability that it has been cloned.
This is the main reason that when cards get skimmed in the UK, they are always used in a non chip and pin area.
If an ATM card is being used in a city different from the one it was last used, a withdrawal transaction should require that the account in question be brought .
Um since people don't always live and work in the same city that might be a nuisance. It's not uncommon for me to travel 50 miles from home for pleasure. Now what I have seen happen is if you travel out of state (in the US) your ATM/card the card might work for one transaction but then is shut down. A much better solution is if the card is used more than once at different ATMs in under 30 minutes.
Seems a bit excessive
Sending a hundred folk out to raid my checking account? Each card that they created would return a couple dollars. Hardly seems worth the effort.
$50 from 200 accounts by each of 10 people = $100,000
Maybe the interim solution is to program ATMs to start checking centrally after 10 to 20 successive requests below the level at which central checks are normally required.
With so many mules, I wonder how hard it would be to find out who hired them after you get a couple of them...
re. Another Thing
Like a lot of "low-level" crime, this sort of thing is organised by people who know how to prevent being ratted out. The mules will be recruited by local "agents" on the street, they won't be working out of an office. Each mule is only committing a relatively minor offence, so the police can't really apply much pressure, whereas the criminals further up the food chain are happy to apply pressure with a car crusher so that informants are rare and vanish quickly.
Chip & Pin?
Years ago I had an idea of cloning a card and getting an accomplice to withdraw a large sum of money from a cash machine while I was withdrawing a small sum, at about the same time but many miles away.
I would then complain to the bank and claim they'd made an error and ask for my money to be restored. I never tried it because I'm such an honest and law-abiding citizen but it seemed like a hole in the hole-in-the-wall system.
The US needs to move to Chip and Pin or geocode their ATMs and add some Pythagoras to their transaction process.
Telcos know location, ATM systems don't
This type of fraud with cloned phones has been known by telcos for a very long time and is routinely spotted, though not necessarily within several hours of a clone's first use, since call details, which include the cells where the call was made and received, are not sent to the billing system immediately. This is known as 'velocity fraud' because the travel speed between successive calls is calculated to decide whether a fraud is likely.
By contrast ATM transactions are generally authorised in real time because the bank needs to check the card holder's account balance and withdrawal limit before the withdrawal is authorised. Although a bank or ATM network needs to know where its machines are so they can be serviced and have more cash stuffed into them, this information isn't generally known by the system that authorises the withdrawal, so velocity checks are not possible.
re: Telcos know location, ATM systems don't
Sounds like a lack of interest by the ATM networks. Add a GPS to the ATMs and include that data with the transaction. A quick query to Google Maps to calculate travel time and you're sorted.
Ok a bank may not do it that way, but you get the idea.
EMV chip deadlines: none for USA, but coming soon for Canada
GPS not needed, the ATMs on this side of the Atlantic are anchored in walls. The installer could program in the location.
I was in Google to get some up-to-date info, and it seems that the US credit card industry has not yet found it cost effective to move to EMV chips, although some very big businesses (like Walmart) are pushing for it. International business travellers based in the USA are also pushing for EMV chipped cards.
On the other hand, Canada has an EMV chip deadline.
* October 2010 - Visa Canada and MasterCard shift liability to merchants who do not accept EMV transactions.
* December 31, 2012 - Magnetic stripe debit cards no longer accepted at ABM’s.
* December 31, 2015 - Magnetic stripe debit cards no longer accepted at Point Of Sale.
I heard a rumour that the "E" in EMV stands for Europe, that is probably the reason for the delay. (Similar to the "E" in metric.)
E stands for Europay, who used to operate the Mastercard scheme in Europe, if my memory serves me correctly. They were merged into Mastercard a few years ago, but the three companies that gave the scheme their initials are the three that founded it in the 90s, IIRC.
EMV - Europay, Mastercard and Visa.
and magnetic strips, so American, one wonders.
mag strips vs chip and pin
you mock the US's use of mag stripes. in the US, when your card has fraudulent activity, the card issuer is required to prove the authorized user initiated the transaction by either signature or an ATM photo. from what I understand, under "chip and pin", merely the use of the PIN proves that the transaction was authorized and the user must find a way to prove that it was not.
note that this attack takes place at the payment processor level, not the bank. i would not be surprised in the least to find out that these payment processors are holding the withdrawals at the regional level to save money by processing in a batch file. especially as i have seen it with my own account (make a withdrawal/purchase at 10 am on the weekend and it not go through until monday, even as an authorization).
Chip and pin was introduced to protect the banks' interests not the customers'. Another example of the modern corporate attitude that all customers are judged guilty and have to prove themselves innocent when something goes wrong. Which we in the UK have, with characteristic apathy, accepted as the norm.
"you mock the US's use of mag stripes. in the US, when your card has fraudulent activity, the card issuer is required to prove the authorized user initiated the transaction by either signature or an ATM photo. from what I understand, under "chip and pin", merely the use of the PIN proves that the transaction was authorized and the user must find a way to prove that it was not."
Not true. The credit laws in the UK (dunno about Europe as a whole) have the same provision. Any dispute requires an immediate refund by the credit card issuer, who then undertake to investigate the fraud.
If Chip & Pin was not used then the retailer assumes liability and refunds the money to the bank and must investigate the fraud themselves. Or just write off the cost.
If Chip & Pin was used then the bank assumes the blame and investigation costs/procedure.
But here's the rub - EMV is pretty secure. I'm sure there are exploitable holes in there somewhere, but it's pretty secure, so it becomes more suspicious and the banks will look into it very closely.
I don't believe that there have yet been any successful Chip&Pin card clones. The current fraud vectors are magnetic strip and customer-not-present (i.e. internet stuff). The strip is the major hole because it is clone-able and retailers have the option to accept it, at their own risk. I'll be glad when it's gone.
Debit cards operate under different legal frameworks but the fact that, as yet, no clone fraud has occurred makes your situation pretty unlikely.
This is a common urban myth, indeed in the UK it was written into law (a couple of years ago) that the bank must prove that their customer is being fraudulent, not the customer prove that they aren't.
@ David Hicks
I had posted the epic URL (bloody Google), but it was a mess, so here's the TinyURL version. It's the QuickView of a PDF from Cambs uni.
http://tinyurl.com/39hpde4 [check: http://preview.tinyurl.com/39hpde4]
It is (currently) true that the chip cannot be cloned. This does not mean the system is secure and fraud no longer happens. See also: http://en.wikipedia.org/wiki/EMV#Vulnerabilities
Still works for me after all these centuries...
At a guess, that'd be why people are fraudulently taking it from cash machines? Unless you are suggesting that people take money out over the counter in amounts that are required to cover the weekend. Or maybe they should keep all their money under the bed?
Do not want chip and pin
and Curtis sums up why. If my antiquated mag stripe card is cloned and used fraudulently, my bank will refund the money, no sweat. Despite the chip being shown to be cloneable (and why, if someone installed hardware to clone a mag stripe, wouldn't they clone the chip too since it is in fact cloneable?) banks in the UK at least have this fantasy that it is not, and hold the cardholder responsible for fraud (since fraud with this card is according to them impossible.) I am afraid that US banks would try to follow this same fantasy. Of course, if the US banks don't follow this fantasy then I really don't care what they do.
because cloning ain't possible right now
"(and why, if someone installed hardware to clone a mag stripe, wouldn't they clone the chip too since it is in fact cloneable?)"
'cos it's not possible at present.
It's possible to intercept comms between the card and the terminal, maybe find out the PIN by a bit of decoding, and create mag-stripe data from the info you've gathered. This does not allow you to create a cloned chip card.
In fact, IIRC, the only current cloning method involves using an electron microscope to try to read the key off the in-chip storage.
"banks in the UK at least have this fantasy that it is not, and hold the cardholder responsible for fraud"
That's actually illegal if we're talking about credit cards, they are obliged to refund the money immediately you tell them a transaction is fraudulent.
I would be genuinely interested to read about cloning techniques if you know some concrete details though, I used to work on EMV systems (retailer, issuer and acquiring bank systems).
The most I can find is that some Cambridge researchers have figured out it's possible to clone an SDA card (the cheap type which we ought to move away from) and then use it only for offline (very low value) transactions. Not much of a threat there compared to mag strip eh?
There have been no clones of Chips ever, even Ross Anderson hasn't managed to do that and you know he'd shout about it, if he had.
The banks won't hold you responsible, well in the EU at least.
The money fraudulently removed from your account is paid for by the rest of the customers of the bank.
A. Assuming we are dealing with standard credit/ debit cards every cash withdrawal transaction travels over one or more networks to the issuing bank's card/ account management systems for real-time authorisation of the debit.
B. Every such authorisation request also carries an identification code for the ATM machine that originated the request.
So one exceedingly simple-minded rule could be "Withdrawal from > x different ATMs in < y minutes"...
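The two checks commenters describe in this thread, the telco-style travel-speed test and the "more than x ATMs in under y minutes" rule, sketched as an added example that is not part of any comment or of any bank's code. The ATM coordinates, card and ATM identifiers, and all thresholds are constructed assumptions; location comes from a fixed lookup table keyed on the ATM id that the authorisation request already carries.

```python
import math
from collections import defaultdict, deque

# Constructed lookup table: ATM id -> (latitude, longitude).
# ATMs are fixed in walls, so a static table is enough (no GPS).
ATM_LOCATIONS = {
    "NYC-001": (40.7128, -74.0060),
    "NYC-002": (40.7580, -73.9855),
    "NYC-003": (40.7306, -73.9866),
    "SFO-001": (37.7749, -122.4194),
    "CHI-001": (41.8781, -87.6298),
}
MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
MAX_ATMS = 2           # "x": distinct ATMs tolerated inside the window
WINDOW_S = 30 * 60     # "y": sliding window in seconds

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def check_withdrawals(transactions):
    """transactions: iterable of (epoch_seconds, card, atm_id).
    Returns a list of (card, atm_id, reason) alerts in time order."""
    last = {}                    # card -> (ts, atm) of previous withdrawal
    window = defaultdict(deque)  # card -> recent (ts, atm) pairs
    alerts = []
    for ts, card, atm in sorted(transactions):
        if atm not in ATM_LOCATIONS:
            # Cannot score a terminal we cannot place; surface it instead.
            alerts.append((card, atm, "unknown_atm"))
            continue
        if card in last:
            prev_ts, prev_atm = last[card]
            km = haversine_km(ATM_LOCATIONS[prev_atm], ATM_LOCATIONS[atm])
            hours = max(ts - prev_ts, 1) / 3600.0  # floor at 1 s, avoids /0
            if km / hours > MAX_SPEED_KMH:
                alerts.append((card, atm, "impossible_travel"))
        last[card] = (ts, atm)
        seen = window[card]
        seen.append((ts, atm))
        while ts - seen[0][0] > WINDOW_S:
            seen.popleft()
        if len({a for _, a in seen}) > MAX_ATMS:
            alerts.append((card, atm, "too_many_atms"))
    return alerts

# Constructed sample feed of authorisation requests.
SAMPLE = [
    (0, "card-A", "NYC-001"), (600, "card-A", "SFO-001"),  # coast to coast in 10 min
    (0, "card-B", "NYC-001"), (300, "card-B", "NYC-002"),
    (900, "card-B", "NYC-001"),                            # plausible local use
    (0, "card-D", "NYC-001"), (200, "card-D", "NYC-002"),
    (400, "card-D", "NYC-003"),                            # three ATMs in 7 min
    (7200, "card-C", "CHI-001"),
    (50, "card-E", "XXX-999"),                             # ATM not in the table
]

if __name__ == "__main__":
    for alert in check_withdrawals(SAMPLE):
        print(alert)
```

Both rules only score withdrawals that actually reach the authorising system at the time they happen; transactions that are stored and forwarded later, as other comments here point out, arrive too late to be compared.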
All you people who keep seeing post saying "check for x in y minutes" need to learn to read.
The whole point of this is that the small transactions are batch processed so there are no x number of transactions recorded by the processor. The weak link is the store and forward, not the number of transactions. Although your mileage will vary greatly. I once made the mistake of purchasing gas at the pump for one car before I stopped in the shop to pay the repair bill for another. Got sent straight to "talk to the customer service rep" because they flagged that as a sign for fraudulent activity. (A few minutes on the phone straightened it out and I never made that mistake again.) This implies my less than $20 purchase was immediately recorded by the card holder, even though it was a magnetic card swipe at a retail location.
"Small transactions are batch processed"
I THINK that only applies to POS transactions not ATM cash withdrawals (though I could be wrong)...
And the story was all about ATM cash withdrawals... The POS were only used for the card skimmers....
To be honest, the more chip-cloning fraud the better, so long as I don't get hit. The banks and networks pulled a fast one pushing the burden of proof onto the cardholder by basically not telling anyone, and it's still not widely known.
The more people get screwed on this, the greater the likelihood that some consumer protection law will be used to make the practice illegal and push the burden of proof back on the banks.
So remember to write outraged letters to the media and your elected representative if you or anyone you know is screwed by a bank on chip&PIN, Verified by Visa or MasterCard Securecode.
With Chip and Pin the card issuer will have a cryptogram that proves the transaction came from the card, a mag stripe card is trivial to clone and easily achieved with the help of maplins or ebay.
An EMV card is not easy to clone (with DDA). Fraudsters always go for the easy option.
I am sure that at some stage the US will go chip and pin, then the fraudster will move to another form of attack and the card industry will respond (and repeat).
I am sure the reason for not going down the chip and pin route in the US is simply the cost and scale of change that would be required to support it.
Chip and PIN
@Henry Wertz: You still have to pay for the fraud, as the card issuers will claim this money back through transaction fees (either directly or through increased prices in the shop)
If you've had 1000 nearly simultaneous withdrawals for £100, the bank can hardly claim that they must have been authorised transactions. So you'd hope that the account holder wouldn't have much trouble getting a refund.
Unless your account name is Ross Anderson, I guess. Cos that would be quite a good double-bluff attack.
Lock the account
Simple, when someone has put in their bank card and pin successfully into an ATM, the bank account is then locked and can only be used by that one ATM. Other ATMs will simply deny the PIN at the ATM. Sort of like locking a database record so that other users can't modify it while you're accessing it.