Credit card 'flash attack' steals up to $500,000 a month

Credit card fraudsters may have pocketed as much as $500,000 over the past month by pursuing a new type of attack that exploits a major blind spot in payment processors' defenses, an analyst said. The "flash attacks" recruit hundreds of money mules who go to ATMs throughout the US and almost simultaneously withdraw relatively …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    And here's me thinking ....

    that a simple check that flags up the same card being used at multiple locations within a short time might be a good idea - especially if the locations are scattered "all over the country".

    1. Anonymous Coward
      Anonymous Coward

      Small Amounts May Be Handled Locally

      Depending on the network and back-end, it wouldn't be unusual for a cash dispenser to have a negative file locally that it used for amounts under a particular threshold. More and more ATMs are running over IP networks with limited reliability and capacity, switched through "web-enabled" front-ends that are bottlenecks. Keeping the cost per transaction down is critical in any retail operation. Further, the DDA switches are less sophisticated than the credit card switches. This is because it is your money in your account, not the bank's; whilst with credit it is the bank's money at risk.

      Which leads me to note that the title of the article is misleading; this is a problem with ATM fraud; on credit card switches velocity checking would catch them right out.

      Anonymous because I need to keep getting work.

      1. Keith T

        In America you can do credit card withdrawals at ATMs

        In America you can do credit card withdrawals at ATMs.

        So it could be credit cards and ATM cards.

        But where I am, all ATM cards are now all chipped and have been for a couple of years, so presumably copying the magnetic strip won't work. I don't know if the ATM card chipping is nationwide yet or not.

        Only some credit cards are chipped.

  2. Hugh McIntyre

    Detect multiple locations?

    Perhaps I'm missing something, but surely if the card is used in multiple ATMs several miles apart within 10 minutes (such as both New York and San Francisco) this would be a good clue to the fraud system that this is impossible.

    Some type of "impossible to have gotten from the last ATM since last transaction" check.

  3. John Savard

    Obvious Response

    If an ATM card is being used in a city different from the one it was last used, a withdrawal transaction should require that the account in question be brought up to date. Of course, this can't be done at the level of individual ATM machines - checking them for pending transactions on the account - but if it's done at the level of individual cities, that should be fast enough, and not create an intolerable load on the system.

    Assuming, of course, that every ATM transaction is immediately entered into a bank database for the city or state at the time of processing, and they're not stored in the ATM for forwarding hours later. But if that's not true, achieving it should also not create an intolerable burden.

    1. Keith T

      Small amounts can be stored and forwarded.

      Small amounts can be stored and forwarded.

  4. Geoff Campbell Silver badge
    Boffin

    Wow

    Say what you like about the morality, but that's a clever attack.

    GJC

  5. Anonymous Coward
    WTF?

    What do we pay these Credit Card companies for?

    Multi-Billion Pound finance companies with some of the highest expenditure on IT Security, yet they are perfectly happy to assume I can be in 100 places at once. No wonder the criminals get ahead so easily when they're competing against companies like this.

    If POS/ATM could be linked in with Geographical Information it could seriously cut fraud.

    1. Cameron Colley

      You pay to be their bitch.

      They pay the government to be allowed to take your money. If the credit company does fuck up, they just get the government to sort it out.

      Fun, isn't it?

    2. Kirbini
      Big Brother

      Well Duh...

      But that would require some sort of Google API or geo-locate license which would cut a chunk out of their billions per year in profit. A 0.0000000001% chunk is simply intolerable doncha know.

      1. Keith T

        Not that many they couldn't look them up in a table

        Not that many they couldn't look them up in a table. These are ATMs stuck in the walls of buildings, not mobile phones.

    3. Keith T

      If it is cheaper to tolerate the fraud than prevent it, they'll tolerate the fraud.

      If it is cheaper to tolerate the fraud than prevent it, they'll tolerate the fraud.

      I'm not current on bank security, but as an example from 15 years ago, look at the cheques issued by banks processing payrolls for clients. Fraud on payroll cheques occurs, but at such a low rate it is not worth using more costly high security cheques. So the business people decided to continue just using regular coloured paper run through special printers.

      But in the case of credit card swiping, they are switching to chipped credit cards, so they must have figured the level of fraud made it cost effective to use more expensive cards and processing.

    4. Anonymous Coward
      Anonymous Coward

      Multiple

      I suspect some banks are doing this. A few years ago in fact.

      I believe that's how HSBC managed to determine that someone had skimmed my debit card.

      They rang me to query the fact I was simultaneously at a cash machine in Halifax after having just bought something from a motoring shop in Essex a few minutes earlier. Unfortunately, the little b*ggers managed to get 500 quid from my account before it got stopped, but at least it was before they maxed out my overdraft.

      I even got all of the cash back, although it took 6 weeks.

      1. RichyS
        Joke

        Halifax

        But was the Halifax branch in Essex too?

  6. Daniel Evans

    Eh?

    The odd thing is that bank/card company fraud detection systems already pick up on foreign use of cards - I'm sure almost everyone on here has heard the story of "I phoned my bank 4 times to tell them I was going abroad, and they still blocked my card" - so surely the same system should notice these cards being used all over the place?

    Or do said systems only care about use in different countries, and are somewhat less vigilant about multiple withdrawals within the same country (I assume the article discusses the USA)?

    1. Keith T

      Probably within the system not requiring an inter-bank connection.

      I'm not sure about how many networks you have in Europe, but I'm guessing the store and forward processing of small transactions is probably only for cards from that institution's card network.

  7. Anonymous Coward
    Anonymous Coward

    Odd...

    UK (and EU, as far as I know) based banks would detect that. Then again, they also don't use magstripe, which is trivially copied.

    The USA needs chip and pin.

    1. heyrick Silver badge

      @ Fraser

      When's the last time you've used a chip&pin CASH MACHINE? When you push the card in and it "clunks" a few times, that's the machine moving the card over a magstripe reader.

      That said, many years ago when I lived in Bridgwater, my bank phoned me to say it had declined a large payment in Blackpool based upon my using the card in Bridgwater around the same time, and could I pop into the branch tomorrow at my convenience to confirm it wasn't me. When I got there, they took (and destroyed my card), told me if I needed cash, I could write a cheque to "CASH" and the usual fee (about £3 if I remember) would be waived, and my replacement card would arrive by post within the week. That's how this sort of story is supposed to go.

      1. David Hicks

        cash machines have had chip and pin for years

        The only type that don't do it are the dodgy ones you find in shops that ask you to insert and remove your card. The inner workings of Bank ATMs have used chip for ages.

        Most likely is that there's a hybrid reader inside, in case someone without a chip or with a broken chip tries to use the machine. This is the major weakness in the system, though should be getting phased out over time.

      2. Anonymous Coward
        Anonymous Coward

        Chip & pin cash machines

        All of the cash machines I use are chip & pin. I know this because my mag strip is damaged! There is one machine locally that I'd like to use but can't because it's mag based, but it's not a big enough problem to request a new card.

      3. Anonymous Coward
        Anonymous Coward

        @Heyrick

        The clunking that you hear is the card being loaded into the chip reader. The card isn't moved back and forward over the magstripe reader, in fact even when ATMs just used magstripe, it usually didn't need to pass over the reader more than once. The only time that a magstripe is used is if there is no chip on the card, or if the chip has failed. Even in the case of a failed chip, there are only specific situations in which the card will be used, most ATMs won't use a chip and pin card with a failed chip, due to the probability that it has been cloned.

        This is the main reason that when cards get skimmed in the UK, they are always used in a non chip and pin area.

  8. kain preacher

    @Obvious Response

    If an ATM card is being used in a city different from the one it was last used, a withdrawal transaction should require that the account in question be brought .

    Um, since people don't always live and work in the same city that might be a nuisance. It's not uncommon for me to travel 50 miles from home for pleasure. Now what I have seen happen is if you travel out of state (in the US) your ATM/card might work for one transaction but then is shut down. A much better solution is if the card is used more than once at different ATMs in under 30 minutes.

  9. Donald Atkinson

    Seems a bit excessive

    Sending a hundred folk out to raid my checking account? Each card that they created would return a couple dollars. Hardly seems worth the effort.

    1. Keith T

      $50 from 200 accounts by each of 10 people = $100,000

      Maybe the interim solution is to program ATMs to start checking centrally after 10 to 20 successive requests below the level at which central checks are normally required.

  10. J 3
    Pirate

    Another thing...

    With so many mules, I wonder how hard it would be to find out who hired them after you get a couple of them...

    1. Anonymous Coward
      Anonymous Coward

      re. Another Thing

      Like a lot of "low-level" crime, this sort of thing is organised by people who know how to prevent being ratted out. The mules will be recruited by local "agents" on the street, they won't be working out of an office. Each mule is only committing a relatively minor offence, so the police can't really apply much pressure, whereas the criminals further up the food chain are happy to apply pressure with a car crusher so that informants are rare and vanish quickly.

  11. Richard Scratcher
    FAIL

    Chip & Pin?

    Years ago I had an idea of cloning a card and getting an accomplice to withdraw a large sum of money from a cash machine while I was withdrawing a small sum, at about the same time but many miles away.

    I would then complain to the bank and claim they'd made an error and ask for my money to be restored. I never tried it because I'm such an honest and law-abiding citizen but it seemed like a hole in the hole-in-the-wall system.

    The US needs to move to Chip and Pin or geocode their ATMs and add some Pythagoras to their transaction process.

  12. Martin Gregorie
    Boffin

    Telcos know location, ATM systems don't

    This type of fraud with cloned phones has been known by telcos for a very long time and is routinely spotted, though not necessarily within several hours of a clone's first use, since call details, which include the cells where the call was made and received, are not sent to the billing system immediately. This is known as 'velocity fraud' because the travel speed between successive calls is calculated to decide whether a fraud is likely.

    By contrast ATM transactions are generally authorised in real time because the bank needs to check the card holder's account balance and withdrawal limit before the withdrawal is authorised. Although a bank or ATM network needs to know where its machines are so they can be serviced and have more cash stuffed into them, this information isn't generally known by the system that authorises the withdrawal, so velocity checks are not possible.

  13. P. Lee
    FAIL

    re: Telcos know location, ATM systems don't

    Sounds like a lack of interest by the ATM networks. Add a GPS to the ATMs and include that data with the transaction. A quick query to Google Maps to calculate travel time and you're sorted.

    Ok a bank may not do it that way, but you get the idea.

    1. Keith T
      Pint

      EMV chip deadlines: none for USA, but coming soon for Canada

      GPS not needed, the ATMs on this side of the Atlantic are anchored in walls. The installer could program in the location.

      I was in Google to get some up-to-date info, and it seems that the US credit card industry has not yet found it cost effective to move to EMV chips, although some very big businesses (like Walmart) are pushing for it. International business travellers based in the USA are also pushing for EMV chipped cards.

      source: http://www.bankinfosecurity.com/articles.php?art_id=2593

      On the other hand, Canada has an EMV chip deadline.

      * October 2010 - Visa Canada and MasterCard shift liability to merchants who do not accept EMV transactions.

      * December 31, 2012 - Magnetic stripe debit cards no longer accepted at ABMs.

      * December 31, 2015 - Magnetic stripe debit cards no longer accepted at Point Of Sale.

      source: http://www.ajbsoftware.com/solutions/fipay/emv.aspx

      I heard a rumour that the "E" in EMV stands for Europe, that is probably the reason for the delay. (Similar to the "E" in metric.)

      1. David Hicks

        Europay

        E stands for Europay, who used to operate the MasterCard scheme in Europe, if my memory serves me correctly. They were merged into MasterCard a few years ago, but the three companies that gave the scheme their initials are the three that founded it in the 90s, IIRC.

        EMV - Europay, Mastercard and Visa.

  14. Lars Silver badge
    WTF?

    Punch Cards

    and magnetic strips, so American, one wonders.

  15. Curtis

    mag strips vs chip and pin

    You mock the US's use of mag stripes. In the US, when your card has fraudulent activity, the card issuer is required to prove the authorized user initiated the transaction by either signature or an ATM photo. From what I understand, under "chip and pin", merely the use of the PIN proves that the transaction was authorized and the user must find a way to prove that it was not.

    Note that this attack takes place at the payment processor level, not the bank. I would not be surprised in the least to find out that these payment processors are holding the withdrawals at the regional level to save money by processing in a batch file. Especially as I have seen it with my own account (make a withdrawal/purchase at 10 am on the weekend and it not go through until Monday, even as an authorization).

    1. David Hicks

      False

      "You mock the US's use of mag stripes. In the US, when your card has fraudulent activity, the card issuer is required to prove the authorized user initiated the transaction by either signature or an ATM photo. From what I understand, under "chip and pin", merely the use of the PIN proves that the transaction was authorized and the user must find a way to prove that it was not."

      Not true. The credit laws in the UK (dunno about Europe as a whole) have the same provision. Any dispute requires an immediate refund by the credit card issuer, who then undertake to investigate the fraud.

      If Chip & Pin was not used then the retailer assumes liability and refunds the money to the bank and must investigate the fraud themselves. Or just write off the cost.

      If Chip & Pin was used then the bank assumes the blame and investigation costs/procedure.

      But here's the rub - EMV is pretty secure. I'm sure there are exploitable holes in there somewhere, but it's pretty secure, so it becomes more suspicious and the banks will look into it very closely.

      I don't believe that there have yet been any successful Chip&Pin card clones. The current fraud vectors are magnetic strip and customer-not-present (i.e. internet stuff). The strip is the major hole because it is clone-able and retailers have the option to accept it, at their own risk. I'll be glad when it's gone.

      Debit cards operate under different legal frameworks but the fact that, as yet, no clone fraud has occurred makes your situation pretty unlikely.

      1. heyrick Silver badge

        @ David Hicks

        I had posted the epic URL (bloody Google), but it was a mess, so here's the TinyURL version. It's the QuickView of a PDF from Cambs uni.

        http://tinyurl.com/39hpde4 [check: http://preview.tinyurl.com/39hpde4]

        It is (currently) true that the chip cannot be cloned. This does not mean the system is secure and fraud no longer happens. See also: http://en.wikipedia.org/wiki/EMV#Vulnerabilities

    2. Anonymous Coward
      Thumb Up

      Exactly

      Chip and pin was introduced to protect the banks' interests, not the customers'. Another example of the modern corporate attitude that all customers are judged guilty and have to prove themselves innocent when something goes wrong. Which we in the UK have, with characteristic apathy, accepted as the norm.

    3. Anonymous Coward
      Anonymous Coward

      No...

      This is a common urban myth, indeed in the UK it was written into law (a couple of years ago) that the bank must prove that their customer is being fraudulent, not the customer prove that they aren't.

  16. Anonymous Coward
    Headmaster

    Cash 1.0

    Still works for me after all these centuries...

    1. Anonymous Coward
      Anonymous Coward

      Yes...

      At a guess, that'd be why people are fraudulently taking it from cash machines? Unless you are suggesting that people take money out over the counter in amounts that are required to cover the weekend. Or maybe they should keep all their money under the bed?

  17. Henry Wertz 1 Gold badge

    Do not want chip and pin

    and Curtis sums up why. If my antiquated mag stripe card is cloned and used fraudulently, my bank will refund the money, no sweat. Despite the chip being shown to be cloneable (and why, if someone installed hardware to clone a mag stripe, wouldn't they clone the chip too since it is in fact cloneable?) banks in the UK at least have this fantasy that it is not, and hold the cardholder responsible for fraud (since fraud with this card is according to them impossible.) I am afraid that US banks would try to follow this same fantasy. Of course, if the US banks don't follow this fantasy then I really don't care what they do.

    1. David Hicks
      Thumb Down

      because cloning ain't possible right now

      "(and why, if someone installed hardware to clone a mag stripe, wouldn't they clone the chip too since it is in fact cloneable?)"

      'cos it's not possible at present.

      It's possible to intercept comms between the card and the terminal, maybe find out the PIN by a bit of decoding, and create mag-stripe data from the info you've gathered. This does not allow you to create a cloned chip card.

      In fact, IIRC, the only current cloning method involves using an electron microscope to try to read the key off the in-chip storage.

      "banks in the UK at least have this fantasy that it is not, and hold the cardholder responsible for fraud"

      That's actually illegal if we're talking about credit cards, they are obliged to refund the money immediately you tell them a transaction is fraudulent.

      I would be genuinely interested to read about cloning techniques if you know some concrete details though, I used to work on EMV systems (retailer, issuer and acquiring bank systems).

      The most I can find is that some Cambridge researchers have figured out it's possible to clone an SDA card (the cheap type which we ought to move away from) and then use it only for offline (very low value) transactions. Not much of a threat there compared to mag strip eh?

    2. Anonymous Coward
      Anonymous Coward

      Guess what?

      There have been no clones of Chips ever, even Ross Anderson hasn't managed to do that and you know he'd shout about it, if he had.

      The banks won't hold you responsible, well in the EU at least.

      The money fraudulently removed from your account is paid for by the rest of the customers of the bank.

  18. Anonymous Coward
    WTF?

    Good 'eavans

    A. Assuming we are dealing with standard credit/ debit cards every cash withdrawal transaction travels over one or more networks to the issuing bank's card/ account management systems for real-time authorisation of the debit.

    B. Every such authorisation request also carries an identification code for the ATM machine that originated the request.

    So one exceedingly simple-minded rule could be "Withdrawal from > x different ATMs in < y minutes"...

    1. Tom 13

      All you people who keep seeing posts saying "check for x in y minutes" need to learn to read.

      The whole point of this is that the small transactions are batch processed so there are no x number of transactions recorded by the processor. The weak link is the store and forward, not the number of transactions. Although your mileage will vary greatly. I once made the mistake of purchasing gas at the pump for one car before I stopped in the shop to pay the repair bill for another. Got sent straight to "talk to the customer service rep" because they flagged that as a sign for fraudulent activity. (A few minutes on the phone straightened it out and I never made that mistake again.) This implies my less than $20 purchase was immediately recorded by the card holder, even though it was a magnetic card swipe at a retail location.

      1. Anonymous Coward
        Boffin

        "Small transactions are batch processed"

        I THINK that only applies to POS transactions not ATM cash withdrawals (though I could be wrong)...

        And the story was all about ATM cash withdrawals... The POS were only used for the card skimmers....

  19. Trygve

    liability shift...

    To be honest, the more chip-cloning fraud the better, so long as I don't get hit. The banks and networks pulled a fast one pushing the burden of proof onto the cardholder by basically not telling anyone, and it's still not widely known.

    The more people get screwed on this, the greater the likelihood that some consumer protection law will be used to make the practice illegal and push the burden of proof back on the banks.

    So remember to write outraged letters to the media and your elected representative if you or anyone you know is screwed by a bank on chip&PIN, Verified by Visa or MasterCard Securecode

  20. sugerbear

    Misinformation

    With Chip and Pin the card issuer will have a cryptogram that proves the transaction came from the card, a mag stripe card is trivial to clone and easily achieved with the help of Maplins or eBay.

    An EMV card is not easy to clone (with DDA). Fraudsters always go for the easy option.

    I am sure that at some stage the US will go chip and pin, then the fraudster will move to another form of attack and the card industry will respond (and repeat).

    I am sure the reason for not going down the chip and pin route in the US is simply the cost and scale of change that would be required to support it.

  21. Wim Ton

    Chip and PIN

    @Henry Wertz: You still have to pay for the fraud, as the card issuers will claim this money back through transaction fees (either directly or through increased prices in the shop)

  22. mordac

    silver lining

    If you've had 1000 nearly simultaneous withdrawals for £100, the bank can hardly claim that they must have been authorised transactions. So you'd hope that the account holder wouldn't have much trouble getting a refund.

    Unless your account name is Ross Anderson, I guess. Cos that would be quite a good double-bluff attack.

  23. Chris 100

    Lock the account

    Simple, when someone has put in their bank card and pin successfully into an ATM, the bank account is then locked and can only be used by that one ATM. Other ATMs will simply deny the PIN at the ATM. Sort of like locking a database record so that other users can't modify it while you're accessing it.

  24. SImon Hobson Bronze badge

    Err

    Chip and PIN has already been demonstrated to have exploitable weaknesses. Recall that not long ago, some researcher demonstrated how he could use a C&P card without actually entering a valid PIN. In addition, the card processing system recorded that a valid PIN **HAD** been entered.

    OK, it's not a cloned card and requires possession of the actual card, but it did demonstrate that the system had flaws.

    Now, people above point out that the onus of proof is on the card issuer. The trouble is, they have this *proof* that your card was used with the PIN - therefore either you, or someone you gave the PIN to, was responsible. Against that, it becomes the users task to prove that the banks evidence is wrong. Good luck with that unless you can prove you were someone else AND prove that you haven't given the PIN to anyone. The latter is not provable in general.

    1. Anonymous Coward
      Anonymous Coward

      If I Recall Correctly

      That particular attack was a man in the middle attack which required a ribbon cable to be soldered to the chip of the fake card inserted into a merchant's machine and a bunch of hardware hung between it and the target card.

      The banks/payment handlers said something along the lines of: Yes, it could work but it will cost a lot and would get noticed.

      Furthermore, I believe that it only works for auth from the card itself, rather than from the banks, so you'd be limited to small amounts of money. Also, the cryptographic hash wouldn't be that of the target card, so there would be somewhere to look as well.

      (nb: This is all from memory, so I may be wrong in parts)

  25. Anonymous Coward
    Anonymous Coward

    UK Credit Card companies already do this

    I got a call from my credit card company's fraud department when my credit card was used to attempt to withdraw cash from more than one ATM cash machine in the space of a few minutes in the town where I live.

    They then went through all the recent transactions to ask me to confirm which ones were real and cancelled the card and sent me a new one.

    I also got a call once when my card was used on a whole load of porn and gambling sites online in the space of a couple of hours all for small amounts and including a sign up to Ancestry.com in an attempt to get mother's maiden name one presumes. Different credit card company same routine of confirming which transactions were mine - which took a while going through the 20 odd porn sites before we found a petrol transaction.

    They detect things based on behaviour patterns. If I'd regularly used porn or gambling sites in the past it might not have flagged.

  26. David Ryan

    Simply fraud detection and notification.

    Whilst I have encountered automated detection and response from at least three credit card houses, the same systems may not be in place at all organisations.

    One simple solution is to offload your fraud detection to the end user: sms/email/pigeon/whatever alert for each transaction or when transaction amount/volume exceeds a defined threshold (i.e. advise me when X amount has been spent within Y period or when Z amount has been surpassed in any single transaction).

    Much like chip and pin, the banks could then push the responsibility of fraud notification onto the end user. WIN!

  27. Anonymous Coward
    Coat

    Point?

    It *is* pretty clever.

    But it also seems rather pointless. You need to coordinate (and pay) hundreds of individuals each making small transactions. The risk (extended and multiple visibility) to reward ratio seems rather low.

    Nope. Not sustainable. Not a green crime.

  28. Tin Pot
    Stop

    The underlying flaw

    ...Is not mag strip, or fraud prevention algorithms, but the way ATM transactions - as it appears in this case - are not done in real time.

    More detail is needed though, before a firm conclusion can be made. ;)

  29. jimhsu
    Boffin

    Can't detect?

    Kind of question the assertion that this is difficult to detect. A threshold (say, 3 transactions in 5 seconds) that no normal individual would come close to, or a detection of ATM use across more than N terminals at least 1 km apart (where N is the number of ATM cards or account holders) could trigger a fraud warning. I'm sure banks have this info already when you're making the transaction.

  30. multipharious
    Boffin

    Authorization Priority

    Wanted to remind some folks this exploit is for Credit Cards used at ATMs for a cash advance. The far lower transactional priority for a lower withdrawal/advance amount means that the de facto methodology is to auth based on successful PIN entry in combination with the credentials stored on the card. Even with an ATM card, offline machines (say during weekend or nightly maintenance, heavy holiday traffic, and so forth) are set to auth up to a ceiling without contacting the central system (then recording the transaction.) You don't know this happens, but it does and I am sure you are thankful it does with your mates ready to go to the next pub or bar.

    My guess is this is due to the cost of purchasing and maintaining a system that can handle the number of database updates versus the comparative historical financial risk of the lower amounts. Think of write cache in HDDs or onboard memory cache for processors. To auth all lower transactional amounts adds significant additional volume and load on the infrastructure. Bursting the transactions is all about lowering the TCO. A system capable of handling all this in real time? I can see the customer talking to the hardware software vendor(s) and the Systems Engineer saying, "Sure, it can be done...but it's gonna cost you."
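The velocity check several commenters describe (Hugh McIntyre's "impossible to have gotten from the last ATM" test, jimhsu's "N terminals" threshold, the "> x different ATMs in < y minutes" rule) and the store-and-forward gap that Tom 13 and multipharious point out, worked through as an added example that is not from the article or any commenter. The ATM ids, coordinates, thresholds and requests are all constructed sample data, and the locations come from an installer-populated table rather than GPS, as Keith T suggests.

```python
"""Velocity ("impossible travel") check over ATM authorisation requests.

Constructed example: flag a card used at ATMs too far apart for the elapsed
time, or at more than N distinct ATMs inside a window, and show why a payout
already made offline under a local ceiling can only be flagged after the fact.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed terminal registry.  ATMs are bolted into walls, so the
# installer can record the location at deployment; no GPS needed.
ATM_LOCATIONS = {
    "ATM-NYC-01": (40.7128, -74.0060),   # lower Manhattan
    "ATM-NYC-02": (40.7580, -73.9855),   # midtown, a few km away
    "ATM-NYC-03": (40.6892, -74.0445),   # harbour side
    "ATM-NYC-04": (40.7306, -73.9352),   # across the East River
    "ATM-SFO-01": (37.7749, -122.4194),  # San Francisco
}

MAX_SPEED_KMH = 900.0           # faster than an airliner counts as impossible travel
MAX_DISTINCT_ATMS = 3           # more distinct terminals than this ...
WINDOW = timedelta(minutes=30)  # ... inside this window is suspicious


@dataclass(frozen=True)
class AuthRequest:
    card: str
    atm_id: str
    occurred_at: datetime     # ATM clock when the card was used
    received_at: datetime     # when the authorising switch saw the request
    dispensed_offline: bool   # True if the ATM already paid out under a local ceiling


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs, in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def velocity_reason(req, history):
    """Return why req is suspicious given earlier requests on the same card, else None."""
    prior = [h for h in history if h.card == req.card and h.occurred_at <= req.occurred_at]
    if not prior:
        return None
    last = max(prior, key=lambda h: h.occurred_at)
    dist = haversine_km(ATM_LOCATIONS[last.atm_id], ATM_LOCATIONS[req.atm_id])
    hours = (req.occurred_at - last.occurred_at).total_seconds() / 3600.0
    # Two different places with no elapsed time is impossible by definition.
    if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
        return f"impossible travel: {dist:.0f} km from {last.atm_id} in {hours * 60:.0f} min"
    recent = {h.atm_id for h in prior if req.occurred_at - h.occurred_at <= WINDOW}
    recent.add(req.atm_id)
    if len(recent) > MAX_DISTINCT_ATMS:
        return f"{len(recent)} distinct ATMs within {WINDOW.seconds // 60} min"
    return None


def evaluate_stream(requests):
    """Process requests in the order the switch receives them; returns (atm_id, verdict) pairs.

    Verdict is 'approve', 'decline: <reason>', or 'flag after the fact: <reason>' when the
    cash already left the machine offline and the request only arrived later in a batch."""
    verdicts, history = [], []
    for req in sorted(requests, key=lambda r: r.received_at):
        reason = velocity_reason(req, history)
        history.append(req)  # declined attempts still count as activity on the card
        if reason is None:
            verdicts.append((req.atm_id, "approve"))
        elif req.dispensed_offline:
            verdicts.append((req.atm_id, f"flag after the fact: {reason}"))
        else:
            verdicts.append((req.atm_id, f"decline: {reason}"))
    return verdicts


def demo():
    """Three constructed scenarios; returns their verdict lists."""
    t0 = datetime(2010, 8, 14, 2, 0)

    def live(card, atm, minutes):  # authorised online at the moment of use
        at = t0 + timedelta(minutes=minutes)
        return AuthRequest(card, atm, at, at, False)

    # 1. New York, then San Francisco ten minutes later, both authorised online.
    cross_country = [live("CARD-A", "ATM-NYC-01", 0), live("CARD-A", "ATM-SFO-01", 10)]
    # 2. Four different New York ATMs in six minutes; each hop on its own is plausible.
    spree = [live("CARD-B", f"ATM-NYC-0{i}", 2 * (i - 1)) for i in range(1, 5)]
    # 3. Same as 1, but paid out under a local ceiling and forwarded four hours later.
    batched = [AuthRequest("CARD-C", atm, t0 + timedelta(minutes=m), t0 + timedelta(hours=4), True)
               for atm, m in (("ATM-NYC-01", 0), ("ATM-SFO-01", 10))]
    return evaluate_stream(cross_country), evaluate_stream(spree), evaluate_stream(batched)
```

In the third scenario the check still fires, but only when the batch arrives, by which time both machines have already dispensed; that is the blind spot the article describes.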

