Add the increasing sophistication of the technology used by fraudsters, including Bluetooth and other wireless communications for the transmission of stolen cardholder data, and it's clear banking institutions, merchants and the card networks have an uphill battle ahead of them.
That's not to say the battle can't be won, Litan says. It just means the fight will require new techniques and different perspectives. "There is more discussion now than ever about stronger cardholder authentication, which means even if the data is skimmed at a point of sale or at a gas pump, it can't be used without the physical card in the person's hand," she says. "It used to be, on debit, that the bank had enough authentication with just the PIN. Now, all of that is being broken by the latest trend of attacks, so banks are getting much smarter in the way they are approaching fraud detection and the systems are getting more sophisticated."
During this interview, Litan discusses:
- The need for stronger cardholder authentication;
- Why banks and credit unions must quickly identify points of card compromise;
- The detection investment challenges institutions will face in 2011.
Litan has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers the security related to payment systems and PCI compliance.
Skimming: An Evolving Card Fraud
TRACY KITTEN: Card skimming at the ATM and POS is not a new problem, but skimming fraud is posing increasing challenges for banks, as the crime rings that perpetrate skimming attacks have become globally connected and more sophisticated. What will banking institutions do to combat these trends in 2011 and beyond? Today we hear from Avivah Litan, vice president at Gartner Research and a distinguished analyst.
Avivah, you've been tracking card skimming trends for a number of years. Looking back at 2010 and forward into 2011, what trends are you seeing that highlight or point to evolution in card skimming fraud?
AVIVAH LITAN: Skimming pays off, so it's become one of the No. 1 priorities for banks and other financial institutions, in terms of an attack vector that they have to fight off.
Flash Attacks and Stronger Authentication
KITTEN: So-called "flash attacks," which rely on coordinated efforts, often international, to simultaneously withdraw funds from multiple ATMs using cards created from the copied card details, are an emerging card-fraud trend. Relative to other types of skimming attacks and/or card-based fraud, where do you see flash attacks falling, regarding their level of threat, and what should banking institutions be doing to fight back?
LITAN: The flash attacks are all under the threshold, so they are very small amounts taken out against multiple accounts all at the same time in about 10 or 15 minutes. The banks that are successful at mitigating these attacks and stopping them before they do too much damage are the ones that are able to find the point of compromise very quickly. So, when they start seeing some of these transactions come through, they notice that there are these waves of attacks. One banker described it as a tsunami. Then, they take the cards and they have to rapidly find out where the point of compromise is. Once they know that, then they have to figure out what other cards got used at that restaurant, for instance, within the same time-frame. Then, they basically build this big black list and put a big watch-list together that flags those cards every time they are used at an ATM.
Essentially, the bank has to be able to figure out where the point of compromise was, so they've got to handle this delicately. But, they can stop it, if they figure out where the point of compromise was. In the United States, that is difficult for a lot of banks to do, because they don't have access to that acquiring data. A processor will have it, and banks that do acquiring and issuing will have that data; but not all banks have access to that. So that becomes kind of a problem. They can also roll out stronger cardholder authentication. As we know, outside the United States, almost every country is moving or has moved to chip cards using the EMV standard. The U.S. is still reluctant to do that because of the cost, and no one has figured out who should pay for this yet. But, there are other methods that the banks are considering, such as using smart phones more or even regular cell phones that aren't so smart. There is more discussion now than ever about stronger cardholder authentication, which means even if the data is skimmed at a point of sale or at a gas pump, it can't be used without the physical card in the person's hand.
KITTEN: Building on what you just said about POS systems and then, of course, talking about pay at the pump, I wanted to ask you about trends you are seeing in card skimming at unattended payment terminals. Beyond ATM skimming, we saw 2010 take a turn toward pay at the pump EMV, gas terminals, which have proven to be vulnerable for a number of reasons. As more unattended self-service terminals accept card payments, is card skimming expected to increase?
LITAN: Yes, definitely. The unattended terminals are the favorite attack vectors for the criminal, especially the ones that don't have video cameras near them. So, gas-pump skimming has been popular for many years, and it's just getting more popular.
KITTEN: What steps can be taken by merchants and card issuers to make those terminals more secure? How can they combat those trends?
LITAN: Card issuers can't do anything to make the terminals more secure, because they don't control those merchant terminals directly. What they can do is put more pressure on the card brands, Visa and MasterCard, for example, to pressure the acquiring banks to pressure their merchants to secure the terminals; and that is really what PCI is all about. In fact, there has been a lot of attention paid by the card brand to enforcing security inside those gas pumps and other unattended terminals. The problem with that is that they need a lot of physical time to go around to every gas pump and update it. A lot of these are old gas pumps that have embedded point-of-sale technology, so it's not so easy just to upgrade those terminals. Oftentimes, you've got to spend $10,000 to $15,000 to put in a new point-of-sale system that requires the gas pump manufacturer to also provide the upgrade. Companies have told me that even if they started a year ago on the upgrade, just visiting thousands and thousands of these gas pumps that belong to their franchises and their own stations would take three years. So, they couldn't possibly meet the deadline, even if they had the money.
So, yeah, PCI is important; standards are important. But we also have to be realistic about the fact that it's difficult to just get all of this into place. This is going to be a very long process. So the banks need to do what they can do, which is stronger cardholder authentication and better fraud detection. In the end, there are not a lot of simple answers.
LITAN: You are right, Tracy. The problem is that the banks are not able to break down fraud by attack vector. So, we're not really able to say skimming causes X percentage of fraud and it's gone up this amount in the last two years. But, what we do know is that fraud that uses a PIN and mag-stripe data has definitely gone up a lot, especially at point-of-sale systems. I think that if we were able to further break down the cause of that -- the cause of POS PIN and ATM PIN fraud rising -- especially the point of sale, my guess is that we would see most is because of skimming. That would be my guess, but it is just an educated guess. You know, we don't have the data; and if we did have the data, it would help us prepare the right solution. But I think that the solutions that the banks have taken, the way they are attacking it, is the right way. They just have to try to get the merchants to secure the terminals through PCI and PA-DSS compliance and start looking at methods for stronger cardholder authentications, while at the same time improving the fraud-detection systems and the point-of-compromise analysis systems. So, even if the data is stolen, it can't be used. I think the banks are doing as much as they can. Maybe they can move faster. But it is very hard for them to break down the source of the fraud, whether it's skimming or breaches and sniffing or anything else. They just have to assume that the data is going to get compromised, and then respond accordingly.
POS Skimming to Increase
KITTEN: I was going to ask a question to gauge your opinion on whether or not card skimming was expected to continue to be a problem in 2011, and I'm not going to ask that question; obviously it is. But can you talk a little bit about some of the new types of technologies you see fraudsters using when it comes to skimming?
LITAN: I definitely would like to talk about that, and I also want to mention that I think that fraud at point-of-sale systems is what is going to be increasing, as opposed to skimming at ATMs, because the banks can control the ATMs. They are putting in stronger technology. They can't get out there to every point-of-sale device and upgrade it.
To answer your question on the new types of technology the fraudsters are using, they are basically using some non-technology solutions like social engineering, where they go in and distract the cashier or they find some unattended terminals in a big supermarket in the middle of the late hours of the night, when people aren't around, and just swap out these devices with new ones that have skimmers in them. They study what kind of devices a certain supermarket or other chain has. They do their homework. And they go out and get a bunch of other devices with the skimming already put in and then swap. They are also using better wireless technologies, so that when the skimmer is at work, when they are capturing the data, they are able to transmit it immediately to a node that they control through wireless technology. So, it is a combination of being able to swap out the devices, using good old-fashioned social engineering or devious tactics that don't require technology skills.
Biometrics, Chips and Contactless
KITTEN: What types of technologies are banks and retailers looking at, when we talk about some of these unattended self-service terminals, specifically? What do you think about biometrics playing a role in helping to combat some of these skimming incidents?
LITAN: Biometrics is more a method for authentication. For example, in Japan, if you want to take money out of the ATM, you have to put your palm on the ATM. It reads your palm, and that's being used in different countries, not just in Japan. I don't see that having a role in preventing the skimming attacks. It is more of a role in how the data is used after it is skimmed. So, when you look at the types of the technologies that banks are investing in to fight back, it is not deployed at the point-of-sale. It's deployed at the card issuer's system and the card-acquiring systems. They have to stick to the back-end, in terms of detection, and eventually start rolling out stronger card security. In other words, what we already talked about, you know, one-time passwords or maybe chip technology. I don't see biometrics being used in the United States in the foreseeable future, because the banks are having enough trouble getting the retailers and gas stations to upgrade even just to Triple DES encryption. If they came out with a standard that said they now have to read fingerprints, I think they would lose a lot of card revenue.
We did see a couple of experiments in the United States with a couple of vendors that tried to roll out biometric payments, which was biometric authentication of a payment where you would put your finger right on the point-of-sale system and that is how you would authenticate. That technology didn't go anywhere. I think they pretty much went out of business, because you can't change the payment systems without massive bank participation.
KITTEN: What about contactless cards? We've talked about EMV, but there could be other types of contactless technology, whether using a mobile device or something else, that might be used in the U.S. How might that impact skimming trends, or could it create new portals for fraudsters, especially contactless technology that relies on RFID?
LITAN: You know, that's a great question, too. Actually, contactless cards have methods for stronger authentication. They are not going to do anything to stop the skimming. As you said, it could actually encourage skimming, because of RFID transmission, if that transmission is not encrypted. What you can get with contactless cards is a stronger authentication of the card. So, let me be more specific about it.
There is something called "dynamic CVV code," which the card brands, Visa, MasterCard, have built into these contactless cards. That means that when you use a contactless card, you have an algorithm that is attached to your card. Let's just keep it simple. Let's say on the first transaction it is 1. So, the security code is 1 and the algorithm is to add 3 to the last security code. Now, when the next transaction comes in, that 1 becomes 4. Well, the criminal doesn't know the algorithm, so they won't be able to come up with the right security code. You could actually get stronger security on contactless cards through stronger cardholder authentication. I don't think it will do anything about skimming, but even if it is skimmed, it can't be used in another contactless situation.
The problem with the contactless security that I just discussed, though, is not indicative; so that algorithm is only good for contactless cards, and the data can still be skimmed and used on a regular mag-stripe card that doesn't have that algorithm. Now, I will also add that there are vendors that have come up with this for mag-stripe cards, as well as other innovative technology, like fingerprinting the magnetic stripe -- knowing only that magnetic stripe belongs to that card. If a criminal tries to counterfeit the card, they'll get a different mag-stripe fingerprint and you can check the print. You can check the likelihood it's the same print. It's not going to be 100 percent, but you could create a system that says if it is 98 percent similar, let's accept it; and if it's 95 percent or below, let's reject it. So, there are technologies like that out there, aside from the contactless dynamic CVV, that can work in mag-stripe situations. But it is a matter of the options. We're not low on technology solutions. We're low on agreement and mandates to move forward to make stronger cardholder authentication a requirement. It's more of a business practice issue than it is a technology issue.
KITTEN: In closing, Avivah, could you share with our audience any final thoughts about skimming trends and anti-skimming technologies they should be watching in 2011 and beyond?
LITAN: I think we've discussed a lot of the new trends, but I think what we can expect in 2011 is that all of this is going to continue. The skimming attacks are not going to abate. They are going to increase, because the criminals have discovered how these work. They have discovered how to use skimmed data to avoid fraud-detection systems, and so we can just expect more. Just like when phishing attacks started many years ago, the common thinking was, "Oh, they'll die down after a few years or a couple of years. It's just noise." But it's not noise, because they get away with it, so it keeps increasing. We've had more phishing attacks this year than we had last year. It is the same with skimming attacks. So, the solutions that we talked about that the banks are looking at, I think we can expect more rollouts. Specifically, I see a lot of effort with fraud detection. Debit card fraud-detection systems are way behind; credit card fraud-detection systems, as a class, are much better. It used to be, on debit, that the bank had enough authentication with just the PIN. Now, all of that is being broken by the latest trend of attacks, so banks are getting much smarter in the way they are approaching fraud detection and the systems are getting more sophisticated. I'm starting to see the rollout of point-of-compromise analysis systems, assuming the bank has access to that data. So, there is a lot of innovation in fraud detection, and there is a lot of experimentation and interest in stronger cardholder authentication. While the attacks are increasing, so are the defenses.