ATM Security: 3 Key Vulnerabilities
Interview with Chuck Somers, VP of ATM Security, Diebold
Diebold recently conducted a risk analysis of global ATM vulnerabilities and narrowed those risks down to three core focus areas:
- Physical security - the actual break-in of an ATM;
- Logical security - protection from malware;
- Fraud - what we commonly know as skimming.
"The largest of the three, in terms of losses to institutions, is fraud," Somers says. "The fraud typically occurs via the attachment of external skimmers onto the machine with some sort of a PIN recording device."
But recent malware attacks in eastern Europe and Latin America have raised new concerns about logical threats, he says.
Among the trends that currently concern Somers: the greater sophistication of skimming devices - they're getting smaller and harder to detect - as well as the improved organization of the fraud rings that obtain and redeem card information, and the growth of internal (inside the ATM) versus external skimming.
The greater concern, though, is how lucrative ATM attacks have become for the fraudsters.
"Unfortunately, there's a high ROI on this crime," Somers says. "At the end of the day, even the people who are out there taking the biggest risks, either attaching the skimming devices or redeeming the fraudulent cards ... even if they do get arrested, even if they do get prosecuted, they do pretty soft time in a local jail."
Because ATM skimming is a non-violent crime - as opposed to bank robbing - the courts have generally treated criminals more leniently. "This crime is more lucrative than drugs," Somers says. "There's a lower chance of being caught and lower punishment for the crime afterwards."
In an exclusive interview on global ATM security, conducted at the BAI Payments Connect Conference & Expo in Phoenix, Ariz., Somers discusses:
- The ATM threat landscape;
- Evolution of malware;
- Tips for banking institutions to reduce ATM fraud.
Somers, Jr., was appointed vice president, ATM security and systems, for Diebold, Incorporated in March 2010. He is responsible for leading all aspects of ATM security for Diebold, including physical threats, logical security and fraud. Somers' team works closely with Diebold's global risk and security group to identify emerging threats, and leverages all development groups within Diebold to develop reliable security solutions to customers in a timely manner.
Prior to his current position, Somers served in roles including vice president, global software development, vice president, global professional services, and general manager, software and services, for Diebold.
Somers is a native of Braintree, Mass. He received a bachelor's degree in economics from the University of Massachusetts in Boston. He is a member of the Association for Services Management International (AFSMI) and the Technology Professional Services Association (TPSA).
Global Concerns
TOM FIELD: So, Chuck, I know that you've done a lot of work in the past couple of years, and before we sat down to talk you were outlining for me the organization that you're in charge of. Tell us a little bit about the work that you've done at Diebold, specifically in terms of ATM security.
CHUCK SOMERS: Happy to. I happen to lead a group of people who are focused on ATM security for Diebold. The components of that group include the responsibility for the portfolio solutions we have: those that are already created and deployed; those that are in the process of being created; those that we're considering strategically; the marketing of those, and what that really means is the linkage between our internal organizations, the sales and the customers to make sure that we're effectively deploying the solutions. Also, we're involved with project involvement and management of all of those solutions to make sure that they effectively hit our dates, and then finally the architecture of the logical security piece of that and delivery of the logical security components.
FIELD: And we're talking about global security issues here, not just regional, correct?
SOMERS: We're talking about global security issues. We receive incident reports on a daily basis from all reaches of the globe. We publish security alerts internally intended to go out to the customers when we see something. We began sending those out regionally and then realized that it really did have global implications. So now we send those security alerts globally.
3 Key Vulnerabilities
FIELD: Now, part of your work, I know, has been sort of detecting what the key vulnerabilities are, and I know you've got it down to three core areas. What are those?
SOMERS: Those core areas we determined, based on the risk analysis that we did, were:
- Physical security, which is the securing of the assets;
- Logical security, and that really means protecting it against malware;
- Then, finally, the fraud, which is really card and currency fraud on the machines and the skimming attacks.
FIELD: What's the priority of those vulnerabilities now? Which is, say, the biggest of the three?
SOMERS: The largest of the three in terms of losses for financial institutions is and remains fraud. The card fraud, and those are typically what occurs by the attachment of external skimmers onto the machines and some type of a PIN recording device to be able to do that.
Fraud seems to be the biggest vulnerability globally in terms of losses. However in several geographies that have experienced logical security breaches -- Eastern Europe, which was well documented several years ago by Visa, as well as some recent instances in Latin America - these have certainly raised those customers' knowledge about that as well as their reaction to it.
Responding to Threats
FIELD: So in response to those vulnerabilities that you've studied, I know you've focused on a couple of key areas. What are those?
SOMERS: Well, the key areas that we focus on are to look at what the risks are. We look at what the attack factors are, and then we validate to see if we have or have already deployed solutions and if the solutions deployed are effective to be able to do that. We get very frustrated when we have solutions that are available to go that aren't deployed. Because what that really means is we haven't done a good enough job educating our customers as to what is available and what the real risks are to be able to do that. In the area of fraud, really, it's two parts. First is prevention -- the various techniques to do that -- and then the second one is detection.
FIELD: You do a fair amount in education. Tell me about that.
SOMERS: Well, we have in North America this year 39 seminars broken up into 39 cities where we spend a whole day in the city ... going through the various vulnerabilities, as well as going through some of the mitigating things that they can do for that. It is an education piece. It is not at all a sales pitch -- relative to those solutions, those can happen afterwards if people are interested. But what we're really trying to do is raise the awareness of the financial institutions that are out there.
FIELD: I just got done working on a session with a banking security leader who said for all the efforts that we put into awareness, there is no evidence that we prevented a dollar's worth of fraud. What are your thoughts on what we put into education and awareness?
SOMERS: Well, let me put it this way. Up until two years ago, Diebold was not in the business of educating the customers. So, we think what we have seen over the past couple of years is a gap between the vulnerabilities that are being exploited and the deployment of solutions that already exist. We think that that is due to an effective way of being able to communicate or have those conversations, and we're now having the conversations with the fraud and risk people at the financial institutions not just the ATM operations people, and we think that's a key.
Skimming Trends
FIELD: Let's talk about some of the trends that you're seeing in the marketplace right now. Skimming, of course, comes up to the top here. What can you tell us about skimming trends that you're seeing globally?
SOMERS: What we're seeing globally is maturation of the market. We're seeing significant investments in maturation and componentization. We see that the people who are creating the skimmers are scientists -- these are not garage shop people. They are taking advantage of trends in terms of miniaturization of components, in terms of battery life, in terms of miniaturization of the storage media, in terms of short-range communications. And so what we're seeing is true investment from the criminals in being able to be better at their trade. And then what we're seeing is a complete disaggregation of the crime in that there are centers of excellence to be able to create the skimmers, there are mules that go out to be able to attach them and collect their centralization of the data and the storage and sale of that information, and then there's [the component] to be able to collect to duplicate the cards and collect. So, therefore it's really a chain. It is highly organized. It is highly well-funded, and so therefore we continue to see investment in the manufacturing portion of that as a result of this whole chain.
Impact of EMV
FIELD: What difference do you see with the predominance of EMV in different marketplaces? How is that affecting skimming trends?
SOMERS: It affects the redemption part of the skimming trends. In other words, if I am an EMV issuer someplace in western Europe, and I give a card to you and the card is then redeemed inside the western European Union, I know for a fact that that card is a card that was issued, and so therefore it can't be skimmed. If, however, a skimmer is attached to that device and the mag stripe is recorded and then subsequently attempted to be redeemed outside of the European Union, I have to have fraud analytic capabilities to be able to detect that that was a non-EMV terminal. So, what we looked at is ... year to year we see a significant decline in losses, even though the number of skimming incidents remains the same, and what we are attributing that to is that all of the back and front analytics are now turned on non-EMV acquiring terminals.
High ROI from Fraud
FIELD: Now you hinted at this before. It sounds like the criminals are getting a whole lot better.
SOMERS: Criminals are getting better and smarter. It's also unfortunate that there's a high ROI on this crime. At the end of the day, even the people who are out there taking the biggest risks, either attaching the skimming devices or redeeming the fraudulent cards ... even if they do get arrested with their criminal wares, and if they do get prosecuted, they do pretty soft time in a local jail. To look for the same type of return going and robbing a bank with guns, for example, they're looking at 25 to life. So you know it's a much more attractive crime for criminals.
FIELD: You make a good point there. I thought the same thing because I've heard criminals say to the police that this is the crime of choice because it's low contact, low risk, and if they walk into a bank with a gun, there's an automatic 25 years there. We've got to come to a point where if you walk up to a terminal with a skimmer that there's an additional sentence attached to that.
SOMERS: There's some education that needs to go in there about that as this crime continues to occur. I mean, it's more lucrative than drugs, and it's again a higher ROI because there's a lower chance of being caught and also a lower punishment for the crime afterwards. It is non-violent by nature. You don't need a gun to be able to do this. So, I think the courts to date have looked at this a little bit more leniently than they have some of the other types of robberies.
Malware's Evolution
FIELD: Chuck, tell me about the evolution of malware.
SOMERS: Well, the interesting thing about malware is that our first exposure to it in spades came December 24, 2008. That's when we were made aware of the fact that there was malware running in Russia. When we worked with Visa and with Trustwave, who did some of the forensics with these, and then CERT out of Carnegie Mellon Institute, we did some examination of the malware and found that it was quite sophisticated. There was version control, configuration management. There were 14 separate versions that we were able to analyze, and a significant amount of what that malware did was to be able to remain silent. In other words, it was intended to be there for a long time. So we know that some place in Eastern Europe, because that's where its origins seem to be from, there is an engineering facility that every day a group of software engineers goes in with the sole intent to be able to steal money from Diebold and NCR machines, and what we're hoping to be able to do eventually is to find out where they are. Unlike that attack, the attacks that we've seen in Latin America are much less sophisticated, require much more access to the machine on an ongoing basis and yet are still able to do what the malware was intended to do, which is to steal customer information.
FIELD: Well, this interests me because it seems like you've got some unique schemes in different global marketplaces. What are some of those?
SOMERS: It would appear the ones that happened out of Eastern Europe ... have had access at some point in time to some type of source code. Whether that was stolen or whether they hired people -- for whatever reason a significant amount of engineering work went into that.
What happened down in Latin America was much more rudimentary, using older features to be able to look at log files or trace files, features that in recent releases of software have long since been removed. Yet when the software is not upgraded, the vulnerability remains.
So various different strains or variants started completely separately by completely different organizations with no apparent DNA connection between them.
FIELD: Any specific trends you're seeing in Asia?
SOMERS: None to date. In Asia, depending on the country, we see some sophistication, a lot of sophistication in skimming attacks that have gone on over there. In Australia we've seen some sophistication in the explosive attacks that they've had there. There was a period of time when an awful lot of explosions were occurring where they were mixing the gas in the safes and then blowing the safes.
Internal Threats
FIELD: Chuck, one of the things we talked about before we sat down here was the sort of migration from external to internal threats against ATMs. What can you tell us about that?
SOMERS: We're starting to see in no way, shape or form a massive wholesale migration from external to internal, and predominantly still we're seeing external skimmers. However, we're starting to see more and more on a regional basis internal skimmers, and what that really means is when people have had access to the inside of the ATM and they've either replaced the existing card reader with a modified card reader or have gone in and soldered something under the boards that they're trying to tap into the electronic circuitry inside. Now, two things about that. One is it requires different physical access characteristics than external skimmers, so other types of policies, procedures and safeguards can and should be in place. The second thing is there is really no way for a person to be able to detect the presence of an internal skimmer. A consumer can't see it. So as we start to see more of this, and as we get more effective at preventing and detecting the external skimmers, we think that this is a trend that we'll start seeing more of.
Anti-Fraud Tips
FIELD: So, let's boil this down to some advice that we can offer to financial institutions globally. What do they need to be doing themselves to prevent and detect some of these skims?
SOMERS: First of all, they need to be looking at the risk profile of their ATMs. In other words, machines that sit inside guarded lobbies have a different risk profile than machines that sit in an island with no video camera surveillance. So, what they need to look at is really where they've chosen to deploy their ATMs, and then what type of vulnerabilities might those ATMs have as a result of those locations. And then finally what capabilities should they be deploying to be able to either prevent or detect? And when we say "detect," what we really mean is are they part of the branch alarm system or are they part of the ATM software monitoring? In other words, if I detect a skimmer is on a machine, I need to tell somebody. So, there are two paths to go up right now. We need to work with those institutions and to allow them to prepare themselves for that. It's really about risk.