Avivah Litan

A member of the Gartner Blog Network

Avivah Litan, VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…

The New Flash Attacks

by Avivah Litan  |  October 26, 2010  |  8 Comments

With so much attention, rightfully so, paid to bank account takeovers at small businesses, churches, school districts, county and other local government agencies — all courtesy of the Zeus trojan — almost no focus has been given to a new type of flash attack that has hit several banks and payment processors I talked with over the last couple of weeks.

And this attack type is particularly worrisome since:

a) there aren’t any ‘security standards’ like PCI that aim to stop point-of-sale or ATM card reader tampering, and

b) the resulting cash transactions fly under the radar of existing fraud detection systems – they are typically small amounts that don’t raise any alarms.

Here’s how the attack works. (We heard something resembling this type of attack in the news regarding the recent hacks into Aldi grocery store point-of-sale systems in multiple states, although details of that hack were lacking.)

a) The crooks figure out how to put skimmers in a point-of-sale card reader at a given retailer or store.

b) They put the skimmer in the point-of-sale (POS) device, where it skims the magnetic stripe information on debit cards and records the user PIN.

c) They repeat step b for all similar POS reader models at a given retailer or group of retailers, across states and geographies.

d) The skimmed data is transmitted to a central drop location that the fraudsters have access to.

e) The fraudsters then take the data and use it to create hundreds or thousands of counterfeit debit cards, and scotch-tape the PIN belonging to each card onto the plastic.

f) They line up their cronies (or mules) to all go to at least a hundred ATM machines at the same time, and use a few of these cards (about five) in each machine; the machines are scattered across a country (e.g. the U.S. or Canada).

g) The mules withdraw small amounts on each card, and within ten minutes the simultaneous withdrawals at all these ATMs add up to about $100,000 in proceeds.

h) They repeat this exercise a few more times over the course of the month. At the end of the month, the total heist can add up to $500,000.

i) The mules get their fair share and are happy to sign up for the next round.
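The withdrawal burst described above (many ATMs, small amounts, a ten-minute window) is exactly the pattern an issuer's monitoring can look for, even though no single withdrawal is large enough to trip an amount-based rule. The following is an added example, not code from the post or from any vendor: it runs a sliding-window detector over a constructed withdrawal log; the thresholds (`min_atms`, `max_amount`) are assumed values that an issuer would tune to its own traffic.

```python
from datetime import datetime, timedelta

def make_sample(burst=True):
    """Constructed ATM withdrawal records (not real data), as an issuer
    would see them: (timestamp, card_id, atm_id, amount_usd)."""
    base = datetime(2010, 10, 20, 2, 0, 0)
    recs = []
    # Background traffic: one withdrawal every 3 minutes spread over four ATMs.
    for i in range(20):
        recs.append((base + timedelta(minutes=3 * i), f"card-{i:04d}", f"atm-{i % 4:02d}", 120))
    if burst:
        # Flash attack: 12 ATMs, 3 counterfeit cards each, small amounts, within 4 minutes.
        start = base + timedelta(minutes=30)
        for a in range(12):
            for c in range(3):
                recs.append((start + timedelta(seconds=20 * a + 5 * c),
                             f"card-9{a:02d}{c}", f"atm-B{a:02d}", 100))
    return recs

def detect_flash_attack(records, window=timedelta(minutes=10), min_atms=10, max_amount=250):
    """Slide a time window over withdrawals sorted by time and raise one alert per
    burst in which small withdrawals hit at least min_atms distinct ATMs.
    A sliding window (rather than fixed 10-minute buckets) avoids missing a burst
    that straddles a bucket boundary. Thresholds are assumed, not from the post."""
    recs = sorted(records, key=lambda r: r[0])
    alerts, j = [], 0
    for i, (t_start, _, _, _) in enumerate(recs):
        if alerts and t_start <= alerts[-1]["window_end"]:
            continue  # this start already lies inside the last alert's window
        while j < len(recs) and recs[j][0] - t_start <= window:
            j += 1  # j is the first record beyond [t_start, t_start + window]
        small = [r for r in recs[i:j] if r[3] <= max_amount]
        atms = {r[2] for r in small}
        if len(atms) >= min_atms:
            alerts.append({
                "window_start": t_start,
                "window_end": t_start + window,
                "distinct_atms": len(atms),
                "distinct_cards": len({r[1] for r in small}),
                "total_usd": sum(r[3] for r in small),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_flash_attack(make_sample()):
        print(alert)
```

In the sample, the background traffic never exceeds four ATMs per window, while the burst produces a single alert covering the attack window; the same logic can be keyed per issuer BIN so that one issuer's cards hitting many ATMs at once stands out.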

What Can Be Done?

The only successful fraud mitigation strategy I’ve seen that works in practice today is that, once the first round of fraud is discovered, an acquiring processor or a payment network tries to figure out the point of compromise for these cards. If that is determined, then all cards that were used at that point of compromise (i.e. the breached entity’s site) are put on a blacklist and are rejected for future use at a point-of-sale or ATM machine. This is obviously a costly measure, since new cards and accounts generally have to be reissued to the customers – plus it can jeopardize customer relationships – but the alternative is far less attractive, i.e. risking having the customer account drained.
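The point-of-compromise analysis described above is commonly done by looking for the merchant that the fraud-reported cards have in common, discounted by how popular that merchant is among cards in general. The following is an added example, not code from the post: it runs that analysis over a constructed issuer history (card ids, merchant ids and dates are made up), picks the merchant with the best coverage of the reported cards, bounds the compromise window by the reported cards' visits there, and returns the not-yet-reported cards that visited in that window as the reissue list.

```python
from collections import defaultdict

# Constructed issuer data (not real): card_id -> [(date, merchant_id), ...]
HISTORY = {
    "c01": [("2010-09-02", "M-grocer-17"), ("2010-09-05", "M-gas-03")],
    "c02": [("2010-09-03", "M-grocer-17"), ("2010-09-06", "M-gas-03")],
    "c03": [("2010-09-04", "M-grocer-17"), ("2010-09-07", "M-gas-03")],
    "c04": [("2010-09-06", "M-grocer-17"), ("2010-09-08", "M-gas-03")],
    "c05": [("2010-09-08", "M-grocer-17"), ("2010-09-09", "M-coffee-05")],
    "c06": [("2010-09-10", "M-grocer-17")],
    "c07": [("2010-09-09", "M-grocer-17"), ("2010-09-12", "M-gas-03")],
    "c08": [("2010-09-20", "M-grocer-17")],  # visited after the window: not exposed
    "c09": [("2010-09-05", "M-gas-03"), ("2010-09-11", "M-coffee-05")],
    "c10": [("2010-09-06", "M-gas-03")],
    "c11": [("2010-09-07", "M-gas-03"), ("2010-09-13", "M-coffee-05")],
    "c12": [("2010-09-08", "M-gas-03")],
}
# Cards on which counterfeit use has already been reported (constructed).
FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05", "c06"}

def point_of_compromise(history, fraud_cards, min_coverage=0.8):
    """Return the suspected compromised merchant, the compromise window and the
    exposed (not yet reported) cards, or None if no merchant covers enough of
    the reported cards. min_coverage is an assumed threshold."""
    cards_at = defaultdict(set)  # merchant -> set of cards seen there
    for card, txns in history.items():
        for _, merchant in txns:
            cards_at[merchant].add(card)
    best = None  # (merchant, lift)
    for merchant, cards in cards_at.items():
        coverage = len(cards & fraud_cards) / len(fraud_cards)   # share of fraud cards seen here
        background = len(cards) / len(history)                   # share of all cards seen here
        lift = coverage / background  # discounts merchants everybody uses (e.g. a gas station)
        if coverage >= min_coverage and (best is None or lift > best[1]):
            best = (merchant, lift)
    if best is None:
        return None
    merchant = best[0]
    # Bound the window by the reported cards' visits to the suspected merchant.
    dates = [d for c in fraud_cards for d, m in history.get(c, []) if m == merchant]
    lo, hi = min(dates), max(dates)
    exposed = {c for c in cards_at[merchant] - fraud_cards
               if any(m == merchant and lo <= d <= hi for d, m in history[c])}
    return {"merchant": merchant, "lift": round(best[1], 2),
            "window": (lo, hi), "exposed_cards": exposed}
```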

And these crooks have a lot of staying power. They keep these numbers and accounts around for years and may use them one or two years after the initial breach (if the cards are still current). One banker just told me that his bank is still seeing fraud on cards allegedly stolen during the Heartland Payment Systems breach.

The long term solution: Stronger cardholder authentication, whether using Chip and PIN, dynamic PINs, mobile geolocation information, or other authentication alternatives.

Of course the long term is now, in this case.



8 responses so far

  • 1 Fraudsters Find Holes in Debit Card Fraud Detection | Find Tech News   October 27, 2010 at 2:11 pm

    [...] systems unless they start looking at location or behavior,” said Litan, who also wrote a blog post on the [...]

  • 2 Fraudsters find holes in debit card fraud detection | Hack In The Box | Hacking and Computer security news   October 27, 2010 at 2:53 pm

    [...] systems unless they start looking at location or behavior,” said Litan, who also wrote a blog post on the [...]

  • 3 Netzwelt-Ticker: Halbherziger Trojanerangriff auf Mac OS X | Flash News   October 28, 2010 at 8:30 am

    [...] trick, card fraudsters circumvent the security precautions of credit card companies. In so-called flash attacks, hundreds of fraudsters band together and almost simultaneously withdraw small sums from a [...]

  • 4 Netzwelt-Ticker: Halbherziger Trojanerangriff auf Mac OS X | Flyer Poster Werbung News   October 28, 2010 at 10:00 am

    [...] trick, card fraudsters circumvent the security precautions of credit card companies. In so-called flash attacks, hundreds of fraudsters band together and almost simultaneously withdraw small sums from a [...]

  • 5 Netzwelt-Ticker: Halbherziger Trojanerangriff auf Mac OS X » News-Welt - Informations Blog zu News ueber .....   October 28, 2010 at 10:09 am

    [...] trick, card fraudsters circumvent the security precautions of credit card companies. In so-called flash attacks, hundreds of fraudsters band together and almost simultaneously withdraw small sums from a [...]

  • 6 Paparatzi News » Blog Archive » Netzwelt-Ticker: Halbherziger Trojanerangriff auf Mac OS X News und Infos der Stars Sternchen und Promis   October 28, 2010 at 10:10 am

    [...] trick, card fraudsters circumvent the security precautions of credit card companies. In so-called flash attacks, hundreds of fraudsters band together and almost simultaneously withdraw small sums from a [...]

  • 7 Mike Urban   October 29, 2010 at 2:48 pm

    Hi Avivah,

    Debit card fraud is definitely becoming more of a concern as criminals are targeting debit cards and compromising PINs. Compromises like the one you reference have been taking place for many years as have much larger scale mass compromises of card information at merchants and processors. While the compromise of cards and PINs together is significantly less in the US, as compared to the compromise of the mag stripe data alone, criminals know they can get access to cash, which is much more fungible than fencing a fur coat.

    There are several effective technologies that have recently been developed to impact debit card fraud losses.

    These include:

    Behavior Sorted Lists that learn the places cardholders go and how they transact. Understanding the habits of cardholders including preferred merchants, ATMs and recurring transaction patterns helps issuers spot fraudulent out of pattern behavior regardless of dollar amount.

    Intelligent ATM Profiles build on the activity at specific ATMs in relation to their normal behavior. This is specifically developed to deal with the flash attacks at ATMs. ATM profiles are also very useful for issuers of EMV Chip & PIN cards which can have the mag stripe and PIN compromised in country and used fraudulently in a non Chip & PIN compatible country.

    Adaptive Cascading models are self learning to an issuer’s real time fraud transactions and identify specific transaction variable information in those transactions, such as dollar amount, location, transaction type, merchant, etc. These are particularly useful to identify fast changing fraud patterns and reducing false positives.

    I agree that the industry needs to use stronger technologies as part of a layered security strategy to protect consumer and business financial transactions. Using a customer’s unique transactional behavior fingerprint is a part of that strategy.

    Thank you,
    Mike Urban
    FICO Global Fraud Solutions

  • 8 American Banker Security Watch « ROAM DATA Smart mCommerce News   November 3, 2010 at 11:55 pm

    [...] and payment processors are being hit by “flash attacks” — so named because their speed and potential for damage are reminiscent of a flash [...]