Blog post

The New Flash Attacks

By Avivah Litan | October 26, 2010 | 1 Comment

With so much attention, rightfully so, paid to bank account takeovers at small businesses, churches, school districts, county and other local government agencies, all courtesy of the Zeus trojan, almost no attention has been given to a new type of flash attack that has hit several banks and payment processors I talked with over the last couple of weeks.

And this attack type is particularly worrisome since:

a) there is no enforced 'security standard' comparable to PCI DSS aimed at stopping point-of-sale or ATM card reader tampering, and

b) the resulting cash withdrawals fly under the radar of existing fraud detection systems: each one is a small amount that raises no alarm on its own.

Here's how the attack works. (Something resembling this type of attack was reported in the news regarding the recent hacks into Aldi grocery store point-of-sale systems in multiple states, although details of that hack were scarce.)

a) The crooks figure out how to insert skimmers into a particular model of point-of-sale card reader used by a given retailer or store.

b) The skimmer, fitted inside the point-of-sale (POS) device, captures the magnetic stripe data on debit cards and records the PIN the customer enters.

c) They repeat step b for all POS readers of that model at the retailer or group of retailers, across states and geographies.

d) The skimmed data is transmitted to a central drop location the fraudsters control.

e) The fraudsters use the data to create hundreds or thousands of counterfeit debit cards, with each card's PIN scotch-taped to the plastic.

f) They line up their cronies (or mules) to visit at least a hundred ATMs scattered across a country (e.g. the U.S. or Canada) at the same time, using a handful of the cards (about five) at each machine.

g) The mules withdraw small amounts on each card; within ten minutes the simultaneous withdrawals at all these ATMs add up to about $100,000 in proceeds.

h) They repeat the exercise a few more times over the course of the month, for a total heist that can reach $500,000.

i) The mules get their fair share and are happy to sign up for the next round.
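An added example (written for this page, not code from the post or from any bank's or processor's actual fraud rules) of what "flies under the radar" means in practice, and what a detector that looks at the network rather than the single transaction can still see. It runs three rules over a constructed, scaled-down withdrawal stream: a per-transaction amount limit (which only catches a legitimate customer), a per-ATM rule (several distinct cards at one machine within minutes) and a network-wide sliding window (many ATMs and many cards inside ten minutes). The field names, thresholds and sample data are assumptions chosen for the illustration; real thresholds would come from the ATM estate's normal baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    atm_id: str
    card: str       # card token standing in for the PAN (hypothetical field)
    amount: float


def constructed_sample() -> List[Withdrawal]:
    """Constructed data, not real logs: a scaled-down flash (8 ATMs x 5 counterfeit
    cards, $200 each, all inside ten minutes) mixed with ordinary traffic, including
    one legitimate $600 withdrawal that a plain amount rule flags instead."""
    base = datetime(2010, 10, 20, 2, 0, 0)
    events = []
    background = [(-50, "B1", "legit-01", 60.0), (-25, "B2", "legit-02", 600.0),
                  (4, "B3", "legit-03", 40.0), (30, "B4", "legit-04", 20.0),
                  (55, "B5", "legit-05", 100.0)]
    for minute, atm, card, amount in background:
        events.append(Withdrawal(base + timedelta(minutes=minute), atm, card, amount))
    # the flash: ATM k serves five mule cards at minute k, ten seconds apart
    for k in range(8):
        for j in range(5):
            ts = base + timedelta(minutes=k, seconds=10 * j)
            events.append(Withdrawal(ts, f"A{k:02d}", f"mule-{5 * k + j:02d}", 200.0))
    return sorted(events, key=lambda e: e.ts)


def over_amount_limit(events: List[Withdrawal], limit: float) -> Set[str]:
    """Classic per-transaction amount rule, the check the attack is sized to slip under."""
    return {e.card for e in events if e.amount > limit}


def atm_bursts(events: List[Withdrawal], window: timedelta, min_cards: int) -> Dict[str, Set[str]]:
    """Per-ATM rule: min_cards or more distinct cards at one ATM inside one window.
    Returns atm_id -> cards seen in its flagged window(s)."""
    by_atm: Dict[str, List[Withdrawal]] = defaultdict(list)
    for e in events:
        by_atm[e.atm_id].append(e)
    flagged: Dict[str, Set[str]] = {}
    for atm, evs in by_atm.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            cards = {x.card for x in evs[i:] if x.ts < start.ts + window}
            if len(cards) >= min_cards:
                flagged.setdefault(atm, set()).update(cards)
    return flagged


def flash_window(events: List[Withdrawal], window: timedelta = timedelta(minutes=10),
                 min_atms: int = 6, min_cards: int = 20) -> Optional[dict]:
    """Network-level rule: one sliding window over withdrawals at every ATM. Returns the
    window with the most distinct cards that meets both thresholds, or None."""
    events = sorted(events, key=lambda e: e.ts)
    best = None
    for i, start in enumerate(events):
        in_win = [x for x in events[i:] if x.ts < start.ts + window]
        atms = {x.atm_id for x in in_win}
        cards = {x.card for x in in_win}
        if len(atms) >= min_atms and len(cards) >= min_cards:
            if best is None or len(cards) > len(best["cards"]):
                best = {"start": start.ts, "atms": atms, "cards": cards,
                        "total": sum(x.amount for x in in_win)}
    return best


def suspect_cards(events: List[Withdrawal], window: timedelta = timedelta(minutes=10),
                  min_atms: int = 6, min_cards: int = 20, min_cards_per_atm: int = 4) -> Set[str]:
    """Cards to hold for review: those used at a bursting ATM during a network-wide flash.
    Requiring both signals keeps the legitimate customer who happened to use an ATM
    during the same ten minutes off the list."""
    fw = flash_window(events, window, min_atms, min_cards)
    if fw is None:
        return set()
    bursts = atm_bursts(events, window, min_cards_per_atm)
    hits = {c for atm, cards in bursts.items() if atm in fw["atms"] for c in cards}
    return hits & fw["cards"]


if __name__ == "__main__":
    sample = constructed_sample()
    print("amount rule (> $500):", over_amount_limit(sample, 500.0))
    fw = flash_window(sample)
    print("flash window from", fw["start"], "-", len(fw["atms"]), "ATMs,",
          len(fw["cards"]), "cards, $", fw["total"])
    print("cards to hold:", len(suspect_cards(sample)))
```

On the sample, the amount rule returns only the legitimate $600 customer, the network window catches all 41 cards active in those ten minutes (40 mules plus one bystander), and the combined rule narrows that to the 40 counterfeit cards. The sliding window is quadratic in the number of events and is written for clarity; a production version would bucket by time or stream events through a deque.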

What Can Be Done?

The only fraud mitigation strategy I've seen work in practice today is this: once the first round of fraud is discovered, an acquiring processor or a payment network tries to identify the point of compromise for the affected cards. If it can be determined, every card that was used at that point of compromise (i.e. the breached merchant site) is put on a blacklist and rejected for future use at a point of sale or ATM. This is obviously a costly measure, since new cards and accounts generally have to be reissued to the customers, and it can strain customer relationships, but the alternative, risking that the customer's account is drained, is far less attractive.
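An added example, not the post's own method or any processor's actual tooling, of the point-of-compromise step described above: given the cards confirmed fraudulent in the first round and a constructed card-present history, rank merchants by how over-represented the fraud cards are among their customers, bound the exposure window, and list every card that transacted there in that window for blocking and reissue. Ranking by lift rather than by raw fraud-card count is the detail that matters: the merchant almost every card visits will always have the most fraud cards and is almost never the point of compromise. The merchant names, card tokens, dates and thresholds are all made up for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Txn:
    card: str        # card token standing in for the PAN (hypothetical field)
    merchant: str    # merchant or terminal identifier
    day: date


def constructed_history() -> List[Txn]:
    """Constructed card-present history, not real data. GROCER-7 is the store whose
    readers were skimmed in the scenario; BIGBOX is a merchant almost every card
    visits, which is what a naive 'most fraud cards' ranking would wrongly blame."""
    h = []
    for i in range(50):
        h.append(Txn(f"c{i:02d}", "BIGBOX", date(2010, 8, 20) + timedelta(days=i % 10)))
    for i in range(10, 30):
        h.append(Txn(f"c{i:02d}", "GROCER-7", date(2010, 9, 1) + timedelta(days=i - 10)))
    h.append(Txn("c40", "GROCER-7", date(2010, 8, 15)))   # visited before the skimmer went in
    for i in range(20, 40):
        h.append(Txn(f"c{i:02d}", "GAS-3", date(2010, 9, 5)))
    for i in range(5, 10):
        h.append(Txn(f"c{i:02d}", "CAFE", date(2010, 9, 2)))
    return h


# cards on which counterfeit-card ATM fraud was confirmed in the first round (constructed)
CONFIRMED_FRAUD = {"c12", "c15", "c18", "c21", "c24", "c27"}


def rank_points_of_compromise(history: List[Txn], fraud_cards: Set[str],
                              min_recall: float = 0.5) -> List[Tuple[str, float, float]]:
    """For each merchant: recall = share of confirmed-fraud cards that shopped there;
    lift = recall / share of all cards that shopped there. Returns (merchant, recall,
    lift) sorted by lift; merchants that explain too few fraud cards are dropped."""
    visitors: Dict[str, Set[str]] = defaultdict(set)
    for t in history:
        visitors[t.merchant].add(t.card)
    all_cards = {t.card for t in history}
    ranked = []
    for merchant, cards in visitors.items():
        recall = len(cards & fraud_cards) / len(fraud_cards)
        base_rate = len(cards) / len(all_cards)
        if recall >= min_recall:
            ranked.append((merchant, recall, recall / base_rate))
    ranked.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return ranked


def exposure_window(history: List[Txn], merchant: str, fraud_cards: Set[str],
                    pad_days: int = 0) -> Tuple[date, date]:
    """Lower bound on when the reader was skimming: first to last visit by a
    confirmed-fraud card, widened by pad_days on each side."""
    days = [t.day for t in history if t.merchant == merchant and t.card in fraud_cards]
    return min(days) - timedelta(days=pad_days), max(days) + timedelta(days=pad_days)


def cards_to_reissue(history: List[Txn], merchant: str, fraud_cards: Set[str],
                     pad_days: int = 0) -> Set[str]:
    """Every card that transacted at the merchant inside the window: blocked at POS
    and ATM and reissued, whether or not fraud has hit it yet."""
    lo, hi = exposure_window(history, merchant, fraud_cards, pad_days)
    return {t.card for t in history if t.merchant == merchant and lo <= t.day <= hi}


def investigate(history: List[Txn] = None, fraud_cards: Set[str] = CONFIRMED_FRAUD,
                pad_days: int = 0):
    history = constructed_history() if history is None else history
    ranked = rank_points_of_compromise(history, fraud_cards)
    top = ranked[0][0]
    return top, ranked, cards_to_reissue(history, top, fraud_cards, pad_days)


if __name__ == "__main__":
    top, ranked, reissue = investigate(pad_days=2)
    for merchant, recall, lift in ranked:
        print(f"{merchant:10s} recall={recall:.2f} lift={lift:.2f}")
    print("point of compromise:", top, "- cards to block and reissue:", len(reissue))
```

Two caveats a practitioner would want. First, the window from the fraud cards alone is a lower bound; the skimmer was in place before the first confirmed-fraud card passed through it, so `pad_days` (or the retailer's own maintenance records) widens it, and on the sample that grows the reissue list from 16 cards to all 20 that shopped at GROCER-7 in September. Second, an issuer only sees its own cards at a merchant, while the acquirer or network sees everyone's, which is why the post puts this analysis at the processor or network rather than at the individual bank.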

And these crooks have a lot of staying power. They keep the card numbers and account data around for years and may use them one or two years after the initial breach, if the cards are still valid. One banker just told me that his bank is still seeing fraud on cards allegedly stolen during the Heartland Payment Systems breach.

The long-term solution: stronger cardholder authentication, whether Chip and PIN, dynamic PINs, mobile geolocation information, or other authentication alternatives that do not rely on static data a skimmer can copy.

Of course the long term is now, in this case.
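As an added illustration of why the authentication alternatives above defeat this attack (an example written for this page, a deliberately simplified model and not the EMV specification or any issuer's code), the block below contrasts the two paths a skimmer's copy can take. The magnetic stripe is static data, so a copy plus the recorded PIN authorizes exactly like the card. A chip cryptogram is a MAC over the amount, a per-card counter and a terminal nonce under a key that never leaves the chip, so the captured value fails at any other terminal and fails as an exact replay. Key sizes, message layout, the track-2 string and the test PAN are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class ChipCard:
    """Simplified chip card: a card-unique key that never leaves the chip and an
    application transaction counter (ATC). A teaching model, not EMV."""
    pan: str
    key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> Tuple[int, bytes]:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|".encode() + unpredictable_number
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_atc: Dict[str, int] = {}

    def enroll(self, pan: str) -> ChipCard:
        key = os.urandom(16)          # issuer keeps a copy; the chip keeps the other
        self.keys[pan] = key
        self.last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_stripe(self, track2: str, pin_ok: bool) -> bool:
        """Magnetic stripe path: the track data is static, so a skimmed copy plus the
        recorded PIN is indistinguishable from the real card."""
        pan = track2.split("=")[0]
        return pan in self.keys and pin_ok

    def authorize_chip(self, pan: str, amount_cents: int, unpredictable_number: bytes,
                       atc: int, cryptogram: bytes) -> bool:
        """Chip path: recompute the cryptogram with the issuer's copy of the card key
        and reject a counter value that has already been accepted."""
        key = self.keys.get(pan)
        if key is None:
            return False
        msg = f"{pan}|{atc}|{amount_cents}|".encode() + unpredictable_number
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, cryptogram):
            return False              # wrong key, or replayed under another terminal's nonce
        if atc <= self.last_atc[pan]:
            return False              # exact replay of a cryptogram already accepted
        self.last_atc[pan] = atc
        return True


def skimmer_outcomes() -> Dict[str, bool]:
    """Same skimmer, two card technologies. The PAN is a well-known test number and
    the track-2 string is constructed."""
    issuer = Issuer()
    pan = "4000000000000002"
    card = issuer.enroll(pan)
    skimmed_track2 = f"{pan}=15121011000012345678"
    skimmed_pin_ok = True                       # the PIN overlay recorded the PIN

    # a genuine chip transaction that the skimmer observed in full
    un = os.urandom(4)
    atc, cryptogram = card.generate_cryptogram(4000, un)
    genuine = issuer.authorize_chip(pan, 4000, un, atc, cryptogram)
    other_terminal_un = bytes(b ^ 0xFF for b in un)   # guaranteed to differ from un

    # the cardholder's next real transaction after the replay attempts
    un2 = os.urandom(4)
    atc2, cryptogram2 = card.generate_cryptogram(2500, un2)

    return {
        "stripe_replay": issuer.authorize_stripe(skimmed_track2, skimmed_pin_ok),
        "cryptogram_replay_new_terminal": issuer.authorize_chip(pan, 4000, other_terminal_un, atc, cryptogram),
        "cryptogram_replay_same_nonce": issuer.authorize_chip(pan, 4000, un, atc, cryptogram),
        "genuine": genuine,
        "genuine_next": issuer.authorize_chip(pan, 2500, un2, atc2, cryptogram2),
    }


if __name__ == "__main__":
    for outcome, approved in skimmer_outcomes().items():
        print(f"{outcome:32s} {'APPROVED' if approved else 'declined'}")
```

The stripe replay is approved and both cryptogram replays are declined, while the cardholder's own transactions before and after the attack go through. The caveat the comment below touches on applies here too: a chip card that still carries a magnetic stripe for fallback can be skimmed and the counterfeit used wherever the stripe path is still accepted, so the issuer's authorization rules, not just the card, have to stop relying on static data.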

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


1 Comment

  • Mike Urban says:

    Hi Avivah,

    Debit card fraud is definitely becoming more of a concern as criminals are targeting debit cards and compromising PINs. Compromises like the one you reference have been taking place for many years, as have much larger-scale mass compromises of card information at merchants and processors. While the compromise of cards and PINs together is significantly less common in the US, as compared to the compromise of the mag stripe data alone, criminals know they can get access to cash, which is much more fungible than fencing a fur coat.

    There are several effective technologies that have recently been developed to impact debit card fraud losses.

    These include:

    Behavior Sorted Lists that learn the places cardholders go and how they transact. Understanding the habits of cardholders including preferred merchants, ATMs and recurring transaction patterns helps issuers spot fraudulent out of pattern behavior regardless of dollar amount.

    Intelligent ATM Profiles build on the activity at specific ATMs in relation to their normal behavior. This is specifically developed to deal with the flash attacks at ATMs. ATM profiles are also very useful for issuers of EMV Chip & PIN cards, which can have the mag stripe and PIN compromised in country and used fraudulently in a non-Chip & PIN-compatible country.

    Adaptive Cascading models are self-learning on an issuer's real-time fraud transactions and identify specific transaction variable information in those transactions, such as dollar amount, location, transaction type, merchant, etc. These are particularly useful for identifying fast-changing fraud patterns and reducing false positives.

    I agree that the industry needs to use stronger technologies as part of a layered security strategy to protect consumer and business financial transactions. Using a customer’s unique transactional behavior fingerprint is a part of that strategy.

    Thank you,
    Mike Urban
    FICO Global Fraud Solutions