Gartner Blog Network


ATM Heist points to fundamental business and technology issues in the payment systems

by Avivah Litan  |  May 14, 2013  |  7 Comments

The recently disclosed $45 million worldwide ATM cashout heist (see bankinfosecurity.com) points to many practical business and technology issues that payment system participants face.

Here are just a few of them:

a) One of the more troubling issues of these breaches is the difficulty in determining the points of the network chain that were breached by the fraudsters. This makes it very difficult for card issuers to recover their lost funds because they don’t know who is liable for the breach.

b) From conversations I’ve had with various issuer clients regarding recent breaches, the card brands (Visa and MasterCard) are often not as helpful in helping card issuers recover funds as the issuers would like them to be, perhaps because the card brands don’t know where to assign the liability.

c) Frankly, from a holistic viewpoint, companies that accept or process card payments are in a no-win situation when it comes to a breach. They can do their best and spend lots of money and time becoming PCI certified, but this gives them no safe harbor from penalties that are incurred if they are still breached. And the auditors (qualified security assessors) that certify these eventually breached companies as PCI compliant have BIG disclaimers in their contracts that they take NO responsibility if in fact their clients are breached.

d) There are so many parties in the payment chain that it is very difficult to assign blame in these types of breaches. For example, there can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops.

e) A point-the-finger and assign-blame approach is, in the end, a dead-end approach and a lose-lose for all parties concerned. A win-win approach would be to strengthen the security of the card payment system through stronger user authentication and more secure media used to request payments or cash withdrawals (e.g. chip and PIN based on the EMV standard).

f) Until then, we will continue to try to keep a leaky, insecure payment system secure. It reminds me of the little Dutch boy who stuck his finger in the dike and successfully stopped the sea water from flooding his home town. He was successful because he stopped the leak when it was very small. I think we are too late when it comes to our global card payment systems. We probably need, at the least, a major cyber-army in this instance.

Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.


Thoughts on ATM Heist points to fundamental business and technology issues in the payment systems


  1. atm says:

    Great article, the problem with chip and pin cards is that it is a win-win for the bank – should your card get skimmed, they can come back and tell you that because of the added security they are not willing to investigate the charges. Yes, we do need a cyber-army.

  2. Avivah Litan says:

    Thanks for the feedback. I did hear about those problems with chip and PIN. Certainly it’s not perfect but it definitely raises the security bar and is a standard across the globe already. And hopefully the U.S. public can change the equation so that banks don’t push fraud costs on these cards back to consumers by default, as I have heard has happened in other countries.

    I also heard that this push-back-to-consumer policy has been reversed at a bank, when a bank’s ombudsman office would get too many consumer complaints.

    In any event, what’s our alternative? Sticking with magstripe?

    Avivah

  3. Dogen says:

    I’m curious as to why Chip & Pin hasn’t been adopted by US banks in the US. Do you know why this is?

    I can think of two possible reasons, but I’m sure there could be others:
    1) Do they really think the cost of going to C&P is more than what they are losing to fraud from magstripe?
    2) Or are they concerned that it isn’t really that much more secure and so it isn’t worth the cost until it’s improved?

    I hear that it’s getting harder and harder to travel overseas without a chip & pin card, at least for getting cash from ATMs.

    I agree that Chip & Pin is more secure than magstripe, and in theory it seems actually very much more secure. There seems to be at least one problem with implementations in practice differing from theory (i.e. using sequenced, predictable numbers instead of random numbers in some ATMs).

    Thanks!

  4. Avivah Litan says:

    Hi Dogen,

    My understanding is that no one wants to pay for Chip and PIN, neither the banks, merchants, ATM and POS vendors, Visa, Mastercard, etc. In the U.S., our systems are so diffuse and extensive that it will take moving a lot of parts, all in unison and on a staged plan – to make it happen. And it’s very expensive, I’ve heard estimates in the billions of dollars (up to $20 billion). For now, I suppose, the fraud costs don’t justify that type of expenditure.

    It may be simpler once we move to mobile payments because mobile enables chip and pin from the mobile device without having to provision special cards. Still, there is the cost of upgrading the payment acceptance devices.

    In the meantime, Visa and MasterCard do have deadlines for upgrading POS terminals to be able to accept chip payments in the next couple of years.

    thanks,
    Avivah

  5. Boaz Dolev says:

    Hi Aviva,
    Do you have a clearer view of the nature of the data breach?
    – How did the attackers gain control of the ElectraCard and Enstage systems? Is it the same software?
    – How did the attackers gain control of the PIN numbers of the cards?
    TNX

  6. Sandra says:

    Nice and interesting post. Thanks for sharing it.
