Mar 20, 2006

An example of ATM fraud that cannot be eliminated with mag stripe cards

If you want to see an example of ATM fraud that cannot be eliminated with mag stripe cards, no matter what back-end solutions are put in place, see “How ATMs have been converted to steal IDs of bank customers” for a detailed article including pictures of tampered ATMs.

“A team of organized criminals is installing equipment on legitimate bank ATMs in at least 2 regions to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM.”

Photographs show an ATM equipped by scammers with a duplicate card reader and wireless camera.

The author gives the following advice:

“For now the best defense is for ATM customers to remain cautious and vigilant when using their cards, but distinguishing a rigged machine from the real thing can be extremely difficult even for the most careful of users. NCR hopes that the introduction of “smart cards” (i.e., cards with embedded chips) will eliminate the problem of counterfeit fraud.”

1 comment:

Sausheong said...

Another example: phishing.

"For banking credentials, the preferred though more difficult method is ATM fraud, where the casher actually encodes the banking information (tracking) onto an ATM card and withdraws the maximum daily funds from that account. The popularity of tracking has grown because it has become increasingly difficult to ship purchased goods to countries where credit card fraud is a major problem.

The main difficulty with tracking is the encoding of bank data to the ATM card. The preferred hardware used to encode information onto magnetic stripe cards is the MSR–206. Although the MSR–206 hardware most preferred by cashers can be easily obtained, each bank uses a specific encoding algorithm to translate the credentials into the encoded data written to an ATM card. The tracking algorithm may be as simple as appending the expiration date and cvv2 code along with a fixed numeric value to the end of a check card number, or as complex as encrypting the information with a secret key and then encoding the encrypted block to the card.

It is no surprise that Washington Mutual, Key Bank, and various other institutions are at the top of phishers’ lists. The tracking algorithms for these financial institutions are easily obtained from within the phishing economy, while Bank of America, a huge financial institution, is nearly off phishers’ radar because their encoding algorithm is very hard to obtain or crack. According to statements by phishers, it may be based on Triple–DES, a strong encryption algorithm."

The economy of phishing - A survey of the operations of the phishing market