It is the responsibility of an EMV cardholder (someone holding a chip-enabled card) to protect their PIN when entering it into an ATM, or at any payment terminal. Best industry advice is to shield it whenever entering it into a device, thereby preventing visual compromise. Sometimes this is not easy, and you have to be creative in how you do it. EURO Kartensysteme in Germany has produced the short amusing video below, which illustrates this point. If you don't read German, the text says:
At the supermarket checkout... my PIN remains secret
For more cardholder security tips, and to watch seized criminal video footage of ATM PIN compromise, visit the website of the European ATM Security Team (EAST).
Views on ATM security, countering ATM Crime and ATM Fraud Prevention
Showing posts with label PIN compromise. Show all posts
Monday, 17 October 2011
Tuesday, 30 August 2011
PIN compromise using thermal imagery unlikely at metal ATM PIN pads
Since my last post I have come across more information on the thermal camera threat relating to PIN compromise. Having read the research paper, it seems that most ATMs are not at risk from this threat as, at the moment, the possibility of PIN compromise from thermal imaging technology really only exists for PIN entry at plastic PIN pads, and even then the success rate is not high - although the researchers claim that it is economically viable. As most ATMs seem to have metal key pads, this is a relief for the industry. The possibility of using thermal imaging for PIN compromise was first demonstrated by Michal Zalewski in 2005.
At WOOT '11, the 5th USENIX Workshop on Offensive Technologies, held on 8th August 2011 in San Francisco, a presentation entitled "Heat of the Moment: Characterizing the Efficacy of Thermal Camera-Based Attacks" was delivered. This was based on research and analysis carried out by Keaton Mowery, Sarah Meiklejohn, and Stefan Savage from the University of California, San Diego. If you want to read more you can visit the website of the USENIX Workshop and download the slide presentation made by Mowery et al. and/or the full research paper.
Labels: PIN compromise, PIN Protection, thermal imaging
Thursday, 25 August 2011
Covering your PIN may not protect it from cameras?
The industry is already aware that covering a PIN when entering it may not be 100% effective as, if the criminals use a PIN pad overlay, the PIN will be compromised regardless. It is still recommended as cardholder 'best practice', however, as the risk of visual compromise is significantly mitigated. For cardholder security tips, and a criminal video showing actual PIN compromise, visit the website of the European ATM Security Team.
Now, according to Security News on msnbc.com, new research in the U.S. has indicated that thermal cameras can be used for PIN compromise, even if the cardholder covers their hand when the PIN is entered. How? Apparently the keys touched by a human hand still retain some residual heat, and this can be detected by a thermal camera once the hand has been removed. Researchers from the University of California have carried out a series of proof-of-concept attacks using a thermal camera mounted above a traditional ATM PIN pad.
Labels: card skimming, PIN compromise, PIN Protection, thermal imaging
Thursday, 26 May 2011
65% of EAST Poll respondents always cover their PIN at an ATM
“Do you protect your PIN at an ATM?” That was the question asked by EAST in its website research poll conducted from January to March 2011. The poll showed the following results:
Why should you cover your PIN? If the magnetic stripe on your card is compromised or skimmed, the criminals need your PIN to maximize fraudulent usage of it. You can watch seized criminal footage of PIN compromise on the EAST Website to see what the criminals see. If you cover your PIN you are at least protected against visual compromise.
Sunday, 30 January 2011
Chinese ATM criminal using Fake ATM jailed for 10.5 years
Ten and a half years for a financial crime, now that is indeed a penalty! In Western Europe sentences for similar crimes are typically less, often a lot less... and according to the Shanghai Daily the man in question, a Mr Huang, was also convicted of forging financial bills and fined 50,000 Yuan ($7,143 approx).
It seems he used the internet to teach himself how to obtain card and PIN data, and then how to make counterfeit cards. He started in 2007 after losing his job. His initial modus operandi appeared to be the installation of skimmers into modified lobby door opening devices leading to ATMs (the door opening devices were modified by having the PIN shield removed - thereby making visual PIN compromise easier).
More recently he seems to have acquired a fake ATM machine and installed it in Beijing. This time the skimmer would no doubt have been fixed at the card reader, and the PIN compromised by micro camera. Apparently people trying to use the ATM got an 'out-of-service' message on the screen. Mr Huang is stated to have used the fraudulently acquired data to make 31 counterfeit cards, thereby netting himself 127,600 Yuan ($18,229 approx). According to a plan found by Police on his computer, his target was to make 500,000 Yuan ($71,429 approx) over a 10 day period.
This form of scam is well known in the USA, and has occurred in Europe - what is noteworthy about this one is that a self-taught individual perpetrated the crime, seemingly in isolation. While the total sums involved may not seem a lot to those hardened to published financial crime loss information in the West, in China the sums represent an awful lot of money to the average person.
Mr Huang has been sent to jail for over 10 years and also fined just under half the amount he stole - which possibly means that he will leave jail with debt (although he is appealing against the fine). For those frustrated by the apparent leniency of penalties for similar crimes in Europe, it may be of interest to monitor China more closely to see if related crime levels remain lower. Read the full story in the Shanghai Daily.