ATM cash-out: A rising threat requiring urgent attention

The PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.

What is the threat?

An ATM cash-out attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.

Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do ATM cash-out attacks work?

An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter fraud prevention controls, such as the withdrawal limits or PINs of compromised cardholder accounts. This is commonly done by using phishing or social engineering to plant malware in a financial institution's or payment processor's systems.

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.

With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuer's authorization system have been exploited.

Who is most at risk?

Financial institutions and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some detection best practices?

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools.
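
The velocity monitoring listed above, correlated with the limit changes the attack depends on, can be sketched as follows. This is an added example, not part of the bulletin; the event fields, thresholds and account names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)        # assumed velocity window
MAX_WITHDRAWALS = 4                   # assumed per-account count threshold
MAX_ATMS = 3                          # assumed distinct-ATM threshold
LIMIT_LOOKBACK = timedelta(hours=24)  # assumed correlation window

# Constructed sample events: (timestamp, kind, account, detail)
EVENTS = [
    ("2020-06-01T01:00:00", "limit_change", "acct-1",
     {"old": 500, "new": 50000, "approvers": 1}),
    ("2020-06-01T02:00:00", "withdrawal", "acct-1", {"atm": "ATM-10"}),
    ("2020-06-01T02:03:00", "withdrawal", "acct-1", {"atm": "ATM-22"}),
    ("2020-06-01T02:05:00", "withdrawal", "acct-1", {"atm": "ATM-31"}),
    ("2020-06-01T02:06:00", "withdrawal", "acct-1", {"atm": "ATM-47"}),
    ("2020-06-01T02:09:00", "withdrawal", "acct-1", {"atm": "ATM-52"}),
    ("2020-06-01T09:00:00", "withdrawal", "acct-2", {"atm": "ATM-10"}),
    ("2020-06-01T18:00:00", "withdrawal", "acct-2", {"atm": "ATM-10"}),
]

def detect_cashout(events):
    """Return alerts as (account, rule, timestamp) tuples, in event order."""
    recent = defaultdict(deque)  # account -> withdrawals still inside WINDOW
    last_limit_raise = {}        # account -> time of the last limit increase
    alerted = set()              # (account, rule) pairs already raised
    alerts = []

    def raise_once(account, rule, ts):
        if (account, rule) not in alerted:
            alerted.add((account, rule))
            alerts.append((account, rule, ts.isoformat()))

    for stamp, kind, account, detail in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(stamp)
        if kind == "limit_change":
            if detail["new"] > detail["old"]:
                last_limit_raise[account] = ts
                # A raised limit should carry a second approval.
                if detail["approvers"] < 2:
                    raise_once(account, "limit_raised_without_second_approver", ts)
            continue
        window = recent[account]
        window.append((ts, detail["atm"]))
        while ts - window[0][0] > WINDOW:  # drop withdrawals older than WINDOW
            window.popleft()
        atms = {atm for _, atm in window}
        if len(window) > MAX_WITHDRAWALS or len(atms) > MAX_ATMS:
            raise_once(account, "withdrawal_velocity", ts)
            raised = last_limit_raise.get(account)
            if raised and ts - raised <= LIMIT_LOOKBACK:
                raise_once(account, "velocity_after_limit_change", ts)
    return alerts
```

The third rule is the one specific to cash-out: a velocity spike that follows a recent limit increase on the same account points at the card management system rather than at a single stolen card.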

What are some prevention best practices?

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS.

75% of cardholders prefer contactless cards to other payment methods

Based on responses from 1,000 U.S. cardholders who are familiar with contactless credit/debit card or “tap and pay” technology, a new Entrust Datacard survey reveals that 75% of U.S.-based payment cardholders prefer contactless cards as their primary payment method over chip insert, card swipe, mobile pay and cash.

Contactless cards are here to stay

According to the survey’s results, 83% of respondents believe contactless cards are here to stay and 61% believe it’s at least somewhat of a priority to have a contactless feature on their credit or debit card. This prioritization is most prominent among Gen Z, Millennials and Gen X when compared to Baby Boomers.

In fact, 20% of Boomers reported they never use the contactless payment feature on their debit or credit card when making a purchase while this percentage is less than 10% for each of the other respective generations.

However, while contactless cards are gaining momentum with many in the U.S., the majority of consumers are still unaware of their card replacement options should they not have a contactless chip, or the card is lost or stolen.

Time for banks to educate their customers

With respondents citing sanitation (70%) and speed (67%) as benefits of contactless cards, now is the opportune time for banks to educate their customers on the benefits of replacing their card with a contactless card from their bank.

“As many Americans deal with financial setbacks and heightened concerns around health and safety in the face of COVID-19, the value we are placing on contactless payments has increased markedly,” said Tony Ball, senior vice president for instant payment card issuance at Entrust Datacard.

“Consumers want the ability to shop at their convenience, but also want to minimize personal contact with point of sale devices. Contactless cards are rising in popularity as a result.”

For faster card replacement, visiting a branch is best

Of the 71% of respondents who reported losing their payment card, 84% notified their bank via phone while only 22% visited a physical bank branch in hopes of getting a replacement card right away.

73% of respondents who notified the bank by phone had to wait 1-7 days for a new card to be delivered by mail. By contrast, 58% of respondents who notified the bank at the branch got a new card instantly.

Instant payment card issuance unawareness

Despite contactless cards growing in popularity, many consumers are unaware of whether or not their banks or credit unions offer instant issuance or replacement of contactless debit or credit cards.

According to the results, 64% of respondents said their banks offer instant card issuance and 63% said they offer instant replacement, yet around one-fourth were unsure whether their bank offered these options (27% and 24%, respectively), suggesting both an education and marketing opportunity for banks on card issuance solutions.

Most global brands fail to implement security controls to prevent data leakage and theft

The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent.

Global brands fail to implement security controls

As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.

There’s a troubling lack of security controls required to prevent data theft and loss through client-side attacks like Magecart, formjacking, cross-site scripting, and credit card skimming. These attacks exploit vulnerable JavaScript integrations running on 99% of the world’s top websites, Tala Security reveals.

The report indicates that security effectiveness against JavaScript vulnerabilities is declining, despite high-profile attacks and repeated industry warnings over the past 18 months, including the largest GDPR fine to date.

Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript.

In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. What this report indicates is that data risk is everywhere and effective controls are rarely applied.

Key findings highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks.

JavaScript risk has increased in 2020

The average website includes content from 32 third-party JavaScript vendors, up slightly from 2019. JavaScript powers rich functionality, but it is also the framework for what renders on customer browsers, including images, style sheets, fonts, media and content from the first-party source, the site owner.

Content delivered by third-party JavaScript integrations

58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations identified above.

This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client-side is a primary attack vector for website attacks today.

Websites expose data to an average of 17 domains

Despite increasing numbers of high-profile breaches, forms, found on 92% of websites, expose data to an average of 17 domains. That data includes PII, credentials, card transactions, and medical records.

While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, the analysis shows that this data is exposed to nearly 10X more domains than intended.

Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.
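
A site owner can get a first estimate of this exposure by listing the hosts whose scripts run on a page that contains a form, since every included script executes with access to the form's fields. The following is an added example, not taken from the Tala Security report; the page URL, HTML and host names are constructed placeholders, and because it reads static HTML only, scripts injected at runtime by other scripts are not counted, so the result is a lower bound.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every host name is a placeholder.
PAGE_URL = "https://shop.example/checkout"
PAGE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor-a.example/lib.js"></script>
<script src="//tags.vendor-b.example/t.js"></script>
<script>var inline = 1;</script>
</head><body>
<form action="https://pay.vendor-c.example/charge" method="post">
<input name="card_number"><input name="cvv">
</form>
<img src="https://img.vendor-d.example/logo.png">
</body></html>
"""

class OriginInventory(HTMLParser):
    """Collect script hosts, form-action hosts and named input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.script_hosts = set()
        self.form_hosts = set()
        self.form_fields = []

    def _host(self, ref):
        # Resolve relative and protocol-relative references against the page.
        return urlparse(urljoin(self.page_url, ref)).hostname

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.script_hosts.add(self._host(attrs["src"]))
        elif tag == "form":
            # A missing action submits back to the page itself.
            self.form_hosts.add(self._host(attrs.get("action") or ""))
        elif tag == "input" and attrs.get("name"):
            self.form_fields.append(attrs["name"])

def form_data_exposure(page_url, html):
    """Return the form fields and the third-party hosts that can reach them."""
    inv = OriginInventory(page_url)
    inv.feed(html)
    first_party = urlparse(page_url).hostname
    # Hosts only matter here when the page actually collects form data.
    reachable = (inv.script_hosts | inv.form_hosts) if inv.form_fields else set()
    return {
        "fields": inv.form_fields,
        "third_party_hosts": sorted(reachable - {first_party}),
    }
```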

No attack is more widespread than XSS

While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS). This study found that 97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack.

Standards-based security controls exist that can prevent these attacks. They are infrequently applied.

Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:

  • Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
  • 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019. However…
  • Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.

How much is your data worth on the dark web?

Credit card details, online banking logins, and social media credentials are available on the dark web at worryingly low prices, according to Privacy Affairs.

  • Online banking logins cost an average of $35
  • Full credit card details including associated data cost $12-20
  • A full range of documents and account details allowing identity theft can be obtained for $1,500

Forged documents including driving licenses, passports, and auto-insurance cards can be ordered to match stolen data.

The research team scanned dark web marketplaces, forums, and websites, to create the price index for a range of products and services relating to personal data, counterfeit documents, and social media.

Online banking logins cost an average of $35

Online banking credentials typically include login information, as well as name and address of the account holder and specific details on how to access the account undetected.

Full credit card details including associated data costs: $12-20

Credit card details are usually formatted as a simple code that includes card number, associated dates and CVV, along with account holders’ data such as address, ZIP code, email address, and phone number.

A full range of documents and account details allowing identity theft can be obtained for $1,285

Criminals can switch the European ID for a U.S. passport for an additional $950, bringing the total to $2,235 for enough data and documents to do any number of fraudulent transactions.

Malware installation on compromised systems is prevalent

Remote installation of software on 1,000 computers at a time allows criminals to target the public with malware such as ransomware in various countries with a 70% success rate.

Stolen data is very easy to obtain

The general public needs to not only be aware of how prevalent the threat of identity theft is but also how to mitigate that threat by applying due diligence in all aspects of their daily lives.

Is the stress of card fraud worth the digital convenience?

With a growing portion of consumers having now fallen victim to card fraud, anxiety about the security of our digital accounts is spiking, according to a survey by Marqeta.

The survey talked to 4,000 consumers across the United States and the United Kingdom about consumer attitudes toward card fraud in an increasingly digital economy.

According to the survey, card fraud has had a pervasive, repeat impact on a large number of American and UK consumers, an issue of skyrocketing importance with the digital economy providing a crucial lifeline to the many millions of people currently sheltering-in-place:

  • 46 percent of US consumers surveyed had fallen victim to card fraud in the past, with 20 percent of consumers hit inside the last 12 months.
  • A sizable portion of US consumers had been repeated prey for fraudsters: 16 percent had been impacted twice, while 10 percent were hit three (or more) times.
  • Each fraudulent transaction had a sizable average ticket price: 33 percent of Americans who were victims said more than $500 was charged to their accounts.

Consumers prefer digital security over convenience

While card fraud is increasingly common, consumers were reluctant to accept it as a fair cost for their increasingly online existences: 69 percent said the stress of card fraud wasn’t a fair trade-off for digital conveniences, while 59 percent said that they didn’t see it as a built-in part of the modern economy.

An overwhelming majority of people surveyed – 87 percent – said they would be happy for online transactions to take longer to complete if their information was better protected.

“Our new survey shows that being a victim of fraud is not an unusual experience for consumers today. There’s an almost fifty-fifty chance you have been impacted, with a growing number of people hit multiple times. With consumers forced to do business almost entirely online throughout COVID-19 quarantines, we are all even more vulnerable.

“Consumers are putting financial services providers on watch. They don’t see convenience at the point of sale as being worth it if they’re not being protected,” said Vidya Peters, CMO at Marqeta.

Card fraud causing growing concerns

The growing threat of card fraud, with people either impacted or likely knowing someone who has, is becoming a major point of anxiety for consumers: 55 percent of US consumers said they worried regularly about card fraud, with 21 percent of people saying they worried about security every time they entered their details online.

Despite this, consumers admitted to complacency, which plays a big part in giving fraudsters the jump. More than half of all fraudulent transactions (52 percent) reported in the survey took place within half an hour of a card going missing, but less than a third of consumers (29 percent) said they noticed immediately when their card was stolen, and less than half (42 percent) canceled their cards right away. Fifty-two percent of consumers surveyed said that they could do a better job in protecting their card information.

“There’s a real catch-22 inherent in consumer behavior today, that presents an opportunity for banking and payments innovators. There’s a rising tide of anxiety about being a victim of card fraud, but yet a complacency and lack of awareness of how to protect yourself,” Peters continued.

“Given the new possibilities brought about by modern card issuing platforms today, there’s a chance to create digital-first product experiences that consumers love while providing the strongest fraud prevention controls possible.”

Merchants must find ways to balance security with a seamless customer experience

69% of U.S. merchants reported that a significant amount of company time and expense is dedicated to dealing with payment fraud, in a survey by American Express.

Balance security with a streamlined customer experience

Nearly eight-in-ten U.S. merchant respondents (77%) reported that their companies experienced some type of fraud over the course of being in business, and their efforts to manage security are impacting their businesses’ bottom lines. At the same time, the survey found that …

Cybercriminals targeting e-commerce website vulnerabilities this holiday season

Expect unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures.

Disturbing lack of security measures

Tala Security highlights the widespread vulnerability resulting from integrations that enable and enhance website functionality. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information.

98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing attacks. In related warnings, both the FBI and the PCI Council cautioned that hackers are targeting online credit card information.

“Online merchants and website owners must recognize the critical need for client-side security. The fundamental driver of online commerce — consumer trust — is at stake as attackers target widespread client-side vulnerabilities to steal credentials, credit card numbers, financial data and other PII,” said Aanand Krishnan, CEO and co-founder of Tala Security.

Key findings from the survey

  • Only 2% of Alexa 1000 sites have implemented effective controls to prevent personal, financial and credential theft.
  • User data captured on forms, which are available on 98% of websites, is exposed to 10 times more domains than intended by the website owner. This creates a massive opportunity for data theft by attackers.
  • The average website relies on 31 third-party integrations, which provide nearly two-thirds of the content customers view on their browsers. This content is delivered via client-side connections that lack effective security controls.
  • Most consumers will be surprised to learn that only one-third of the content rendering on their browser is owned, created and served by the owner of the website. The remaining two-thirds is served via client-side connections that lack effective security.
  • Although 27% of website owners attempt to deploy security measures, only 2% succeed in deploying effective policies capable of preventing client-side attacks.

Do your infosec habits make you vulnerable to fraud?

A third of Americans have been a victim of information fraud or identity theft. Despite notable data breaches in 2019, when asked if they update or change passwords/PINs after a company they do business with suffers a data breach, more than a quarter (28%) say only sometimes and nearly one in 10 (9%) say they don’t update their passwords at all, according to a Shred-it survey.

Safeguarding sensitive data

Four in ten (41%) Americans who …