ATM Skimming Controls and Their Implications for NFC
A recent report at the bank
This latest series of skimming attacks is just one of several high-profile ATM skimming attacks across the country lately. It seems to be a favorite of organized criminals, and that makes sense: it requires a certain level of investment to produce credible, functional card readers that can be fitted over the original card reader. They have to be designed to be quickly installed over existing hardware and have to be convincing enough to fool customers.
Given the prevalence of this real-world problem, I think it’s worth taking a threat-model and security-controls based look at ATM skimming attacks to get to the essence of the problem.
The basic scenario in a skimming attack works like this:
The ATM skimming attack is basically a physical manifestation of a classic “man in the middle” attack. So what sorts of ways can you thwart a man in the middle attack and how can you apply them to this scenario?
Detect The Man In The Middle Before He Does Harm
Owners of gas stations that are susceptible to ATM skimming attacks have been encouraged to shore up the physical security of gas pumps. Often they are unlocked or protected by simple, common PINs that are easily guessed. Fixing these basic physical security problems is simple in concept, but often difficult in the gas station/convenience store environment. Staff turnover is high, and enforcing effective key management practices in these environments can be difficult.
Banks, on the other hand, have the resources to invest in the physical security of ATMs, and yet they are still vulnerable to the installation of skimmers. The BankInfoSecurity article notes the reuse of an existing control, video cameras, to help detect skimmers being installed:
“Banking institutions and merchants have improved monitoring, through physical inspection and surveillance video, as well as fraud-detection techniques and systems. "Those cameras have been active at ATMs for a long time, but it's a relatively new development that someone is actually monitoring the activity that the camera is recording," [AITE Group Research Director Julie] McNelley says.”
Surveillance cameras have been used for a long time to collect evidence in criminal cases. The problem is that there is way too much footage to be monitored in real time. That’s why projects like the IBM Smart Surveillance System are important. We need automated systems that are smart enough to analyze what’s captured in a video, tell the difference between a customer legitimately using an ATM and an attacker installing a skimmer, and raise a red flag when they detect the latter.
Require Out Of Band Knowledge
I’ve seen some card reader systems that request extra information during the transaction that the customer has to know independently of the information exchanged during the transaction.
For example, I’ve seen card-reader-based terminals ask for the “billing zip code” during the transaction. That information is not stored on the card in any fashion, so it’s out-of-band information that the end user has to know to complete the transaction. Likewise, online transactions often require the “CVV” number on the back of the card in order to complete a transaction. I have never seen a physical card reader system ask for this information, but I don’t see any reason why it couldn’t.
What would this out-of-band data protect? It might protect the particular transaction from being performed by an attacker at that time. It effectively helps authenticate the identity of the person initiating the transaction, by proving knowledge of something about the account and/or physical possession of the card.
The problem is that the data on the magnetic stripe itself is vulnerable, and fraud can be committed knowing just the information contained on the magnetic stripe. So while it’s helpful in authenticating the end user, it’s not particularly effective at preventing this man-in-the-middle attack.
Protect the Information Exchange
The other basic protection against man in the middle attacks is to protect the information exchange in a way that renders the captured information useless. The problem with this approach is that the protection has to be built into the standards being used, which is not the case with magnetic stripe-based technology. The article again quotes Julie McNelley:
“The organized crime rings behind much of the skimming continue to target ATMs and POS devices, and will continue to do so as long as our cards rely on mag-stripe technology.”
Much of the information on a card’s magnetic stripe can be read by anyone with physical access to the stripe. It’s not encrypted or otherwise protected in any way. So as long as the protocols for card-based point-of-sale systems rely on it, it will be impossible to secure the exchange of transaction information.
Implications for Near Field Communication
This leads most people to raise the issue of Near Field Communication (NFC) based technology instead. As I understand it, the current NFC specifications do not address protection against man-in-the-middle attacks. This is largely due to the fact that the two endpoint devices have to be in such close proximity to each other, but the ATM skimming cases have proven that it’s possible for man-in-the-middle attacks to occur even when the two devices in the transaction have to touch each other. So the “limited range of NFC devices” argument doesn’t hold up, in my opinion.
Could NFC transactions be secured against man in the middle attacks? Probably. “Security in Near Field Communication (NFC)” by Ernst Haselsteiner and Klemens Breitfuß is probably the most cited discussion of this topic and in this paper they describe how it is theoretically possible for two NFC devices to establish a secure channel that would be able to protect, or at least detect, the presence of a man in the middle attack. Also, it has to be noted that many of the NFC transactions will have active, powerful computation at both ends of the transaction so the data exchange protocols layered on top of the base NFC protocol could leverage cryptographically strong key exchange algorithms to secure the channel.
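To make the “protect, or at least detect” distinction concrete, here is an added simulation (not code from the post or from the Haselsteiner/Breitfuß paper) of a key exchange layered over the base NFC protocol, with a skimmer-style interposer sitting between card and terminal. The DH group, the issuer-provisioned key and the HMAC tag standing in for a signature are all assumptions chosen to keep the example self-contained.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters: p = 2^127 - 1 (a Mersenne prime), generator 3. Assumption: chosen
# so the demo reads easily; a deployment would use a standard group or elliptic-curve
# DH. The interposer logic below does not depend on the group.
P = (1 << 127) - 1
G = 3
# Assumption: a long-term key the issuer provisioned to the card and that the
# terminal can verify against; an HMAC tag stands in for a signature here.
AUTH_KEY = b"issuer-provisioned-card-key"

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Hash the raw DH secret down to a symmetric session key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def announce(role, pub, authenticated):
    # Each side sends its ephemeral public value, optionally bound to its role by a tag.
    data = f"{role}:{pub}".encode()
    tag = hmac.new(AUTH_KEY, data, hashlib.sha256).digest() if authenticated else b""
    return {"role": role, "pub": pub, "tag": tag}

def verify(msg):
    expected = hmac.new(AUTH_KEY, f"{msg['role']}:{msg['pub']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["tag"])

def run_exchange(authenticated, interposer_present):
    """'secure': keys agree; 'detected': tag check failed; 'compromised': the
    interposer holds both session keys and neither endpoint noticed."""
    c_priv, c_pub = keypair()  # card
    t_priv, t_pub = keypair()  # terminal
    i_priv, i_pub = keypair()  # interposer between the two
    to_terminal = announce("card", c_pub, authenticated)
    to_card = announce("terminal", t_pub, authenticated)
    if interposer_present:
        # The interposer swaps in its own value but cannot recompute the tag.
        to_terminal = {**to_terminal, "pub": i_pub}
        to_card = {**to_card, "pub": i_pub}
    if authenticated and not (verify(to_terminal) and verify(to_card)):
        return "detected"
    card_key = session_key(c_priv, to_card["pub"])
    term_key = session_key(t_priv, to_terminal["pub"])
    if card_key == term_key:
        return "secure"
    both = session_key(i_priv, c_pub) == card_key and session_key(i_priv, t_pub) == term_key
    return "compromised" if both else "mismatch"
```

Unauthenticated DH alone leaves the interposer with both session keys and nobody the wiser; binding each public value to an issuer-verifiable identity is what turns the same exchange into a detection control.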
For the foreseeable future, it looks like we are going to have to rely on detection controls to find skimmers on card readers. There does not appear to be any practical method for securing the magnetic stripe data on cards on the horizon. There are a variety of groups developing NFC-based payment standards, and it will be interesting to see how they compare in terms of protection against man-in-the-middle attacks. One thing’s for sure: I wouldn’t trust the “limited distance as security” argument from anyone. The current rash of ATM skimming attacks proves that physical distance is not an adequate control.