Visa on How to Foil Cash-Out Schemes
Executive Says 'Sloppy' Network Security a Key Issue
Visa recently warned card issuers to be on the lookout for an upswing in ATM cash-out schemes, which involve cash withdrawals from multiple ATMs in multiple locations within a short period of time. But what can be done to thwart this type of fraud?
Eduardo Perez, head of global payment system security at Visa, stresses that card issuers, payments processors and other entities involved with PIN-debit transactions need to take specific steps to help thwart the schemes, including:
- Enhance their corporate network security;
- Deepen their intrusion detection and penetration testing;
- Use customer alerts to encourage cardholders to notify them when fraudulent ATM transactions are suspected.
Visa's alert about cash-out schemes warned card issuers to be on the lookout for suspicious activity linked to debit accounts. Although Perez would not discuss any additional details related to the alert, he says the real problem is sloppy network security and gaps in Payment Card Industry Data Security Standard compliance. These bad habits can enable hackers to access card data that's used in the cash-out schemes.
"Lack of robust access controls is a risk we see," he says. "Processors aren't diligent enough about monitoring access to certain systems."
And it's not just about protecting the systems that house and host the card data, Perez says. It's about ensuring the entire network and enterprise are protected.
"Corporate, systemwide vulnerabilities are what the attackers are taking advantage of," Perez says. "That is what we see in the vast majority of compromises: The hackers find a way to get into the corporate network and then take advantage of that to access other databases and systems."
Even in cases where entities are PCI compliant, breaches of networks have exposed sensitive data, he says.
"Almost in every case we've seen, the hacker was able to exploit corporatewide systems; so we try to promote basic security practices," Perez says.
Insufficient password protections for administrators often lead attackers right to the source of card data that can be used for cash-out fraud, Perez says.
"When hackers get into a system, they identify who the admins are and then they spear phish and attack those individuals to get their usernames and passwords," he says. "And once they get those administrative credentials, then they can access other parts of the network" where sensitive cardholder data could be viewable.
ATM cash-out schemes, such as the global $9 million heist that hit 2,100 ATMs in November 2008, usually trace back to a payments processor breach, experts say.
In the 2008 scheme, scattered across 280 countries, money mules fraudulently withdrew funds within a 12-hour time period - a window narrow enough to fly under the fraud-detection radar.
"Detecting and eliminating fraud around this kind of scheme is challenging," says Nicole Sturgill, an ATM expert and research director within the retail banking and cards practice at CEB TowerGroup. "These types of schemes are happening so quickly, no one has time to respond by the time reporting comes in."
While detecting cash-out schemes as they are happening could prevent fraud losses, experts say the best solution is to address the vulnerabilities that allow attackers to access the card numbers and PINs in the first place.
In the 2008 cash-out scheme, investigators linked the white cards used to withdraw the funds to card numbers and PINs that had been infiltrated during a network breach of U.S. payments processor RBS WorldPay.
After hacking RBS's system, attackers are believed to have stolen 1.5 million card numbers and PINs associated with payroll accounts. Even though only 100 of those cards were reportedly affected by fraud linked to the cash-out scheme, the losses on those cards were extreme - a pattern common to cash-outs, Perez says.
"In some cases we have seen thousands of dollars withdrawn from one debit account," he says.
PCI: The Root Problem
Visa's Perez says issuers, processors and even e-commerce merchants have to ensure overall security. In the end, when massive compromises expose cardholder data, gaps in PCI compliance are typically to blame.
"Compliance with the data security standards is a big part of it," he says. "When these attacks are successful, it usually comes down to the fact that the entity breached was not protecting the PINs and got access to them in clear text. This is why we need to focus on good network hygiene."
The PCI Security Standards Council has released PCI guidance for e-commerce merchants, reminding them to be mindful of security gaps that often result from outsourcing to third parties.
Bob Russo, general manager of the PCI SSC, says many recent merchant breaches have been linked to insecure third-party practices. "Outsourcing is not the panacea everyone thinks it is," he says. "A lot of people think if they outsource the entire environment and have someone else handle their credit card data that everything is done and they don't have to worry. But that's a big mistake."
Perez says card issuers, merchants, networks and payments processors should take several steps to prevent card data breaches that could fuel cash-out schemes. Among his top recommendations:
- Secure the entire network. In addition to making sure the corporate network is secure, they must keep in mind the risks that outsourcing any link in the payments processing chain to a third party can create. "Know how processors comply with each security standard as it relates to card data and PINs," he says.
- Follow best practices for PIN security. Issuers are familiar with Visa's best practices for PIN security, but other organizations should follow the same standards.
- Enhance fraud-detection and monitoring systems. When a card number and PIN are used to make ATM withdrawals or purchases multiple times from multiple locations in a brief time period, flags should go up, especially if transactions are occurring in different countries.
- Implement consumer alerts. Consumer alerts are one of the best ways for issuers to quickly detect a cash-out scheme. "If a user gets an alert about his card being used at an ATM that he did not visit, then he can notify the issuer," Perez says. "That could be one of the first signs of a cash-out scheme, too, if multiple reports start coming in from consumers."
- Share information. Sharing information about potential compromises and fraud with Visa and law enforcement helps the industry get the word out about suspected events, such as cash-out schemes, before they strike.
- Use penetration scanning. Penetration scans and tests of the entire corporate network, which fall outside the scope of PCI, should be conducted on a regular basis by all payments processors. "In most cases, what we see when we investigate a breach is a Web-facing application was created with vulnerabilities," he says. "SQL injections or Web applications that third parties use to access the network are usually to blame."
- Address social engineering risks. The compromise of administrative logins and passwords continues to be a problem. Most of the time, these credentials are compromised via a phishing attack.
- Conduct ongoing network testing. Once a breach is detected, intrusion testing should go deeper to ensure malware has not been installed somewhere else on the network or system. "When an intrusion-detection system is activated, institutions and processors need to do a thorough job to make sure the hackers have not infiltrated other parts of the system, or have continued access to the system, where they can remain for months."
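The fraud-monitoring recommendation above (many withdrawals on one card from many ATMs and countries in a brief window, and several cards doing so at once) can be expressed as a velocity check over an issuer's withdrawal feed. The following is an added example written for this page, not code from Visa or any issuer; the withdrawal records, the one-hour window, and the thresholds of three ATMs or two countries are constructed assumptions that an issuer would tune against its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals (not real data). Each record is:
# (card token, UTC time, ATM id, city, country, amount in USD).
# Card tokens stand in for PANs so no card number appears in the feed.
SAMPLE_WITHDRAWALS = [
    ("tok-A1", "2024-03-02T01:05:00", "ATM-7781", "Hamburg", "DE", 1200),
    ("tok-A1", "2024-03-02T01:09:00", "ATM-0412", "Hamburg", "DE", 1200),
    ("tok-A1", "2024-03-02T01:14:00", "ATM-9930", "Vienna", "AT", 1200),
    ("tok-A1", "2024-03-02T01:22:00", "ATM-5561", "Toronto", "CA", 1200),
    ("tok-B2", "2024-03-02T13:10:00", "ATM-2201", "Chicago", "US", 60),
    ("tok-B2", "2024-03-03T18:40:00", "ATM-2201", "Chicago", "US", 40),
    ("tok-C3", "2024-03-02T01:07:00", "ATM-7781", "Hamburg", "DE", 1000),
    ("tok-C3", "2024-03-02T01:15:00", "ATM-0412", "Hamburg", "DE", 1000),
    ("tok-C3", "2024-03-02T01:30:00", "ATM-4480", "Rome", "IT", 1000),
]


def flag_cards(withdrawals, window=timedelta(hours=1), min_atms=3, min_countries=2):
    """Per-card velocity check.

    Returns {card_token: details} for every card whose withdrawals inside
    some `window`-long span touch at least `min_atms` distinct ATMs or at
    least `min_countries` distinct countries. Thresholds are assumptions.
    """
    per_card = defaultdict(list)
    for tok, ts, atm, city, country, amount in withdrawals:
        per_card[tok].append((datetime.fromisoformat(ts), atm, city, country, amount))

    flags = {}
    for tok, events in per_card.items():
        events.sort()  # chronological order per card
        for i, (t0, *_) in enumerate(events):
            # Every withdrawal from this one up to `window` later.
            span = [e for e in events[i:] if e[0] - t0 <= window]
            atms = {e[1] for e in span}
            countries = {e[3] for e in span}
            if len(atms) >= min_atms or len(countries) >= min_countries:
                flags[tok] = {
                    "first_seen": t0,
                    "distinct_atms": len(atms),
                    "distinct_countries": len(countries),
                    "total_amount": sum(e[4] for e in span),
                }
                break  # one alert per card is enough; move on
    return flags


def coordinated_cards(flags, window=timedelta(hours=1)):
    """Scheme-level signal: flagged cards whose first suspicious window
    starts within `window` of another flagged card's. Several cards
    cashing out in the same narrow interval is the cash-out pattern."""
    times = sorted((info["first_seen"], tok) for tok, info in flags.items())
    hits = set()
    for i, (t_i, tok_i) in enumerate(times):
        for t_j, tok_j in times[i + 1:]:
            if t_j - t_i <= window:
                hits.update({tok_i, tok_j})
            else:
                break  # sorted, so later entries are further apart
    return hits


if __name__ == "__main__":
    flagged = flag_cards(SAMPLE_WITHDRAWALS)
    for tok, info in flagged.items():
        print(f"{tok}: {info['distinct_atms']} ATMs, "
              f"{info['distinct_countries']} countries, ${info['total_amount']} "
              f"from {info['first_seen']:%Y-%m-%d %H:%M}Z")
    print("possible coordinated cash-out:", sorted(coordinated_cards(flagged)))
```

On the constructed feed, tok-A1 and tok-C3 are flagged within minutes of each other while the ordinary tok-B2 activity is not, which is the moment an issuer would want to block the affected BIN range and push the consumer alerts described above rather than wait for end-of-day reporting.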
In some large processor breaches, the testing and investigation has not been as robust as it could have been, Perez contends. "Processors have to really focus on reviewing logs and monitoring databases and system access for several months," he says. "They need to look at logs for admin access to sensitive systems, and [look] at outbound traffic ... for unusual times and the extraction of unusual amounts of data."
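Perez's closing advice, reviewing logs for admin access to sensitive systems at unusual times and for outbound traffic carrying unusual amounts of data, can be turned into a small post-incident review script. This is an added example for this page, not a processor's or Visa's tooling; the key=value log format, the list of sensitive hosts and admin accounts, the 07:00 to 19:00 UTC business-hours window, and the "more than ten times the median transfer" rule for outbound volume are all constructed assumptions a reviewer would replace with their own baselines.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (not real data). One event per line: an ISO-8601
# UTC timestamp followed by key=value fields. Hosts, users and addresses
# are made up; 203.0.113.9 and 198.51.100.4 are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:05:10Z host=db-pin-01 user=dba_admin action=login src=10.2.4.15 result=success
2024-03-01T02:13:44Z host=db-pin-01 user=dba_admin action=login src=10.2.4.15 result=success
2024-03-01T11:30:00Z host=app-web-02 user=deploy action=login src=10.2.4.20 result=success
2024-03-01T02:18:00Z host=db-pin-01 user=dba_admin action=query table=pin_vault rows=1500000
2024-03-01T08:00:00Z host=fw-edge action=outbound dst=198.51.100.4 bytes=12000
2024-03-01T08:30:00Z host=fw-edge action=outbound dst=198.51.100.4 bytes=15000
2024-03-01T02:22:30Z host=fw-edge action=outbound dst=203.0.113.9 bytes=734003200
2024-03-01T12:00:00Z host=fw-edge action=outbound dst=198.51.100.4 bytes=11000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def off_hours_admin_logins(events, sensitive_hosts, admin_users, business_hours=(7, 19)):
    """Successful admin logins to sensitive hosts outside business hours.
    The hour window is an assumption; real reviews use each team's schedule."""
    start, end = business_hours
    return [
        e for e in events
        if e.get("action") == "login" and e.get("result") == "success"
        and e.get("host") in sensitive_hosts and e.get("user") in admin_users
        and not (start <= e["ts"].hour < end)
    ]


def outbound_outliers(events, factor=10):
    """Outbound transfers larger than `factor` times the median transfer.
    The median is a crude baseline (assumption); it needs a few samples."""
    sizes = [int(e["bytes"]) for e in events if e.get("action") == "outbound"]
    if len(sizes) < 3:
        return []
    baseline = median(sizes)
    return [
        e for e in events
        if e.get("action") == "outbound" and int(e["bytes"]) > factor * baseline
    ]


def correlate(logins, transfers, within=timedelta(hours=1)):
    """Pair each off-hours admin login with any outsized outbound transfer
    that followed it within `within`: the sequence a reviewer should read first."""
    pairs = []
    for login in logins:
        for xfer in transfers:
            if timedelta(0) <= xfer["ts"] - login["ts"] <= within:
                pairs.append((login, xfer))
    return pairs


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    logins = off_hours_admin_logins(events, {"db-pin-01"}, {"dba_admin"})
    transfers = outbound_outliers(events)
    for login, xfer in correlate(logins, transfers):
        print(f"{login['ts']:%H:%M}Z {login['user']}@{login['host']} -> "
              f"{xfer['ts']:%H:%M}Z {xfer['bytes']} bytes to {xfer['dst']}")
```

The value of the correlation step is that neither signal alone is conclusive: an administrator may legitimately work at 02:00, and a backup job may legitimately push large volumes. An off-hours admin login on the PIN host followed minutes later by an outsized transfer to an unfamiliar destination is the combination Perez describes, and the script surfaces that pair rather than two separate lists.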