
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Automated teller machine

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released its latest supplement, the ATM Security Guidelines Information Supplement.

The guidelines were developed to give ATM manufacturers guidance on how to prevent payment card data from being compromised at the ATM.

The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. 

Also see Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

“Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.”

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of the ATM during manufacturing, the ATM in storage, deployed ATM estates and each ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents, the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMs for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.

For a link to the full document please use my PCI Resources page here.


PCI SSC’s insights on mobile, encryption and payment security following the North American community meeting

After the sixth annual North American Community Meeting in Orlando, Florida, which was attended by over 1,000 stakeholders representing 460 organizations from 17 countries, the PCI SSC summarised the key discussion topics as:

  • Feedback on the standards in preparation for the release of the next version of the PCI DSS and PA-DSS in 2013
  • New guidance on secure mobile payment acceptance application development
  • Updates to the Council’s Point-to-Point Encryption (P2PE) program
  • Newly released guidelines for ATM security
  • The Council’s new training programs and professional qualifications
  • Updates from PCI Special Interest Groups on cloud, eCommerce and risk assessment

“The Community Meetings play an important part in bringing together PCI stakeholders to discuss the latest payment card security efforts, and we’re encouraged to see the continued growth of interest and participation in this initiative,” said Bob Russo, general manager, PCI Security Standards Council. “Gaining the feedback from our Participating Organizations is absolutely vital for us to develop new guidance on key topics such as mobile payment acceptance and ATM security, as well as in the on-going improvement of the PCI Standards. The input and discussion at this year’s meetings are especially important as we look to introduce the next version of the PCI Standards in 2013.”

“It is important for us to meet face-to-face with our stakeholders, not only to update them on the most recent developments, but also to have one-on-one interactions and personal conversations on the issues that matter most to them,” said Jeremy King, European director, PCI Security Standards Council. “We look forward to seeing more of our global counterparts in Dublin for the European Community Meeting on October 22-24, 2012.”

See you in Dublin next month.

Feedback requested from PCI community on best practices to help prevent card data compromise at ATMs

The PCI SSC is seeking feedback from Participating Organizations (POs) on draft ATM security guidelines. The draft information supplement provides best practices to mitigate the effect of attacks on ATMs that aim to steal PIN and account data, and is a direct response to stakeholder requests for guidance on ATM security.

Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.

PIN and account data present in ATMs have become a growing target for criminals, who use the stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are other avenues of fraudulent card activity.

PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices, based on existing standards from a number of industries including IT, security, payment card and ATM, that stakeholders can leverage in their ATM security efforts.

The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.

“We rely on industry feedback to develop PCI Standards and resources,” said Bob Russo, general manager, PCI Security Standards Council. “By sharing an early version of the guidelines with the PCI community, we’re aiming to ensure these best practices reflect the key challenges and areas of concern when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those who will be applying these guidelines in their everyday business.”

UK Card Association offers advice on avoiding fraud

[Image: “Please enter you personal identification numbe...”, by hugovk via Flickr]

The UK Card Association has recently published advice on avoiding fraud.

Some common-sense advice that should be followed:

i) Ensure you are the only person who knows your PIN. Your bank or the police will never phone or email you and ask you to disclose it.

ii) Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.

iii) Shield your PIN with your free hand when typing it into a keypad in a shop or at a cash machine.

iv) Only shop on secure websites. Before entering card details ensure that the locked padlock or unbroken key symbol is showing in your browser.

v) Rip up or preferably shred statements, receipts and documents that contain information relating to your financial affairs when you dispose of them.

vi) Never accept a cheque from someone unless you know and trust them, especially if the cheque is for a high value.

vii) When writing a cheque make sure you draw a line through all unused space on the payee line and the amount line to help prevent the cheque being fraudulently altered.

viii) Make sure you have up-to-date anti-virus software installed on your computer.

Some common-sense advice.

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

[Image: Verizon logo, via Wikipedia]

Verizon have released their Data Breach Investigations Report 2011 and as usual with the Verizon report there is a lot to take in.

The investigations by Verizon and the U.S. Secret Service found that the number of records compromised in data breaches had dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008.

The percentage of internal breaches fell massively from 49% to 16%, which the report claims is due to the large increase in external attacks rather than a fall in internal breaches.

Verizon’s recommendations for enterprises, as given in the Verizon press release, are below:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

Key findings from the 2011 report

  • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
  • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Download the report here


Top 5 Riskiest Places To Use Your Credit Card | B2B News

From B2B News

You can still be a victim of credit card fraud even if you use it with utmost caution. Credit card companies and banks are more and more often putting the onus of catching phony or incorrect credit card charges on the consumer.
The most important thing is to check your billing statement. And there are organizations like Creditcards.com that offer tips on how to keep your cards safe as well. Here, we take a look at 5 of the riskiest places you might use your card, according to Creditcards.com, and what you can do to stay away from dangers.

Non-Bank Owned ATMs

Encryption at these ATMs is often not as good as at bank ATMs. These ATMs also are more likely to be hacked. And in some cases, people have put up devices that look like ATMs but don’t give out cash. Instead, they are just card-skimming devices aimed at stealing your credit card or debit card information.

Flea Markets

Flea market merchants are often transient and can be difficult to locate if there is a problem with charges. It’s especially true for vendors who don’t have online credit card terminals and instead make carbon copies of your credit card.

That doesn’t mean those vendors are necessarily fraudulent, but it makes the transaction less secure. The credit card company might have trouble doing a charge back. If you’re going to the flea market, take cash. It’s also easier to negotiate that way.

Small Shops/Cafes in Foreign Countries

These smaller merchants have a significantly higher percentage of credit card fraud as reported by large banks and credit card companies. Many of these transactions end up being written off by the banks because the merchants simply can’t be located. There’s just a higher chance of fraud when you get outside of the mainstream, so when in doubt, use cash.

Non-Secure Online Checkout

Any safe, reputable e-commerce site is going to have a secure checkout page, like the one shown at left. If that doesn’t appear, it should be a red flag. You can almost be sure it’s not legitimate, and even if it is, you’re opening yourself to that transaction being seen by others.

Purchases on Smart Phones

Purchases on smart phones can also be less than secure. If your smart phone connects to a public wi-fi signal, you’re going to be much less secure. Someone else can potentially see the transaction, or malware can be placed on your device that can potentially transmit your personal information.
