
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Personal identification number

PCI SSC releases its Best practices to help prevent card data compromise at ATMs

The PCI SSC has released its latest information supplement, the ATM Security Guidelines Information Supplement.

The guidelines were developed to give ATM manufacturers guidance on preventing the PIN and account data handled by an ATM from being compromised.

The ATM Industry Association’s (ATMIA) 2012 ATM Global Fraud Survey reveals that skimming remains the leading global threat to ATMs: criminals use the stolen card data to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals.

Also see: Europol reveals €1.5 Billion Euro in Credit Card Fraud, how it is stolen and why they struggle to catch the criminals

“Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.”

The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:

  • Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
  • Security of basic software to avert magnetic-stripe skimming and PIN stealing
  • Device management/operation to ensure adequate management of the ATM during manufacturing, the ATM in storage, deployed ATM estates, and each ATM’s individual security configuration
  • ATM application management to address security aspects of the ATM application.

ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents, the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of the encrypting PIN pads and secure card readers used in ATMs for handling PIN and account data, and organizations should continue to use that standard to address those components of ATM security.

For a link to the full document please use my PCI Resources page here.


New figures show spread of audacious telephone scam targeting cardholders’ PIN

New fraud intelligence released demonstrates the extent of the rise of an audacious telephone-based deception targeting British credit and debit card holders.

Figures released by Financial Fraud Action UK and The UK Cards Association show that the scam has already caused over £7.5m worth of fraud on credit and debit cards between January and August 2012. Over that time, more than 1,600 bank customers have fallen victim, with average losses per case weighing in at over £4,200.

Police are warning of an exponential rise in reported cases, with intelligence showing the estimated amount stolen through this method over the first eight months of this year was already ten times the amount stolen during the whole of 2011. The deception, undertaken by criminal gangs, tends to target elderly and vulnerable bank customers, with fraud intelligence showing that the average age of victims is 69. Particular hot spots for this crime in the UK include London, Surrey and Strathclyde.

The scam involves a person being called by a criminal posing as someone from their bank, or even the police. The caller tells the victim that their credit or debit card needs collecting and replacing following fraud on their account. Police have found that the criminal caller reassures the victim that the call is genuine by getting them to hang up and call the bank’s number for confirmation. Following this, the criminal caller stays on the line, tricking the victim into believing they are on a new call and that the person at the end of the line is their bank.

The criminal caller will then either ask the person for their PIN or ask them to key their PIN into their telephone keypad, before sending a courier to collect the card. The victim is told that the card is going to the bank, but it is actually delivered to the fraudster along with the PIN obtained during the call.

The rapid spread of this fraud, and the steep rise in losses, takes place against a background of some customers being unaware that bank staff will never request their card or PIN. New findings released today by Financial Fraud Action UK show that 12% of bank customers do not realise they should NEVER reveal their card PIN.

DCI Dave Carter, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU) said:

“This fraud relies on deception of the customer, who cases show is often elderly and vulnerable, sometimes alone in the house, and who often takes the fraudster’s word at face value. While these new figures confirm that this scam, and others like it, is on a steep rise, we can all protect ourselves and our relatives by remembering that banks will never ask for either your card or your PIN. The only people who will ever ask you for your PIN are criminals. If someone on the phone asks for it, hang up immediately. If you believe you have had one of these calls or know someone who has, get in contact with your bank.”

Take the following steps to protect yourself:

  1. Never hand over your card: Your bank or the police will NEVER ring you to tell you they are coming to your home to pick up your card. Never hand it over to anyone who comes to collect it.
  2. Never share your PIN: Your bank will NEVER ask you to authorise anything by entering your PIN into the telephone. NEVER share your PIN with anyone – the only times you should use your PIN are at a cash machine or when you use a shop’s Chip & PIN machine.
  3. Always speak to the bank securely: Before calling your bank, hang up and make sure you can hear the dial tone, because the fraudster may still be holding the line open from the previous call. Only ever call your bank on an advertised number, such as the one printed on the back of your card.


Feedback requested from PCI community on best practices to help prevent card data compromise at ATMs

The PCI SSC is seeking feedback from Participating Organizations (POs) on draft ATM security guidelines. The draft information supplement provides best practices to mitigate attacks on ATMs aimed at stealing PIN and account data, a direct response to stakeholder requests for guidance on ATM security.

Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.

PIN and account data present in ATMs have become a growing target for criminals, who use the stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are other avenues for fraudulent card activity.

PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices based on existing standards from a number of industries, including IT, security, payment card and ATM that stakeholders can leverage in their ATM security efforts.

The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.

“We rely on industry feedback to develop PCI Standards and resources,” said Bob Russo, general manager, PCI Security Standards Council. “By sharing an early version of the guidelines with the PCI community, we’re aiming to ensure these best practices reflect the key challenges and areas of concern when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those who will be applying these guidelines in their everyday business.”


UK Cards Association offers advice on avoiding fraud


The UK Cards Association has recently published advice on avoiding fraud.

It is common sense advice, but worth repeating:

i) Ensure you are the only person who knows your PIN. Your bank or the police will never phone or email you and ask you to disclose it.

ii) Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.

iii) Shield your PIN with your free hand when typing it into a keypad in a shop or at a cash machine.

iv) Only shop on secure websites. Before entering card details, check that the locked padlock (or, in older browsers, the unbroken key) symbol is showing in your browser. Bear in mind that the padlock only means the connection is encrypted; it does not prove the site belongs to the retailer it claims to be, so check the address as well.

v) Rip up or preferably shred statements, receipts and documents that contain information relating to your financial affairs when you dispose of them.

vi) Never accept a cheque from someone unless you know and trust them, especially if the cheque is for a high value.

vii) When writing a cheque make sure you draw a line through all unused space on the payee line and the amount line to help prevent the cheque being fraudulently altered.

viii) Make sure you have up-to-date anti-virus software installed on your computer.

Some common sense advice.


Five Ways to Fall Victim to Credit Card Fraud


Originally published on September 9, 2011 by Fox News, this article by Lora Shinn is a simple but effective guide to avoiding becoming another victim of credit card fraud.

Review these mistakes to avoid becoming a victim of debit or credit card fraud.

1. Failing to Look for Skimmers

Thieves may attach skimming devices to the exterior of an ATM or of point-of-sale terminals that require a PIN (personal identification number). It’s worth the few seconds it takes to glance before you swipe.

“Always take a look at the machine to see if there (are) any visible traces of activity, such as glue or scuff marks or loose bits around the PIN pad or the place where you insert your card,” says Manisha Thakor, co-author of “On My Own Two Feet: A Modern Girl’s Guide to Personal Finance.” “Those are telltale signs that an attempt may have been made to attach a skimmer.”

She says you should pay close attention when you’re visiting an ATM in a low-traffic locale, where it’s easier for someone to attach a device. When in doubt, use a different ATM.

2. Banking Online in a Cafe

You may have free Wi-Fi access at your favorite coffee shop, but you might not want to use it to check the balance in your savings account. If you’re using an open wireless network, it’s easier for hackers to intercept online transactions, passwords and other private business.

“It’s not the time to do financial business, your online banking or your shopping,” says Marian Merritt, a Norton Internet safety advocate at Symantec, a manufacturer of security software.

That goes for HTTPS sites as well as plain HTTP ones, because you don’t know how the coffee shop, hotel or other free Internet access point is set up. On an untrusted network an attacker can mount a “man in the middle” attack to grab your passwords, card number and other information: plain HTTP traffic is readable outright, and HTTPS only protects you as long as the connection is not quietly downgraded to HTTP and you do not click through a certificate warning. So enjoy the latte and save checking your credit card statement for later.

3. Responding to Phishing Messages

If you receive a text message on your phone from your bank, and it asks you to log into your card account immediately, but you didn’t contact the bank, raise your mental drawbridge. The same goes for a message that arrives via Facebook, Twitter or any other mode of communication.

“Any unsolicited phone call, email, text or social media message could be a phishing attempt,” says Erik Mueller, vice president of payment system integrity at MasterCard Worldwide. “Be skeptical of these messages, especially if they request credit or debit card data or personal information, or link to another website or Web page.” With the right data, a phisher will quickly find a way to commit credit card fraud.

If you think the message might be legitimate, or you have concerns about fraud, contact your issuer directly using the customer service phone number on the back of your debit or credit card.

4. Ignoring Your Rights and Responsibilities

If you’ve lost your credit or debit card, suspect it was stolen or think someone has lifted your number off the Internet, call your card issuer immediately. Credit cards offer the greatest protection against fraud. Most card issuers provide zero-liability fraud protection, and US federal law says that once you report the loss or theft you have no further responsibility for unauthorized charges; your maximum liability under federal law is $50 per card.

With debit cards, your responsibilities and rights change. While you may have zero-liability fraud protection on your debit card, it may not apply to PIN-based transactions or ATM withdrawals. Federal law also has caveats when it comes to debit card fraud protection: if someone made fraudulent purchases with your debit card data and you don’t report the theft promptly, your liability can rise sharply, especially if you wait longer than 60 days to report it. In addition, if a thief uses your debit card to drain your bank account, you’ll be short on cash while your bank investigates.

5. Not Using Free Fraud Protection

Additional fraud protection is available free from numerous card issuers and financial institutions, though most require a little investigation or enrollment. For example, the Verified by Visa program sets Visa cardholders up with an additional password they can use to shop at participating online merchants. MasterCard SecureCode works similarly: it requires the user to enter a private code registered for the program (not the card’s PIN) during checkout at a participating online retailer.

Another option: try one-time or “virtual” credit card numbers, which are offered by some banks such as Citibank and Bank of America. Each number is used for a single purchase and then is no longer usable, so you don’t have to worry that it will be skimmed and reused by a fraudster.

You can also minimize debit and credit card fraud by making use of free account alerts, which notify you when certain transactions or changes occur, such as a transaction for more than a certain dollar amount or a purchase made overseas.

Check your bank or card issuer’s site to find out whether they participate in these programs and services.
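To make the two mechanisms above concrete (single-use virtual card numbers, and account alerts triggered by a large or overseas transaction), here is a toy issuer-side model written for this page. It is an added illustration, not code from the article or from any bank: the BIN prefix, threshold, home country and sample transactions are all assumptions, and the Luhn check digit is used only because real card numbers carry one. A minted number is bound to one real account, accepted exactly once, and every authorization is scored against the same alert rules the article describes.

```python
"""Toy issuer vault: single-use virtual PANs plus account alerts.
Illustration only; all identifiers and sample data are constructed."""
import secrets
from dataclasses import dataclass, field


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid.
    Walking from the right, the digit next to the check digit is doubled."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and its last digit is the Luhn check digit."""
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class VirtualCard:
    pan: str
    real_account: str
    used: bool = False  # single-use: flipped on the first authorization


@dataclass
class Transaction:
    pan: str
    amount: float
    merchant_country: str  # ISO-style code, e.g. "US", "GB" (assumed format)


@dataclass
class Decision:
    approved: bool
    reason: str
    alerts: list = field(default_factory=list)


class IssuerVault:
    """Maps freshly minted virtual PANs to the cardholder's real account."""

    def __init__(self, bin_prefix: str = "400000"):  # assumed test BIN
        self.bin_prefix = bin_prefix
        self.cards = {}  # pan -> VirtualCard

    def mint(self, real_account: str) -> str:
        """Issue a new 16-digit, Luhn-valid, single-use PAN for `real_account`."""
        body = self.bin_prefix + "".join(secrets.choice("0123456789") for _ in range(9))
        pan = body + luhn_check_digit(body)
        self.cards[pan] = VirtualCard(pan, real_account)
        return pan

    def authorize(self, tx: Transaction, home_country: str = "US",
                  alert_threshold: float = 500.0) -> Decision:
        """Approve at most one transaction per virtual PAN and raise the
        alerts a cardholder could enrol for: large amount, overseas merchant."""
        if not luhn_valid(tx.pan) or tx.pan not in self.cards:
            return Decision(False, "unknown card")
        card = self.cards[tx.pan]
        if card.used:
            return Decision(False, "virtual number already spent")
        card.used = True
        alerts = []
        if tx.amount > alert_threshold:
            alerts.append(f"large transaction: {tx.amount:.2f} > {alert_threshold:.2f}")
        if tx.merchant_country != home_country:
            alerts.append(f"overseas purchase in {tx.merchant_country}")
        return Decision(True, "approved", alerts)


def demo():
    """Mint one virtual number, spend it abroad, then try to replay it."""
    vault = IssuerVault()
    pan = vault.mint("acct-1234")  # constructed account reference
    first = vault.authorize(Transaction(pan, 650.00, "GB"))   # approved, 2 alerts
    replay = vault.authorize(Transaction(pan, 20.00, "US"))   # declined: already used
    return pan, first, replay


if __name__ == "__main__":
    pan, first, replay = demo()
    print(pan, first, replay, sep="\n")
```

The point of the replay check is the one the article makes: a skimmed virtual number is worthless to the thief because the issuer already burned it. The alert rules are deliberately the same two the article lists; a real issuer adds velocity and merchant-category rules on top, but those are outside the scope of this page.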

The original Fox News post can be found here.


Smartphone users at risk of ID Fraud


Credit reference agency Equifax has recently released its research into the implications of Smartphone Theft on Identity Fraud.

The findings of the research are very interesting, as they show how cavalier smartphone owners are with their information and identity.

The highlights of the research are below:

  • 94% of consumers fear identity fraud and theft, yet many keep too much personal data on mobile devices
  • 54% of second-hand phones contain personal data including texts, emails and even banking details. Equifax is urging consumers to think about what personal data they store on their mobile phone and to delete all data from both the phone and the SIM card before recycling or selling it
  • 40% of smartphone users don’t use the passcode function, leaving them vulnerable to ID fraud, and this figure jumps among the younger generation that has most embraced the new technology
  • 62% of 22-25 year olds use their smartphone to regularly check their online banking, yet despite fears about identity theft, 69% do not use a passcode function on their phone
  • 35% admit to regularly clearing their browsing history after using online banking. This is also the generation most likely to have personal items stolen when out shopping or in bars and clubs, making them a perfect target for fraudsters

EQUIFAX’S SMARTPHONE SECURITY TIPS

  • Always use the PIN function on your handset
  • Don’t store reminders of passwords on your phone
  • Think about which accounts you access from your phone – would it be better to wait until you’re at the security of your home
  • Wipe browser history, especially if reviewing online banking
  • Keep an eye out for malicious software masquerading as apps
  • Keep your smartphone safe at all times
  • Delete all personal information from the phone and the SIM card before recycling or selling your phone

Read the full press release here.
