The PCI SSC has released their latest supplement, the ATM Security Guidelines Information Supplement.
The guidelines were developed to provide guidance to ATM manufacturers on how to prevent credit cards from being compromised.
The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey reveals that skimming remains the leading global threat to ATMs because criminals use stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals.
“Skimming and other types of attacks on ATMs continue to be top of mind for our constituents,” said Bob Russo, general manager, PCI Security Standards Council. “There are already some excellent resources out there that help with various pieces of ATM security. What this guidance does is pull together these different best practices into one comprehensive set, which is what our stakeholders have been asking for.”
The guidance document provides an introduction to ATM security and outlines best practices around the following key areas and objectives:
Integration of hardware components to avert magnetic-stripe and other account data compromise and PIN stealing
Security of basic software to avert magnetic-stripe skimming and PIN stealing
Device management/operation to ensure adequate management of the ATM during manufacturing, the ATM in storage, deployed ATM estates and each ATM’s individual security configuration
ATM application management to address security aspects of the ATM application.
ATM manufacturers, hardware and software integrators, and deployers of ATMs can use this guidance to aid in the secure development, deployment and maintenance of ATMs. As with all PCI guidance documents, the ATM Security Guidelines Information Supplement does not replace or supersede the PCI Standards, nor is it to be used as a set of security requirements for the formal certification of ATMs. The PTS POI security requirements provide for the testing and approval of encrypting PIN pads and secure readers used in ATMs for handling PIN and account data, and organizations should continue to use this standard to address these components of ATM security.
For a link to the full document please use my PCI Resources page here.
New fraud intelligence released demonstrates the extent of the rise of an audacious telephone-based deception targeting British credit and debit card holders.
Figures released by Financial Fraud Action UK and The UK Cards Association show that the scam has already caused over £7.5m worth of fraud on credit and debit cards between January and August 2012. Over that time, more than 1,600 bank customers have fallen victim, with average losses per case weighing in at over £4,200.
Police are warning of an exponential rise in reported cases, with intelligence showing the estimated amount stolen through this method over the first eight months of this year was already ten times the amount stolen during the whole of 2011. The deception, undertaken by criminal gangs, tends to target elderly and vulnerable bank customers, with fraud intelligence showing that the average age of victims is 69. Particular hot spots for this crime in the UK include London, Surrey and Strathclyde.
The scam involves a person being called by a criminal posing as someone from their bank, or even the police. The caller tells the victim that their credit or debit card needs collecting and replacing following fraud on their account. Police have found that the criminal caller reassures the victim that the call is genuine by getting them to hang up and call the bank’s number for confirmation. Following this, the criminal caller stays on the line, tricking the victim into believing they are on a new call and that the person at the end of the line is their bank.
The criminal caller will then either ask the person for their PIN or ask them to key their PIN number into their telephone keypad, before sending a courier to collect the card. The victim is told that the card is going to the bank, but actually is delivered to the fraudster along with the PIN obtained during the scam.
The rapid spread of this fraud, and the steep rise in losses, takes place against the background of some customers being unaware that bank staff will never request their card or PIN. New findings released today by Financial Fraud Action UK show that 12% of bank customers do not realise they should NEVER reveal their card PIN.
DCI Dave Carter, Head of the Dedicated Cheque and Plastic Crime Unit (DCPCU) said:
“This fraud relies on deception of the customer, who cases show is often elderly and vulnerable, sometimes alone in the house, and who often takes the fraudster’s word at face value. While these new figures confirm that this scam, and others like it, is on a steep rise, we can all protect ourselves and our relatives by remembering that banks will never ask for either your card or your PIN. The only people who will ever ask you for your PIN are criminals. If someone on the phone asks for it, hang up immediately. If you believe you have had one of these calls or know someone who has, get in contact with your bank.”
Take the following steps to protect yourself:
Never hand over your card: Your bank or the police will NEVER ring you to tell you they are coming to your home to pick up your card. Never hand it over to anyone who comes to collect it.
Never share your PIN: Your bank will NEVER ask you to authorise anything by entering your PIN into the telephone. NEVER share your PIN with anyone – the only times you should use your PIN are at a cash machine or when you use a shop’s Chip & PIN machine.
Always speak to the bank securely: Before calling your bank, make sure you can hear the dial tone. Only ever call your bank on an advertised number.
The PCI SSC is seeking feedback from Participating Organizations (POs) on draft ATM security guidelines. The draft information supplement provides best practices to mitigate the effect of attacks to ATMs aimed at stealing PIN and account data, a direct response to stakeholder feedback for guidance on ATM security.
Participating Organizations have until November 13, 2012 to review and comment on the ATM Security Guidelines Information Supplement, which is slated for final publication later this year.
PIN and account data present in ATMs has become a growing target for criminals who use this stolen information to produce counterfeit cards for fraudulent transactions, primarily ATM cash withdrawals. Purchases with PIN at the point of sale and purchases without PIN in card-not-present environments are also other avenues of fraudulent card activity.
PCI Standards currently address ATM PIN pads, but not the ATM as a whole. In the absence of a global industry standard for securing ATMs, the Council has developed a set of compromise-prevention best practices based on existing standards from a number of industries, including IT, security, payment card and ATM that stakeholders can leverage in their ATM security efforts.
The draft ATM Security Guidelines Information Supplement provides an introduction to ATM security and outlines best practices that address the software, hardware and device components of the ATM. The intent is for the final document to guide ATM manufacturers, hardware and software integrators, and deployers of ATMs in the secure development, deployment and maintenance of ATMs.
“We rely on industry feedback to develop PCI Standards and resources,” said Bob Russo, general manager, PCI Security Standards Council. “By sharing an early version of the guidelines with the PCI community, we’re aiming to ensure these best practices reflect the key challenges and areas of concern when it comes to addressing ATM security. Specifically, we encourage ATM manufacturers and software vendors to provide their input, as experts in the space and as those who will be applying these guidelines in their everyday business.”
The UK Card Association has recently published advice on avoiding fraud.
Some common-sense advice that should be followed:
i) Ensure you are the only person who knows your PIN. Your bank or the police will never phone or email you and ask you to disclose it.
ii) Your bank will never ring you and tell you that they are coming around to pick up your card, so never hand it over to anyone who comes to ‘collect it’.
iii) Shield your PIN with your free hand when typing it into a keypad in a shop or at a cash machine.
iv) Only shop on secure websites. Before entering card details ensure that the locked padlock or unbroken key symbol is showing in your browser.
v) Rip up or preferably shred statements, receipts and documents that contain information relating to your financial affairs when you dispose of them.
vi) Never accept a cheque from someone unless you know and trust them, especially if the cheque is for a high value.
vii) When writing a cheque make sure you draw a line through all unused space on the payee line and the amount line to help prevent the cheque being fraudulently altered.
viii) Make sure you have up-to-date anti-virus software installed on your computer.
Originally published on September 09, 2011 by Fox News, this article by Lora Shinn is a simple but effective guide to avoiding becoming another victim of credit card fraud.
Review these mistakes to avoid becoming a victim of debit or credit card fraud.
1. Failing to Look for Skimmers
Thieves may attach skimming devices to the exterior of an ATM or point-of-sale terminals requiring a PIN, or personal identification number. It’s worth the few seconds it takes to glance before you swipe.
“Always take a look at the machine to see if there (are) any visible traces of activity, such as glue or scuff marks or loose bits around the PIN pad or the place where you insert your card,” says Manisha Thakor, co-author of “On My Own Two Feet: A Modern Girl’s Guide to Personal Finance.” “Those are telltale signs that an attempt may have been made to attach a skimmer.”
She says you should pay close attention when you’re visiting an ATM in a low-traffic locale, where it’s easier for someone to attach a device. When in doubt, use a different ATM.
2. Banking Online in a Cafe
You may have free Wi-Fi access at your favorite coffee shop, but you might not want to use it to check the balance in your savings account. If you’re using an open wireless network, it’s easier for hackers to intercept online transactions, passwords and other private business.
“It’s not the time to do financial business, your online banking or your shopping,” says Marian Merritt, a Norton Internet safety advocate at Symantec, a manufacturer of security software.
That goes for websites that start with HTTP and HTTPS as well because you don’t know how securely the coffee shop, hotel or other free Internet access point is set up. Hackers can set up “man in the middle” attacks to grab your passwords, card number and other information while you’re on the public network. So enjoy the latte and save checking your credit card statement for later.
If you receive a text message on your phone from your bank, and it asks you to log into your card account immediately — but you didn’t contact the bank — raise your mental drawbridge. The same goes for a message that arrives via Facebook, Twitter or any other mode of communication.
“Any unsolicited phone call, email, text or social media message could be a phishing attempt,” says Erik Mueller, vice president of payment system integrity at MasterCard Worldwide. “Be skeptical of these messages, especially if they request credit or debit card data or personal information, or link to another website or Web page.” With the right data, a phisher will quickly find a way to commit credit card fraud.
If you think the message might be legitimate or you have concerns about fraud, contact your issuer directly using the customer service phone number on the back of your debit or credit card.
4. Ignoring Your Rights and Responsibilities
If you’ve lost your credit or debit card, suspect it was stolen or think someone has lifted your number off the Internet, call your card issuer immediately. Credit cards offer the greatest protection against fraud. Most card issuers provide zero-liability fraud protection, and federal law says once you report the loss or theft, you have no further responsibility for unauthorized charges. Your maximum liability under federal law is $50 per card.
With debit cards, your responsibilities and rights change. While you may have zero-liability fraud protection on your debit card, it may not apply to PIN-based transactions or ATM withdrawals. Federal law also has some caveats when it comes to debit card fraud protection. If someone made fraudulent purchases with the debit card data and you don’t report the theft immediately, your liability could skyrocket, especially if you wait longer than 60 days to report it. In addition, if a thief uses your debit card to drain your bank account, you’ll be short on cash while your bank investigates.
5. Not Using Free Fraud Protection
Additional fraud protection is available for free by numerous card issuers and financial institutions, though most require a little investigation or enrollment. For example, the Verified by Visa program sets up Visa cardholders with an additional password they can use to shop at participating online merchants. MasterCard SecureCode works similarly. It requires the user to enter the correct PIN during checkout at a participating online retailer.
Another option: Try one-time or “virtual” credit card numbers, which are offered by some banks such as Citibank and Bank of America. These numbers are used for only one purchase and then are no longer usable — so you don’t have to worry they’ll be swiped and reused by a fraudulent user.
You can also minimize debit and credit card fraud by making use of free account alerts, which notify you when certain transactions or changes occur, such as a transaction for more than a certain dollar amount or a purchase made overseas.
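The account alerts described above are, at the issuer's end, just a set of rules evaluated against each transaction as it is authorised. The following is an added example written for this page, not code from the article or from any card issuer, showing how such rules can be expressed as data and run over a constructed batch of transactions. The cardholder profile, the transaction records, the threshold of 500 and the rule names are all assumptions made for the illustration; it goes slightly beyond the text by also flagging card-not-present purchases, which is the third alert type most issuers offer.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Transaction:
    """One authorisation request (constructed record layout, not an issuer format)."""
    txn_id: str
    amount: float       # in the cardholder's account currency
    country: str        # ISO 3166-1 alpha-2 code of the merchant or ATM location
    card_present: bool  # False for e-commerce / mail-order purchases
    channel: str        # "POS", "ATM" or "ECOM"


@dataclass(frozen=True)
class AlertRule:
    """A named predicate over (transaction, cardholder profile)."""
    name: str
    predicate: Callable[[Transaction, dict], bool]


def build_default_rules() -> list[AlertRule]:
    # The three alert types the article mentions or implies: large amount,
    # overseas use, and card-not-present purchase. Rule names are assumed.
    return [
        AlertRule("amount_over_threshold",
                  lambda t, p: t.amount >= p["alert_threshold"]),
        AlertRule("overseas_transaction",
                  lambda t, p: t.country != p["home_country"]),
        AlertRule("card_not_present",
                  lambda t, p: not t.card_present),
    ]


def evaluate(transactions: list[Transaction], profile: dict,
             rules: list[AlertRule]) -> dict[str, list[str]]:
    """Return {txn_id: [names of rules that fired]} for every transaction
    that trips at least one rule; quiet transactions are omitted."""
    alerts: dict[str, list[str]] = {}
    for txn in transactions:
        fired = [rule.name for rule in rules if rule.predicate(txn, profile)]
        if fired:
            alerts[txn.txn_id] = fired
    return alerts


# Constructed sample data: a UK cardholder who wants to hear about anything
# of 500 or more, anything abroad, and anything where the card was not present.
CONSTRUCTED_PROFILE = {"home_country": "GB", "alert_threshold": 500.00}
CONSTRUCTED_TRANSACTIONS = [
    Transaction("t1", 42.10, "GB", True, "POS"),     # ordinary shop purchase
    Transaction("t2", 750.00, "GB", True, "POS"),    # large domestic purchase
    Transaction("t3", 120.00, "ES", True, "ATM"),    # cash withdrawal abroad
    Transaction("t4", 89.99, "GB", False, "ECOM"),   # online purchase at home
    Transaction("t5", 1200.00, "US", False, "ECOM"), # large overseas online purchase
]


def demo() -> dict[str, list[str]]:
    return evaluate(CONSTRUCTED_TRANSACTIONS, CONSTRUCTED_PROFILE,
                    build_default_rules())


if __name__ == "__main__":
    for txn_id, fired in demo().items():
        print(f"{txn_id}: {', '.join(fired)}")
```

Running the block prints an alert line for t2 through t5 and nothing for t1. Keeping the rules as a list of named predicates rather than hard-coded `if` branches is what lets a cardholder switch individual alerts on or off and adjust the threshold without touching the evaluation loop.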
Check your bank or card issuer’s site to find out whether they participate in these programs and services.
The findings of the research are very interesting, as they show how cavalier smartphone owners are with their information and identity.
The highlights of the research are below:
94% of consumers fear identity fraud and theft yet many keep too much personal data on mobile devices
54% of second-hand phones contain personal data including texts, emails and even banking details. Identity fraud expert Equifax is urging consumers to think about what personal data they store on their mobile phone and to ensure they delete all data from both the phone and the SIM card before recycling or selling it
40% of smartphone users also don’t use the passcode function, leaving them vulnerable to ID fraud. This figure jumps when looking at the younger generation, which has most embraced the new technologies
62% of 22-25 year olds use their smartphone to regularly check their online banking. Yet despite fears about identity theft, 69% do not use a passcode function on their phone
35% admit to regularly clearing their browsing history after they use online banking. It’s also this generation that is probably most likely to have personal items stolen when out shopping or in bars and clubs, making them the perfect target for fraudsters