Tuesday, 14 May 2013

Coordinated ATM Heists, and a rant...

Been a while since I posted, have been a bit flat out with lots of multiple projects on different continents.

This story is a great one for those of us in the payments security field.
http://krebsonsecurity.com/2013/02/crooks-net-millions-in-coordinated-atm-heists/
http://www.theverge.com/2013/5/13/4326336/cyber-caper-behind-the-scenes-of-the-45-million-atm-heist
http://www.reuters.com/article/2013/05/13/us-usa-crime-cybercrime-electracard-idUSBRE94C0K220130513

This is an interesting story in that it was not the card-holder data that was attacked, but the balance and withdrawal limits data that was breached. There is a chance that the payment processors were PCI compliant as these standards are concerned with the protection of card-holder data, not with balances on accounts or withdrawal limits.

This is a good lesson to all payment processors that PCI compliance alone is not sufficient security. You must continually assess and test your payment environment for security vulnerabilities.

Also, countries not using chip-card/EMV should hurry up and join the rest of the world.


Magstripe is a broken technology, it contributed to the above attack (the pre-paid cards were cloned allowing an exponential increase in the losses occured).
EMV/Chip Cards cannot be economically cloned, which reduces the economic impact of attacks like the one above.


Why is a product like this: https://squareup.com/stand even feasible in 2013? Almost all payment terminals produced now support Chip/EMV transactions.
$299 for a product that is not PCI compliant, already obsolete and insecure; sounds like the Windows 3.1 of payment terminals...