In this post, we get insights from David Phister, Diebold Nixdorf Product Management – Platform Security Technology. He will present “The Evolving ATM Security Landscape” at the Asia-Pacific Community Meeting in Singapore.
What are some unique payment security challenges that ATMs face?
David Phister: ATM systems contain a safe stocked with currency operating in unattended and often remote environments with limited connectivity or ability to be monitored. As such, ATM security is typically threatened in three ways – physical, card/currency and cybersecurity attacks. Traditional physical attacks such as the use of explosives are common globally to gain access to the currency. Skimming, shimming and trapping attacks are also common and targeted towards currency, cardholder data and/or PIN compromise. Finally, sophisticated cybersecurity attacks are typically designed to attack an ATM network or system using malware and can compromise cardholder and PIN data or ‘jackpot’ the currency from one or several machines.
What are some defenses against ATM Skimming?
David Phister: Several innovations have taken hold in the industry over the past decade to counter the skimming threat against the magnetic stripe. The most prominent has been the elimination of the magnetic stripe. The EMV standard and chip technology replace the magnetic stripe and are the technology most widely adopted globally to eliminate the skimming threat. Since the magnetic stripe continues to be used, the long-edge card reader was developed to eliminate the skimming threat by changing the way the magnetic stripe is presented and processed by the card reader. Contactless card readers and mobile devices are also emerging as fast, easy authentication techniques that inherently defend against skimming in today’s increasingly contactless and cardless world of connected commerce.
What are some emerging authentication technologies and what are some of the challenges they face?
David Phister: Mobile device and biometric authentication are beginning to appear in the ATM self-service channel. While these innovations also inherently defend against skimming, they introduce new threat vectors. Mobile devices and payment applications are subject to mobile device fraud and hacking which introduce risk if the mobile platform does not sufficiently protect cardholder information. The use of biometrics is an effective means of identification and authentication but can be subject to forgery, duplication and continued privacy concerns. Each will require a strategic and global focus on improved interoperability and security standards should they continue to penetrate the payment ecosystem in the years ahead.
Can you talk a little bit about shimming and how it can impact EMV chip cards?
David Phister: The EMV standards defeat skimming through the introduction of the chip technology and elimination of the magnetic stripe. However, the continued use of the magnetic stripe in hybrid card scenarios perpetuates its risk. The fraud has therefore evolved from skimming to shimming devices that are designed to intercept the track data between the EMV chip and the reader for the purposes of capturing cardholder data and magnetic stripe redemption fraud in weak implementations. Issuers and hosts must properly implement different card verification values and check for uniqueness as a part of both magnetic stripe and chip based transaction authorization processing to enable the security intended by the EMV technology in hybrid card scenarios.
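The issuer-side check described in this answer, as an added example that is not from the interview or from Diebold Nixdorf: the chip's Track 2 Equivalent Data carries an iCVV that is personalised to differ from the magnetic-stripe CVV, and the host must validate the presented value against the one belonging to the entry mode actually used. The weak and hardened authorizers, the entry-mode strings and all card values are constructed for illustration; the real CVV derivation is not reproduced.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CardRecord:
    """Issuer's view of one hybrid card (constructed sample data, not real derivation)."""
    pan: str
    cvv: str    # verification value personalised onto the magnetic stripe
    icvv: str   # verification value personalised into the chip's Track 2 Equivalent Data

def personalisation_is_sound(card: CardRecord) -> bool:
    """Uniqueness check at issuance: if stripe CVV and chip iCVV coincide,
    stripe-format data lifted from the chip is indistinguishable from a genuine swipe."""
    return card.cvv != card.icvv

def weak_authorize(card: CardRecord, entry_mode: str, presented: str) -> tuple[str, str]:
    """Weak host logic: accepts the presented value if it matches either stored value,
    so chip data replayed onto a counterfeit stripe is approved."""
    if presented in (card.cvv, card.icvv):
        return "approve", "value matches a stored verification value"
    return "decline", "no match"

def authorize(card: CardRecord, entry_mode: str, presented: str) -> tuple[str, str]:
    """Hardened host logic: the presented value must match the stored value
    for the entry mode that was actually used ('magstripe' or 'chip')."""
    if entry_mode == "magstripe":
        if presented == card.cvv:
            return "approve", "stripe CVV matches"
        if presented == card.icvv:
            # Stripe read carrying the chip's iCVV: consistent with a counterfeit
            # stripe built from intercepted chip data, so decline and flag it.
            return "decline", "iCVV presented on magstripe entry"
        return "decline", "CVV mismatch"
    if entry_mode == "chip":
        return ("approve", "iCVV matches") if presented == card.icvv else ("decline", "iCVV mismatch")
    return "decline", "unknown entry mode"

# Constructed sample card; the PAN is a well-known test number.
SAMPLE_CARD = CardRecord(pan="4111111111111111", cvv="123", icvv="456")

if __name__ == "__main__":
    print("issuance check:", personalisation_is_sound(SAMPLE_CARD))
    print("weak, chip value on swipe:", weak_authorize(SAMPLE_CARD, "magstripe", "456"))
    print("hardened, chip value on swipe:", authorize(SAMPLE_CARD, "magstripe", "456"))
```

The decline reason from the hardened path is also a useful fraud-monitoring signal, since a genuine card never presents its iCVV on a stripe read.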
What are some best practices when it comes to compliance planning?
David Phister: There are a few key elements to effective security and compliance planning. The most important is to recognize that the threat to cardholder and corporate data and assets is constant. This recognition should drive the necessary risk management framework, information security policy and compliance as well as training and awareness activities. With these in place, financial institutions can then identify and deploy the relevant security controls to mitigate the risk specific to their ATM operating environment and institute recurring security and compliance initiatives to ensure the risk is being addressed appropriately.