April 24, 2009, 4:16 PM — Security is an ugly business because when you have a problem there's rarely an elegant, straightforward solution. What you usually wind up with is a solution that's just "good enough." I recently learned of a great example that nicely illustrates this point.
A friend sent me a link to an amazing report titled "ATM Card Skimming and PIN capturing Awareness Guide". This document was authored by a gentleman with the job title "protective security advisor" and was published by Commonwealth Bank, a large Australian financial services provider.
Card skimming is the art of stealing data from the magnetic stripe on the back of an ATM card. The devices used to do this are smaller than a deck of cards and (this is the biggie) "often fastened in close proximity to or over the top of an ATM's factory-installed card reader."
Then the crooks typically install another piece of equipment to capture the PIN associated with the user's card. These devices have been found in the lights that illuminate the ATM's keyboard, near the speaker, in the indent that houses the screen, on the side fascias, or even near or over the keyboard. In other words, pretty much anywhere on the machine.
The report offers photographs of machines that have been modified with card skimming devices and the amazing thing is they all look like bona fide parts of the ATM. There is little visual clue that the device you're pushing your card into is an add-on.
The same applies to the PIN capturing modifications, most of which seem to involve cameras mounted in things such as false fascias that are attached to the ATMs or in merchandising add-ons (for example, leaflet holders). Another approach is to overlay a false keypad on the real keypad.
According to the report the bad guys "tend to attach skimming devices either late at night or early in the morning, and during periods of low traffic ... [and usually only leave them] attached for a few hours."
And the advice that the "protective security advisor" offers to those managing ATMs? He has several suggestions but allow me to summarize: Know thy ATM.
This is, of course, a poor solution because it assumes that those charged with the care and feeding of ATMs will be diligent and painstaking. While a percentage might well be, we know for certain that in a large population of these workers at least a few will not.
Second, what they are trying to do is work around a fundamental design flaw. If you can't easily distinguish a modified machine from one that hasn't been, then mistakes will be made even by the most diligent ATM wranglers and security will be breached.
Here we have a classic risk management problem: We've rolled out a solution that is in wide use and, unfortunately, we have now identified a serious problem.
We have two choices: Go to the expense and trouble of redesigning the solution knowing that whatever we do is unlikely to solve the problem perfectly (thus leaving a small but real margin of risk), or devise a workaround as Commonwealth Bank has done (if you can call asking staff to be more vigilant a workaround) and face larger losses but avoid the huge costs associated with a redesign.
In the case of ATMs there's also consumer confidence to consider, but most consumers are blissfully unaware of the issues or just don't care. Some banks are exploring use of one time codes generated by handheld devices that would thwart the skimming/capturing problem, but devices can be easily lost and it would be yet another gizmo you would have to carry.
This ATM security issue is exactly like many other IT security problems in that there is no "best solution", there is only a solution that is less ugly than the alternatives.