Massive payment card upgrade has mixed result
- 06 August, 2012 11:25
"By nature, the less secure country becomes a target," Keshek said. "Attackers start looking at fairly large countries that don't have the same secure infrastructure, Australia being one of them."
Commonwealth Bank, which runs more than 4,000 ATMs in Australia, said in November 2011 it would be the first to roll out ATMs that meet the EMV standard. NAB plans for its ATM fleet to be fully EMV-enabled by the end of June 2013, while ANZ said its plans were commercially sensitive but that the upgrade was a "top priority." Westpac said the majority of its ATMs are EMV-capable, but that does not necessarily mean the machines are compliant yet.
About half of the 30,000 ATMs in Australia are run by non-bank companies. The largest are First Data and Customers ATM. Customers ATM declined to comment, while First Data declined to grant an interview but said it was working toward full EMV compliance.
Typically, non-bank ATMs "are not going to be built to the same security standards as bank ATMs because they are cheaper devices," said Iain Swaine, principal consultant for e-crime prevention at Greenway Solutions, a consultancy based in the U.K. The non-bank ATMs must meet the same security standards as mandated by Visa and MasterCard, but Swaine said the devices may not be as physically secure as bank ATMs.
"This is why there is more chance of card skimmers working on them and that attackers can either physically get into the devices to put internal skimmers or to eavesdrop on the modem connection out of the back," Swaine said.
Since not all payment cards in Australia have the EMV chip, some banks may not have turned off the so-called "fallback" mechanism, which allows an ATM to read data from the card's magnetic stripe. In some cases, ATMs will also read the magnetic stripe data if the chip appears faulty.
That opens a window of opportunity for fraudsters, who can take advantage of the complexity, testing ATMs to see if the devices will pay out.
If a customer's ATM card has been skimmed and a counterfeit card is made, "there's no way for a bank to tell whether a cloned magstripe or a real magstripe is used," said Steven J. Murdoch, a researcher in the Security Group of the University of Cambridge Computer Laboratory who has extensively studied EMV. "Bank records should be able to distinguish between chip and magstripe."
The situation is bad news for customers, who can bear the liability if their chip card is used fraudulently. If a chip card's magnetic stripe is cloned and a bank's ATM is configured to only read the magnetic stripe, it can be difficult for a customer to prove they did not perform a suspicious transaction.
"The bank takes even more aggressive steps to try and show you've done something wrong and that it is your malpractice," Keshek said. "You're almost guilty before proven innocent."
Banks can use other means to detect counterfeit cards. For example, if a card is used in Sydney and an hour later used to withdraw cash in Romania, it's a good sign a fraudster may be at work.
But geolocation blocks have their limits, particularly when a fraudulent transaction takes place near where a cardholder lives. "It's very difficult to catch these transactions because the fraud systems aren't tight enough," said Avivah Litan, a fraud detection expert and analyst at Gartner. "Otherwise, they start inconveniencing good customers."
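The two checks described above, a chip card read by its magnetic stripe and a card used in two places too far apart for the elapsed time, can be sketched as follows. This is an added example, not code from the article or from any bank; the record fields, the entry-mode labels and the 1,000 km/h ceiling are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 1000.0  # assumed ceiling: roughly airliner speed

@dataclass
class Txn:
    card: str
    when: datetime
    lat: float
    lon: float
    entry_mode: str      # "chip", "magstripe" or "fallback" (assumed labels)
    card_has_chip: bool

def km_between(a, b):
    """Great-circle distance (haversine), in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag(txns):
    """Return (txn, reason) pairs for transactions worth a fraud analyst's review."""
    alerts, last = [], {}
    for t in sorted(txns, key=lambda t: t.when):
        # Rule 1: the card carries a chip but the ATM did not use it.
        if t.card_has_chip and t.entry_mode != "chip":
            alerts.append((t, "chip card read by " + t.entry_mode))
        # Rule 2: distance since the card's previous use implies impossible speed.
        prev = last.get(t.card)
        if prev is not None:
            hours = (t.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, t)
            if dist > 0 and (hours == 0 or dist / hours > MAX_KMH):
                alerts.append((t, "impossible travel"))
        last[t.card] = t
    return alerts

# Constructed sample records (not real data).
SAMPLE = [
    Txn("card-A", datetime(2012, 8, 6, 9, 0), -33.87, 151.21, "chip", True),       # Sydney
    Txn("card-A", datetime(2012, 8, 6, 10, 0), 44.43, 26.10, "magstripe", True),   # Bucharest
    Txn("card-B", datetime(2012, 8, 6, 9, 0), -33.87, 151.21, "chip", True),
    Txn("card-B", datetime(2012, 8, 6, 9, 30), -33.80, 151.18, "fallback", True),  # same city
]

if __name__ == "__main__":
    for t, reason in flag(SAMPLE):
        print(t.card, t.when.isoformat(), reason)
```

In the sample, card-B never leaves the city, so the distance rule stays silent and only the entry-mode rule flags it, which is the limit of geolocation checks described above.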
Still, banks are developing better systems to catch fraud, Swaine said. The global financial system that enables card payments around the world is so technical, Wilson said, "It's amazing it ever works at all."
Send news tips and comments to jeremy_kirk@idg.com