Extremely comprehensive training packages tailored to the training objectives of our clients. The depth of coverage and duration of our training courses are customized to the client’s requirements.

Click here for typical Course Evaluation & Student Feedback

DFR Risk Management provides extremely comprehensive training packages tailored to the training objectives of our clients. The depth of coverage and duration of our training courses are customized to the client’s requirements and typically range from half-day overview sessions to a four day in-depth analysis of criminal attack methods, trends and risk reduction measures.

Our courses are constantly being updated with the latest intelligence and trends reflecting real world attacks globally. Whether you are concerned about the latest ATM malware, black boxes that can jackpot ATMs or the latest miniature skimming devices, we can help your teams gain the knowledge and experience to reduce financial and reputational risk from attacks by sophisticated global organized syndicates

As ATM crime becomes ever-more organized and technically sophisticated, those tasked with investigating ATM fraud and ATM security attacks need increasingly effective tools and skills to properly understand the technologies and risks involved. Likewise, those tasked with developing new ATM Fraud and Security detection and prevention solutions, and those considering purchasing new solutions, need a comprehensive way of assessing the likely benefits as well as the residual risks that will remain.

Comprehensive characterization checklists are important tools when assessing ATM fraud and ATM security threats. The vendor-independent ATM checklists developed by DFR Risk Management Ltd help their clients throughout the ATM life-cycle from solution conception, development and deployment to decommissioning and disposal. Some of the benefits include:

Recognize and understand the many technologies and methods used in ATM crime
Assess the likely effectiveness of new ATM security and ATM fraud prevention solutions
Identification of residual risks
Enabling accurate and consistent incident recording and reporting
Facilitate compliance with the most rigorous of ATM security policies and procedures
Individual checklists have been developed to cover almost every type of ATM fraud and security threat reported today, as well those predicted to emerge in the future with the criminal adaption of new and emerging technologies. Some examples include:

ATM Physical Attack Checklist (APA)

ATM Cash Trapping Checklist (ACT)

ATM Deposit Fraud Checklist (ADP)

ATM Dispenser Manipulation Checklist (ADT)

ATM Card Trapping & Card Theft Checklist (ALT)

ATM PIN Compromise Checklist (APC)

ATM Skimming & Systems Compromise Checklist (ASK)

Click the following two buttons to see examples of extracts from our suite of checklists:

When creating strategies and tactical responses to ATM and Self-Service Terminal fraud and security threats the importance of the role that consumers can play should not be underestimated. Consumers far out-number employees, law enforcement and other interested parties within the industry. Further, they are often more than familiar with specific terminals and their locations.Like most successful initiatives, one which is win-win for all parties (except the perpetrators of crime) is almost certainly going to gain favour and thus be accepted and acted upon. Consumer education, when designed, structured, and implemented well is an immensely important component of ATM and Self-Service terminal fraud prevention.

A consumer education initiative needs to consider not only the key messages to be presented but also the most effective way of delivering the messages. A campaign that works well in one country may be much less effective in another due to local cultural differences. Thought must be given to how the objectives will be achieved in different operating environments.Objectives include educating consumers to help themselves avoid becoming victims of crime while not exaggerating and fuelling the perception that ATM and Self-Service crime is worse than it actually is.

Causing unnecessary fear, leading to mistrust, of what is an important and convenient service channel, benefits neither the consumer nor the industry. Making it clear what steps are being taken to protect consumers and emphasizing that they will be helped if ever anything does go wrong will strengthen trust. Consumer education campaigns should be approached in much the same way as other marketing campaigns. In addition to printed material, full use should be made of the ATM and Self-Service terminal environment itself and in particular the graphics capabilities that most terminals have today. Displaying a high quality image of someone’s hand covering a keyboard as the PIN is entered is but one example of the effective use of pictures and graphics.Some points and messages which may be considered include:

1) Safety first. Use terminals in well-lit and safe locations for the time of day. If suspicious persons are around the location move to an alternative location.

2) Be observant. If something about the ATM does not seem or ‘feel’ right then abort the transaction and move away. Do not remove any suspicious devices from the ATM as it may be under surveillance by the criminals.

3) Card is cash. Consider the card to be representative of all the cash you have secured in the banks vault. Don’t leave your card somewhere that you would not be happy leaving all your cash.

4) PIN is your key. Treat your PIN like you would the keys to your private drawer that contains your personal diary. Don’t allow anyone to see it or know it, not a family member, not a bank employee nor any other person.

5) Shield your PIN. When entering your PIN, use your free hand, wallet or purse to shield your keying.Again, similar to other marketing campaigns the messaging and mode of delivery should be updated over time and refreshed to emphasize specific points in response to new and developing threats. Encouraging consumers to not only protect themselves by following some simple guidelines, but perhaps incentivizing them to notify the authorities about suspicious activity or devices are some of the many possibilities. A small reward or formal recognition for reporting concerns that are subsequently proven to be related to a criminal act builds goodwill between all parties. The Safety first message however must never be compromised.

The above article was written by Douglas Russell, DFR Risk Management Ltd.

ATM Crime:
Attacks against ATMs may be classified as either ATM physical attacks or ATM fraud.

ATM Physical Attacks:
ATM physical attacks are normally perpetrated with the intention of gaining access to the cash or other valuable media within the ATM safe or ATM security enclosure. Some of the most common methods include Ram Raid, Explosive Attack (gas and non-gas) and Cutting (e.g. rotary saw, blow torch, thermal lance, diamond drill). The success of ATM physical attacks is often measured by what percentage of the cash is stolen and the speed by which the attack is completed.

ATM Fraud
There are many different categories of ATM fraud. In general ATM fraud can include any deliberate ‘criminal’ technique which involves the use of an ATM to obtain something of value to the perpetrator. The most common types of ATM fraud include Card Theft (e.g. Lebanese Loop) , PIN Compromise (e.g. Shoulder Surfing), Card Skimming, Cash Trapping, Transaction Reversal and Deposit Fraud.

ATM Fraud in more detail:

Card Theft
Card theft is where the perpetrator physically obtains the consumer’s card at or in the vicinity of an ATM. The most common method of card theft is Card Trapping. The most popular method of trapping a card at the ATM is known as Lebanese Loop. A Lebanese Loop is designed to be entered within the card entry slot of the ATM card reader in such a way as it does not prevent the consumer from entering their card, but it does prevent the ATM card reader from ejecting or returning the card to the consumer. The perpetrator can subsequently remove the trapped card once the consumer has departed from the ATM with the belief that the ATM has captured or swallowed their card. Another variant of card trapping is known as the Algerian V trap. Other methods of card theft include card swapping where the consumer’s card is exchanged for a card of similar appearance. This distraction method is often executed at the time that the consumer’s card is being returned or ejected to the consumer following a transaction at the ATM.

PIN Compromise
PIN compromise methods range from the very technically sophisticated to the relatively easy technique known as shoulder surfing. Shoulder surfing involves the perpetrator standing close enough to the consumer to observe the numbers entered on the key pad. A more sophisticated method of observation or surveillance involves the use of a miniature camera which can either transmit the image of the PIN being entered or store the recording within the device. With the increase in the number of mobile phones with video capture capabilities, such phones are adapted to compromise PINs. Keyboard overlays are devices which are designed to look very like the genuine ATM key pad and are fixed on top of the genuine key pad. The Keyboard Overlay will record the numbers entered on the key pad but also permit the genuine keyboard to accept the PIN being entered. Similarly to the use of cameras, the keyboard overlay may transmit the information to a remote receiver or store the information locally. Sophisticated ATM Infrastructure Hacking, Architecture Hacking, Network Hacking, Social Engineering, Phishing and various other methods are also used to compromise PIN codes.

Card Skimming
Card skimming involves making a copy of the information encoded on the magnetic stripe of the card. There are various different types of skimming device designed to be used in different environments, from hand held devices through door access skimmers to miniature card entry slot skimmers. Hand held skimming devices are more commonly associated with card skimming in restaurants and other retail establishments. When used in the ATM environment the perpetrator will either use distraction techniques to temporarily obtain and copy the consumer’s card or sometimes pick the pocket of the consumer. Some ATMs are installed in a controlled environment whereby the consumer is required to swipe a card at the door of the ATM location to gain access. Skimming devices may be attached to or used as a replacement for a genuine door access device.ATM card entry slot skimmers have various shapes and sizes and also vary in sophistication. When installed correctly they allow normal operation of the ATM in that the consumer’s card is entered and returned correctly, however the magnetic stripe is copied by the skimming device. One of the most effective ATM skimming devices is known as the Sofia skimmer. The skills of the perpetrators in modifying the packaging of skimming devices makes them very difficult for the untrained observer to detect.

Cash Trapping
Cash trapping is the term used to describe attacks where the consumer’s cash is trapped and prevented from being presented or delivered to the consumer. The variety of trapping devices is significant, ranging from those which require insertion within the ATM’s cash dispenser through false fronts to well engineered electro-mechanical devices which simulate the removal of the cash by the consumer.

Transaction Reversal
Transaction reversal techniques involve highly skilled manipulation of the ATM during a transaction with the result that the host computer believes that the consumer did not receive their cash and thus re-credits or reverses the transaction. Other variants of transaction reversal involve either collusion with someone within the ATM network or detailed knowledge of the rules governing transaction processing.

Deposit Fraud
Deposit fraud covers a variety of criminal techniques from making false deposits, trapping deposits through skilful manipulation of the deposit accepting device. False Deposit fraud includes exploiting processing rules to draw on funds before they have been verified and officially cleared for crediting to an account. Similar to cash trapping, Deposit Trapping allows the perpetrator to obtain the valuable media prior to it being secured within the deposit terminals safe or security enclosure. Highly skilled perpetrators of deposit fraud may use techniques by which the deposit terminal believes it has received and successfully validated a deposit when in fact it has not.

The above article was written by Douglas Russell, DFR Risk Management Ltd.

There is little doubt that compliance with minimum security certification requirements is important, whether covering the security of card data or providing a measure of the physical resistance from attacks to the ATM security enclosure.

PCI DSS (Payment Card Industry Data Security Standard) provides a clear and well-documented set of requirements with the primary objective of the protection of card data being processed and stored. Physical security requirements focused on the resistance to attacks against the safe or ATM security enclosure are well-covered by standards such as UL291 (Underwriters Laboratories) or the various CEN (European Committee for Standardization) standards.

Standards are valuable to equipment designers and suppliers in that they provide some clearly defined rules and requirements that they will design their equipment to meet. Designing to a documented and internationally recognized standard helps suppliers have confidence that the product they supply has at least the same protection level (and often cost-base) as their competitors. The requirement for independent testing and certification of new products and modifications to existing products also provides an objective check that vulnerabilities have not been mistakenly introduced.

For purchasers and deployers of equipment, certificated proof that the product being procured meets, at a minimum, an internationally recognized level of security, helps provide confidence in their investment. By specifying compliance with a minimum-standards requirement during the selection process for new equipment is a primary filter for what will and what will not be considered suitable to carry their brand name. Compliance with a particular standard is also often used as a deciding factor when considering the insurance costs for an asset.

Many standards are created and debated by a large group of experts, each of whom is a stakeholder whose own organization or discipline will be impacted in some way by the final details that are specified in the published standard. While this structure helps make sure that the broadest consideration is given to often conflicting needs, it does often create a time-lag between the desire to specify protection against a certain threat and final acceptance and publication of the standard.

The reality of criminality is that new attack techniques are constantly being invented and rapidly deployed to exploit weaknesses in the security of products and systems.

As this article is being written, there is a wide array of physical attacks ongoing against ATMs, proving that the criminal fraternity pays little notice to the label attached to the machine confirming it meets the latest physical security standard. The same can be said for the much-publicised card data compromise attacks against major card processors and personal information thefts from well-known service providers.

Does this mean that the industry is expending money, time and resources to create, design to, test against, purchase and certify compliance for no return?

No.

What must not be overlooked is the number of criminal attacks that have failed, perhaps even at the concept stage, for the simple reason that the potential target was seen to be protected to the extent that the expected return was outweighed by the risk to the potential perpetrators.

There is, and always will be, an absolute need to have internationally approved minimum-security requirements in the shape of measurable and certifiable standards.

However, to increase confidence in the security of your assets, whether you are the supplier or the deployer, assessing current and emerging threats in the real world, in real time, must be a prioritised and ongoing process.

The above article was written by Douglas Russell, DFR Risk Management Ltd.

ATM security issues and ATM fraud issues often follow some distinct patterns based upon the location of the ATM security attacks or ATM fraud incidents. While accurate reporting of bank ATM security and ATM fraud issues varies considerably by country, the following provides a high level overview of some of the geographical patterns of ATM security and ATM fraud attacks:

ATM fraud issues in the most part involve credit card fraud and debit card fraud. The ATM machine may be the ‘common purchase point’ (CPP) where analysis shows that a significant number of credit cards or debit cards were used genuinely in one specific location prior to detection of subsequent fraudulent transactions. Even when not the CPP, automated teller machines may be the mechanism used to convert compromised credit cards and debit cards into hard cash, so long as the credit card fraud or debit card fraud included compromise of the personal identification number (PIN).

ATM skimming is now common in most parts of the world that have a mature network of ATMs, self-service terminals and point of sale (POS) terminals that accept magnetic stripe based credit cards and debit cards. Most bank ATM security issues and ATM fraud issues involving ATM skimming are the result of criminals attaching an ATM skimmer to the ATM card reader slot. Europe has historically been one of the most targeted geographies for ATM skimming attacks, although the world-wide spread of such ATM skimming fraud has been, and continues to be significant.

ATM deposit fraud which includes both cash deposit fraud and cheque fraud (check fraud) at automated teller machines is one type of ATM fraud that is particularly common in the US where many banks have a culture of crediting and allowing drawings against the deposit prior to manual reconciliation and verification.

ATM hacking should really only be used to describe attacks against the internals of the ATMs software or the ATMs systems security but is commonly used to describe attacks against card processors and other components of the transaction processing network. The US have experienced a number of high profile ‘ATM hack’ attacks against well known credit card and debit card processors. Some of the systems security breaches have included compromise of the PIN in addition to the card data, with subsequent fraudulent spend using cloned credit cards and cloned debit cards at ATMs.

Another ATM fraud issue is ATM card theft which includes credit card trapping and debit card trapping at ATMs. Originating in South America this type of ATM fraud has spread globally. Although somewhat replaced in terms of volume by ATM skimming incidents, a re-emergence of card trapping has been noticed in regions such as Europe where EMV Chip and PIN cards have increased in circulation.

ATM funds transfer fraud is prevalent in Asia. This ATM scam involves criminals tricking victims into using the automated teller machine to transfer money into the criminals account.

ATM security attacks involving physical attacks against the ATM security enclosure are widely spread. ATM explosive attacks although originating and not uncommon in Europe are more prevalent in Australia and South Africa.

ATM ram raid incidents also occur globally but are most prevalent in the US, perhaps partly due to the large number of ATMs deployed in soft-target locations such as convenience stores.

ATM security incidents involving a high degree of precision to gain access to the ATM security enclosure occur globally. The UK and Canada have experienced many such precision ATM security attacks in recent years.

TThe above article was written by Douglas Russell, DFR Risk Management Ltd.

For those of us who operated in Hong Kong during the SARS (Severe Acute Respiratory Syndrome) near-pandemic in 2002 / 2003 there is much to remember, and many lessons were learned that can be applied to the potential operational risks from Swine Flu (H1N1) today.

Many will clearly recall the visual images of blue face masks and the underlying fear of being confined in an elevator when going up to the 34th floor of an office building, watching the small, wall-mounted, television with the latest ‘number’ (of infected victims) scrolling across the screen, or travelling to work in a crowded, though spotlessly clean, MTR (underground railway) carriage trying so hard to keep at least a small air gap between yourself and your fellow-travellers. Many might have forgotten the intense effort and commitment of staff in every department of their organization who did everything they could think of to keep the business operating and customers served.

It is, perhaps, stating the obvious to say that businesses must have or must now quickly put in place, Business Continuity Plans to address the potential of a serious threat to business operations should Swine Flu or, indeed, any other debilitating risk be realized. Hope for the best, but plan for the worst.

Business Continuity Plans need to cover so many different areas of an operation that sometimes it might be tempting to ‘tick the box’ and simply document that if Jane Doe is unavailable for work then John Doe will cover the task (assuming that staff levels in your organization are sufficient to offer a degree of redundancy). But what if John is also unavailable? Even if he is available, who is going to cover his tasks?

Large organizations usually have an advantage over smaller operations regarding total staff numbers and multiple, often internationally distributed, theatres of operation. Some companies have a response model which includes ‘flying in’ resources from other locations to fill any temporary gaps in expertise. But, should this model be used, it is important to keep in mind the impact of either voluntary or enforced quarantine restrictions that might apply when they return home.

Modern communications make it much more feasible to manage many tasks remotely, but the ability to communicate is only relevant if the person communicating is trained and knowledgeable in the subject that needs managing. It is this precise point that might be more effectively addressed by implementing backup and backup-backup staff education and training now rather than later. Alternatively, or preferably additionally, sourcing and pre-establishing links with third party consultants and subject-matter experts will increase confidence that the right skills are available if required, without putting pressure on the head-count budget.

And, for ATM and Self-Service terminal deployers, don’t forget your brand image in front of your consumers – clean the keyboard….

The above article was written by Douglas Russell, DFR Risk Management Ltd.