How to rob banks and get away with it?


Photo: Dražen Tomić

For more than a decade I have been asking myself why people need a gun, sunglasses and a hoodie to rob a bank. As an operational risk management expert, while assessing business process and IT operations security, I keep finding the same vulnerabilities. This time I decided to exploit one and get some cash from the bank as evidence. Why am I publishing it instead of making money exploiting the vulnerability? Because there are thousands of vulnerable banks and smart card issuers out there, and they should change it.

It's a credit or debit card fraud

When a new payment card is issued, the issuer is required to deliver the card and the corresponding PIN to the cardholder. To use the card, you need both. The most common approaches banks use to deliver these are:

  1. Deliver the PIN and the card by post in separate envelopes (cheap and convenient)
  2. Deliver the PIN by post and require the cardholder to visit the branch office to retrieve the card (inconvenient and expensive)
  3. Ask the cardholder to visit the branch office, retrieve the card and set the PIN (inconvenient and expensive)

Fraud step by step

To commit the fraud you need to get possession of a valid, activated payment card and the associated PIN, and you need to make sure the missing card or compromised PIN is not reported to the bank. The ideal time to do that is before the card reaches the cardholder.

Getting the card and the PIN without bank or cardholder knowing it

Identify a bank sending both cards and PINs by post. (In this case it was one of the leading European banks.)

Follow the postman and check the mailboxes where he left envelopes containing the PIN, and take the envelope out. Make sure to target locations where you are able to get the envelope out of the mailbox easily (i.e. big buildings with exposed mailboxes).

Make a note of the mailboxes you found a PIN in, and make sure you take the utility bills from there too.

In about one week the postman will leave the card there. Take the card and read the carrier letter.

Now you have the card and the PIN. Some banks send activated cards, so you can use it right away. However, this wasn't the case here.

Activating the card

Some banks send un-activated cards and provide activation instructions in the letter accompanying the card. This was the case here. The card wasn't activated. According to the instructions, to activate the card the cardholder has to call the bank using the provided phone number. They could record calling numbers, so I used a Skype number registered on the opposite side of the planet (just to check the bank's ability to identify fraud; a real fraudster would use a prepaid mobile phone). During the call I clearly stated that I had just received the card and would like to activate it, thereby providing the information that I had just travelled half the planet in a few hours. The bank didn't care. However, they said I had to provide my national identification number (similar to the social security number in the US), so I couldn't activate the card. This is the time utility bills become important. The first bill I opened was the bill for gas, and... bingo! The required number was printed on this bill. It is amazing what kind of information you can find on utility bills. I called the bank again, again from the opposite side of the planet, provided the number, and the card was activated.

Now it’s time for the hoodie and the sunglasses.

I went to an ATM and withdrew some cash: fraud successful. The whole beauty of this approach is that the fraudster can do this for up to one month, until the real cardholder receives his first bill and calls the bank. This wasn't the case here, but some banks also provide information about daily spending and withdrawal limits in the card carrier letter, so you can even know how much money you can get daily. Preventing such fraud is the bank's responsibility, but impacted cardholders could have problems providing evidence that their cards were stolen together with the PIN and activated by an identity thief. Because such frauds could go public, issuing banks could easily suffer significant reputation damage, probably much bigger than the direct financial loss.
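As an added example (not from the article or from PINswift), here is a defender-side check an issuer could run on each activation call, built on the signals the article says the bank had but did not act on: the calling number's country versus the cardholder's, the time since the card was posted, and whether the identity factor requested is one that sits in the same mailbox as the card. The field names, factor names, countries and dates are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Identity factors that travel through the same letterbox as the card and PIN
# (hypothetical list; the article shows the national ID number on a gas bill)
MAILED_FACTORS = {"national_id", "date_of_birth", "postal_address"}
# Factors delivered over a channel the postal route does not touch
OUT_OF_BAND_FACTORS = {"sms_otp_registered_phone", "online_banking_login"}


@dataclass
class ActivationCall:
    card_id: str
    call_date: date
    caller_country: str   # country of the calling number, as the issuer logs it
    holder_country: str   # cardholder's country of residence on file
    dispatch_date: date   # day the card was posted
    factor: str           # identity factor the caller supplied


def assess_activation(call, min_transit_days=2):
    """Return (decision, reasons): 'activate', 'review' (anomalies seen but an
    out-of-band factor passed) or 'step_up' (only a mailed factor offered)."""
    reasons = []
    if call.caller_country != call.holder_country:
        reasons.append("calling number is in %s, cardholder lives in %s"
                       % (call.caller_country, call.holder_country))
    in_transit = (call.call_date - call.dispatch_date).days
    if in_transit < min_transit_days:
        reasons.append("call came %d day(s) after dispatch, before the card could arrive" % in_transit)
    if call.factor not in OUT_OF_BAND_FACTORS:
        # Anything a mailbox thief can read from posted documents proves nothing
        what = "is printed on posted documents" if call.factor in MAILED_FACTORS else "is not out-of-band"
        reasons.append("factor '%s' %s" % (call.factor, what))
        return "step_up", reasons
    return ("review" if reasons else "activate"), reasons


# Constructed sample calls; card-A mirrors the article's scenario
SAMPLE_CALLS = [
    ActivationCall("card-A", date(2017, 3, 20), "NZ", "DE", date(2017, 3, 10), "national_id"),
    ActivationCall("card-B", date(2017, 3, 18), "DE", "DE", date(2017, 3, 10), "sms_otp_registered_phone"),
    ActivationCall("card-C", date(2017, 3, 11), "FR", "DE", date(2017, 3, 10), "sms_otp_registered_phone"),
]


def demo():
    """Decision per sample card."""
    return {c.card_id: assess_activation(c)[0] for c in SAMPLE_CALLS}


if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(c.card_id, *assess_activation(c))
```

The point of the `step_up` branch is that a national ID number, date of birth or address never proves who is calling, because the same postal route that delivered the card delivers documents carrying them.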

Disclaimer: The described fraud was committed with the approval of the cardholder in order to point out this widespread vulnerability so banks can improve the security of card and PIN delivery processes. Since the introduction of EMV (chip & PIN), the risk of payment card fraud is moving from forging the card to stealing it.

* Author: Stanko Cerin, CTO at PINswift banking services
