How to rob banks and get away with it?
For more than a decade I have been asking myself why people need a gun, sunglasses and a hoodie to rob a bank. As an operational risk management expert, I keep finding the same vulnerabilities while assessing business process and IT operations security. This time, I decided to exploit one of them and get some cash from a bank as evidence. Why am I publishing it instead of making money by exploiting the vulnerability? Because thousands of banks and smart card issuers out there are vulnerable, and they should change their processes.
It's credit or debit card fraud
When a new payment card is issued, the issuer is required to deliver the card and the corresponding PIN to the cardholder. To use the card, you need both. The most common approaches banks use to deliver these are:
Fraud step by step
To commit the fraud, you need to get into possession of a valid, activated payment card and the associated PIN, and you need to make sure the missing card or compromised PIN is not reported to the bank. The ideal time to do that is before the card reaches the cardholder.
Getting the card and the PIN without the bank or the cardholder knowing it
Identify a bank that sends both cards and PINs by post. (In this case it was one of the leading European banks.)
Follow the postman and check the mailboxes where he left envelopes containing the PIN, and take the envelope out. Make sure to target locations where you are able to get the envelope out of the mailbox easily (i.e. big buildings with exposed mailboxes).
Make a note of the mailboxes you found a PIN in, and make sure you take the utility bills from there too.
In about one week the postman will leave the card there. Take the card and read the carrier letter.
Now you have the card and the PIN. Some banks send activated cards, so you can use the card right away. However, this wasn't the case here.
Activating the card
Some banks send unactivated cards and provide activation instructions in the letter accompanying the card. This was the case here: the card wasn't activated. According to the instructions, to activate the card the cardholder has to call the bank using the provided phone number. They could record calling numbers, so I used a Skype number registered on the opposite side of the planet (just to check the bank's ability to identify fraud – a real fraudster would use a prepaid mobile phone). During the call I clearly stated that I had just received the card and would like to activate it, implying that I had just traveled halfway around the planet in a few hours. The bank didn't care. However, they said I had to provide my national identification number (similar to the Social Security number in the US), so I couldn't activate the card. This is where the utility bills become important. The first bill I opened was a gas bill, and... bingo! The required number was printed on this bill. It is amazing what kind of information you can find on utility bills. I called the bank again, again from the opposite side of the planet, provided the number, and the card was activated.
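The activation call above shows an issuer collecting signals (the calling number, the timing of the call, a knowledge-based identifier) and acting on none of them. As an added example, not code from the original post or from any bank, here is a small defender-side risk check over such activation calls; it assumes the issuer can derive a country from the recorded calling number and knows the day the card was posted, and all card ids, country codes and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Fewest days the post needs to carry a card from issuer to cardholder.
# Assumed value for this example; an issuer would use its own postal SLA.
MIN_POSTAL_TRANSIT_DAYS = 2


@dataclass
class ActivationCall:
    card_id: str
    address_country: str     # country of the postal address the card was mailed to
    caller_country: str      # country derived from the recorded calling number (assumed)
    card_posted_on: date     # day the card envelope left the issuer
    called_on: date          # day of the activation call
    id_number_matched: bool  # caller quoted the correct national identification number


def risk_flags(call: ActivationCall) -> List[str]:
    """Reasons an activation call looks suspicious (empty list means clean)."""
    flags = []
    if call.caller_country != call.address_country:
        flags.append("calling number is from a different country than the mailing address")
    if (call.called_on - call.card_posted_on).days < MIN_POSTAL_TRANSIT_DAYS:
        flags.append("activation requested before the card could have been delivered")
    if not call.id_number_matched:
        flags.append("national identification number did not match")
    return flags


def decide(call: ActivationCall) -> str:
    """'activate', 'refer' (call back on the phone number already on file) or 'reject'.

    The identification number is only a weak factor: it is printed on utility
    bills that sit in the same mailbox as the card, so a correct answer never
    overrides the other flags.
    """
    if not call.id_number_matched:
        return "reject"
    return "refer" if risk_flags(call) else "activate"


def sample_calls() -> Dict[str, ActivationCall]:
    """Constructed sample calls: one genuine, one matching the pattern in the article."""
    return {
        "genuine": ActivationCall("card-0001", "FR", "FR", date(2015, 3, 2), date(2015, 3, 9), True),
        "far_away_caller": ActivationCall("card-0002", "FR", "AU", date(2015, 3, 2), date(2015, 3, 9), True),
        "too_early_wrong_id": ActivationCall("card-0003", "FR", "FR", date(2015, 3, 2), date(2015, 3, 2), False),
    }


if __name__ == "__main__":
    for name, call in sample_calls().items():
        print(name, decide(call), risk_flags(call))
```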
Now it’s time for the hoodie and the sunglasses.
I went to an ATM and withdrew some cash – fraud successful. The whole beauty of this approach is that the fraudster can keep doing this for up to one month, until the real cardholder receives his first bill and calls the bank. This wasn't the case here, but some banks also state the daily spending and withdrawal limits in the card carrier letter, so you even know how much money you can get each day. Preventing such fraud is the bank's responsibility, but affected cardholders could have problems providing evidence that their cards were stolen together with the PIN and activated through identity theft. Because such frauds could go public, issuing banks could easily suffer significant reputational damage, probably much bigger than the direct financial loss.
Disclaimer: The described fraud was committed with the approval of the cardholder in order to point out this widespread vulnerability, so that banks can improve the security of their card and PIN delivery processes. Since the introduction of EMV (chip & PIN), the risk of payment card fraud is moving from forging cards to stealing them.
* Author: Stanko Cerin, CTO at PINswift banking services