
On the DBS/POSB ATM card fraud case in Singapore

January 16, 2012


So I’ve been writing in to a Minister once again. Probably not the first or last person to bring up these simple facts to Tharman Shanmugaratnam, Minister for Finance of Singapore, but I thought I would contribute my two cents (ha, ha). Here it goes :


Delivered-To: …
Subject: Improving security for ATM/NETS cards
From: Low Ee Mien [...]
To: tharman_s@mof.gov.sg

Dear Minister for Finance,

I am writing in my personal capacity regarding the recent DBS/POSB ATM fraud case. As we have seen, the two-factor authentication mechanism of ATM/NETS cards has been defeated. The perpetrators have managed to successfully obtain both factors of authentication : something you have (ATM card details via the card skimming device), and something you know (ATM PIN via a strategically-located pinhole camera).

It has been proven time and again that the magnetic stripe data such as those being used in the ATM and NETS cards in Singapore is quite easily copied. This magnetic stripe technology was invented over 50 years ago and is able to contain at most a few bytes of information, and has no processing capability of any sort, nor any form of cryptographic technology to resist cloning or tampering. In short, this is a completely outdated technology that the whole of our nation is using for our daily financial transactions, at thousands of retail establishments, ATM’s, top-up kiosks, and so on.

Something needs to be done about this glaring security vulnerability.

As you can see from the link below, Malaysia’s Maybank is already ahead of Singapore in this respect :
http://www.maybank2u.com.my/mbb_info/m2u/public/personalDetail04.do…

The Maybank ATM card includes an embedded smartcard chip, which as their website states, offers “Increased security, as the smart chip is tamper-resistant and the data stored is harder to extract and copy”. This is the key point : smartcard technology, well established by now, mitigates many of the shortcomings of magnetic stripes. It is much harder to simply clone compared to magnetic stripes and requires sophisticated and intrusive physical attacks to get to the private key data contained in the smartcard chip. The technology currently required to carry out such attacks does not fit in a simple card skimmer that can be installed in an ATM card slot. Other security measures such as revocation of the certificates of any particular set of smartcards can be carried out on demand. In addition, manufacturers have already included a number of on-board security measures in smartcard processor chips to resist cloning and tampering.

Hence, in the interest of increased security for banking customers, I would like to suggest that MAS work towards regulations requiring all banks issuing ATM and NETS cards to include embedded smartcard technology such as the EMV technology being used by VISA and other credit card issuers.

As an additional security measure, I would also like to suggest industry-wide regulation to eventually disallow transaction fallback to magnetic stripe reading, thus removing one of the main factors contributing to ATM card fraud. The ultimate goal is for ATM/NETS cards to be issued *without* any form of magnetic stripes whatsoever, and ATM’s as well as POS terminals to be updated to smartcard-acceptance only, thus finally retiring this outdated 50-year-old magnetic stripe technology.

Thank you for your attention.

Low Ee Mien (Mr)
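
The letter's argument, as an added example that is not part of the original letter or post: a simplified model in which stripe data is static and copyable while a chip answers a fresh challenge with a key that never leaves it, and in which magnetic stripe fallback decides whether a stripe-only copy is still accepted. The `Card`, `Issuer` and `stripe_copy` names, the HMAC challenge-response (a stand-in, not the EMV protocol) and the sample card number are assumptions made for illustration; the PIN is left out.

```python
import hashlib
import hmac
import os


class Card:
    """Constructed model: static stripe data plus an optional chip key."""

    def __init__(self, pan, chip_key=None):
        self.stripe = pan            # static data, readable by any stripe reader
        self._chip_key = chip_key    # held inside the chip, never read out

    def sign(self, challenge):
        """Chip response to a terminal challenge; None when there is no chip."""
        if self._chip_key is None:
            return None
        return hmac.new(self._chip_key, challenge, hashlib.sha256).digest()


def stripe_copy(card):
    """A copy made from stripe data alone: same static data, no chip key."""
    return Card(card.stripe, chip_key=None)


class Issuer:
    def __init__(self):
        self._keys = {}

    def issue(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        return Card(pan, key)

    def authorize(self, card, allow_fallback):
        key = self._keys.get(card.stripe)
        if key is None:
            return False
        challenge = os.urandom(16)   # fresh per transaction, so replies cannot be reused
        response = card.sign(challenge)
        if response is None:
            # No chip answered: acceptance depends only on the fallback policy.
            return allow_fallback
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def demo():
    issuer = Issuer()
    genuine = issuer.issue("CONSTRUCTED-PAN-0001")  # constructed sample value
    copy = stripe_copy(genuine)
    return {
        "genuine_chip": issuer.authorize(genuine, allow_fallback=False),
        "copy_with_fallback": issuer.authorize(copy, allow_fallback=True),
        "copy_without_fallback": issuer.authorize(copy, allow_fallback=False),
    }
```

With fallback allowed the chip adds nothing against a stripe copy, which is why the letter asks for fallback to be retired along with the stripe itself.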

Sure, smartcards are not impossible to defeat, but they are much harder than the increasingly laughable magnetic stripes, with card skimmers being more readily available nowadays, even apparently custom fitted to closely resemble the “anti-intrusion” devices installed over the ATM card slots. Some have said that 3D printers have now been used to create the exact shapes of these “anti-skimming” devices, or Fraudulent Device Inhibitor (FDI), in an ironic application of cutting-edge technology being used to defeat a simple physical device that was meant to guard against just such occurrences of card skimmers being installed.

The measures announced by the bank are well and fine, such as blocking foreign ATM withdrawals for folks who have not used them overseas, sending out SMS messages and so on, but all these reek of reactionary and stop-gap measures.

I don’t quite agree with the DBS CEO’s claim that replacing the magstripes with smartcard chips has its own set of problems, such as : “The problem with that is it’s a huge inconvenience to customers. When you go to the US, they don’t accept chip cards”. My man, the world is moving away from this outdated magstripe technology, I am frankly surprised and amazed simply that Singapore has not gone along and our neighbour Malaysia has. Fact is, we are actually behind Maybank Malaysia in this area and there’s quite a bit of catching up to do.
