Sitting in a restaurant in Doha over the weekend I was shocked to hear a fellow customer bellow out the PIN number for his credit card across the room to the waiter bringing him his bill. This is not the first time I have seen this very casual attitude towards protecting sensitive personal financial information. However, we are all responsible for keeping our PIN numbers and bank account details secure: this was the central message of the recent ictQATAR conference, fin.INFOSEC.
The conference was organized by the Qatar Cyber Emergency Response Team (Q-CERT), a division of ictQATAR and welcomed leading experts in the financial security field from Doha and worldwide. The focus of the conference was to discuss the latest threats and trends in financial information security and the risks faced by the finance sector and individuals.
Among the experts speaking at the event was European ATM Security Team (EAST) chairman, Lachlan Gunn, who highlighted the threat to ATM users of their PIN numbers being nabbed and consequently having their money stolen. “Whenever we enter our PIN number at an ATM or payment terminal, we should cover it. Your PIN is your responsibility. Protect it,” he said. “ATM fraud may only constitute a fraction of the amount lost to financial fraud but it is a significant issue as confidence in the cash distribution chain must be maintained. Criminals continue to keep abreast of the latest technologies to maximize their activities. Most recently we have seen the adoption of MP3 and 4 players to create analogue streams to capture data.”
EAST is set up as a non-profit organization working across Europe to tackle ATM crime, effectively making Gunn a modern day bounty hunter, and with a name like Lachlan Gunn, that seems completely appropriate. Gunn went on to show alarming video footage of criminals in Europe fixing a minuscule camera above an ATM keypad which harnessed a very clear view of users PIN numbers and who then fixed a new facade over the card reader to steal users card information. This was done in a matter of minutes and is a practice known as ‘Skimming’. He explains, “Some of the software and hardware used to read card information that we find attached to ATM’s are freely available online and at specialist outlets because they are used legitimately at trade fairs and bazaars.”
According to Gunn, by 2015 there will be as many as 2.9 million ATM’s globally as this continues to be one of the most convenient methods for bank customers to gain access to their cash. Therefore staying informed of best practice is essential for everyone, he said, so always cover your PIN and keep your number secret. Auke Huistra, of Cybercrime Information Exchange in Holland, also pointed out that as ATM’s become more secure, criminals will switch their activities to PIN numbers used at point of sale.
Other scams that were discussed at the event included ‘Phishing’ and the problem of ‘Money Mule’s’. Brian Krebs, a US investigative reporter and editor of Krebsonsecurity.com highlighted the issue of fake websites which harness your bank account information to steal your money, known as ‘Phishing’, and the second part of this scam, the money mule, whereby unsuspecting people then process this money through their own bank accounts so criminals can get it out of the country.
According to Krebs, this kind of fraud costs US banks at least $70 million a year. “US banks are being targeted in a big way. Mainly by Russian and Ukrainian gangs who are almost open about these activities. They are protected by difficulties in cross border prosecutions and complicated routes of bouncing online traffic, making it almost impossible to trace them. These criminals openly advertise for programmers who can write malware and software for them as this technology continues to evolve,” he said.
Executive Director of Q-CERT, Khalid al-Hashimi said the conference was an extension of ictQATAR’s ongoing work to ensure all sectors in Qatar are aware of the latest cyber threats and are prepared to manage them effectively. “The finance sector has wisely embraced the benefits of technology to enhance their customer services, increase efficiency and better secure their information. While the benefits of technology are unquestionable, they also create new opportunities and channels for criminal activities, such as hacking, data breaches and consumer scams,” he said.
The event also heard from Jason Coupe, the International Bank of Qatar’s Head of Information Security who spoke at length on the importance of ensuring Qatar’s banks use the latest appropriate hardware and software for their ATM’s. Aldi Wahid, VP of Cyber Security Responsive Services at CyberSecurity Malaysia brought insights on how to share financial security information across institutions and news of the very latest in cyber threats. According to Wahid, phishing scam websites are on the increase in Malaysia, from just under 500 in 2009 to over 3000 in 2011. “To date there have been no convictions”, he said. “One attorney general told me we had to catch the criminals in the act of obtaining money this way, which is of course, impossible. This makes it difficult to enforce penal deterrents on the criminals, even though losses from phishing scams went from US $1.2 Million in 2010 to US $4 million in 2011.”