ATM fraud: Forget EMV; Try Mobile Money

This Christmas did not pass without much drama for many Kenyans. For some days before the holidays, banks had sent what looked like panic notifications advising customers to change their ATM card PINs. Although I don't recall being a targeted recipient of the "Change your PIN" plea from my bank, good old Twitter amplified the message at some point on 23rd and 24th December.

As fate would have it, having been unable to scamper for the seemingly account-saving change of PIN, Christmas Eve would be the day fraudsters hit my account. In the resulting helplessness, where else to go but good old Twitter to share the experience with the rest of the world?

So off went the message, if only to tell fellow Kenyans that the earlier "Change your PIN" messages were not to be taken as jokes. Some of what followed would become history, with some coverage on Citizen TV.

When old friend Henry called me up for an interview on the fiasco, one key message was on my mind to tell their TV audience. That message was:

"Using mobile money is comparatively safer than using ATM cards".

Obviously my message did not come out in the interview - it must have been so underdeveloped in my mind that the editors could not infer much from what I said. Or perhaps the story needed to link better with the apparent agitation by the Kenya Bankers Association and Pesa Point for banks to migrate their ATMs and card systems to the Europay, MasterCard, Visa (EMV) standard. The EMV platform also seems to be called the "chip and PIN" system by journalists. The more I thought through my mobile-money-is-better message, the more the questions to myself piled up.

To begin with, let's see what technological challenges the fraudster faces:

For ATM skimming, the kind of fraud that has apparently hit many Kenyans, to happen, the fraudster has to have accessed the victim's account details, which are usually encoded in the black magnetic stripe on the back of the card. The fraudster also has to somehow discover the victim's four-digit PIN for the card, which, in the case of magnetic stripe cards, is never stored among the other details on the card. In short, armed with the information in the magnetic stripe, the fraudster makes a clone of the victim's ATM card, and the only other thing they need is the victim's PIN, after which they can do anything the victim can do with the account at their safest, favourite ATM.

To set up their trap for gathering the above two pieces of information, fairly commonplace technology is used. For the magnetic stripe ATM card, the fraudster has to overcome two technological challenges: cloning the information on the card and learning the original card's PIN.

In both cases, the technological challenge of knowing the victim's PIN is easily surmountable given the diminishing size and increasing abilities of spy cameras. The fraudsters' other option is to overlay a look-alike key entry pad on the ATM's original pad.

To gather the account information on the card matching the PIN acquired, the fraudster needs only to acquire a magnetic stripe reader that can be appended in a disguised manner to the ATM's authentic reader. Similarly, a smart card reader can be appended to the authentic ATM reader in the case of EMV cards. Once the information is read (copied) by the fraudster, their next move is to write (paste) it to their own "fake" card, which becomes a clone of the original one in the victim's wallet.

Out of curiosity, click here to read a fraudster's how-to - only if you will not join in the crime.

The human action challenge

Since most, if not all, ATMs in Kenya have guards assigned to them at all times, the fraudster also must plan to either bribe away the "soldier" or somehow get the guard to sleep so that they have ample time to install paraphernalia on the ATM. The other, cheaper way to get the pieces of information the fraudster requires is to befriend a rogue bank (card centre) staff member or promise to share the earnings of the venture with them. For my discussion's sake I shall consider this a human challenge and not a technological challenge, the latter being the substantive discussion here.

The SMS alert challenge (StanChart Scenario)

In my opinion, the fraudsters' greatest challenge in the magnetic stripe case is the SMS alerts sent to the victim's phone detailing when and where a transaction takes place. These allow the user to act promptly in response to the attack. SMS alerts for point of sale purchases usually bear the names and locations of the merchants where transactions take place. Specific location information is surprisingly missing from the StanChart SMS alert messages for ATM withdrawals. The alerts do not specify the exact location of the ATM, which could assist in "nabbing" fraudsters if, by some lucky convergence of factors, there are contactable and cooperative police officers or members of the public in the vicinity of the crime. A workaround for the fraudsters in the StanChart case seems to revolve around the delivery time of SMS alerts. How SMS alerts seemed to reach victims 5 hours after the fraudulent transactions, whereas under normal circumstances such notifications are received instantly, is a puzzle.

The Cloning Challenge

Data on magnetic stripe cards has no "copy-protection" features, and hence cloning cards based on this technology is fairly straightforward for criminals. This is not the case for EMV cards. At the point of making a copy of the original card, fraudsters face the tougher technological challenge of cryptography. This is where banks, merchants and card issuers implement the EMV card system. Cryptography under the EMV standard prescribes a process whereby data in the smart card can be protected against modification or cloning. This is one of the features that EMV proponents have successfully used to rally banks the world over (including in Nigeria) to transition from the magnetic stripe, with Kenyan banks being left behind.
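To make the cloning contrast concrete, here is an added toy model (my own example, not the page's or any bank's code) of why a copied stripe passes authorisation while a copied chip does not: the stripe's static data is compared as-is, whereas the chip signs each transaction with a key that never leaves it, a terminal-chosen nonce and a transaction counter. The HMAC, byte layouts and card values are constructed simplifications of the real EMV cryptogram, not its actual algorithm.

```python
import hmac
import hashlib
import os

# Constructed toy values, not real card data or keys. The static data is what a skimmer can
# copy from a stripe; the key exists only inside the chip and at the issuer.
STATIC_DATA = b"PAN=4000000000000002;EXP=2712"
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ISSUER_PINS = {STATIC_DATA: "1234"}  # magstripe world: issuer only matches PIN to static data

def authorize_magstripe(track_data, pin):
    """Magstripe: nothing on the card is secret, so copied track data plus an observed PIN passes."""
    return ISSUER_PINS.get(track_data) == pin

def cryptogram(key, static_data, amount, unpredictable_number, atc):
    """Simplified stand-in for the EMV application cryptogram (HMAC here; real EMV uses 3DES/AES)."""
    msg = static_data + amount.to_bytes(6, "big") + unpredictable_number + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Chip:
    """Genuine chip: each transaction is bound to a terminal nonce and the card's own counter."""
    def __init__(self, static_data, key):
        self.static_data, self._key, self.atc = static_data, key, 0
    def generate(self, amount, unpredictable_number):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.static_data, amount, unpredictable_number, self.atc)

class Issuer:
    def __init__(self, key):
        self._key, self.last_atc = key, 0
    def verify(self, static_data, amount, unpredictable_number, atc, mac):
        expected = cryptogram(self._key, static_data, amount, unpredictable_number, atc)
        if atc <= self.last_atc or not hmac.compare_digest(expected, mac):
            return False  # stale counter (replay) or wrong key (clone)
        self.last_atc = atc
        return True

def authorize_emv(issuer, chip, amount):
    un = os.urandom(4)  # terminal-chosen unpredictable number
    atc, mac = chip.generate(amount, un)
    return issuer.verify(chip.static_data, amount, un, atc, mac)

def run_scenarios():
    issuer, chip = Issuer(CARD_KEY), Chip(STATIC_DATA, CARD_KEY)
    skimmed_ok = authorize_magstripe(STATIC_DATA, "1234")  # copied stripe + observed PIN: accepted
    genuine_ok = authorize_emv(issuer, chip, 5000)
    # A reader appended to the ATM can record one chip cryptogram, but a copy of the card
    # cannot compute a fresh one: the issuer sees a different nonce and rejects it.
    atc, mac = chip.generate(5000, os.urandom(4))
    replay_ok = issuer.verify(STATIC_DATA, 5000, os.urandom(4), atc, mac)
    return skimmed_ok, genuine_ok, replay_ok  # (True, True, False)
```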

Although the EMV card system carries reduced chances of ATM fraud, Rober Murdoch and other researchers at the University of Cambridge have exposed a couple of vulnerabilities in EMV implementations. These include the wedge vulnerability, the PIN entry device vulnerability, and relay attacks. Below is a UK video narrating two real-life fraud experiences and a re-enactment of the fraud against an EMV card.

The more frightening concern here is the insistence by Europay, MasterCard and Visa that liability for fraud affecting an EMV (chip and PIN) card implementation MUST be borne by the cardholder. I leave that fight for the consumer rights activists to pick up, as they seem to have had success with the digital TV migration case.

Mobile Money - Technologically Simpler, and Superior?

And now to my theory about better safety in mobile money withdrawals and purchases. This builds on a not so old article on Kopokopo's blog, in which Ben Lyon argued that it is safer to pay with M-Pesa than with credit/debit cards. Ben's argument relates well to "point of purchase" situations among ATM card holders, and everyone needs to take note of that to begin with.

It can be argued, for the specific case of "point of withdrawal", that the technological challenges for fraudsters capturing the PINs of mobile money account holders are much greater than in the ATM case. The ATM is a public machine where anyone can "legitimately" access the physical installation. The mobile phone is a personal device. A technological PIN-capturing scheme by any fraudster against mobile money systems can potentially be reduced to spying on the use of an individual mobile phone's keypad. This seems much more difficult than setting up spy cameras or overlaid keypads at an ATM accessed by multiple account holders. The question is whether the mobile operators can assure people that the communication channel between the mobile phone and the mobile money authentication service is encrypted, which would reduce the fraudster's options for sniffing the line for people's mobile money PINs across the mobile networks.

The mobile money equivalent of cloning the account holder's information seemed complicated for the fraudster, until I thought about SIM cloning. Although there are arguments suggesting that SIM cloning is practically impossible, theoretically a fraudster could clone a SIM card if they had enough reason. They might as well steal the original SIM card / phone from the account holder if SIM cloning proved impossible. Of course, the parallel to stealing the SIM card in the ATM fraud case is stealing the card from the card holder, which is not an area of comparison in this article.

Critics of mobile money will say that mobile money agents are scarce geographically and may not be accessible for withdrawals at night. The same applies to ATM infrastructure, and mobile money fares better on the same yardsticks in rural areas. More importantly, withdrawal of mobile money from ATMs is possible without using the all-vulnerable ATM cards; the instructions for withdrawing M-Pesa and Airtel Money from PesaPoint ATMs are evidence of that. Mobile money's early challenges of float for deposits and agent distribution are also surmountable.

The challenge of the transaction amounts acceptable within mobile money is also real. One can pay bills of $2,000 using a credit card in the UK, and that's not possible with mobile money in Kenya. When reduced to the context of money withdrawals, mobile money and ATM systems seem comparable, since ATM systems often impose daily or weekly withdrawal limits for security.

Putting your mouth where your money is ...

With possible security loopholes in magnetic stripe systems, EMV cards and mobile money, the question of which one to build on and enhance has an obvious answer - to me. Kenya's financial institutions, mobile network operators and independent innovators should invest resources in making their mobile money implementations more secure - so secure that, on security considerations, they stand out ahead of solutions fronted by foreign corporations such as Visa and MasterCard.

There is already a national competitive advantage built around mobile money among Kenyan institutions. From mobile money transfers to mobile banking to mobile money withdrawal, Kenya is at the forefront in showing the world how to grow the platform. The solution to the ATM fraud issue should therefore not obviously be the expensive replacement of banks' magnetic stripe card infrastructure with a smart-card-based EMV infrastructure. Part, or most, of the solution is for banks and other players to better embrace Kenya's mobile money revolution.

Conclusion: Job Creation

By the sheer fact that mobile money systems create jobs at the agency level that upgraded (EMV-based) ATM machines will not create, it can be argued that putting our mouth where our money is, by developing mobile money systems further, is better than mass importing new ATM machines, point of sale terminals and other related infrastructure items.