An old article on ATMs in France ... please note:
Almost all hack and scam stories fall into two categories. The first includes all the most incredible stories about witty juvenile hackers or humble programmers who, sitting at their personal computers, break into American banks. This also includes stories about the most complex devices that can be installed ... for example at ATMs and, by forging a credit card, withdraw huge amounts from the accounts of the holders. Such stories are extremely loved by both journalists and readers. However, most often you can find the "flip side of the coin". Someone did not watch something, someone did not follow the measures to protect information, or simply did not look after their own employees. But sometimes a lot of time passes before the truth is revealed. Recently, a series of frauds involving Eurocard / MasterCard and VISA plastic cards took place in Russia. Its essence was that the money of clients of Western banks began to disappear from the accounts (mostly Western, although, according to our information, Russian cards, for example, IMPEXBANK cards, were also compromised). The card holders contacted their banks on this matter. Those, in turn, informed the payment systems about this. Somewhat earlier, suspicious transactions were tracked by payment systems. An investigation by the Europay payment system has led to Russia. "The first results obtained in the course of the investigation," says the official statement of Europay, "made us pay close attention to the activities of the Union Card processing center located in Moscow, and all participants in this case are extremely reluctant to comment, while adhering to the "official version" of the bank or organization. Having conducted our own investigation, we interviewed a large number of personalities of the plastic card market and made our own picture of what happened. In order to withdraw money from a "card" account at an ATM, you need to: 1. Have an exact copy of the magnetic stripe. 2. Know the PIN. Where can you find this information? Only at an ATM. However, the ATM has, figuratively speaking, two sides. You can approach it from the side of the street and use smart and expensive devices to read the magnetic stripe and spy on the PIN-code. This is where the first category of scam stories comes into play - addictive and hard to follow. There is another option: to find out all the information "from inside" the ATM, which could be simpler and more accessible ... provided that somewhere there sits one (or several) people and receives it. For example, you can disable the cryptographic scheme that encrypts the PIN code at the ATM, and then the code will be sent to the processing center in unencrypted form. A chip with a cryptographic key (SAM, Secure Authentication Module) must be certified by FAPSI. It is much easier to work with an ATM that does not have such a microcircuit. There is a third option, which some of our colleagues liked: “Artful crooks manage to steal a card in the locker room of the gym, when a person waves dumbbells, make a copy in 10 minutes and return it to its place. You can find out the PIN code simply by looking over your shoulder. to the future victim when he or she withdraws money from an ATM "(see Belyakov D. Russian ATMs in Danger. Moscow Express. 1999. No. 14). However, in this case (remember that at least 280 cards were compromised, the holders of which are scattered all over the world) there is no point in thinking about such an option. The first two options remain. According to the Europay payment system dated November 17, 1999 (see World of Cards. 1999. No. 11), the following steps were taken to prevent further fraudulent actions. Banks issuing compromised cards have canceled most of them and issued new cards instead. The Union Card processing center on November 15, 1999 was deprived of its license to process transactions with Europay cards through ATMs. The management of Europay motivated this decision by the fact that "the Union Card center did not take measures to remedy the situation that would satisfy the management of Europay, and did not identify the persons responsible for the incident." Banking institutions, whose ATMs were connected to the Union Card center, decided to reconnect their ATMs to other processing centers. Europay claims that the license can only be reinstated if Union Card meets Europay's security requirements. However, the head of the Europay representative office in Russia, Andrei Korolyov, refused to tell us exactly which requirements Union Card had not fulfilled, arguing that the investigation had not yet been completed. So, the traces led us to the Russian Union Card payment system. This system first appeared on the Russian market in 1993. Union Card processing company is the processing center of this payment system and a certified Member Service Provider in Europay. It can serve several banks at once, providing them with processing on Europay cards. In particular, the system processed transactions with Europay cards through ATMs of Avtobank and Alfa-Bank. If we imagine for a second that the fraud was committed “from within” the ATM-processing system, it becomes obvious that the security requirements were not met either by the banks that installed the ATMs or by the company that processes the cards. As for banks, both Europay and VISA have officially announced that the two Russian banks involved in this case meet security standards. In particular, Tim Murthy, Senior Vice President of VISA CEMEA for Risk Management, said that VISA has strict requirements for security standards, regularly carries out a number of security preventive measures. periodically checks banks. Investigations often reveal that banks sometimes overly rely on vendors of ATM hardware and software. The same is the case with Russian banks. All equipment of Russian banks - members of Europay and VISA is certified by these payment systems. Although, of course, it is difficult to assume that someone would dare to say that the SAM chip was not at all in ATMs, or, more simply, that banks did not follow the most basic security measures. Regarding the Union Card, the VISA management officially stated that "the Union Card processing system has never been certified to carry out transactions with VISA cards" (see World of Cards. 1999. No. 11). According to representatives of Union Card, this processing company did not conduct transactions with VISA cards, and acted as a "transit medium" for these transactions. Mr. Murphy claims that there was no agreement on transit operations for VISA cards. Moreover, he was very surprised to hear such a concept as "transit environment" at a press conference on November 30, 1999. This ignorance is startling. For its part, Union Card has always claimed that it has been broadcasting VISA transactions in Russia for several years now, as it is a major payment system and every second transaction goes through the Union Card "transit network". Avtobank has taken a number of measures to stabilize the situation and strengthen the security system of its ATM network. These measures are coordinated with Europay, VISA and Union Card. Now Avtobank ATMs temporarily do not accept cards from third-party issuers. As for the cards issued by Avtobank, then the bank has its own processing center that processes these cards. In addition, Avtobank intends to physically replace cryptographic keys at 400 ATMs throughout Russia. This is a rather serious set of expensive measures, which looks at least strange if the bank is doing well. On the other hand, Europay stated directly that Union Card did not fulfill the security requirements of the payment system, although it was certified by Europay. According to Mr. Korolev, compromise of cards could also occur inside the Union Card processing center, although it is not yet clear at what stage of the transaction. In response, Union Card processing company also issued an official press statement (see World of Cards 1999, no. 11), in which it stated, that he considers the measures to temporarily deprive the company of the right to process transactions with Europay cards through ATMs quite reasonable. Union Card is also taking steps to improve security and, in particular, has invited an independent auditor to audit the processing company. Funding for the Union Card audit. In a telephone interview to World of Cards, Andrei Zhabinsky, deputy general director of the Union Card processing company, said that the termination of card transactions through its ATMs is only due to the need to be insured, and an audit is needed to prove that all security measures have been observed. Mr. Zhabinsky states that there was no large, planned fraud with plastic cards and could not be, since all security measures were observed, and Union Card has nothing to do with those cards that have been compromised. He believes that an investigation should be carried out on each specific case of fraud, since isolated cases of fraud did take place. However, since it was mainly foreign cards that had been in many countries that were compromised, all accusations, direct or indirect, against Union Card are groundless. However, nobody blames the processing company. For example, not a single bank has yet expressed its intention to end cooperation with Union Card. A reasonable question arises, where did this fraud story come from. According to Mr. Zhabinsky, it was "promoted" by the media, and competitors of Union Card began to talk about it. "This is a blow to the Russian card market," said Mr. Zhabinsky. Yury Koval, Deputy Chairman of Avtobank, agrees with him. In his opinion, all the difficulties that have arisen recently in our "card" market may be associated with the competition between Russian banks and Western payment systems. Western systems do not seem to be interested in discussing such delicate issues in the open press, which suggests their desire to "silence" cases of fraud. On the other hand, it is useless to deny that the competitors of Union Card, Avtobank and Alfa-Bank are interested in "fanning" this scandal, and this could explain the whole problem if the cases of fraud were not really serious. In fact, the international card fraud scheme was no different from the Union Card fraud in December 1998. According to our information, then several fraudulent transactions took place with the cards of this payment system. Neither the method of fraud, nor the specific perpetrators were identified. Then, in 1999, according to the same scenario, money was withdrawn from the "card" accounts of the holders of cards of the international payment system VISA (see Kommersant-Daily. 1999, November 19). People who were withdrawing money from ATMs (not in Russia) were arrested. The scammers used counterfeit cards with a copied magnetic stripe, they knew the PIN code. When asked about the case, Mr. Murphy barely recalled that "there were several fraudulent transactions," but declined to provide details of the case. All international payment systems keep repeating that security is the cornerstone of any payment system. Constant control of employees.
For the card issuer, compromise of both the magnetic stripe and the PIN can lead to significant financial losses, therefore, special attention should be paid to checking the software and hardware. Now all the participants in this case assure cardholders that the danger of such fraud through ATMs has been eliminated. However, it cannot be argued that the fraud will end there, since those people who make copies of cards and learn PIN codes have not been caught, and it is not known whether they will be caught at all (recall December 1998). Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards. Almost all hack and scam stories fall into two categories. The first includes all the most incredible stories about witty juvenile hackers or humble programmers who, sitting at their personal computers, break into American banks. This also includes stories about the most complex devices that can be installed ... for example at ATMs and, by forging a credit card, withdraw huge amounts from the accounts of the holders. Such stories are extremely loved by both journalists and readers. However, most often you can find the "flip side of the coin". Someone did not finish something, some did not follow the measures to protect information or simply did not look after their own employees. But sometimes a lot of time passes before the truth is revealed. Recently, a series of frauds involving Eurocard / MasterCard and VISA plastic cards took place in Russia. Its essence was that the money of clients of Western banks began to disappear from the accounts (mostly Western, although, according to our information, Russian cards, for example, IMPEXBANK cards, were also compromised). The card holders contacted their banks on this matter. Those, in turn, informed the payment systems about this. Somewhat earlier, suspicious transactions were tracked by payment systems. An investigation by the Europay payment system has led to Russia. "The first results obtained during the investigation, Therefore, all facts and figures related to the case were not disclosed for obvious reasons. The investigation has not yet been completed, and all participants in this case are extremely reluctant to comment, while adhering to the "official version" of the bank or organization. Having conducted our own investigation, we interviewed a large number of personalities of the plastic card market and made our own picture of what happened. In order to withdraw money from a "card" account at an ATM, you need to: 1. Have an exact copy of the magnetic stripe. 2. Know the PIN. Where can you find this information? Only at an ATM. However, the ATM has, figuratively speaking, two sides. You can approach it from the side of the street and use smart and expensive devices to read the magnetic stripe and spy on the PIN-code. This is where the first category of scam stories comes into play - addictive and hard to follow. There is another option: to find out all the information "from inside" the ATM, which may be simpler and more accessible ... provided that one (or several) people are sitting there somewhere and receiving it. For example, you can disable the cryptographic scheme that encrypts the PIN code at the ATM, and then the code will be sent to the processing center in unencrypted form. A chip with a cryptographic key (SAM, Secure Authentication Module) must be certified by FAPSI. It is much easier to work with an ATM that does not have such a microcircuit. There is also a third option, which some of our colleagues liked: make a copy in 10 minutes and return it to its place. The PIN code can be found simply by looking over the shoulder of the future victim when he or she withdraws money from an ATM "(see D. Belyakov, Russian ATMs are in Danger. Moscow Express. 1999. No. 14). However, in this case (remember that at least 280 cards have been compromised, the holders of which are scattered all over the world) there is no point in thinking about such an option. The first two options remain. Further fraudulent actions were taken as follows: Banks issuing compromised cards canceled most of them and issued new cards in return Union Card Processing Center November 15, 1999 was deprived of the license to process transactions with Europay cards through ATMs. The management of Europay motivated this decision by the fact that "the Union Card center did not take measures to correct the situation that would satisfy the management of Europay, and did not identify the persons responsible for the incident." Banking institutions, whose ATMs were connected to the Union Card center, decided to reconnect its ATMs to other processing centers. Europay claims that the license can only be reinstated if Union Card meets Europay's security requirements. However, the head of the Europay representative office in Russia, Andrei Korolyov, refused to tell us exactly which requirements Union Card had not fulfilled, arguing that the investigation had not yet been completed. So, traces led us to the Russian Union Card payment system. This system first appeared on the Russian market in 1993. Union Card processing company is the processing center of this payment system and a certified Member Service Provider in Europay. It can serve several banks at once, providing them with processing with Europay cards. In particular, the system processed transactions with Europay cards through ATMs of Avtobank and Alfa-Bank. If we imagine for a second that the fraud was committed “from within” the ATM-processing system, it becomes obvious that the security requirements were not met either by the banks that installed the ATMs or by the company that processes the cards. As for banks, both Europay and VISA have officially announced that the two Russian banks involved in this case comply with security standards. In particular, Tim Murthy, senior vice president of VISA CEMEA for risk management, said that VISA imposes strict requirements on security standards, regularly carries out a number of security preventive measures, and periodically checks banks. Investigations often reveal that banks sometimes overly rely on vendors of ATM hardware and software. The same is the case with Russian banks. All equipment of Russian banks - members of Europay and VISA is certified by these payment systems. Although, of course, it is difficult to assume that someone would dare to say that the SAM chip was not at all in ATMs, or, more simply, that banks did not follow the most basic security measures. Regarding the Union Card, the VISA management officially stated that "the Union Card processing system has never been certified to carry out transactions with VISA cards" (see World of Cards. 1999. No. 11). According to representatives of Union Card, this processing company did not conduct transactions with VISA cards, but acted as a "transit medium" for these transactions. Mr. Murphy claims that there was no agreement on transit operations for VISA cards. Moreover, he was very surprised to hear such a concept as "transit environment" at a press conference on November 30, 1999. This ignorance is startling. For its part, Union Card has always claimed that it has been broadcasting VISA transactions in Russia for several years, since it is a large payment system and every second transaction goes through " the compromise of cards could also occur inside the Union Card processing center, although it is not yet clear at what stage of the transaction. In response, Union Card processing company also issued an official press statement (see World of Cards. 1999. No. 11), in which it stated that it considers the measures to temporarily deprive the company of the right to process transactions with Europay cards through ATMs as reasonable. Union Card is also taking steps to improve security and, in particular, has invited an independent auditor to audit the processing company. Funding for the Union Card audit. In a telephone interview to the World of Cards, Andrei Zhabinsky, deputy general director of the Union Card processing company, said that the termination of card transactions through its ATMs is only due to the need to secure himself. and an audit is needed to prove that all security measures have been followed. Mr. Zhabinsky states that there was no large, planned fraud with plastic cards, and could not be, since all security measures were observed, and Union Card has nothing to do with those cards that were compromised. He believes that an investigation should be carried out on each specific case of fraud, since isolated cases of fraud did take place. However, since it was mainly foreign cards that had been in many countries that were compromised, all accusations, direct or indirect, against Union Card are groundless. However, nobody blames the processing company. For example, not a single bank has yet expressed its intention to end cooperation with Union Card. A reasonable question arises, where did this fraud story come from. According to Mr. Zhabinsky, it was "promoted" by the media, and competitors of Union Card began to talk about it. "This is a blow to the Russian card market," said Mr. Zhabinsky. Yury Koval, Deputy Chairman of Avtobank, agrees with him. In his opinion, all the difficulties that have arisen recently in our "card" market may be associated with the competition between Russian banks and Western payment systems. Western systems do not seem to be interested in discussing such delicate issues in the open press, which suggests their desire to "silence" cases of fraud. On the other hand, it is useless to deny that the competitors of Union Card, Avtobank and Alfa-Bank are interested in "fanning" this scandal, and this could explain the whole problem if the fraud cases were not really serious. In fact, the international card fraud scheme was no different from the Union Card fraud in December 1998. According to our information, then there were several fraudulent transactions with the cards of this payment system. Neither the method of fraud, nor the specific perpetrators were identified. Then, in 1999, according to the same scenario, money was withdrawn from the "card" accounts of the holders of cards of the international payment system VISA (see Kommersant-Daily. 1999, November 19). People who were withdrawing money from ATMs (not in Russia) were arrested. The scammers used counterfeit cards with a copied magnetic stripe, they knew the PIN code. When asked about this case, Mr. Murphy could hardly remember, that "there were several fraudulent transactions", but declined to provide details of the case. All international payment systems keep repeating that security is the cornerstone of any payment system. Constant control of employees, monitoring of transactions and periodic verification of equipment will lead to the fact that confidential information does not fall into the hands of criminals and losses from fraud will be reduced to a minimum. For the card issuer, compromise of both the magnetic stripe and the PIN can lead to significant financial losses, therefore, special attention should be paid to checking the software and hardware. Now all the participants in this case assure cardholders that the danger of such fraud through ATMs has been eliminated. However, it cannot be argued that this will end the fraud, since those people who make copies of cards and find out PIN-codes are not caught, and it is not known whether they will be caught at all (remember December 1998). Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards. Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards. Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards.
Almost all hack and scam stories fall into two categories. The first includes all the most incredible stories about witty juvenile hackers or humble programmers who, sitting at their personal computers, break into American banks. This also includes stories about the most complex devices that can be installed ... for example at ATMs and, by forging a credit card, withdraw huge amounts from the accounts of the holders. Such stories are extremely loved by both journalists and readers. However, most often you can find the "flip side of the coin". Someone did not watch something, someone did not follow the measures to protect information, or simply did not look after their own employees. But sometimes a lot of time passes before the truth is revealed. Recently, a series of frauds involving Eurocard / MasterCard and VISA plastic cards took place in Russia. Its essence was that the money of clients of Western banks began to disappear from the accounts (mostly Western, although, according to our information, Russian cards, for example, IMPEXBANK cards, were also compromised). The card holders contacted their banks on this matter. Those, in turn, informed the payment systems about this. Somewhat earlier, suspicious transactions were tracked by payment systems. An investigation by the Europay payment system has led to Russia. "The first results obtained in the course of the investigation," says the official statement of Europay, "made us pay close attention to the activities of the Union Card processing center located in Moscow, and all participants in this case are extremely reluctant to comment, while adhering to the "official version" of the bank or organization. Having conducted our own investigation, we interviewed a large number of personalities of the plastic card market and made our own picture of what happened. In order to withdraw money from a "card" account at an ATM, you need to: 1. Have an exact copy of the magnetic stripe. 2. Know the PIN. Where can you find this information? Only at an ATM. However, the ATM has, figuratively speaking, two sides. You can approach it from the side of the street and use smart and expensive devices to read the magnetic stripe and spy on the PIN-code. This is where the first category of scam stories comes into play - addictive and hard to follow. There is another option: to find out all the information "from inside" the ATM, which could be simpler and more accessible ... provided that somewhere there sits one (or several) people and receives it. For example, you can disable the cryptographic scheme that encrypts the PIN code at the ATM, and then the code will be sent to the processing center in unencrypted form. A chip with a cryptographic key (SAM, Secure Authentication Module) must be certified by FAPSI. It is much easier to work with an ATM that does not have such a microcircuit. There is a third option, which some of our colleagues liked: “Artful crooks manage to steal a card in the locker room of the gym, when a person waves dumbbells, make a copy in 10 minutes and return it to its place. You can find out the PIN code simply by looking over your shoulder. to the future victim when he or she withdraws money from an ATM "(see Belyakov D. Russian ATMs in Danger. Moscow Express. 1999. No. 14). However, in this case (remember that at least 280 cards were compromised, the holders of which are scattered all over the world) there is no point in thinking about such an option. The first two options remain. According to the Europay payment system dated November 17, 1999 (see World of Cards. 1999. No. 11), the following steps were taken to prevent further fraudulent actions. Banks issuing compromised cards have canceled most of them and issued new cards instead. The Union Card processing center on November 15, 1999 was deprived of its license to process transactions with Europay cards through ATMs. The management of Europay motivated this decision by the fact that "the Union Card center did not take measures to remedy the situation that would satisfy the management of Europay, and did not identify the persons responsible for the incident." Banking institutions, whose ATMs were connected to the Union Card center, decided to reconnect their ATMs to other processing centers. Europay claims that the license can only be reinstated if Union Card meets Europay's security requirements. However, the head of the Europay representative office in Russia, Andrei Korolyov, refused to tell us exactly which requirements Union Card had not fulfilled, arguing that the investigation had not yet been completed. So, the traces led us to the Russian Union Card payment system. This system first appeared on the Russian market in 1993. Union Card processing company is the processing center of this payment system and a certified Member Service Provider in Europay. It can serve several banks at once, providing them with processing on Europay cards. In particular, the system processed transactions with Europay cards through ATMs of Avtobank and Alfa-Bank. If we imagine for a second that the fraud was committed “from within” the ATM-processing system, it becomes obvious that the security requirements were not met either by the banks that installed the ATMs or by the company that processes the cards. As for banks, both Europay and VISA have officially announced that the two Russian banks involved in this case meet security standards. In particular, Tim Murthy, Senior Vice President of VISA CEMEA for Risk Management, said that VISA has strict requirements for security standards, regularly carries out a number of security preventive measures. periodically checks banks. Investigations often reveal that banks sometimes overly rely on vendors of ATM hardware and software. The same is the case with Russian banks. All equipment of Russian banks - members of Europay and VISA is certified by these payment systems. Although, of course, it is difficult to assume that someone would dare to say that the SAM chip was not at all in ATMs, or, more simply, that banks did not follow the most basic security measures. Regarding the Union Card, the VISA management officially stated that "the Union Card processing system has never been certified to carry out transactions with VISA cards" (see World of Cards. 1999. No. 11). According to representatives of Union Card, this processing company did not conduct transactions with VISA cards, and acted as a "transit medium" for these transactions. Mr. Murphy claims that there was no agreement on transit operations for VISA cards. Moreover, he was very surprised to hear such a concept as "transit environment" at a press conference on November 30, 1999. This ignorance is startling. For its part, Union Card has always claimed that it has been broadcasting VISA transactions in Russia for several years now, as it is a major payment system and every second transaction goes through the Union Card "transit network". Avtobank has taken a number of measures to stabilize the situation and strengthen the security system of its ATM network. These measures are coordinated with Europay, VISA and Union Card. Now Avtobank ATMs temporarily do not accept cards from third-party issuers. As for the cards issued by Avtobank, then the bank has its own processing center that processes these cards. In addition, Avtobank intends to physically replace cryptographic keys at 400 ATMs throughout Russia. This is a rather serious set of expensive measures, which looks at least strange if the bank is doing well. On the other hand, Europay stated directly that Union Card did not fulfill the security requirements of the payment system, although it was certified by Europay. According to Mr. Korolev, compromise of cards could also occur inside the Union Card processing center, although it is not yet clear at what stage of the transaction. In response, Union Card processing company also issued an official press statement (see World of Cards 1999, no. 11), in which it stated, that he considers the measures to temporarily deprive the company of the right to process transactions with Europay cards through ATMs quite reasonable. Union Card is also taking steps to improve security and, in particular, has invited an independent auditor to audit the processing company. Funding for the Union Card audit. In a telephone interview to World of Cards, Andrei Zhabinsky, deputy general director of the Union Card processing company, said that the termination of card transactions through its ATMs is only due to the need to be insured, and an audit is needed to prove that all security measures have been observed. Mr. Zhabinsky states that there was no large, planned fraud with plastic cards and could not be, since all security measures were observed, and Union Card has nothing to do with those cards that have been compromised. He believes that an investigation should be carried out on each specific case of fraud, since isolated cases of fraud did take place. However, since it was mainly foreign cards that had been in many countries that were compromised, all accusations, direct or indirect, against Union Card are groundless. However, nobody blames the processing company. For example, not a single bank has yet expressed its intention to end cooperation with Union Card. A reasonable question arises, where did this fraud story come from. According to Mr. Zhabinsky, it was "promoted" by the media, and competitors of Union Card began to talk about it. "This is a blow to the Russian card market," said Mr. Zhabinsky. Yury Koval, Deputy Chairman of Avtobank, agrees with him. In his opinion, all the difficulties that have arisen recently in our "card" market may be associated with the competition between Russian banks and Western payment systems. Western systems do not seem to be interested in discussing such delicate issues in the open press, which suggests their desire to "silence" cases of fraud. On the other hand, it is useless to deny that the competitors of Union Card, Avtobank and Alfa-Bank are interested in "fanning" this scandal, and this could explain the whole problem if the cases of fraud were not really serious. In fact, the international card fraud scheme was no different from the Union Card fraud in December 1998. According to our information, then several fraudulent transactions took place with the cards of this payment system. Neither the method of fraud, nor the specific perpetrators were identified. Then, in 1999, according to the same scenario, money was withdrawn from the "card" accounts of the holders of cards of the international payment system VISA (see Kommersant-Daily. 1999, November 19). People who were withdrawing money from ATMs (not in Russia) were arrested. The scammers used counterfeit cards with a copied magnetic stripe, they knew the PIN code. When asked about the case, Mr. Murphy barely recalled that "there were several fraudulent transactions," but declined to provide details of the case. All international payment systems keep repeating that security is the cornerstone of any payment system. Constant control of employees.
For the card issuer, compromise of both the magnetic stripe and the PIN can lead to significant financial losses, therefore, special attention should be paid to checking the software and hardware. Now all the participants in this case assure cardholders that the danger of such fraud through ATMs has been eliminated. However, it cannot be argued that the fraud will end there, since those people who make copies of cards and learn PIN codes have not been caught, and it is not known whether they will be caught at all (recall December 1998). Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards. Almost all hack and scam stories fall into two categories. The first includes all the most incredible stories about witty juvenile hackers or humble programmers who, sitting at their personal computers, break into American banks. This also includes stories about the most complex devices that can be installed ... for example at ATMs and, by forging a credit card, withdraw huge amounts from the accounts of the holders. Such stories are extremely loved by both journalists and readers. However, most often you can find the "flip side of the coin". Someone did not finish something, some did not follow the measures to protect information or simply did not look after their own employees. But sometimes a lot of time passes before the truth is revealed. Recently, a series of frauds involving Eurocard / MasterCard and VISA plastic cards took place in Russia. Its essence was that the money of clients of Western banks began to disappear from the accounts (mostly Western, although, according to our information, Russian cards, for example, IMPEXBANK cards, were also compromised). The card holders contacted their banks on this matter. Those, in turn, informed the payment systems about this. Somewhat earlier, suspicious transactions were tracked by payment systems. An investigation by the Europay payment system has led to Russia. "The first results obtained during the investigation, Therefore, all facts and figures related to the case were not disclosed for obvious reasons. The investigation has not yet been completed, and all participants in this case are extremely reluctant to comment, while adhering to the "official version" of the bank or organization. Having conducted our own investigation, we interviewed a large number of personalities of the plastic card market and made our own picture of what happened. In order to withdraw money from a "card" account at an ATM, you need to: 1. Have an exact copy of the magnetic stripe. 2. Know the PIN. Where can you find this information? Only at an ATM. However, the ATM has, figuratively speaking, two sides. You can approach it from the side of the street and use smart and expensive devices to read the magnetic stripe and spy on the PIN-code. This is where the first category of scam stories comes into play - addictive and hard to follow. There is another option: to find out all the information "from inside" the ATM, which may be simpler and more accessible ... provided that one (or several) people are sitting there somewhere and receiving it. For example, you can disable the cryptographic scheme that encrypts the PIN code at the ATM, and then the code will be sent to the processing center in unencrypted form. A chip with a cryptographic key (SAM, Secure Authentication Module) must be certified by FAPSI. It is much easier to work with an ATM that does not have such a microcircuit. There is also a third option, which some of our colleagues liked: make a copy in 10 minutes and return it to its place. The PIN code can be found simply by looking over the shoulder of the future victim when he or she withdraws money from an ATM "(see D. Belyakov, Russian ATMs are in Danger. Moscow Express. 1999. No. 14). However, in this case (remember that at least 280 cards have been compromised, the holders of which are scattered all over the world) there is no point in thinking about such an option. The first two options remain. Further fraudulent actions were taken as follows: Banks issuing compromised cards canceled most of them and issued new cards in return Union Card Processing Center November 15, 1999 was deprived of the license to process transactions with Europay cards through ATMs. The management of Europay motivated this decision by the fact that "the Union Card center did not take measures to correct the situation that would satisfy the management of Europay, and did not identify the persons responsible for the incident." Banking institutions, whose ATMs were connected to the Union Card center, decided to reconnect its ATMs to other processing centers. Europay claims that the license can only be reinstated if Union Card meets Europay's security requirements. However, the head of the Europay representative office in Russia, Andrei Korolyov, refused to tell us exactly which requirements Union Card had not fulfilled, arguing that the investigation had not yet been completed. So, traces led us to the Russian Union Card payment system. This system first appeared on the Russian market in 1993. Union Card processing company is the processing center of this payment system and a certified Member Service Provider in Europay. It can serve several banks at once, providing them with processing with Europay cards. In particular, the system processed transactions with Europay cards through ATMs of Avtobank and Alfa-Bank. If we imagine for a second that the fraud was committed “from within” the ATM-processing system, it becomes obvious that the security requirements were not met either by the banks that installed the ATMs or by the company that processes the cards. As for banks, both Europay and VISA have officially announced that the two Russian banks involved in this case comply with security standards. In particular, Tim Murthy, senior vice president of VISA CEMEA for risk management, said that VISA imposes strict requirements on security standards, regularly carries out a number of security preventive measures, and periodically checks banks. Investigations often reveal that banks sometimes overly rely on vendors of ATM hardware and software. The same is the case with Russian banks. All equipment of Russian banks - members of Europay and VISA is certified by these payment systems. Although, of course, it is difficult to assume that someone would dare to say that the SAM chip was not at all in ATMs, or, more simply, that banks did not follow the most basic security measures. Regarding the Union Card, the VISA management officially stated that "the Union Card processing system has never been certified to carry out transactions with VISA cards" (see World of Cards. 1999. No. 11). According to representatives of Union Card, this processing company did not conduct transactions with VISA cards, but acted as a "transit medium" for these transactions. Mr. Murphy claims that there was no agreement on transit operations for VISA cards. Moreover, he was very surprised to hear such a concept as "transit environment" at a press conference on November 30, 1999. This ignorance is startling. For its part, Union Card has always claimed that it has been broadcasting VISA transactions in Russia for several years, since it is a large payment system and every second transaction goes through " the compromise of cards could also occur inside the Union Card processing center, although it is not yet clear at what stage of the transaction. In response, Union Card processing company also issued an official press statement (see World of Cards. 1999. No. 11), in which it stated that it considers the measures to temporarily deprive the company of the right to process transactions with Europay cards through ATMs as reasonable. Union Card is also taking steps to improve security and, in particular, has invited an independent auditor to audit the processing company. Funding for the Union Card audit. In a telephone interview to the World of Cards, Andrei Zhabinsky, deputy general director of the Union Card processing company, said that the termination of card transactions through its ATMs is only due to the need to secure himself. and an audit is needed to prove that all security measures have been followed. Mr. Zhabinsky states that there was no large, planned fraud with plastic cards, and could not be, since all security measures were observed, and Union Card has nothing to do with those cards that were compromised. He believes that an investigation should be carried out on each specific case of fraud, since isolated cases of fraud did take place. However, since it was mainly foreign cards that had been in many countries that were compromised, all accusations, direct or indirect, against Union Card are groundless. However, nobody blames the processing company. For example, not a single bank has yet expressed its intention to end cooperation with Union Card. A reasonable question arises, where did this fraud story come from. According to Mr. Zhabinsky, it was "promoted" by the media, and competitors of Union Card began to talk about it. "This is a blow to the Russian card market," said Mr. Zhabinsky. Yury Koval, Deputy Chairman of Avtobank, agrees with him. In his opinion, all the difficulties that have arisen recently in our "card" market may be associated with the competition between Russian banks and Western payment systems. Western systems do not seem to be interested in discussing such delicate issues in the open press, which suggests their desire to "silence" cases of fraud. On the other hand, it is useless to deny that the competitors of Union Card, Avtobank and Alfa-Bank are interested in "fanning" this scandal, and this could explain the whole problem if the fraud cases were not really serious. In fact, the international card fraud scheme was no different from the Union Card fraud in December 1998. According to our information, then there were several fraudulent transactions with the cards of this payment system. Neither the method of fraud, nor the specific perpetrators were identified. Then, in 1999, according to the same scenario, money was withdrawn from the "card" accounts of the holders of cards of the international payment system VISA (see Kommersant-Daily. 1999, November 19). People who were withdrawing money from ATMs (not in Russia) were arrested. The scammers used counterfeit cards with a copied magnetic stripe, they knew the PIN code. When asked about this case, Mr. Murphy could hardly remember, that "there were several fraudulent transactions", but declined to provide details of the case. All international payment systems keep repeating that security is the cornerstone of any payment system. Constant control of employees, monitoring of transactions and periodic verification of equipment will lead to the fact that confidential information does not fall into the hands of criminals and losses from fraud will be reduced to a minimum. For the card issuer, compromise of both the magnetic stripe and the PIN can lead to significant financial losses, therefore, special attention should be paid to checking the software and hardware. Now all the participants in this case assure cardholders that the danger of such fraud through ATMs has been eliminated. However, it cannot be argued that this will end the fraud, since those people who make copies of cards and find out PIN-codes are not caught, and it is not known whether they will be caught at all (remember December 1998). Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards. Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards. Only after the final investigation of this case will it be possible to terminate the cases of fraud. But we will be able to find out its results, perhaps, not soon ... or never. Of course, the hype around this case will not facilitate the investigation, and maybe even hinder it. However, it forces those who keep silent about their mistakes to take adequate measures to protect the interests of participants in payment systems, and first of all, holders of payment cards.
