Attacks against automated teller machines (ATMs) are legion. From ATM card skimmers to web-based phishing attacks, banking customers are in constant danger of having their sensitive financial information stolen.
While strong anti-fraud features in ATM and credit cards are fast replacing older magnetic-stripe cards in the U.S., startups are proposing even bigger fixes for ATM networks and other point-of-sale systems, from “swipe biometrics” to ditching the ATM card altogether.
One of those companies, Trusona, emerged from stealth mode on Monday. The company, which is based in Scottsdale, Arizona, says it has patented technology, dubbed TruToken, that derives a unique signature from the physical magnetic signature found in each card’s mag-stripe. “No two mag-stripes are the same, which allows the TruToken’s technology to easily recognize a counterfeit card,” the company said in a press release.
In an interview with The Security Ledger, Ori Eisen, Trusona’s founder and CEO, said the company measures the presence of barium ferrite particles on the magnetic stripes that store data on standard-issue ATM cards. The random distribution of those particles creates a unique fingerprint on each card that Trusona’s technology can check when the card is inserted into an ATM or other card reader, Eisen said.
But Eisen said that measuring unique card characteristics alone won’t prevent fraud via compromised ATMs or point-of-sale systems. To prevent so-called “session replay” attacks, in which an attacker uses malicious software on the ATM or another device to capture the unique card signature and “replay” it during a later transaction, Eisen said Trusona also measures the unique characteristics of each swipe. Subtle differences in card angle, swipe speed and the condition of the ATM card make each swipe through a reader slightly different, Eisen said. Combined with the unique fingerprint, Trusona claims to be able to prevent 100% of card fraud.
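To make the two checks described above concrete, here is an added illustration in Python. It is not Trusona’s code or algorithm; the 64-bit fingerprint, the Hamming-distance tolerance, the swipe fields and all sample values are assumptions constructed for the example. The first check rejects a cloned stripe (same track data, different physical signature); the second treats an exact repeat of an already-accepted swipe as replayed capture data, since two genuine swipes never reproduce the same angle, speed and noisy read.

```python
from dataclasses import dataclass

# Constructed illustration of the two checks in the article, NOT Trusona's own
# implementation: bit width, tolerance and field names are assumptions.
FINGERPRINT_BITS = 64
MAX_HAMMING = 6   # assumed read-noise tolerance for a genuine card


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprint reads."""
    return bin(a ^ b).count("1")


@dataclass(frozen=True)
class Swipe:
    fingerprint: int      # noisy read of the physical stripe signature
    angle_deg: float      # card angle through the reader
    speed_cm_s: float     # swipe speed


class SwipeVerifier:
    def __init__(self, enrolled: dict[str, int]):
        self.enrolled = enrolled               # card id -> read taken at enrollment
        self.seen: dict[str, set[Swipe]] = {}  # card id -> swipes already accepted

    def verify(self, card_id: str, swipe: Swipe) -> str:
        ref = self.enrolled.get(card_id)
        if ref is None:
            return "unknown-card"
        # Check 1: physical fingerprint. A cloned stripe carries the same track
        # data but a different particle distribution, so its read falls far
        # outside the noise tolerance of the enrolled fingerprint.
        if hamming(ref, swipe.fingerprint) > MAX_HAMMING:
            return "counterfeit"
        # Check 2: replay. An exact repeat of an accepted swipe (same noisy read,
        # same angle, same speed) cannot come from a fresh physical swipe, so it
        # is treated as captured data being replayed.
        history = self.seen.setdefault(card_id, set())
        if swipe in history:
            return "replay"
        history.add(swipe)
        return "ok"


# Constructed sample data: one enrolled card and a short sequence of swipes.
ENROLLED_FINGERPRINT = 0x5A5AF0F01234ABCD


def demo() -> list[str]:
    verifier = SwipeVerifier({"card-1": ENROLLED_FINGERPRINT})
    genuine_1 = Swipe(ENROLLED_FINGERPRINT ^ 0b101, 12.5, 38.0)        # 2 noisy bits
    genuine_2 = Swipe(ENROLLED_FINGERPRINT ^ 0b10000000, 9.8, 41.2)    # 1 noisy bit
    cloned = Swipe(ENROLLED_FINGERPRINT ^ 0xFFFF, 12.5, 38.0)          # 16 bits off
    return [
        verifier.verify("card-1", genuine_1),   # ok
        verifier.verify("card-1", genuine_2),   # ok
        verifier.verify("card-1", genuine_1),   # replay of an accepted swipe
        verifier.verify("card-1", cloned),      # counterfeit stripe
        verifier.verify("card-9", genuine_1),   # never enrolled
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The replay check here is deliberately strict (exact equality); a production system would instead score how close a new swipe is to past swipes and to the expected noise distribution, which is the part the article leaves unspecified.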
Eisen, along with longtime partner Frank Abagnale (whose life story was the subject of the film “Catch Me If You Can”), previously founded 41st Parameter, an anti-fraud and device identification firm that was acquired by the credit rating firm Experian for $324 million in 2013.
Trusona’s technology has already been used to prevent ATM fraud, said Eisen. Now the company is marketing a new solution that combines a mobile application and a card reader to help secure high-value transactions such as wire transfers. The company received an $8M Series A funding round led by Ted Schlein of Kleiner Perkins Caufield & Byers (KPCB).
The problem of card fraud is growing, even though fraud rates are declining. Thirty percent of respondents in the most recent ATM Industry Association (ATMIA) Fraud and Security Survey (PDF) found that card skimming was the most serious form of ATM fraud, while malware and so-called “black box” attacks were reported by 8% of respondents.
Skimming attacks cost an average of $650 per card, or $5,000 to $100,000 per incident, while malware and black box attacks averaged $104,000 per incident, the ATMIA survey found.
Other firms are hoping to remove cards from the transaction entirely. A recent report noted that banks in the US, including Wells Fargo, Bank of America and Chase, are updating ATMs to allow cardless withdrawals in which a mobile application displays a scannable code at the ATM to access funds, without requiring a PIN.
At the Consumer Electronics Show (CES) in January, the ATM manufacturer Diebold teamed up with the firm EyeLock, which sells iris-based identity authentication solutions, on a prototype ATM that combines proximity-based authentication, using an NFC-based token on a smartphone, with iris scanning technology to authorize withdrawals.
Eisen of Trusona said that sophisticated banking trojans and other malware have made it easy to steal sensitive credentials and mimic legitimate transactions to fool anti-fraud systems. The new generation of technology seeks to work around the insecurity of those transactions, which Eisen said is rooted in protocols like DNS and TCP/IP that were “designed insecure” and make networks and the transactions that happen over them inherently insecure.
The combination of strong authentication – in part using now-ubiquitous mobile devices – with biometrics may provide a way to authenticate high value transactions, social media accounts and other IT assets, he said.