PCI Compliance for Unattended Self-Service Kiosks – Kiosk Manufacturer Association Announcement

Press Release

PCI Compliance for Unattended Self-Service Kiosks

WESTMINSTER, Colo., Dec. 15, 2020 (SEND2PRESS NEWSWIRE) — The Kiosk Manufacturer Association (KMA), the leading unattended self-service kiosk association established in 1995, today announced the launch of new initiatives in the PCI Compliance space for unattended self-service kiosks. Those initiatives include providing content for the PCI Perspectives Blog, creating a SIG (Special Interest Group) within PCI SSC for unattended and semi-attended transactions, as well as new guidepost content from our sponsors and members outlining best practices.

The kiosk association has a standing PCI Compliance committee and a Slack-based working group (free to join). Members include OTI Global, Unattended Card Payments (UCP), Datacap Systems, Ingenico, KioWare, Olea Kiosks, Lilitab and Self-Service Networks, who provide Cash2Card Giftwise.

“The pandemic is fundamentally altering the relationship that business and customer have had historically. Rather than the conventional ‘push’ from storefront to customer, the ratio of customers ‘pulling’ from business is rapidly increasing. Online mechanisms are no longer optional but instead, mandatory,” says association spokesman, Craig Keefner. “Contactless and touchless are the new cornerstones. Shortening those transaction timeframes whether Drive-Thru or Text-to-pay are the new base metrics.”

The pandemic's impact on the currencies and payment methods involved in today's secure transaction has also expanded. Cash2Card deployments are rising, and instead of the old Redbox DVDs at McDonald's you may soon have new Bitcoin ATM kiosks.

Technologies emerging and in-use include conversational artificial intelligence (AI) and all types of visual recognition systems (automobile license and facial examples given).

To stay informed on customer self-order and employee terminals, sign up for our monthly news update or visit our website.

Visit: https://kioskindustry.org/standards/pci-emv-kiosk/.

About Kiosk Manufacturer Association:

PCI Compliance – Payment Card Security Requirements PTS POI – November 2020

PCI SSC Technical FAQs for use with Version 6

A new November update to the PCI SSC Technical FAQs has been issued. It is listed below. We have also listed some other interesting questions.

The full document is provided by the PCI Security Standards Council.

November 2020: POI devices must support one or more of four specified techniques for the loading of private or secret keys. Methods a and b are for plaintext key loading and methods c and d are for encrypted key loading. The requirement specifies that EPPs and OEM PEDs intended for use in an unattended environment shall only support methods a, c, and d. It further specifies that SCRPs shall only support the loading of encrypted keying material. Are there any other restrictions?

A Yes. For all new evaluations (i.e., evaluations that result in a new approval) of POI v5 devices, the POI devices must support at least one of the encrypted key loading methods for the loading of private or secret keys.

Requirement A9 stipulates that the device must provide a means to deter the visual observation of PIN values as they are being entered by the cardholder. What methods are acceptable?

A The POI Security Requirements provide for several options that may be used separately or in combination to provide privacy during PIN entry. These options are:

  • A physical (privacy) shielding barrier. Note that if the privacy shield is detachable, a user’s guide must accompany the device stating that the privacy shield must be used to comply with ISO 9564. Optionally, the user’s guide can also reference PCI device requirements;
  • A design that lets the cardholder shield the PIN pad with his/her body to protect against observation of the PIN during PIN entry, e.g., a handheld device;
  • Limited viewing angle (for example, a polarizing filter or recessed PIN pad);
  • Housing that is part of the ATM or kiosk, cardholder’s hand or body (applies to handheld devices only); and
  • The installed device’s environment.

May (update) 2018: PIN entry devices may physically integrate in the same device other functionality, such as mobile phone, PDA capabilities or POS terminal. Handheld configurations of PIN entry devices may accommodate the attachment (e.g., via a sled, sleeve or audio jack) of a mobile phone, PDA or POS terminal, where the attached device communicates with the PED. Such a configuration appears as a single device, with separate interfaces for input by the clerk and cardholder. What considerations must be taken into account for either of these configurations?

A For any device where the cardholder is expected to use the same interface for PIN entry as the clerk would use for phone, PDA, payment application, etc. purposes, or where there are multiple interfaces in a single integrated device, the integrated device must be physically and logically hardened in accordance with the PTS POI security requirements. In a handheld configuration with an attached device, there is a risk that the cardholder enters the PIN on the wrong interface. Furthermore, the communication interface between the PED and the attached device may give the latter access to MSR functions without cryptographic controls, allowing skimming of card account data. In this integration model, either:

  • Both devices are assessed and validated as compliant to the PTS POI requirements, or
  • The PED device, which must also control the card reader(s), must implement and be validated against the PTS POI SRED module. The PED must enforce SRED functions for encryption of card data at all times. The PED is only allowed one state, and that is to encrypt all account data. It cannot be configured to enter a state where account data is not encrypted.

May (update) 2018: PIN Entry Devices that attach to a mobile phone, PDA or POS terminal via a sled, sleeve, audio jack, or wireless connection are required to support SRED. Does this apply to PEDs that are integrated with other devices (such as a tablet or mobile phone) that appear as a single device?

A Yes. An integrated device is one where two physically and electronically distinct devices (e.g., a PED and a commercial off the shelf (COTS) device such as a mobile phone) appear as a single device through the use of the plastics to mask the connectivity. In such a configuration, there is a risk that the cardholder enters the PIN on the wrong interface. Furthermore, the communication interface between the PED and the integrated device may give the latter access to card reader functions without cryptographic controls, allowing skimming of card account data. In this integration model, either:

  • Both the PED and non-PED are assessed and validated as compliant to the PTS POI requirements, or
  • The PED, which must also control the card reader(s), must implement and be validated against the PTS POI SRED module and be both physically and electronically distinct from the non-PED system (for example, it is not acceptable to have the PED firmware execute within the same processor as the non-PED firmware). The PED must enforce SRED functions for encryption of card data at all times. The PED is only allowed one state, and that is to encrypt all account data. It cannot be configured to enter a state where account data is not encrypted. The Security Policy must also state that the non-PED has not been assessed under the PCI PTS program and that security guidance is required to ensure the secure operation of the solution. An additional note will be added to the portal noting that the non-PED has not been assessed under the PTS program.

October 2018: Are there minimum requirements for the version of Android to be used within a PTS device?

A Yes, it is expected that the Android version is officially supported with security patches, at a minimum. Any reports, including deltas, where the Android version is not supported with regular security patches will be rejected. Where these patches are not provided by Google, evidence of security patches (implemented at least monthly) provided by the vendor must be documented in the report provided by PCI; evidence for this is expected to be validation of the update code by the laboratory for at least two previous patches, as well as validation by the laboratory that these patches have remediated existing known vulnerabilities in the version of Android used. Vendors should note that this means that consideration for the future patch status of any Android version used must be made during the initial design stages of the device, to prevent unexpected rejection of devices after an Android version becomes unsupported during the development of a solution.

What vulnerabilities must be taken into account for a touchscreen?

A If the sides are accessible, an overlay attack utilizing a second, clear touchscreen could be a problem. The connection/path from the touchscreen to the processor (and any devices used for decoding the signals in between) needs to be verified to be secure. Bezels around the touchscreen are especially dangerous because they can conceal access to areas of concern that are described above. The API for firmware and applications (if applicable) needs to be looked at carefully to determine the conditions under which plain-text data entry is allowed. Example: It should not be possible unless under acquirer display prompt-controlled devices, for a third party to display an image (JPEG) that states “press enter when ready for PIN entry” and then have a plain-text keypad pop up on the next screen. The extra caution is warranted for touchscreen devices because of the desire to make touchscreen devices user-friendly and to run many different, unauthenticated, uncontrolled applications. This is especially true for the devices that are intended to be held because of the tendency to regard them as a PDA that can perform debit transactions.

February (update) 2014: Does the use of protective keypad overlays impact the approval status of a device?

A Yes. In general, overlays are not supported by the device approval program due to the potential for keypad tapping or hiding tamper evidence. Overlays may be used where they do not cover any portion of the PIN entry area. For example, in a touchscreen device where the touchscreen is used for both signature capture and PIN entry, an overlay may be used to protect the signature area from excessive wear. In this example only the area used for signature capture may be protected. The material used must be transparent, and not merely translucent, so as not to obstruct the key-entry area when viewed from any angle.

Some devices ship with firmware that may be convertible into a compliant version but is not compliant as shipped. When is this acceptable?

A This is only acceptable where the conversion is one way and cannot be reversed. A device can only be converted to a compliant version. It shall not be capable of converting a compliant version to a non-compliant version. The conversion must be performed at the initial key loading of the acquiring entity’s secret keys. The transformation must result in the zeroization of any previously existing acquiring entity secret keys. The compliant version of firmware must be clearly distinguishable from the non-compliant version. Merely appending a suffix (one or more characters) to an existing firmware version is not acceptable. Rather the conversion must result in a high order version number that is clearly distinguishable to purchasers of such devices. Only the compliant version shall be approved and listed.

January 2015: There are a number of FAQs on the use of wireless technologies, such as Bluetooth and Wi-Fi. What is the intent of these FAQs, and does PCI have any specific requirements for other types of communications technologies?

A The intent of the FAQs on all wireless communications for POI devices is to ensure that the interfaces of the POI are protected such that:

  • Card data cannot be easily intercepted.
  • Command interfaces to the terminal cannot be easily accessed, intercepted for attack (such as MITM), or used as an attack vector into the device.
  • Compromise of the interface does not lead to, support, or facilitate further compromise of security assets of the POI.

PCI does not mandate or require the use of any specific communication technology, but any implementation must meet the above requirements through some aspect of the physical or logical layers of communication. Physical or direct wired communication often achieves this through the nature of its physical interface. Wireless communications cannot rely on this and therefore must rely instead on security at the link or application layers through use of a Security Protocol to establish a trusted path for all communications over the wireless link. This Security Protocol must have been tested and approved under the open-protocols module of the PCI PTS evaluation of that device, and examples of acceptable Security Protocol implementations include WPA2 (implemented at the link layer) or VPN encrypted tunnels (implemented at the application layer).

December (update) 2016: Can a PTS device be used as a beacon (iBeacon or BLE beacon) transmitter?

A Beacons for any version of BLE (e.g., 4.0, 4.1) are allowed provided the following conditions exist and are validated by a PTS approved lab:

  • The beacon is listed as a device interface in the PTS POI report.
  • Over the Air (OTA) provisioning is not allowed at any time. Provisioning and updating of beacons must be consistent with existing PTS standards (i.e., Section J, B4 or B4.1).
  • The beacon must be referenced in the security policy.
  • Beacons are transmit-only. The lab must validate that BLE communication cannot be used to respond to any external requests, connect, pair, or otherwise provide two-way communication to any other device.
  • The vendor provides documentation on the secure use and provisioning of the beacon, and that documentation clearly states that the beacon is used for transmit only and that OTA provisioning is not allowed.
  • The vendor will document the purpose of use of the beacon functionality, i.e., its intended use. The documentation must include what data is transmitted and ensure that no sensitive data can be transmitted.
  • The PTS device is never allowed to receive beacon transmissions.

PCI Compliance Tips COVID and Small Merchants by PCI SSC

PCI Compliance Tips from PCI SSC

From PCI SSC – The COVID-19 pandemic is quickly changing how many small merchants accept payments. Merchants that previously only had brick-and-mortar locations are moving to accept e-commerce and over-the-phone transactions. PCI Security Standards Council shares key considerations to help small merchants keep their customers’ payment data secure in this rapidly changing environment.

One tip from Kiosk Industry Group is to understand and know what access, if any, your vendors and supply chain have. The Target breach, for example, was due to a vendor using out-of-date free malware protection on their PC and getting in via Microsoft infrastructure.

TIP #1: REDUCE WHERE PAYMENT CARD DATA CAN BE FOUND

The best way to protect against data breaches is not to store card data at all. Many small merchants are offering curbside pickup now and are accepting telephone payments in lieu of former face-to-face transactions. Avoid writing payment card details down and instead enter them directly into your secure terminal. More Information: PCI SSC Special Interest Group Paper: Accepting Telephone Payments Securely

TIP #2: USE STRONG PASSWORDS

The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. To be effective, passwords must be strong and updated regularly. Weak and vendor default passwords are a frequent source of small merchant breaches. More Information: Strong Passwords Infographic

TIP #3: KEEP SOFTWARE PATCHED AND UP TO DATE

Criminals look for outdated software to exploit flaws in unpatched systems. Timely installation of security patches is crucial to minimize the risk of being breached. One way to keep up with all the necessary changes is by ensuring vulnerability scans are performed regularly to identify security issues. PCI Approved Scanning Vendors (ASVs) can help you identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and other systems, providing a report of your vulnerabilities and how to address them, for example, what patches to apply. Be sure to act upon the results of ASV vulnerability scans and keep your software up to date. More Information: Patching Infographic

TIP #4: USE STRONG ENCRYPTION

Encryption makes payment card data unreadable to people without a specific key, and can be used to protect stored data and data transmitted over a network. Ask your vendor whether your payment terminal encryption is done via a Point-to-Point Encryption solution and is on the PCI SSC’s List of PCI P2PE Validated Solutions. If you are setting up a new website, confirm the shopping cart provider is using proper encryption, such as TLS v1.2, to protect your customers’ data. More Information: Information Supplements on Use of SSL/Early TLS

TIP #5: USE SECURE REMOTE ACCESS

To minimize the risk of being breached, it’s important that you take part in managing how and when your vendors can access your systems. Criminals can gain access to your systems that store, process, or transmit payment data through weak remote access controls. You should limit use of remote access and disable it when not needed. If you must allow remote access, ask your vendors to use multi-factor authentication and strong remote access credentials that are unique to your business and not the same as those used for other customers. More Information: PCI SSC Secure Remote Access Infographic

TIP #6: ENSURE FIREWALLS ARE CONFIGURED PROPERLY

A firewall is a device or software that sits between your network and the Internet. It acts as a barrier to keep traffic out of your network and systems that you don’t want and didn’t authorize. Firewall rules can seem complex, but configuring them properly is vital to security. If you require additional assistance to properly configure your firewall, seek help from a network professional. More Information: Resource for Small Merchants: Firewall Basics

TIP #7: THINK BEFORE YOU CLICK

Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as a payment card number, merchant account number or password. Small merchants should be extra vigilant and be on the lookout for common phishing and social engineering hacks. More Information: Beware of COVID-19 Online Scams and Threats

TIP #8: CHOOSE TRUSTED PARTNERS

It’s critical you know who your service providers are and what security questions to ask them. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants (and those of you that recently started accepting e-commerce payments in lieu of face-to-face payments), it is important that your payment service providers are PCI DSS compliant, including the service provider that manages your payment process (your “payment service provider” or PSP). More Information:

PR – Self-Service Kiosk Association Launches New Website and Kiosk Market Analysis

WESTMINSTER, COLORADO, UNITED STATES, November 17, 2020 /EINPresswire.com/ — The kioskindustry.org communications site for the Kiosk Manufacturer Association (KMA) is pleased to announce the launch of our new website design.

The new design emphasizes content such as videos, opinion, sponsor and member news, as well as industry-wide news in the self-service kiosk related markets. Coverage of digital signage, smart city, POS and retail automation is also part of the content mix.

Major improvements include:

o More relevant content more quickly found
o Demo videos in articles by default
o Up to date SEO mechanisms such as Structured Data
o Inbuilt Ad and Analytics hooks (though we are no fan of Adsense)
o HTML5 | CSS3 support
o Author pagestyles
o Responsive slider for features
o And lastly, it is extremely quick (as measured by Google)

As part of the launch the KMA has commissioned a 2021-2022 Kiosk Market Analysis report covering a minimum of 40 companies (members and non-members). Participation is open to any company involved in self-service kiosks. That includes deployers and customers, as well as device supply chain providers (printers, service, displays, menuboards, touchscreens, drive-thru, mobile scanning, touchless touch, computers and more).

Markets covered include self-service kiosks, customer-facing POS (with exception of supermarkets checkout), Smart City, International markets such as SE Asia and Europe, plus a wide range of “interactive” and smart digital signage (including menuboards, outdoor and drive-thru).

How the market was before the pandemic and how it has changed due to the pandemic is a major focus. Looking forward to how self-service will be utilized in the future is the final component.

Your input is welcome and completely confidential with the nationally recognized research firm commissioned (BCC Research). Contact Craig at catareno.com and we will forward your contact information to the research firm.

Lastly, as a public service announcement, we would like to bring to your attention recent in-depth content on current VA fever screening actions that are endangering veterans, as well as content on deceptive temperature screening tablets from China. IPVM has been the leading independent test authority for temperature kiosks and surveillance cameras.

Craig Keefner
KMA / Kiosk Manufacturer Association
+1 720-324-1837

Kiosk Association Sponsors MUFSO Paul Brown, Inspire Brands Innovation Session

WESTMINSTER, Colo.–(BUSINESS WIRE)–Tomorrow, Tuesday the 20th at 3:30 pm EDT, the CEO of Inspire Brands Paul Brown speaks on innovation and lessons from Arby’s, Jimmy John’s, Sonic, and other Inspire Brands companies. The Kiosk Association is the session sponsor. Our mission is to inform and educate. Towards that end here is a direct link to register. Some of the innovations include new drive-thru designs as well as integration to Alexa and Amazon.

Some other recent innovations in the QSR and Fast Casual space that the Kiosk Association has noted include:

  • Contactless transactions combined with facial recognition for authentication
  • Weatherproof Android EMV Terminals Introduced – link
  • Touchless Kiosk Software (patent pending) – podcast interview at FinTech – link
  • QSR Market Review by Kiosk Industry – in SLED and Federal $6B in Opportunities – link
  • Contactless Curbside Pickup with Geo-Fencing – El Pollo Loco – link
  • Self-Service Kiosks With Pickup “Cubbies” ala Brightlook and Caesars Pizza – link

If you are interested in self-order kiosks, we have a catalog on kioskindustry.org of many manufacturers (customers include Appetize and McDonald’s, to name some). There are 22 COVID-related solutions available from the Kiosk Association, including automatic sanitizers, CDC-approved kiosks, and temperature scanning. You can see the Temperature COVID Catalog on the Intel Marketplace Solutions.

About the Kiosk Association (KMA)

  • On ADA and accessibility, we work directly with the U.S. Access Board and have a complete set of guidelines.
  • On PCI – we are a participating organization with PCI SSC. Our primary focus is on unattended ordering and ADA.
  • We are international with members in US, Germany, UK, SE Asia, and more.
  • Our mission is to inform and educate.

Contact Information

If your company, organization, association, local, city, state or federal agency would like free no-cost consulting, information, or assistance on ADA, EMV or Health (HIPAA), please contact [email protected] or call 720-324-1837. Thanks to the generous financial support of our GOLD sponsors Olea Kiosks, KioWare, Frank Mayer and Associates, Inc., Nanonation, Pyramid, Kiosk Group, Vispero, Zebra, AUO, 22Miles, and Honeywell.

Contacts

Craig Keefner
720-324-1837
[email protected]
https://www.linkedin.com/in/kiosk/

Section 508 Best Practices Webinar: Creating Accessible Websites using the U.S. Web Design System (USWDS) and Integrated Digital Experience Act (IDEA)

Section 508 Webinar: Creating Accessible Websites

Intro

The 21st Century Integrated Digital Experience Act (IDEA) aims to improve the digital experience for government customers. It requires federal agencies to update their websites according to the U.S. Web Design System (USWDS) to make them more user-friendly. Developed by the General Services Administration (GSA) and U.S. Digital Service, the USWDS helps federal agencies create websites that are accessible, fast, and easy to use on mobile devices.

Webinar Subject

The next webinar in the Section 508 Best Practices Webinar Series on November 24 from 1:00 to 2:30 (ET) will explain how to create accessible websites using the USWDS and meet the requirements of the IDEA. Representatives from GSA will review USWDS code, tools, and guidance for website accessibility. They will also cover common issues, offer recommendations and best practices, and suggest resources for meeting IDEA requirements.

For more details or to register

Visit www.accessibilityonline.org. Questions can be submitted in advance of the session or can be posed during the live webinar. The webinar will include video remote interpreting (VRI) and real-time captioning.

The Section 508 Best Practices Webinar Series provides helpful information and best practices for federal agencies in meeting their obligations under Section 508 of the Rehabilitation Act, which ensures access to information and communication technology in the federal sector. This webinar series is made available by the Accessibility Community of Practice of the CIO Council in partnership with the U.S. Access Board.

Section 508 Best Practices: Creating accessible websites using the U.S. Web Design System (USWDS) and the 21st Century Integrated Digital Experience Act (IDEA)

November 24, 2020, 1:00-2:30 (ET)

Presenters:

• Ammie Farraj Feijoo, 21st Century IDEA Implementation Lead, Technology Transformation Services (TTS), GSA

• Dan Williams, U.S. Web Design System, Technology Transformation Services (TTS), GSA

Note: Registration closes 24 hours before the start of the session. Instructions for accessing the webinar on the day of the session will be sent via email to registered individuals in advance of the session. Communication Access Realtime Translation (CART) and Video Sign Language Interpreters are available for each session and will be broadcast via the webinar platform. A telephone option (not toll-free) for receiving audio is also available.

Related Information and Posts

WCAG Overview by Deque – 2.1

How Your Company Can Prevent ADA Website Accessibility Lawsuits

Regulatory Affairs – FDA Defines Correct Operation of Fever Cameras

The US FDA has now defined the correct operation of “Thermal Imaging Systems”, colloquially known as “fever cameras”.

Many in video surveillance have interpreted the FDA’s decision to temporarily lift 510(k) clearance requirements for fever cameras to mean that ‘anything goes’, ignoring well-established global standards.

However, this latest FDA guidance shows that even amid a fever camera Gold Rush, the agency believes such systems need to be set up and operated “correctly”.

In this post, we examine this new FDA document, including:

  • Background: FDA Studies Show Fever Cam Operation Importance
  • FDA Statement to IPVM
  • Fever Cameras “Only Effective” Under These Conditions
  • “Careful” Setup Needed
  • What Is A Right Environment?
  • Secondary Confirmation A Must
  • Remove Hats, Glasses, Hair Obstructions/ Wait 15 Minutes
  • Process People One At A Time, No “Mass Fever Screening”
  • Locations Recommended: Airports, Offices, Supermarkets, Concerts, Hospital ERs
  • No Distance Recommendation, But Clearly Close
  • Blackbody Only Required If Manufacturer Recommends

Full post on IPVM

Danger of ATM Cash-Outs – PCI SSC Blog

Beware of ATM Cash-Outs

The Kiosk Association (KMA) is a participating organization with the PCI Security Standards Council. Initiatives include proposing a SIG for unattended self-service transactions, as well as beginning to document considerations for ADA and accessibility and for unattended transactions.

PCI SSC and ATMIA share guidance and information on protecting against ATM Cash-outs.

Why are you issuing this industry threat bulletin?

Troy Leach: We have heard from many of our stakeholders in the payment community that ATM “cash-outs” are a growing concern across the globe. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the ATMIA, whose industry is well aware of these daily threats.

What are ATM Cash-outs? How do they work?

Mike Lee: Basically an ATM “cash-out” attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time. Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

So how exactly do these attacks work?

Mike Lee: An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems. The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner. With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash. These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuer’s authorization system have been exploited.

What businesses are at risk of this devious attack?

Troy Leach: Financial institutions and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some detection best practices to detect these threats before they can cause damage?

Troy Leach: Since ATM “cash-out” attacks can happen quickly and drain millions of dollars in a short period of time, the ability to detect these threats before they can cause damage is critical. Some ways to detect this type of attack are:

Velocity monitoring of underlying accounts and volume
24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
Reporting system that sounds the alarm immediately when suspicious activity is identified
Development and practice of an incident response management system
Check for unexpected traffic sources (e.g. IP addresses)
Look for unauthorized execution of network tools
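Of the detection items above, velocity monitoring is the one that maps most directly to code. What follows is an added example for this page, not code from the PCI SSC/ATMIA bulletin or from either speaker. It runs over a handful of constructed issuer-side log lines and flags a card whose withdrawals hit many distinct ATMs inside a short window, and escalates the alert when that card's withdrawal limit was changed on the card management system shortly beforehand, which is the pattern Mike Lee describes. The log format, field names, thresholds and the sample lines are all assumptions made for this example.

```python
"""Velocity monitoring for ATM cash-out detection (added example).

Not from the ATMIA/PCI SSC bulletin. Models the pattern described on this
page: an issuer-side limit change, then a burst of withdrawals for the same
card at many ATMs within minutes. Log format, thresholds and sample data are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning assumptions (hypothetical): a real cardholder does not make five
# withdrawals across three or more ATMs inside ten minutes.
WINDOW = timedelta(minutes=10)
MAX_WITHDRAWALS = 5
MIN_DISTINCT_ATMS = 3
LIMIT_CHANGE_LOOKBACK = timedelta(hours=24)

# Constructed sample log: one card cashed out after a limit change, one card
# behaving normally. Card and ATM identifiers are placeholders.
SAMPLE_LOG = """\
2020-12-01T02:10:00 LIMIT_CHANGE card=4111 by=ops7 old=500 new=50000
2020-12-01T03:00:00 WITHDRAW card=4111 atm=A1 amount=2000
2020-12-01T03:01:30 WITHDRAW card=4111 atm=B7 amount=2000
2020-12-01T03:02:10 WITHDRAW card=4111 atm=C3 amount=2000
2020-12-01T03:03:45 WITHDRAW card=4111 atm=D9 amount=2000
2020-12-01T03:05:00 WITHDRAW card=4111 atm=E2 amount=2000
2020-12-01T03:06:00 WITHDRAW card=4111 atm=F4 amount=2000
2020-12-01T09:00:00 WITHDRAW card=5222 atm=A1 amount=100
2020-12-01T18:30:00 WITHDRAW card=5222 atm=A1 amount=60
""".splitlines()


def parse(line):
    """Parse one constructed log line into a dict.

    Hypothetical formats:
      <iso-ts> WITHDRAW card=<id> atm=<id> amount=<n>
      <iso-ts> LIMIT_CHANGE card=<id> by=<user> old=<n> new=<n>
    """
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for f in fields:
        key, value = f.split("=", 1)
        rec[key] = value
    return rec


def detect_cashout(lines):
    """Return {card: [alert, ...]} for cards showing cash-out velocity."""
    events = sorted((parse(ln) for ln in lines), key=lambda r: r["ts"])
    withdrawals = defaultdict(list)    # card -> [(ts, atm, amount)]
    limit_changes = defaultdict(list)  # card -> [ts of limit change]
    for r in events:
        if r["kind"] == "WITHDRAW":
            withdrawals[r["card"]].append((r["ts"], r["atm"], int(r["amount"])))
        elif r["kind"] == "LIMIT_CHANGE":
            limit_changes[r["card"]].append(r["ts"])

    alerts = defaultdict(list)
    for card, ws in withdrawals.items():
        # Sliding time window over this card's withdrawals (already ordered).
        start = 0
        for end in range(len(ws)):
            while ws[end][0] - ws[start][0] > WINDOW:
                start += 1
            window = ws[start:end + 1]
            atms = {atm for _, atm, _ in window}
            if len(window) >= MAX_WITHDRAWALS and len(atms) >= MIN_DISTINCT_ATMS:
                total = sum(amount for _, _, amount in window)
                msg = (f"{len(window)} withdrawals at {len(atms)} ATMs "
                       f"totalling {total} within {WINDOW}")
                # Escalate when the issuer-side limit was raised shortly before:
                # that is the card-management-system tampering described above.
                recent = [t for t in limit_changes[card]
                          if timedelta(0) <= ws[end][0] - t <= LIMIT_CHANGE_LOOKBACK]
                if recent:
                    msg += f"; limit changed {len(recent)}x in prior 24h"
                alerts[card].append(msg)
                break  # one alert per card is enough to trigger a block
    return dict(alerts)


if __name__ == "__main__":
    for card, msgs in detect_cashout(SAMPLE_LOG).items():
        print(card, "->", msgs[0])
```

In production the same logic would sit on the authorization stream rather than on batch log lines, and the limit-change correlation would be fed from the card management system's audit trail, which is also the feed a file integrity monitor should watch for unexpected edits.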

What are some prevention best practices to stop this attack from happening in the first place?

Troy Leach: The best protection to mitigate against ATM “cash-outs” is to adopt a layered defense that includes people, processes, and technology. Some recommendations to prevent ATM “cash-outs” include:

Strong access controls to your systems and identification of third-party risks
Employee monitoring systems to guard against an “inside job”
Continuous phishing training for employees
Multi-factor authentication
Strong password management
Require layers of authentication/approval for remote changes to account balances and transaction limits
Implementation of required security patches in a timely manner (ASAP)
Regular penetration testing
Frequent reviews of access control mechanisms and access privileges
Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
Installation of file integrity monitoring software that can also serve as a detection mechanism
Strict adherence to the entire PCI DSS

For more information about best practices for detection and prevention, people should review our full bulletin.
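Two of the prevention items above, layered approval for remote changes to balances and limits, and separation of roles so that no single user ID can perform a sensitive function, can be enforced in code rather than left to procedure. The following is an added example for this page, not from the bulletin or from either speaker. It models a limit change on a card management system as a request that takes effect only after approval by a supervisor who is not the requester, with large increases requiring two distinct supervisors. The role table, user IDs and the 5000 threshold are constructed assumptions.

```python
"""Dual control for remote changes to withdrawal limits (added example).

Not code from the PCI SSC/ATMIA bulletin. Enforces: no single user ID can
both request and approve a change, and large increases need two distinct
supervisors. Role table, user IDs and threshold are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed role model (hypothetical user IDs): operators raise requests,
# supervisors approve them. Nobody holds both roles.
ROLE = {
    "ops7": "operator",
    "ops9": "operator",
    "sup2": "supervisor",
    "sup5": "supervisor",
}

# Assumed policy: raising a limit to this amount or more needs two approvers.
TWO_APPROVER_THRESHOLD = 5000


class PolicyError(Exception):
    """Raised when a request, approval or apply step violates dual control."""


@dataclass
class LimitChange:
    card: str
    old_limit: int
    new_limit: int
    requested_by: str
    approvals: list = field(default_factory=list)
    applied: bool = False


def request_change(card, old_limit, new_limit, user):
    """Any known operator or supervisor may open a request; nothing changes yet."""
    if ROLE.get(user) not in ("operator", "supervisor"):
        raise PolicyError(f"{user} may not request limit changes")
    return LimitChange(card, old_limit, new_limit, user)


def approve(change, user):
    """Record an approval, enforcing role, self-approval and duplicate checks."""
    if ROLE.get(user) != "supervisor":
        raise PolicyError(f"{user} lacks the supervisor role")
    if user == change.requested_by:
        raise PolicyError("requester cannot approve their own change")
    if user in change.approvals:
        raise PolicyError(f"{user} has already approved this change")
    change.approvals.append(user)
    return change


def required_approvals(change):
    """Large limit increases need two supervisors; smaller ones need one."""
    return 2 if change.new_limit >= TWO_APPROVER_THRESHOLD else 1


def apply_change(change, limits):
    """Write the new limit only when approvals suffice and the request is fresh."""
    need = required_approvals(change)
    if len(change.approvals) < need:
        raise PolicyError(f"only {len(change.approvals)} of {need} approvals present")
    if limits.get(change.card) != change.old_limit:
        # Another change landed in between; force a fresh request rather than
        # silently overwriting whatever is there now.
        raise PolicyError("stale request: current limit differs from old_limit")
    limits[change.card] = change.new_limit
    change.applied = True
    return limits


def rejects(fn, *args):
    """True if fn(*args) is blocked by policy; used to exercise the denied paths."""
    try:
        fn(*args)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    limits = {"4111": 500}
    change = request_change("4111", 500, 50000, "ops7")
    print("apply without approval blocked:", rejects(apply_change, change, limits))
    approve(change, "sup2")
    print("apply with one of two blocked:", rejects(apply_change, change, limits))
    approve(change, "sup5")
    apply_change(change, limits)
    print("limits now:", limits)
```

The check that matters most against the attack described above is the one in apply_change: a compromised operator account can open as many requests as it likes, but nothing reaches the authorization system's limits table until distinct supervisor identities, ideally behind multi-factor authentication, have signed off.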

How can people learn more about these types of attacks?

Mike Lee: ATMIA has published a detailed alert report on the topic of ATM Cash-outs. I would also encourage stakeholders interested in this topic to read our joint bulletin in its entirety. A link to those helpful resources is included in this blog.

Resources to help you:

Read our bulletin
View the press release
See the ATMIA Study

Out-of-state law firm blitzes companies in Colorado with “drive-by” ADA lawsuits

ADA FAQ Kiosks

From the Denver Post Oct 2020 — Douglas County man represented by New Jersey firm has filed 52 nearly identical lawsuits since December

James Blanchard had just reopened his Denver winery this summer after being shut down for months because of COVID-19 when he got hit with a different kind of challenge — a surprise lawsuit alleging the website for his family business violated the Americans with Disabilities Act.

The lawsuit said David Katt, a resident of Douglas County who is blind, couldn’t use the downtown winery’s website because it was not compatible with screen-reading programs that allow people who are visually impaired to navigate online.

“We were caught out of the blue by this lawsuit,” Blanchard said. “There was no advanced warning, no contact, no communication from the plaintiff or their attorneys, it was just served on the front door of my apartment.”

Now he’s facing a potentially expensive legal fight at a time when sales at his 2-year-old Denver winery are down 30% because of the coronavirus — and he’s not the only one. The same Douglas County man, represented by a New Jersey law firm, has filed 52 nearly identical lawsuits against companies operating in Colorado since December.

From banks to mattress manufacturers to marijuana dispensaries, all sorts of businesses are facing lawsuits from Katt over their websites’ ADA compliance in what some attorneys say is a predatory pattern designed to push businesses into agreeing to quick cash settlements in order to close cases without racking up big legal bills.

“Plaintiff is not a bona fide patron, but a serial plaintiff who filed this lawsuit to try and extort a monetary settlement,” attorney Alice Conway Powers wrote in response to one of Katt’s lawsuits, in defense of an eyeglass shop.

Katt could not be located by The Denver Post, and his attorney, Ari Marcus of the law firm Marcus and Zelman, did not return multiple requests for comment.

“A black eye”

Such “drive-by” or “click-by” lawsuits over the ADA are a growing trend, disability advocates say, and while the lawsuits can highlight real problems — it is difficult for visually-impaired people to navigate many websites — they’re often ineffective at generating widespread change and create backlash against people with disabilities who are bringing more legitimate ADA claims.

“It gives a black eye to those of us who have been working in this profession for many years and who have gained and garnered the respect of the court because they know we don’t do that sort of thing,” said Kevin Williams, legal director at Colorado Cross-Disability Coalition, an organization that advocates for disability rights.

Lawsuits are a critical tool for people with disabilities to force companies to comply with the ADA, said Scott LaBarre, a Denver attorney who is blind and serves as the Colorado president of the National Federation of the Blind.

Read full article From the Denver Post Oct 2020

Public Service Announcement – Chinese Software – the new danger?


Reference link for opinion piece on Chinese technology

For the longest time American industry has had a very contradictory relationship with Asia.

Back in the late 70s, we had our own experience with semiconductors (RAM) and Japan and American manufacturers. Needing to collect more seismic data, do we purchase 100 devices from a US company or do we purchase 1000 devices from Japan? The outcome was not good for the US semiconductor industry.

In the kiosk industry past it was common at shows to have the Chinese with high-resolution cameras take photos of kiosk units designed by US manufacturers. These photos were later transformed into CAD files and then subsequently offered on Chinese sites, sometimes at 25% of the cost. They would break down more often, but then you could buy 2 spares at the same cost.

The software application side of things, though, was until recently non-China-provisioned. That has changed.

Currently, there is a “hot market” for temperature screening kiosks.  Devices from Belgium and Germany are predominantly used as the temperature sensors and they are integrated into tablets typically running Android on a Rockchip.

The claim is they include an AI module and facial recognition along with the temperature measurement. All the sweet spots.

Problem is that this software is now Chinese in origin. It’s not just hardware anymore. That brings into play regulations such as HIPAA as well as Federal laws regarding technology (blacklists). Deployments by marquee companies such as Amazon are common, and have included blacklisted technology.

In the temperature kiosk market, we see literally thousands of Chinese units being deployed at schools, state agencies, and federal agencies which employ Chinese software. Software that uses algorithms of blacklisted companies with data that passes through their servers.

TikTok is an entertainment platform and it has been deemed sufficient national interest to require changes.

Given these “surveillance” platforms for scanning the general population, is it reasonable to suggest they might require changes?

Maybe injecting Chinese software into Smart City technology gets people’s attention. Not sure.

Tablets in general: it can be argued that the closest thing to a U.S.-made tablet is an iPad. There are zero Android/Rockchip hardware options in the U.S., and the origin of hardware is now giving Asia an edge in software. It used to be a Dell or HP PC.


Additional Context from legal authority for consideration

For reference, HIPAA, the federal statute, only covers those who are deemed to be health care providers under its terms.

Sharing or improperly releasing medical information, or taking biometrics without consent are both potential violations of the law, and could be actionable.