ATM hacking and skimming were often in the news a few years back, but since the banks ramped up the security on ATM machines – including anti-skimming devices – ATM fraud activities seemed to drop off. Remember the Pro ATM Hacker ‘Chao’ Gives Out ATM Hacking Tips and a bunch of people getting busted not long after that.
Well it seems ATM skimming has resurfaced with the clever criminals finally gaining the ability to remove the anti-skimming devices and modify them to their own nefarious ends.
Banks in Europe are seeing innovative skimming attacks against ATMs, where fraudsters rig special devices to the cash machines to record payment card details.
Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects data on ATM fraud throughout Europe.
Skimming devices are designed to record the account details from the magnetic stripe on the back of a payment card. The data can then be encoded onto a dummy card. A person’s PIN (personal identification number) is often captured with a micro-camera, which was done with the illicitly modified anti-skimming devices, according to the report.
Banks in five countries also reported seeing a new type of skimming device, which uses a modified MP3 player to record card details. It also has a micro-camera to record PINs, according to a photo seen by IDG News Service
The advantage of ATM skimming rather than just plain old hacking the data online is that with the placement of a small camera you can also record the PIN number associated with each card – so after cloning it you can actually use it to withdraw money from the ATM.
It seems like the new skimming devices are much more high tech and also use off the shelf components, such as an MP3 player.
EAST doesn’t reveal which banks noticed the fraud or the country in which it occurred. EAST only notes whether the attack occurred in a country that is a “major deployer” of ATMs — where there are more than 40,000 machines in the country. Those countries include France, Germany, Spain, Russia and the U.K.
Installing malicious software on an ATM is a more sophisticated way to execute fraud. One country of the five major deployers saw this style of attack, which was first seen in Eastern Europe in 2007.
ATMs often run operating systems such as Microsoft’s Windows CE and are vulnerable to attacks executed remotely and by people who break into the machines to install malware. Both kinds of attacks were demonstrated by security researcher Barnaby Jack at the Black Hat conference in Las Vegas in July.
European banks haven’t seen a new kind of attack called “shimming.” This attack involved inserting an extremely thin plastic circuit board into a point-of-sale device or ATM. It then can record data either on the card itself or transmit the data using a wireless transmitter. Due to the design of ATM machines in Europe, “we don’t think shimming is an ATM threat,” said Lachlan Gunn, EAST’s coordinator.
They haven’t really released any details such as which banks were effected or even which countries the skimming attacks took place in. There has actually been a record number of skimming attempts this year but the losses have dropped.
I’d guess that would be due to the new security-measures built into the EMV (Europay, Mastercard, Visa) ATM cards which have a chip built in that EMV compliant ATM machines can scan and verify.
Source: Network World