BLACK HAT 2016: Rapid7 researchers discover how hackers can steal account details from an ATM by bypassing anti-shimming measures
The vulnerabilities are coming thick and fast at this year’s Black Hat security conference in Las Vegas.
This time researchers from Rapid7 revealed that they had discovered serious vulnerabilities with next generation ATM cash machines.
Rapid7’s researcher Weston Hecker spent the past year analysing and testing new methods that ATM manufacturers are using, and he discovered that attackers could bypass “anti-skimming/anti-shimming methods” introduced with the latest generation ATMs.
The researchers found that modern ATMs can be compromised by the installation of a skimming or shimming device. These devices are often tiny and can be inserted into the card reader slot of the ATM (it sits between the chip in the card and the ATM reader).
It then harvests card and account data (including PINs) when people insert their cards into the machine.
The attacker retrieves the device and can then setup fake accounts or create a cloned card. The attacker can then withdraw money. The firm was also able to use a smartphone to download data wirelessly from the stolen card, and then recreate that same card in any ATM.
“The modifications on the ATM are on the outside,” Tod Beardsley, security research manager for Rapid7 explained to the BBC. “I don’t have to open it up. It’s really just a card that is capable of impersonating a chip. It’s not cloning.”
Rapid7 have not gone into too much detail about the flaw, but said they have notified banks and makers of ATMs.
The security of ATMs have been studied for a while now. Two years ago a Polish banking services provider rolled out Europe’s first cash dispensing machines to use vein pattern recognition to identify clients, using a Hitachi technology called VeinID.
Symantec has previously warned that cyber-attackers had developed a technique for robbing ATMs of cash using a piece of code that can be activated simply by sending a text message.
That technique targetted a particular brand of ATM that Symantec didn’t identify, but the company warned that such techniques are part of a wider problem: the fact that older generations of ATMs run the ancient Windows XP operating system.