Announcement

Collapse
No announcement yet.

Skimmer Innovation: Wiretapping ATM's

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Skimmer Innovation: Wiretapping ATM's

    By Brian Krebs

    Banks in Europe are warning about the emergence of a rare, virtually
    invisible form of ATM skimmer involving a so-called “wiretapping” device that is
    inserted through a tiny hole cut in the cash machine’s front. The hole is
    covered up by a fake decal, and the thieves then use custom-made equipment to
    attach the device to ATM’s internal card reader.

    According to the European ATM Security
    Team
    (EAST), a nonprofit that represents banks in 29 countries, financial
    institutions in two countries recently reported ATM attacks in which the card
    data was compromised internally by “wire-tapping” or “eavesdropping” on the
    customer transaction. The image below shows some criminal equipment used to
    perpetrate these eavesdropping attacks.


    Equipment used by crooks to conduct “eavesdropping” or
    “wiretapping” attacks on ATM's. Source: EAST.

    “The criminals cut a hole in the fascia around the card reader where the
    decal is situated,” EAST described in a recent, non-public report. “A device is
    then inserted and connected internally onto the card reader, and the hole
    covered with a fake decal”
    [pictured, bottom right].

    Pictured above are what appear to be wires that are fed into the machine with
    some custom-made rods. It looks like the data is collected by removing the
    decal, fishing out the wire attached to the ATM's card reader, and connecting it
    to a handheld data storage device.

    I sought clarification from EAST about how the device works. Most skimmers
    are card slot overlay devices work by using a built-in component that reads the
    account data off of the magnetic stripe when the customer inserts the card.
    But Lachlan Gunn, EAST’s executive director, suggested that
    this device intercepts the card data from the legitimate card reader on the
    inside of the ATM. He described the wiretapping device this way:

    “It’s where a tap is attached to the pre-read head or read head of the card
    reader,” Lachlan said. “The card data is then read through the tap. We still
    classify it as skimming, but technically the magnetic stripe [on the
    customer/victim’s card] is not directly skimmed as the data is intercepted.”

    The
    last report in my ATM skimming series
    showcased some major innovations in so-called
    “insert skimmers,” card-skimming devices made to fix
    snugly and invisibly inside the throat of the card acceptance slot. EAST’s new
    report includes another, slightly more advanced, insert skimmer that’s being
    called an “insert transmitter skimmer.”

    Like the one pictured below, an insert transmitter skimmer is made up of two
    steel plates and an internal battery that lasts approximately one to two weeks.
    “They do not store data, but transmit it directly to a receiving device —
    probably placed less than 1 meter from the ATM.


    An insert transmitter skimmer. Source: EAST.

    Both of these card skimming technologies rely on hidden cameras to steal
    customer PIN codes. In a typical skimming attack involving devices that lay
    directly on top of the card acceptance slot, the hidden camera is a pinhole spy
    cam that is embedded inside the card slot overlay and angled toward the PIN pad.
    Just as often, the camera is hidden in a false panel affixed directly above the
    PIN pan with the pinhole pointed downward.

    According to East, the use of false sidebar panels is becoming more prevalent
    (see image below for an example). It is not unusual for hidden cameras to be

    obscured inside of phony brochure racks as well
    .



    As this and
    other insert skimmer attacks
    show, it’s getting tougher to spot ATM skimming devices.
    It’s best to focus instead on protecting your own
    physical security while at the cash machine. If you visit an ATM that looks
    strange, tampered with, or out of place, try to find another ATM. Use only
    machines in public, well-lit areas, and avoid ATM's in secluded spots.

    Last, but certainly not least, cover the PIN pad with your hand when entering
    your PIN: That way, if even if the thieves somehow skim your card, there is less
    chance that they will be able to snag your PIN as well. You’d be amazed at

    how many people fail to take this basic precaution
    . Yes, there
    is still a chance that thieves could use a PIN-pad overlay device to capture
    your PIN, but in my experience these are far less common than hidden cameras
    (and quite a bit more costly for thieves who aren’t making their own
    skimmers).

    Are you as fascinated by ATM skimmers as I am? Check out my series on this topic,
    All About Skimmers.
    The Hackmaster

  • #2
    More on Wiretapping ATM Skimmers

    By Brian Krebs

    Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a “tiny” hole cut in the ATM’s front through which thieves insert devices capable of eavesdropping on and recording the ATM user’s card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny.

    Not long after that post went live, I heard from the folks at NCR, one of the world’s largest cash machine manufacturers. NCR had put out a bulletin on the emergence of this very threat in Sept. 2014, saying the activity had first been spotted in the United Kingdom against NCR 5877 and 5887 models.

    As I noted in my original story, the attackers use a plastic decal to cover up the hole, but NCR's photos of one ATM compromised by this method offer a better look at what’s going on here. Take a look at the size of that hole:


    A hole left by crooks who added “wiretapping” or “eavesdropping” theft devices to a compromised ATM. Image: NCR.

    “In this attack, the ATM fascia is penetrated close to the card reader to create a hole large enough for the attacker to reach inside the ATM and place a tap directly onto the card reader in order to skim card data as it is read by the ATM,” NCR said in an advisory it produced on the increasingly common attacks.

    According to NCR, the emergence of this type of skimming attack is a response to the widespread availability of third party anti-skimming technology which is successful at preventing the operation of a traditional skimmer, placed on the outside of the ATM.

    “Card reader eavesdropping skimmers are placed in a location that third party anti-skimming technology necessarily cannot protect, since the ATM must be capable of reading the card,” the advisory notes. “This technique has previously been seen in Ireland and the Netherlands, and can be expected to grow as traditional skimming is prevented.”

    NCR observed that crooks employing this attack are using a variety of methods to create the hole in the front of the ATM. Modern ATMs often now include sensors that can detect vibrations consistent with drilling or cutting tools, so some thieves have taken to melting the ATM fascia in some cases.

    “Melting techniques have been observed which can circumvent seismic anti-drilling sensors,” NCR said.

    If the idea of ATM bandits taking a blowtorch to the cash machine sounds extreme, at least they’re not trying to blow the ATM to smithereens. According to quarterly reports from the European ATM Security Team (EAST), ATM attacks in which the fraudsters attempt to blast open the machine with explosive gas are on the rise.


    A gas cylinder and pipe fitted at a compromised ATM. Source: EAST.

    EAST reports that explosive gas attacks were reported by eight countries in Europe this year. Why would thieves risk their lives and that of innocent passers-by on such a brute-force attack? EAST says the attacks are generally successful at busting open the ATM about 40 percent of the time.

    “Two of the countries also reported attacks using solid explosives,” EAST warned. “Collateral damage for solid explosive attacks is a major concern. In one country, the average overall frequency of ATM related physical attacks is five incidents per week. Three countries reported significant collateral damage from physical attacks, in addition to cash losses suffered.”

    Fortunately, many countries in Europe are fighting back against these incredibly dangerous skimming attacks, both with improved ATM technology and stiffer sentences for crooks caught in the act.

    “In one country no such attacks have been reported since the introduction of ink staining technology,” EAST noted. “In another, significant sentences have been given to criminals convicted of such attacks (the longest was 18 years in prison and the shortest 14 years!). This is an important step for Europe as, overall, sentences for such attacks are deemed by the industry to be too lenient.”
    The Hackmaster

    Comment

    Working...
    X