You might recall getting a notice from your bank that you’ve been issued a new debit and credit card, one with a chip built into it for enhanced security. There are ATMs out there created specifically for use with these chips, but the same technology created to protect user credentials is now being used to steal them for fraudulent withdrawals.
Weston Hecker, a senior security consultant at the cybersecurity firm Rapid7, spoke at the Black Hat conference in Las Vegas, and demonstrated the technique. It can reportedly steal up to $50,000 out of a single ATM in under 15 minutes. While there had been problems with ATMs running older operating systems, like Windows XP, this is an entirely different problem. The reasoning: these ATMs are brand spanking new, and designed to take advantage of the latest chip-security technology. So, you can understand why there’s such a cause for concern in this case.
The exploit requires a $2,000 kit to install, but compared to the potential gains, this is a small price to pay. Hackers can alter an ATM by adding a device to the terminal. Specifically, it’s placed in between the ATM user’s card chip, and the roof of the area where the card is inserted. This data is then read–including the PIN–and transferred to the criminal, who could be hundreds of miles away. The hacker can download this data to their smartphone and use the card details to withdraw money from any ATM system.
Once this has happened, the hacker can order the machine to constantly withdraw funds to steal an exorbitant sum. Granted, they have to do this near an unattended machine, or one which is remote enough that nobody would notice (or care) that someone was messing with it, but the point stands that the hacker can steal huge amounts of money with relatively little effort.
There are some drawbacks to this method, though. For one, a hacker probably won’t be able to use the spoofed credentials for a very long time; at least, not until the user has caught on to their scheme and thwarted it by contacting their bank. Second of all, the hacker needs to find a way to bypass the security cameras that are inevitably located within each and every ATM they’ll encounter, and that’s not mentioning all of the other security cameras in the area that are monitoring the ATM.
Still, despite the challenges, hackers could have a field day with this vulnerability. Rapid7 has fully disclosed the details of the vulnerability to the manufacturers, but hasn’t made the details public, out of fear that the details could put more people at risk. The idea is to give the manufacturers time to resolve the issue, before hackers find a way around these fixes.
In general, it’s a good practice to always monitor your bank accounts, and to report any suspicious behavior to your bank. Additionally, it’s important that you never hand over your banking credentials to anyone for any reason–particularly a sketchy email from your “bank” asking you to confirm your credentials. These are known as phishing scams, and they try to use your trusting nature against you.
Additionally, never input credentials into unsecured websites. Any websites that you need to use your credit card credentials on should have encryption protocol in place to hide your information from hackers. You need to be very deliberate about avoiding websites that look like they may be trying to steal your data.
For more information about how to keep your financial records secure, reach out to Tektonic at (416) 256-9928.