9/22/2016 07:10 PM

Biometric Skimmers Pose Emerging Threat To ATMs

Even as financial institutions move to shore up ATM security with biometric mechanisms, cybercrooks are busy figuring out ways to beat them.

Biometric identifiers like fingerprints, palm veins, voice, and the iris have long been considered the most secure way to authenticate an individual's identity. But that may be changing.

Security firm Kaspersky Lab recently investigated how cybercriminals might be planning to defeat the new biometric authentication measures that some banks are considering for use in Automated Teller Machines (ATMs). The investigation showed that while banks are bullish on biometric-based technologies, cybercriminals are viewing them as yet another opportunity for carrying out attacks against ATMs.

In a report this week, researchers at Kaspersky Lab said they discovered at least 12 underground sellers offering skimming devices capable of stealing fingerprints from ATMs equipped with fingerprint scanners.

The devices apparently act just like regular skimmers do in stealing payment card data. They are designed to connect physically to a target ATM and to steal fingerprint data that users may be required to input while authenticating their identity with the device. The stolen data can then be used to authorize other fraudulent transactions, the researchers say.

Available evidence suggests that the first wave of biometric skimmer machines, which surfaced last September, was buggy and had to contend with multiple issues during initial tests in the European Union. The biggest hurdle apparently was that the GSM modules the underground sellers used in their skimmers for transferring stolen biometric data were too slow to handle large data loads.

But biometric skimming devices with faster data transfer technologies are only a short distance away, the Kaspersky Lab researchers say.

Fingerprint skimmers are apparently not the only devices that the cyber underground is preparing in order to thwart the biometric multi-factor authentication mechanisms that might be incorporated into ATMs over the next several years.

According to the Kaspersky Lab report, at least three criminal outfits have begun testing ATM skimmers designed to steal data from iris recognition and palm vein readers as well.

The concerns do not stop there. Kaspersky researchers also came across chatter in the dark Web and underground communities about new applications being developed to fool facial recognition systems on ATMs. Much of the talk has involved the use of mobile applications capable of taking an individual’s photo and using it to somehow fool a facial recognition system.

The report describes several other potential avenues that criminals could take to overcome biometric authentication devices in ATMs. They include black-box attacks involving the use of malicious devices connected to the cash dispenser or card reader, as well as attacks on NFC-enabled readers of biometric data.

Kaspersky Lab did not have anyone immediately available to comment on its research. But in a statement announcing the results of its investigation, Kaspersky Lab security expert Olga Kochetova said the new data highlights the need for strong controls over biometric data.

"The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," Kochetova said. "Thus, if your data is compromised once, it won’t be safe to use that authentication method again."

Interest in biometric technologies for ATMs has grown in recent years amid increasing concerns about the vulnerability of traditional PIN-based authentication mechanisms to "jackpotting" and other malicious attacks. There have been multiple reports this year of big ATM heists, including one involving the theft of nearly $3 million from 41 bank ATMs in Taiwan and another involving the theft of $13 million from ATMs at about 1,400 7-Eleven stores in Japan.

While the Kaspersky Lab report touches on several biometric authenticators for ATMs, most of the early interest within the financial community appears to be focused largely on fingerprint biometrics.

Currently, there are five ways in which biometric authentication is being used at ATM terminals, according to the banking industry body BAI. One approach has been to use fingerprints as a replacement for PINs at ATMs. A growing number of financial institutions have also begun using fingerprint authentication for mobile payments and banking applications for multi-transaction sessions and to authenticate to new applications.

Some are also looking to incorporate a user’s fingerprint biometric directly on the card itself or mobile device as a form of secure authentication, the BAI has noted previously.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

sillieabbe, User Rank: Apprentice
9/23/2016 | 11:09:27 PM
Biometrics is not a good idea for security
It's really worrying that so many people are so tragically misinformed. Biometrics should not be activated where you need to be security-conscious.

It is known that the authentication by biometrics comes with poorer security than PIN/password-only authentication. The following video explains how biometrics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4