Vulnerabilities / Threats //

Advanced Threats

9/22/2016
07:10 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Biometric Skimmers Pose Emerging Threat To ATMs

Even as financial institutions move to shore up ATM security with biometric mechanisms, cybercrooks are busy figuring out ways to beat them.

Biometric identifiers like fingerprints, palm veins, voice, and the iris have long been considered as offering the most secure way to authenticate an individual’s identity. But that may be changing.

Security firm Kaspersky Lab recently investigated how cybercriminals might be planning to defeat new biometric authentication measures that some banks are considering for use in Automated Teller Machines (ATMs). The investigation showed that while banks are bullish on biometric-based technologies, cybercriminals actually are viewing it as yet another opportunity for carrying out attacks against ATMs.

In an report this week, researchers at Kaspersky Lab said they discovered at least 12 underground sellers offering skimming devices capable of stealing fingerprints from ATMs enabled with fingerprint scanners.  

The devices apparently act just like regular skimmers do in stealing payment card data. They are designed to connect physically to a target ATM and to steal fingerprint data that users may be required to input while authenticating their identity with the device. The stolen data can then be used to authorize other fraudulent transactions, the researchers say.

Available evidence suggests that the first wave of biometric skimmer machines, which surfaced last September, were buggy and had to contend with multiple issues during initial tests in the European Union. The biggest hurdle apparently was the fact the GSM modules that the underground sellers used in their skimmers for transferring stolen biometric data, and were too slow to handle large data loads.

But biometric skimming devices with faster data transfer technologies are only a short distance away, the Kaspersky Lab researchers say.

Fingerprint skimmers are apparently not the only devices that the cyberground is preparing to thwart any biometric multi-factor authentication mechanisms that might be incorporated into ATMs over the next several years.

According to the Kaspersky Lab report, at least three criminal outfits have begun testing ATM skimmers designed to steal data from iris recognition and palm vein readers as well.

The concerns do not stop there. Kaspersky researchers also came across chatter in the dark Web and underground communities about new applications being developed to fool facial recognition systems on ATMs. Much of the talk has involved the use of mobile applications capable of taking an individual’s photo and using it to somehow fool a facial recognition system.

The report describes several other potential avenues that criminals could take to overcome biometric authentication devices in ATMs. They include black-box attacks involving the use of malicious devices connected to the cash dispenser or card reader, as well as attacks on NFC-enabled readers of biometric data.

Kaspersky Lab did not have anyone immediately available to comment on its research. But in a statement announcing the results of its investigation, Kaspersky Lab security expert Olga Kochetova said the new data highlights the need for strong controls over biometric data.

"The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," Kochetova said. "Thus, if your data is compromised once, it won’t be safe to use that authentication method again."

Interest in biometric technologies for ATMs has grown in recent years amid increasing concerns about the vulnerability of traditional PIN-based authentication mechanisms to "jackpotting" and other malicious attacks.  There have been multiple reports this year of big ATM heists including one involving the theft of nearly $3 millioni from 41 bank ATMs in Taiwan and another involving the theft of $13 million from ATMs at about 1,400, 7-Eleven stories in Japan.

While the Kaspersky Lab report touches on several biometric authenticators for ATMs, most of the early interest within the financial community appears to be focused largely on fingerprint biometrics.

Currently, there are five ways in which biometric authentication is being used at ATM terminals, according to the banking industry body BAI. One approach has been to use fingerprints as a replacement for PINs at ATMs. A growing number of financial institutions have also begun using fingerprint authentication for mobile payments and banking applications for multi-transaction sessions and to authenticate to new applications.

Some are also looking to incorporate a user’s fingerprint biometric directly on the card itself or mobile device as a form of secure authentication, the BAI has noted previously.

Related stories:

 

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
sillieabbe
50%
50%
sillieabbe,
User Rank: Apprentice
9/23/2016 | 11:09:27 PM
Biometrics is not a good idea for security
It's really worrying that so many people are so tragically misinformed.  Biometrics should not be activated where you need to be security-conscious.

 

It is known that the authentication by biometrics comes with poorer security than PIN/password-only authentication.  The following video explains how biomerics makes a backdoor to password-protected information.

https://youtu.be/5e2oHZccMe4
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Be a unicorn, not a donkey...
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.