Biometric identifiers like fingerprints, palm veins, voice, and the iris have long been considered as offering the most secure way to authenticate an individual’s identity. But that may be changing.

Security firm Kaspersky Lab recently investigated how cybercriminals might be planning to defeat new biometric authentication measures that some banks are considering for use in Automated Teller Machines (ATMs). The investigation showed that while banks are bullish on biometric-based technologies, cybercriminals actually are viewing it as yet another opportunity for carrying out attacks against ATMs.

In an report this week, researchers at Kaspersky Lab said they discovered at least 12 underground sellers offering skimming devices capable of stealing fingerprints from ATMs enabled with fingerprint scanners.  

The devices apparently act just like regular skimmers do in stealing payment card data. They are designed to connect physically to a target ATM and to steal fingerprint data that users may be required to input while authenticating their identity with the device. The stolen data can then be used to authorize other fraudulent transactions, the researchers say.

Available evidence suggests that the first wave of biometric skimmer machines, which surfaced last September, were buggy and had to contend with multiple issues during initial tests in the European Union. The biggest hurdle apparently was the fact the GSM modules that the underground sellers used in their skimmers for transferring stolen biometric data, and were too slow to handle large data loads.

But biometric skimming devices with faster data transfer technologies are only a short distance away, the Kaspersky Lab researchers say.

Fingerprint skimmers are apparently not the only devices that the cyberground is preparing to thwart any biometric multi-factor authentication mechanisms that might be incorporated into ATMs over the next several years.

According to the Kaspersky Lab report, at least three criminal outfits have begun testing ATM skimmers designed to steal data from iris recognition and palm vein readers as well.

The concerns do not stop there. Kaspersky researchers also came across chatter in the dark Web and underground communities about new applications being developed to fool facial recognition systems on ATMs. Much of the talk has involved the use of mobile applications capable of taking an individual’s photo and using it to somehow fool a facial recognition system.

The report describes several other potential avenues that criminals could take to overcome biometric authentication devices in ATMs. They include black-box attacks involving the use of malicious devices connected to the cash dispenser or card reader, as well as attacks on NFC-enabled readers of biometric data.

Kaspersky Lab did not have anyone immediately available to comment on its research. But in a statement announcing the results of its investigation, Kaspersky Lab security expert Olga Kochetova said the new data highlights the need for strong controls over biometric data.

"The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," Kochetova said. "Thus, if your data is compromised once, it won’t be safe to use that authentication method again."

Interest in biometric technologies for ATMs has grown in recent years amid increasing concerns about the vulnerability of traditional PIN-based authentication mechanisms to "jackpotting" and other malicious attacks.  There have been multiple reports this year of big ATM heists including one involving the theft of nearly $3 millioni from 41 bank ATMs in Taiwan and another involving the theft of $13 million from ATMs at about 1,400, 7-Eleven stories in Japan.

While the Kaspersky Lab report touches on several biometric authenticators for ATMs, most of the early interest within the financial community appears to be focused largely on fingerprint biometrics.

Currently, there are five ways in which biometric authentication is being used at ATM terminals, according to the banking industry body BAI. One approach has been to use fingerprints as a replacement for PINs at ATMs. A growing number of financial institutions have also begun using fingerprint authentication for mobile payments and banking applications for multi-transaction sessions and to authenticate to new applications.

Some are also looking to incorporate a user’s fingerprint biometric directly on the card itself or mobile device as a form of secure authentication, the BAI has noted previously.

Related stories: