The Future Of ATM Hacking

Research released at Black Hat USA last week shows that one of our best defenses for the future of payment card and ATM security isn't infallible. Here's why.

The main players in the criminal enterprise will still be mostly the same, but there would be some new twists.

  • People at the point-of-sale who've installed shimmers. A "shimmer" is effectively a skimmer, installed on the PoS device, except it lifts EMV card data intstead of magstripe data.
  • Carders, running a marketplace on the Internet. Instead of selling card data to fraudsters, carders now sell them locations, times, and numbers of transactions: where, geographically speaking, would you like to withdraw cash from, when, and how many times? 
  • Fraudsters, at the ATM, using the "La-Cara" automated cash-out machine built by Hecker.

The La-Cara device includes components that are both inserted into where the card goes and lay over the PIN keyboard and flashable EMV card system. However, they won't set off any of the Foreign Object Detect systems that a skimmer would.

When a customer makes a purchase at a PoS compromised by a shimmer, the carding network, as a man-in-the-middle, intercepts the temporary identifier and passes it on to the La Cara device, via a secure channel. There is a trusted relationship between the La Cara device and the shimmer it is associated with for this transaction. The customer's transaction goes ahead normally, and the fraudster is able to withdraw cash before the transaction data expires. According to Hecker's research, the La Cara device costs about $2,000 to construct, and can cash out between $20,000 and $50,000 in 15 minutes.

Geographical proximity to the victim is a benefit for any attacker trying to cash out, because it's less likely to set off fraud alerts (although with a man-in-the-middle in this case, the evidence of fraud could be edited out, Beardsley says). However, proximity is particularly helpful in this attack -- the La Cara device needs to communicate with the shimmer through a secure connection, and the further apart they are, the higher the latency, and when time is so limited, that could foil the attack. 

Right now, attacks on EMV are not "really favored," acknowledges Rapid7 Security Research Manager Tod Beardsley. However, Hecker's research is important now, he says, because EMV "may not be as secure as it's cracked up to be," and eventually it will become the favored technology in the US and attackers will catch up.  

Attackers aren't likely to make a strong move to EMV attacks, Beardsley says, "until your magstripe victim pool dries up." That won't happen right away, he says, because in the US very few ATMs are equipped for chip-and-PIN right now. Further, Mastercard and VISA are not yet holding ATM operators that don't accept EMV liable for counterfeiting or fraudulent activity that result from their outdated equipment. Mastercard is instituting the liability shift for ATM operators in October, and VISA in October 2017. However, "Once the liability shift happens," says Beardsley, "you'll see the magstripe [withdrawal] limits capped." When people are only able to take out $40 of cash with their magstripe cards, upgrades may move more quickly.

Some of the necessary changes to ATM machines might be minor, mechanical additions. 

"[La Cara] would be stopped cold if a door closed behind the card," says Beardsley. (Since the La-Cara device would include components inside the machine that need to connect by cables to components outside the machine, the device would simply fail.) 

Unfortunately, many ATM operators are reluctant to make hardware upgrades, says Beardsley. Instead they merely bolt on "EMV upgrade kits" to their existing gear. This effectively creates more middleware, which adds another attack surface that could be exploited.

Beardsley says that ATM manufacturers and other Internet of Things manufacturers need to recognize that now they're selling software and services, not just hunks of hardware.

Related Content: