Research released at Black Hat USA last week shows that one of our best defenses for the future of payment card and ATM security isn't infallible. Here's why.

Sara Peters, Senior Editor

August 11, 2016


The late Barnaby Jack showed us in 2010 how cyberattacks could persuade ATMs to part with their cash, in what he called "jackpotting" attacks. Years later, hackers and their well-organized teams of money mules are indeed having a grand time with jackpotting attacks, encouraged by ATM operators' slow adoption of EMV technology, lax physical security, reluctance to upgrade outdated hardware, poorly maintained embedded systems, middleware that creates a new attack surface, and insufficient motivation to change. 

Trend Micro reported in April that ATM malware is on the rise. Recent attacks have shown that, with a combination of hacking and large teams, attackers can collectively slam ATM operators, banks, and account holders with millions of dollars in losses over the course of just a few hours.

And just last week, research released at Black Hat by Rapid7's Weston Hecker showed that one of our best defenses for the future of payment card and ATM security isn't infallible, either. 

ATMs Being Robbed Via Smartphone

In July, another coordinated group lifted a large sum of cash from ATMs in a short period of time, but the particularly noteworthy aspect was that instead of inserting payment cards in the machines, they appeared to use smartphones.

According to the South China Morning Post, a coordinated group of two-person teams stole NT$83.27 million (~$2.67 million USD) cash from 41 First Bank ATMs in Taiwan. Police have arrested three individuals in connection with the attack -- citizens of Moldova, Latvia, and Romania -- but believe they were part of a 16-person team, most of whom fled the country. Police have recovered most of the money, according to the Morning Post.

How the attackers carried out their theft, possibly via smartphone, remains unclear. Two years ago, Symantec researchers outlined ATM malware called Ploutus that would cause an ATM to spit out cash after being sent a command via SMS message. The malware first had to be installed by physically opening up the ATM machine and attaching the phone to the hardware via USB. No information has been released saying that Ploutus was used in this attack, but police were quoted as saying that they suspected that malware was installed on the ATMs at an earlier date.

Regardless, a report in ABC News Australia said investigators discovered not just one, but three malware programs on the compromised ATM machines. 

Traditional Organized Crime Getting In On Cybercrime 

In May, a coordinated group of as many as 100 people in Japan stole 1.4 billion yen (about $12.8 million USD) in less than three hours, by simply withdrawing it from 7-Elevens. They used counterfeit credit cards that were created using stolen data on roughly 1,600 account holders from Standard Bank in South Africa; 7-Eleven ATMs were apparently popular for the attack because they accept foreign-issued debit cards.

Japanese police have made multiple arrests in connection with the theft, including a member of a yakuza associated with Japan's largest organized crime syndicate, according to a report in Japan Today.  

New ATM Malware Strains 

In May, Kaspersky Lab discovered evidence that new variants of the ATM malware Skimer were compromising devices across the globe.

The malware can be installed either directly onto the device, or remotely, by first exploiting the network that the ATM connects to. Once Skimer is installed, it sits idly by until the attacker visits the ATM and sets the program into motion with a series of interactions that, to the careless observer, wouldn't look strange at all. 

The attacker inserts a "magic card" into the machine, instead of a regular debit or credit card. Skimer then either harvests prior ATM users' magstripe data or dispenses cash, in response to commands issued by the attacker. If it downloads data, that can either be stored on the card or printed out on what appear to be normal receipts.

Skimer exploits CEN/XFS, a technology created to standardize ATM software built on Windows-based machines. So, it affects multiple ATM makes and models, as long as they run Windows.   

"La Cara" -- Exploiting EMV for Cash in Near-Real Time

The EMV technology replacing magnetic stripes is improving payment card and ATM security -- albeit, very slowly in the United States, where adoption has been sluggish. However, when the magstripe trade ceases to turn a profit, adaptable attackers will be able to exploit EMV, too.

At the Black Hat USA conference last week, Hecker, Rapid7's senior security consultant, showed how EMV could be exploited and what this next-generation carding network would look like. 

Nowadays, carders and fraudsters can happily buy and sell magstripe card data with a relatively high degree of confidence that it will be usable, because magstripe data is all static. EMV card transactions, however, include dynamic data. Banks generate one-time codes for each transaction, so any stolen transaction data may only be valid for one minute or less. If carders want to continue to have a business once EMV becomes the norm, they'll need a way to not only transmit that dynamic data to their buyers in real-time, but enable their buyers to monetize it in real- or near-real time.

Hecker created a way: 

The main players in the criminal enterprise will still be mostly the same, but there would be some new twists.

  • People at the point-of-sale who've installed shimmers. A "shimmer" is effectively a skimmer, installed on the PoS device, except it lifts EMV card data instead of magstripe data.

  • Carders, running a marketplace on the Internet. Instead of selling card data to fraudsters, carders now sell them locations, times, and numbers of transactions: where, geographically speaking, would you like to withdraw cash from, when, and how many times? 

  • Fraudsters, at the ATM, using the "La-Cara" automated cash-out machine built by Hecker.

The La-Cara device includes components that are both inserted where the card goes and laid over the PIN keyboard and flashable EMV card system. However, they won't set off any of the Foreign Object Detect systems that a skimmer would.

When a customer makes a purchase at a PoS compromised by a shimmer, the carding network, as a man-in-the-middle, intercepts the temporary identifier and passes it on to the La Cara device, via a secure channel. There is a trusted relationship between the La Cara device and the shimmer it is associated with for this transaction. The customer's transaction goes ahead normally, and the fraudster is able to withdraw cash before the transaction data expires. According to Hecker's research, the La Cara device costs about $2,000 to construct, and can cash out between $20,000 and $50,000 in 15 minutes.
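An issuer-side check for the pattern described above, as an added example that is not from the article or from Hecker's research: it flags a card whose chip purchase at a PoS terminal is followed within a short window by an ATM cash withdrawal, then groups the hits by PoS terminal. The record fields, the 60-second window (taken from the article's "one minute or less"), and the sample authorizations are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample authorization records (not real data). Field layout is an
# assumption for this example: time, card token, terminal id, channel, amount.
SAMPLE_AUTHS = [
    ("2016-08-01T12:00:05", "card-A", "POS-114", "pos_chip", 23.10),
    ("2016-08-01T12:00:41", "card-A", "ATM-007", "atm_cash", 400.00),
    ("2016-08-01T12:03:00", "card-B", "POS-114", "pos_chip", 8.75),
    ("2016-08-01T15:30:00", "card-B", "ATM-007", "atm_cash", 60.00),
    ("2016-08-01T12:05:10", "card-C", "POS-114", "pos_chip", 51.00),
    ("2016-08-01T12:05:55", "card-C", "ATM-007", "atm_cash", 500.00),
    ("2016-08-01T12:06:20", "card-D", "POS-220", "pos_chip", 12.00),
]

WINDOW = timedelta(seconds=60)  # assumption: "one minute or less" from the text


def find_relay_candidates(auths, window=WINDOW):
    """Return (card, pos_terminal, atm_terminal, gap_seconds) for every ATM
    withdrawal that follows a chip purchase on the same card within `window`."""
    last_pos = {}  # card -> (time, terminal) of the most recent chip purchase
    hits = []
    for ts, card, terminal, channel, _amount in sorted(auths):
        when = datetime.fromisoformat(ts)
        if channel == "pos_chip":
            last_pos[card] = (when, terminal)
        elif channel == "atm_cash" and card in last_pos:
            pos_time, pos_terminal = last_pos[card]
            gap = when - pos_time
            if gap <= window:
                hits.append((card, pos_terminal, terminal, int(gap.total_seconds())))
    return hits


def suspect_pos_terminals(hits, min_cards=2):
    """A PoS terminal that precedes fast cash-outs on several different cards
    is a candidate shimmer location worth a physical inspection."""
    cards_by_pos = {}
    for card, pos_terminal, _atm, _gap in hits:
        cards_by_pos.setdefault(pos_terminal, set()).add(card)
    return sorted(t for t, cards in cards_by_pos.items() if len(cards) >= min_cards)


if __name__ == "__main__":
    hits = find_relay_candidates(SAMPLE_AUTHS)
    for hit in hits:
        print("relay candidate:", hit)
    print("inspect PoS terminals:", suspect_pos_terminals(hits))
```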

Geographical proximity to the victim is a benefit for any attacker trying to cash out, because it's less likely to set off fraud alerts (although with a man-in-the-middle in this case, the evidence of fraud could be edited out, Beardsley says). However, proximity is particularly helpful in this attack -- the La Cara device needs to communicate with the shimmer through a secure connection, and the farther apart they are, the higher the latency. When time is so limited, that could foil the attack.

Right now, attacks on EMV are not "really favored," acknowledges Rapid7 Security Research Manager Tod Beardsley. However, Hecker's research is important now, he says, because EMV "may not be as secure as it's cracked up to be," and eventually it will become the favored technology in the US and attackers will catch up.  

Attackers aren't likely to make a strong move to EMV attacks, Beardsley says, "until your magstripe victim pool dries up." That won't happen right away, he says, because in the US very few ATMs are equipped for chip-and-PIN right now. Further, Mastercard and VISA are not yet holding ATM operators that don't accept EMV liable for counterfeiting or fraudulent activity that results from their outdated equipment. Mastercard is instituting the liability shift for ATM operators in October, and VISA in October 2017. However, "Once the liability shift happens," says Beardsley, "you'll see the magstripe [withdrawal] limits capped." When people are only able to take out $40 of cash with their magstripe cards, upgrades may move more quickly.

Some of the necessary changes to ATM machines might be minor, mechanical additions. 

"[La Cara] would be stopped cold if a door closed behind the card," says Beardsley. (Since the La-Cara device would include components inside the machine that need to connect by cables to components outside the machine, the device would simply fail.) 

Unfortunately, many ATM operators are reluctant to make hardware upgrades, says Beardsley. Instead they merely bolt on "EMV upgrade kits" to their existing gear. This effectively creates more middleware, which adds another attack surface that could be exploited.

Beardsley says that ATM manufacturers and other Internet of Things manufacturers need to recognize that now they're selling software and services, not just hunks of hardware.
