ATM Security

Here in India, everyone has an ATM card. But most are not aware of the security that is being implemented in these cards and so is often scammed out of money. Card skimmers or carders as they are known in the hacker community are purely motivated by money and will stop at nothing to get yours. The technological sophistication of similar criminals range from the local ruffian who will snatch your wallet and extort the pin out of you to the techno-crooks who will fit skimming machines to the Point of Sale devices in most retail shops. Let’s first go over what protections,if any, your ATM card offers against such attackers. Your account data is stored in your ATM card along with a PIN verification number. Most banks in India today store this in the form of magnetic stripes. These are the black stripes you see along the top end of the back side of your card. If the PIN you enter does not match the one indirectly stored on the card, then the transaction won’t go through. Once the ATM makes sure the PIN and the card matches, it usually contacts the Bank via a dial up connection. It then goes through with the transaction if the account has sufficient balance. Some banks issue a card with electronic chip technology to further improve the security.

Seems like a pretty secure mechanism overall doesn’t it?
Unfortunately no.
There are various ways in which the carders can get money from you and in some cases just “jackpot” the entire ATM.
Most successful cases of ATM fraud comes from skimming machines. These are little devices attached to the ATMs as unobtrusively as possible. The thing about magnetic stripes on the back of the ATM cards is that the data can be read off these using openly available machines. From there it’s a short jump to creating readers that will fit over the ATM card receptacle. The look of the skimming machine will vary from case to case. The advent of 3d printers have made it very simple to create look alikes. But in most cases these will be flimsy and fitted loosely to the original machine. Here are a few pictures courtesy of  www.krebsonsecurity.com:
ATM skimmer removed.
Pin Hole Camera in an ATM skimmer

These machines will grab Track 1 and Track 2 information off a magnetic stripe. These are the information that identifies a card and contains the PIN verification key. To get the PIN most skimmers usually use either a pin hole camera or an overlay keypad. The camera will record the PIN visually and

is pretty easy to foil. Just cover the PIN pad with your hands as you type it in. The second is more advanced and requires careful examination to detect. Once the crooks have your magnetic stripe data as well as your PIN, your account is at their mercy. Also be wary of the classic shoulder surfing attack. So how do we detect and prevent such attacks?
  • Always use ATMs you are familiar with.
  • Check the ATM for any signs of tampering.
  • See if there is anything flimsy over  the receptacle.
  • Cover the keypad with your hands as you type in the password.
  • Do not accept help from anyone while conducting a transaction.
  • Be wary of anyone attempting to glance at the keypad while you type in the PIN.
  • Keep an eye on your bill statements to check for any missing funds.

Of course, such attacks are not limited to ATMs. They are also used in POS or Point of Sale devices. The information gathered from all such devices are either stored on onboard memory or sent via wireless connection to nearby receivers. There are even cases of  waiters being paid by criminal organisations to steal credit card data from the diners. So what about these electronic chip ATM cards that are supposed to be pretty secure. The electronic chip itself is very secure. Data can’t be read off it easily. But most cards with chips also have a magnetic strip that is there for backward compatibility. The only thing a skimmer has to do is obtain the track data from the magnetic card, copy it to a similar card and break the chip in the card. When the system can’t process the chip, it will automatically revert to the stripe information. Also there are only a few banks that give out cards containing electronic chips.

There have also been widely publicized reports of merchants storing track data along with PINs that allowed criminals to break into the computers and steal enough information to clone their customers ATM/Debit Cards.
These carders use this stolen track data plus PIN numbers to clear out your bank account or in some cases sell them to the highest bidder. There are various forums and chat rooms dedicated to this form of activity. It is indeed a very lucrative field for criminals.
There have also been reports of ATM cards being trapped inside the machine by another class of malicious devices called trappers. These will trap the ATM card inside the machine, allowing people to steal the card physically. Here’s a picture of trapping device:
Trapper
Removed trapper
Coming to the other side, there are various ways crooks can outright rob an ATM. Most are attacks showcased at DEFCON or BlackHat which are security conferences for hackers. The most alarming one would most probably be the one by Barnaby Jack. He demonstrated a way to make an ATM literally spit out money using a key and a USB! He also discovered that he could find the ATMs that were connected to the Internet, hack them using a tool he wrote (“Dillinger”) and make it issue money endlessly. Brian Krebs reported about a person arrested for successfully hacking into an ATM machine using nothing more than a USB keyboard connected to the port uncovered by removing a camera.
There is also another unconventional attack on ATMs. In a Defcon presentation by Andrea Barisani, it was shown that it is possible to capture keyboard input by plugging specialized instruments in to a power plug in the same building. He pointed out that the PIN pads used in most ATMs are actually just keyboards and so can be monitored in this fashion.
It is also becoming quite common to see projects on freelancer.com asking for custom made banking trojans designed to work on ATMs.
These incidents demonstrate that ATM skimming, like any other crime, is evolving and if we don’t catch up with it we might soon wake up one day without a single penny to our name.
Here are a few links that might help you be prepared against such high tech crimes:
  • www.krebsonsecurity.com (Might be down currently. Due to the nature of his work Kreb’s website is constantly under attack by carders).
  • http://usa.visa.com/personal/security/learn-the-facts/protection-tips/atms-and-retail-store-protection.html
  • http://www.visa.co.in/personal/atm/security.shtml
  • http://www.mastercard.us/atm-safety-tips.html


Yashin Mehaboobe
Security Researcher
CSPF

Leave a Reply

Your email address will not be published. Required fields are marked *