The U.S. Secret Service is investigating a series of crimes involving advanced automated teller machine (ATM) skimmers.

In mid-August, the FBI warned global banks about ATM “cash-out” attacks. According to Krebs on Security, the U.S. Secret Service is investigating a new series of crimes that use advanced, custom-built ATM skimmers.

Skimmers, which have been around for years, allow criminals to steal magnetic stripe data when a card is inserted into a compromised card reader.

Not Your Father’s ATM Attack

The latest attack is particularly sophisticated because the skimmer doesn’t sit inside the card reader slot; it sits on top of it and is undetectable from the outside. The installation can only be performed from the inside the ATM, so the criminals drill a hole in the ATM fascia to insert the skimmer.

Using an endoscope, they align the skimmer with specific parts of the card reader and secure it with magnets. They also discretely plant video surveillance cameras inside the ATM, which capture customers typing in their personal identification number (PIN). Finally, the hole is covered with something that will blend into the ATM, such as a metal plate, sign or some other kind of labeling.

This is not a generic attack. The skimmer was clearly designed to fit the physical and electronic specifications of a specific card reader model. Most likely, the criminals obtained an ATM in the product line they were targeting. This would allow them to perfect the skimmer design and practice installing it in private.

How Penetration Testing Can Help Protect ATMs From Advanced Skimmers

X-Force Red, IBM Security’s team of veteran hackers, is aware of other incidents in which criminals have stolen entire ATMs to reverse engineer the software and hardware and develop sophisticated attacks.

Unfortunately, there is no single solution to protect against skimmers. Field staff can be trained to identify compromised machines, but some ATMs may be infrequently visited. Remote monitoring, including video and tamper sensors, is obviously critical.

For this specific attack, placing an internal barrier around the card reader will make the skimmer installation significantly more complicated, if not impossible. If it is properly implemented, upgrading to a card reader that uses on-head encryption will prevent a skimmer from retrieving data through circuit monitoring.

To proactively protect ATMs and connected infrastructure, X-Force Red recommends performing comprehensive ATM penetration testing. It entails testing the ATM hardware, software, network and backend infrastructure. The test will uncover critical vulnerabilities that companies should remediate quickly before attackers find them. In the case of this latest attack, a penetration test would uncover hardware vulnerabilities that could enable criminals to plant the skimmer and camera.

X-Force Red has an ATM testing team that performs comprehensive testing for banks and independent ATM operators around the world. The team has yet to perform a test that does not uncover at least one critical vulnerability.

Source: Krebs on Security

More from

Is It Time to Start Hiding Your Work Emails?

In this digital age, it is increasingly important for businesses to be aware of their online presence and data security. Many companies have already implemented measures such as two-factor authentication and strong password policies – but there is still a great deal of exposure regarding email visibility. It should come as no surprise that cyber criminals are always looking for ways to gain access to sensitive information. Unfortunately, emails are a particularly easy target as many businesses do not encrypt…

2022 Industry Threat Recap: Finance and Insurance

The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

X-Force Prevents Zero Day from Going Anywhere

This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

And Stay Out! Blocking Backdoor Break-Ins

Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%. The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses…