October 1, 2018 By David Byrne 2 min read


The U.S. Secret Service is investigating a series of crimes involving advanced automated teller machine (ATM) skimmers.

In mid-August, the FBI warned global banks about ATM “cash-out” attacks. According to Krebs on Security, the U.S. Secret Service is investigating a new series of crimes that use advanced, custom-built ATM skimmers.

Skimmers, which have been around for years, allow criminals to steal magnetic stripe data when a card is inserted into a compromised card reader.

Not Your Father’s ATM Attack

The latest attack is particularly sophisticated because the skimmer doesn’t sit inside the card reader slot; it sits on top of it and is undetectable from the outside. The installation can only be performed from the inside the ATM, so the criminals drill a hole in the ATM fascia to insert the skimmer.

Using an endoscope, they align the skimmer with specific parts of the card reader and secure it with magnets. They also discretely plant video surveillance cameras inside the ATM, which capture customers typing in their personal identification number (PIN). Finally, the hole is covered with something that will blend into the ATM, such as a metal plate, sign or some other kind of labeling.

This is not a generic attack. The skimmer was clearly designed to fit the physical and electronic specifications of a specific card reader model. Most likely, the criminals obtained an ATM in the product line they were targeting. This would allow them to perfect the skimmer design and practice installing it in private.

How Penetration Testing Can Help Protect ATMs From Advanced Skimmers

X-Force Red, IBM Security’s team of veteran hackers, is aware of other incidents in which criminals have stolen entire ATMs to reverse engineer the software and hardware and develop sophisticated attacks.

Unfortunately, there is no single solution to protect against skimmers. Field staff can be trained to identify compromised machines, but some ATMs may be infrequently visited. Remote monitoring, including video and tamper sensors, is obviously critical.

For this specific attack, placing an internal barrier around the card reader will make the skimmer installation significantly more complicated, if not impossible. If it is properly implemented, upgrading to a card reader that uses on-head encryption will prevent a skimmer from retrieving data through circuit monitoring.

To proactively protect ATMs and connected infrastructure, X-Force Red recommends performing comprehensive ATM penetration testing. It entails testing the ATM hardware, software, network and backend infrastructure. The test will uncover critical vulnerabilities that companies should remediate quickly before attackers find them. In the case of this latest attack, a penetration test would uncover hardware vulnerabilities that could enable criminals to plant the skimmer and camera.

X-Force Red has an ATM testing team that performs comprehensive testing for banks and independent ATM operators around the world. The team has yet to perform a test that does not uncover at least one critical vulnerability.

Source: Krebs on Security

More from

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

Pentesting vs. Pentesting as a Service: Which is better?

5 min read - In today's quickly evolving cybersecurity landscape, organizations constantly seek the most effective ways to secure their digital assets. Penetration testing (pentesting) has emerged as a leading solution for identifying potential system vulnerabilities while closing security gaps that can lead to an attack. At the same time, a newer entrant into the security arena is Pentesting as a Service (PTaaS). Although PTaaS shares some similarities with pentesting, distinct differences make them two separate solutions. This article will discuss how these methodologies…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today