The U.S. Secret Service is investigating a series of crimes involving advanced automated teller machine (ATM) skimmers.

In mid-August, the FBI warned global banks about ATM “cash-out” attacks. According to Krebs on Security, the U.S. Secret Service is investigating a new series of crimes that use advanced, custom-built ATM skimmers.

Skimmers, which have been around for years, allow criminals to steal magnetic stripe data when a card is inserted into a compromised card reader.

Not Your Father’s ATM Attack

The latest attack is particularly sophisticated because the skimmer doesn’t sit inside the card reader slot; it sits on top of it and is undetectable from the outside. The installation can only be performed from the inside the ATM, so the criminals drill a hole in the ATM fascia to insert the skimmer.

Using an endoscope, they align the skimmer with specific parts of the card reader and secure it with magnets. They also discretely plant video surveillance cameras inside the ATM, which capture customers typing in their personal identification number (PIN). Finally, the hole is covered with something that will blend into the ATM, such as a metal plate, sign or some other kind of labeling.

This is not a generic attack. The skimmer was clearly designed to fit the physical and electronic specifications of a specific card reader model. Most likely, the criminals obtained an ATM in the product line they were targeting. This would allow them to perfect the skimmer design and practice installing it in private.

How Penetration Testing Can Help Protect ATMs From Advanced Skimmers

X-Force Red, IBM Security’s team of veteran hackers, is aware of other incidents in which criminals have stolen entire ATMs to reverse engineer the software and hardware and develop sophisticated attacks.

Unfortunately, there is no single solution to protect against skimmers. Field staff can be trained to identify compromised machines, but some ATMs may be infrequently visited. Remote monitoring, including video and tamper sensors, is obviously critical.

For this specific attack, placing an internal barrier around the card reader will make the skimmer installation significantly more complicated, if not impossible. If it is properly implemented, upgrading to a card reader that uses on-head encryption will prevent a skimmer from retrieving data through circuit monitoring.

To proactively protect ATMs and connected infrastructure, X-Force Red recommends performing comprehensive ATM penetration testing. It entails testing the ATM hardware, software, network and backend infrastructure. The test will uncover critical vulnerabilities that companies should remediate quickly before attackers find them. In the case of this latest attack, a penetration test would uncover hardware vulnerabilities that could enable criminals to plant the skimmer and camera.

X-Force Red has an ATM testing team that performs comprehensive testing for banks and independent ATM operators around the world. The team has yet to perform a test that does not uncover at least one critical vulnerability.

Source: Krebs on Security

More from

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…