Security Experts:

Cybercriminals Developing Biometric Skimmers for ATM Attacks

Banks are improving ATM authentication mechanisms in an effort to prevent fraud, but cybercriminals have already started developing the tools and techniques they need to bypass these modern security systems.

In a report published on Thursday, Kaspersky Lab researchers analyze current and future ATM authentication systems and how they can be targeted by malicious actors.

One increasingly popular authentication method involves biometrics, which includes voice, fingerprint, iris pattern, palm geometry and facial recognition. Some major banks have already started rolling out such systems, including HSBC, which recently announced selfie-based identification, and Barclays, which introduced voice-based authentication. A survey commissioned by Visa shows that two-thirds of European consumers are ready to use biometrics for making payments.

However, cybercriminals are already working on ways to bypass biometric authentication and experts warn that there are certain disadvantages to this new system.

Biometric authentication can rely on information stored on a card or provided directly. In both cases, the information is first stored in a biometric database for comparison. One problem, according to Kaspersky, is that the more this biometric data is used, the more likely that it will get stolen and, unlike passwords, fingerprints and iris patterns cannot be changed easily if they are compromised.

Cybercriminals are also working on developing biometric skimmers that can be used to obtain the valuable data directly from individuals or from cards. Fraudsters could create special devices that can extract biometric data from stolen bank cards.

Another attack method involves mounting special skimmers on top of the ATM’s biometric reader to collect fingerprints or other data. Kaspersky said it’s aware of 12 manufacturers of fake fingerprint readers and three manufacturers of palm and iris recognition equipment.

According to the security firm, the first biometrical skimmers were made available for testing in September 2015 and a second wave is expected to hit the European Union at any moment. The first series of tests led to the discovery of various bugs, including the inefficiency of GSM modules for transferring the stolen data due to its size. Newer skimmers use other technologies for retrieving the stolen information.

Another way for cybercrooks to obtain biometric data is to steal it directly from the financial organization’s database. As shown by recent incidents, the networks of banks are often not as secure as they should be.

As in classic skimming operations, the stolen biometric data can be used directly or sold for a profit on the black market.

“In general, network-based attacks against ATMs will be a headache for the security personnel of financial organizations in the coming years simply because, based on our penetration testing experience, the network infrastructure of a bank is very often built in a way that a hacker can exploit to gain access and take control of some critical parts of the network, including the network of ATMs,” Kaspersky researchers explained in their report.

“And this situation is not going to change any time soon, due to many reasons, one of which is the sheer size of financial organizations’ networks and the time-consuming and expensive task of upgrading them,” they added.

Related Reading: Is Passive Authentication the Future for User Authentication?

Related Reading: Passive Behavioral Authentication Startup UnifyID Emerges from Stealth

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.