Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Cybercriminals Developing Biometric Skimmers for ATM Attacks

Banks are improving ATM authentication mechanisms in an effort to prevent fraud, but cybercriminals have already started developing the tools and techniques they need to bypass these modern security systems.

Banks are improving ATM authentication mechanisms in an effort to prevent fraud, but cybercriminals have already started developing the tools and techniques they need to bypass these modern security systems.

In a report published on Thursday, Kaspersky Lab researchers analyze current and future ATM authentication systems and how they can be targeted by malicious actors.

One increasingly popular authentication method involves biometrics, which includes voice, fingerprint, iris pattern, palm geometry and facial recognition. Some major banks have already started rolling out such systems, including HSBC, which recently announced selfie-based identification, and Barclays, which introduced voice-based authentication. A survey commissioned by Visa shows that two-thirds of European consumers are ready to use biometrics for making payments.

However, cybercriminals are already working on ways to bypass biometric authentication and experts warn that there are certain disadvantages to this new system.

Biometric authentication can rely on information stored on a card or provided directly. In both cases, the information is first stored in a biometric database for comparison. One problem, according to Kaspersky, is that the more this biometric data is used, the more likely that it will get stolen and, unlike passwords, fingerprints and iris patterns cannot be changed easily if they are compromised.

Cybercriminals are also working on developing biometric skimmers that can be used to obtain the valuable data directly from individuals or from cards. Fraudsters could create special devices that can extract biometric data from stolen bank cards.

Another attack method involves mounting special skimmers on top of the ATM’s biometric reader to collect fingerprints or other data. Kaspersky said it’s aware of 12 manufacturers of fake fingerprint readers and three manufacturers of palm and iris recognition equipment.

According to the security firm, the first biometrical skimmers were made available for testing in September 2015 and a second wave is expected to hit the European Union at any moment. The first series of tests led to the discovery of various bugs, including the inefficiency of GSM modules for transferring the stolen data due to its size. Newer skimmers use other technologies for retrieving the stolen information.

Advertisement. Scroll to continue reading.

Another way for cybercrooks to obtain biometric data is to steal it directly from the financial organization’s database. As shown by recent incidents, the networks of banks are often not as secure as they should be.

As in classic skimming operations, the stolen biometric data can be used directly or sold for a profit on the black market.

“In general, network-based attacks against ATMs will be a headache for the security personnel of financial organizations in the coming years simply because, based on our penetration testing experience, the network infrastructure of a bank is very often built in a way that a hacker can exploit to gain access and take control of some critical parts of the network, including the network of ATMs,” Kaspersky researchers explained in their report.

“And this situation is not going to change any time soon, due to many reasons, one of which is the sheer size of financial organizations’ networks and the time-consuming and expensive task of upgrading them,” they added.

Related Reading: Is Passive Authentication the Future for User Authentication?

Related Reading: Passive Behavioral Authentication Startup UnifyID Emerges from Stealth

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.