Security Experts:

Connect with us

Hi, what are you looking for?



Cybercriminals Developing Biometric Skimmers for ATM Attacks

Banks are improving ATM authentication mechanisms in an effort to prevent fraud, but cybercriminals have already started developing the tools and techniques they need to bypass these modern security systems.

Banks are improving ATM authentication mechanisms in an effort to prevent fraud, but cybercriminals have already started developing the tools and techniques they need to bypass these modern security systems.

In a report published on Thursday, Kaspersky Lab researchers analyze current and future ATM authentication systems and how they can be targeted by malicious actors.

One increasingly popular authentication method involves biometrics, which includes voice, fingerprint, iris pattern, palm geometry and facial recognition. Some major banks have already started rolling out such systems, including HSBC, which recently announced selfie-based identification, and Barclays, which introduced voice-based authentication. A survey commissioned by Visa shows that two-thirds of European consumers are ready to use biometrics for making payments.

However, cybercriminals are already working on ways to bypass biometric authentication and experts warn that there are certain disadvantages to this new system.

Biometric authentication can rely on information stored on a card or provided directly. In both cases, the information is first stored in a biometric database for comparison. One problem, according to Kaspersky, is that the more this biometric data is used, the more likely that it will get stolen and, unlike passwords, fingerprints and iris patterns cannot be changed easily if they are compromised.

Cybercriminals are also working on developing biometric skimmers that can be used to obtain the valuable data directly from individuals or from cards. Fraudsters could create special devices that can extract biometric data from stolen bank cards.

Another attack method involves mounting special skimmers on top of the ATM’s biometric reader to collect fingerprints or other data. Kaspersky said it’s aware of 12 manufacturers of fake fingerprint readers and three manufacturers of palm and iris recognition equipment.

According to the security firm, the first biometrical skimmers were made available for testing in September 2015 and a second wave is expected to hit the European Union at any moment. The first series of tests led to the discovery of various bugs, including the inefficiency of GSM modules for transferring the stolen data due to its size. Newer skimmers use other technologies for retrieving the stolen information.

Another way for cybercrooks to obtain biometric data is to steal it directly from the financial organization’s database. As shown by recent incidents, the networks of banks are often not as secure as they should be.

As in classic skimming operations, the stolen biometric data can be used directly or sold for a profit on the black market.

“In general, network-based attacks against ATMs will be a headache for the security personnel of financial organizations in the coming years simply because, based on our penetration testing experience, the network infrastructure of a bank is very often built in a way that a hacker can exploit to gain access and take control of some critical parts of the network, including the network of ATMs,” Kaspersky researchers explained in their report.

“And this situation is not going to change any time soon, due to many reasons, one of which is the sheer size of financial organizations’ networks and the time-consuming and expensive task of upgrading them,” they added.

Related Reading: Is Passive Authentication the Future for User Authentication?

Related Reading: Passive Behavioral Authentication Startup UnifyID Emerges from Stealth

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.