SecurityWeek


New ATM Hacking Method Uses Stolen EMV Card Data

Black Hat USA 2016 – Researchers have demonstrated how fraudsters can make ATMs spit out tens of thousands of dollars in cash in just a few minutes by using data stolen from EMV cards.

EMV (Europay, MasterCard and Visa) cards, also known as chip-and-PIN cards, are considered more secure than the classic magnetic stripe payment cards and they have been used in Europe for several years. The U.S. has also started implementing the technology following a significant increase in fraud attempts.

However, Rapid7 researchers demonstrated at the Black Hat conference in Las Vegas that even EMV cards and next generation secure ATMs are vulnerable to sophisticated attacks.

In the case of magnetic stripe cards, stealing money from accounts is a straightforward operation. Fraudsters can obtain card data by hacking into point-of-sale (PoS) systems, by installing skimmers on ATMs, or by purchasing it from cybercrime marketplaces. The data is then encoded onto blank cards that can be used to make purchases or withdraw money from cash machines. The data is valid until the issuer cancels the payment card – which could take a long time considering that some data breaches are discovered only after many months.

In the case of EMV cards, important pieces of information from the card are dynamic and they are only valid for a very short period of time (e.g. up to one minute). This means that even if they manage to steal data from an EMV card, fraudsters have a very limited window in which they can use it to make a profit.

Massive fraud cases involving EMV cards are not unheard of. In 2011, a criminal ring stole $680,000 after creating special payment cards that tricked ATMs into thinking that the correct PIN was entered even though it was not.

Over the past year, Rapid7 researcher Weston Hecker has been analyzing the security features in next generation ATM systems and how they process EMV cards. Based on his research, the expert has managed to build a device that can be used to get an ATM to spit out cash from the accounts of EMV cardholders.

Hecker believes that EMV card data will be increasingly sold on underground markets, but the sellers will also have to provide transaction timeframes.

The attack, which Hecker demonstrated on stage at Black Hat by making a nearly unmodified ATM spit out cash, involves a payment blockchain made up of several components. On one end of this chain, the criminal installs a skimming device – or a shimming device as they are called in the case of EMV cards – to capture the card data.

The shimmer is inserted into the card slot of a PoS system so that it sits between the chip on the card and the card reader in order to intercept transaction data. The harvested data is remotely sent to another device, which researchers have dubbed “La-Cara.”

La-Cara, which costs roughly $2,000 to build, is placed on an ATM machine, with a special card that emulates an EMV card inserted into the card slot. The data stolen from the compromised PoS system is transmitted remotely and in real time to the La-Cara device, which feeds it to the targeted ATM, allowing the attackers to withdraw money from the victim’s card.

La Cara device components

Rapid7 researchers have determined that the method can be used to get the ATM to spit out between $20,000 and $50,000 in only 15 minutes.
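From the defender's side, the timing described above suggests an issuer-side correlation check. The following is an added example, not code from the article or from Rapid7: it flags ATM withdrawals that follow a PoS chip read of the same card within the one-minute validity window, then groups them per ATM over the 15-minute cash-out span. The record format, card tokens, terminal IDs and thresholds are assumptions, as is the premise that the PoS read produces an authorization record the issuer can see.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization records (not real data):
# timestamp, card token, channel, terminal id, amount in USD
SAMPLE_LOG = """\
2016-08-04T10:00:05 tok_A POS pos-114 23.10
2016-08-04T10:00:31 tok_A ATM atm-907 800.00
2016-08-04T10:02:10 tok_B POS pos-114 9.99
2016-08-04T10:02:40 tok_B ATM atm-907 800.00
2016-08-04T10:05:00 tok_C POS pos-220 51.00
2016-08-04T11:30:00 tok_C ATM atm-300 60.00
2016-08-04T10:07:15 tok_D POS pos-114 12.50
2016-08-04T10:07:50 tok_D ATM atm-907 800.00
"""

RELAY_WINDOW = timedelta(seconds=60)  # "up to one minute" validity, per the article
BURST_WINDOW = timedelta(minutes=15)  # cash-out timeframe cited in the article

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, card, channel, terminal, amount = line.split()
        rows.append((datetime.fromisoformat(ts), card, channel, terminal, float(amount)))
    return sorted(rows)  # chronological order

def relay_suspects(rows, window=RELAY_WINDOW):
    """ATM withdrawals within `window` of a PoS chip read of the same card."""
    last_pos, hits = {}, []
    for ts, card, channel, terminal, amount in rows:
        if channel == "POS":
            last_pos[card] = (ts, terminal)
        elif channel == "ATM" and card in last_pos and ts - last_pos[card][0] <= window:
            hits.append((ts, card, last_pos[card][1], terminal, amount))
    return hits

def atm_bursts(hits, min_cards=3, window=BURST_WINDOW):
    """ATMs where suspect withdrawals from >= min_cards cards fall in one window."""
    by_atm = defaultdict(list)
    for ts, card, _pos, atm, amount in hits:
        by_atm[atm].append((ts, card, amount))
    flagged = {}
    for atm, events in by_atm.items():
        for start, _, _ in events:
            inside = [e for e in events if start <= e[0] <= start + window]
            if len({c for _, c, _ in inside}) >= min_cards:
                flagged[atm] = sum(a for _, _, a in inside)  # total cash in window
                break
    return flagged
```

On the constructed records, three cards are flagged and a single ATM accounts for all of the suspect cash; the card whose ATM withdrawal comes 85 minutes after its PoS read is not flagged.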

The security firm has not provided too many technical details on the attack to prevent abuse and claims to have informed affected vendors – which have not been named – about the method they leveraged.

Hecker will be presenting on attacks against Kelly and Top Drive oil rigs at SecurityWeek’s 2016 ICS Cyber Security Conference in Atlanta in October.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
