Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Fraud & Identity Theft

New ATM Hacking Method Uses Stolen EMV Card Data

Black Hat USA 2016 – Researchers have demonstrated how fraudsters can make ATMs spit out tens of thousands of dollars in cash in just a few minutes by using data stolen from EMV cards.

Black Hat USA 2016 – Researchers have demonstrated how fraudsters can make ATMs spit out tens of thousands of dollars in cash in just a few minutes by using data stolen from EMV cards.

EMV (Europay, MasterCard and Visa) cards, also known as chip-and-PIN cards, are considered more secure than the classic magnetic stripe payment cards and they have been used in Europe for several years. The U.S. has also started implementing the technology following a significant increase in fraud attempts.

However, Rapid7 researchers demonstrated at the Black Hat conference in Las Vegas that even EMV cards and next generation secure ATMs are vulnerable to sophisticated attacks.

In the case of magnetic stripe cards, stealing money from accounts is a straightforward operation. Fraudsters can obtain card data by hacking into point-of-sale (PoS) systems, by installing skimmers on ATMs, or by purchasing it from cybercrime marketplaces. The data is then encoded onto blank cards that can be used to make purchases or withdraw money from cash machines. The data is valid until the issuer cancels the payment card – which could take a long time considering that some data breaches are discovered only after many months.

In the case of EMV cards, important pieces of information from the card are dynamic and they are only valid for a very short period of time (e.g. up to one minute). This means that even if they manage to steal data from an EMV card, fraudsters have a very limited window in which they can use it to make a profit.

Massive fraud cases involving EMV cards are not unheard of. In 2011, a criminal ring stole $680,000 after creating special payment cards that tricked ATMs into thinking that the correct PIN was entered even though it was not.

Over the past year, Rapid7 researcher Weston Hecker has been analyzing the security features in next generation ATM systems and how they process EMV cards. Based on his research, the expert has managed to build a device that can be used to get an ATM to spit out cash from the accounts of EMV cardholders.

Hecker believes that EMV card data will be increasingly sold on underground markets, but the sellers will also have to provide transaction timeframes.

Advertisement. Scroll to continue reading.

The attack, which Hecker demonstrated on stage at Black Hat by making a nearly unmodified ATM spit out cash, involves a payment blockchain made up of several components. On one end of this chain, the criminal installs a skimming device – or a shimming device as they are called in the case of EMV cards – to capture the card data.

The shimmer is inserted into the card slot of a PoS systems so that it sits between the chip on the card and the card reader in order to intercept transaction data. The harvested data is remotely sent to another device, which researchers have dubbed “La-Cara.”

La-Cara, which costs roughly $2,000 to build, is placed on an ATM machine, with a special card that emulates an EMV card inserted into the card slot. The data stolen from the compromised PoS system is transmitted remotely and in real time to the La-Cara device, which feeds it to the targeted ATM, allowing the attackers to withdraw money from the victim’s card.

La Cara device components

Rapid7 researchers have determined that the method can be used to get the ATM to spit out between $20,000 and $50,000 in only 15 minutes.

The security firm has not provided too many technical details on the attack to prevent abuse and claims to have informed affected vendors – which have not been named – about the method they leveraged.

Hecker will be presenting on attacks against Kelly and Top Drive oil rigs at SecurityWeek’s 2016 ICS Cyber Security Conference in Atlanta in October.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Cybercrime

Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon

Cybercrime

A threat actor tracked as ‘Scattered Spider’ is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Cybercrime

While there are likely many different approaches, here are a few points that are important for enterprises to consider when evaluating bot solutions.