Security Experts:

Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

New ATM Hacking Method Uses Stolen EMV Card Data

Black Hat USA 2016 – Researchers have demonstrated how fraudsters can make ATMs spit out tens of thousands of dollars in cash in just a few minutes by using data stolen from EMV cards.

Black Hat USA 2016 – Researchers have demonstrated how fraudsters can make ATMs spit out tens of thousands of dollars in cash in just a few minutes by using data stolen from EMV cards.

EMV (Europay, MasterCard and Visa) cards, also known as chip-and-PIN cards, are considered more secure than the classic magnetic stripe payment cards and they have been used in Europe for several years. The U.S. has also started implementing the technology following a significant increase in fraud attempts.

However, Rapid7 researchers demonstrated at the Black Hat conference in Las Vegas that even EMV cards and next generation secure ATMs are vulnerable to sophisticated attacks.

In the case of magnetic stripe cards, stealing money from accounts is a straightforward operation. Fraudsters can obtain card data by hacking into point-of-sale (PoS) systems, by installing skimmers on ATMs, or by purchasing it from cybercrime marketplaces. The data is then encoded onto blank cards that can be used to make purchases or withdraw money from cash machines. The data is valid until the issuer cancels the payment card – which could take a long time considering that some data breaches are discovered only after many months.

In the case of EMV cards, important pieces of information from the card are dynamic and they are only valid for a very short period of time (e.g. up to one minute). This means that even if they manage to steal data from an EMV card, fraudsters have a very limited window in which they can use it to make a profit.

Massive fraud cases involving EMV cards are not unheard of. In 2011, a criminal ring stole $680,000 after creating special payment cards that tricked ATMs into thinking that the correct PIN was entered even though it was not.

Over the past year, Rapid7 researcher Weston Hecker has been analyzing the security features in next generation ATM systems and how they process EMV cards. Based on his research, the expert has managed to build a device that can be used to get an ATM to spit out cash from the accounts of EMV cardholders.

Hecker believes that EMV card data will be increasingly sold on underground markets, but the sellers will also have to provide transaction timeframes.

The attack, which Hecker demonstrated on stage at Black Hat by making a nearly unmodified ATM spit out cash, involves a payment blockchain made up of several components. On one end of this chain, the criminal installs a skimming device – or a shimming device as they are called in the case of EMV cards – to capture the card data.

The shimmer is inserted into the card slot of a PoS systems so that it sits between the chip on the card and the card reader in order to intercept transaction data. The harvested data is remotely sent to another device, which researchers have dubbed “La-Cara.”

La-Cara, which costs roughly $2,000 to build, is placed on an ATM machine, with a special card that emulates an EMV card inserted into the card slot. The data stolen from the compromised PoS system is transmitted remotely and in real time to the La-Cara device, which feeds it to the targeted ATM, allowing the attackers to withdraw money from the victim’s card.

La Cara device components

Rapid7 researchers have determined that the method can be used to get the ATM to spit out between $20,000 and $50,000 in only 15 minutes.

The security firm has not provided too many technical details on the attack to prevent abuse and claims to have informed affected vendors – which have not been named – about the method they leveraged.

Hecker will be presenting on attacks against Kelly and Top Drive oil rigs at SecurityWeek’s 2016 ICS Cyber Security Conference in Atlanta in October.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Spanish and US authorities have dismantled a cybercrime ring that defrauded victims of more than $5.3 million.


Australian authorities sentence Sydney man for using leaked data stolen from wireless carrier Optus to conduct SMS scams.

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...