Malware Hack on ATMs Gives Criminals Full Card Details

In Russia and Ukraine, criminals have found a way to make an ATM print out a list of every card recently used in the machine, including the start and expiry dates and the PIN entered with each card. The gangs then use this information to clone the cards.

Previously, the main ATM fraud was the fake fascia: an overlay fitted to the front of the machine containing a card reader to skim the card data and a pinhole camera to capture the customer's PIN. Banks have invested heavily in anti-skimming technology and can now detect such overlays and disable the ATM accordingly. The European ATM Security Team (EAST) estimates that ATM fraud grew by 11 percent in 2008, to 484 million Euro.

Because of this anti-skimming technology, criminals have had to find new ways to get hold of customer card details through ATMs.

So how does it work? The criminals have managed to get a roughly 50 KB piece of malware onto the ATMs, disguised as the Windows process lsass.exe. This is a good choice of name: lsass.exe (the Local Security Authority Subsystem Service) runs legitimately on every Windows system, where it handles user logon and authentication, so an extra copy does not stand out in a process list. Windows-based ATMs run the genuine lsass.exe too, so the name alone proves nothing; the tell is a second instance, or one whose executable is not %SystemRoot%\System32\lsass.exe, or whose parent process is not wininit.exe (winlogon.exe on Windows XP).
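
The three checks above (instance count, image path, parent process) are easy to automate. The following is an added example, not code from the original post or from the malware's authors: it runs the checks over a constructed process snapshot in a simple pid,ppid,name,path CSV (the column layout and the sample rows are assumptions; on a real box you would populate the CSV from tasklist, wmic or the Sysinternals tools).

```python
"""Flag lsass.exe impostors in a Windows process listing (added example)."""
import csv
import io
import ntpath

# Constructed sample snapshot, not real data. The second lsass.exe (pid 1932)
# is the impostor: wrong directory and spawned by explorer.exe. On Windows XP
# the genuine lsass.exe is a child of winlogon.exe; on Vista and later the
# parent is wininit.exe.
SAMPLE_PROCESSES = """pid,ppid,name,path
4,0,System,
624,4,smss.exe,C:\\WINDOWS\\system32\\smss.exe
688,624,csrss.exe,C:\\WINDOWS\\system32\\csrss.exe
712,624,winlogon.exe,C:\\WINDOWS\\system32\\winlogon.exe
756,712,services.exe,C:\\WINDOWS\\system32\\services.exe
768,712,lsass.exe,C:\\WINDOWS\\system32\\lsass.exe
1040,756,svchost.exe,C:\\WINDOWS\\system32\\svchost.exe
1500,1488,explorer.exe,C:\\WINDOWS\\explorer.exe
1932,1500,lsass.exe,C:\\WINDOWS\\lsass.exe
"""

GENUINE_PARENTS = {"wininit.exe", "winlogon.exe"}


def parse_snapshot(text):
    """Parse the pid,ppid,name,path CSV into a list of dicts with int pids."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "pid": int(row["pid"]),
            "ppid": int(row["ppid"]),
            "name": row["name"],
            "path": row["path"],
        })
    return rows


def find_lsass_anomalies(processes, system_root=r"C:\WINDOWS"):
    """Return {pid: [reason, ...]} for every lsass.exe that looks wrong.

    system_root is an assumption (XP-style default); pass the real
    %SystemRoot% of the machine being examined.
    """
    by_pid = {p["pid"]: p for p in processes}
    genuine_path = ntpath.join(system_root, "system32", "lsass.exe").lower()
    lsass = [p for p in processes if p["name"].lower() == "lsass.exe"]
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    # Check 1: exactly one lsass.exe should ever be running.
    if len(lsass) > 1:
        for p in lsass:
            flag(p["pid"], f"{len(lsass)} lsass.exe instances running (expected 1)")

    for p in lsass:
        # Check 2: the image must live in %SystemRoot%\system32.
        if p["path"].lower() != genuine_path:
            flag(p["pid"], f"image path {p['path']!r} is not {genuine_path!r}")
        # Check 3: the parent must be wininit.exe or winlogon.exe.
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<unknown>"
        if parent_name not in GENUINE_PARENTS:
            flag(p["pid"], f"parent is {parent_name}, expected wininit.exe or winlogon.exe")
    return findings


if __name__ == "__main__":
    for pid, reasons in find_lsass_anomalies(parse_snapshot(SAMPLE_PROCESSES)).items():
        for reason in reasons:
            print(f"pid {pid}: {reason}")
```

The genuine lsass.exe (pid 768) is flagged only by the instance-count check, which is expected whenever an impostor is present; the impostor (pid 1932) trips all three. A cleaner signal on a live machine is the image path, since the malware cannot overwrite the real lsass.exe without breaking logon.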

Once an ATM is infected, the malware reads every card inserted into the machine and writes the account number, start date, expiry date, three-digit security code and the PIN that was entered to the hard drive. The PIN is encrypted before it is sent to the bank, but the malware captures it before that encryption takes place. (On an ATM whose PIN pad encrypts the PIN inside the keypad hardware, the ATM's PC never sees the clear PIN; that is what the closing paragraph's point about PIN encryption at entry comes down to.)
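
What the malware harvests from the card reader is the magnetic-stripe Track 2 data, and that same structure is what an incident responder would hunt for on a seized ATM hard drive. The following is an added example, not code from the original post or from the malware: it scans a byte buffer for Track 2 records (ISO/IEC 7813 layout: ';' start sentinel, PAN, '=', YYMM expiry, three-digit service code, discretionary data, '?' end sentinel) and keeps only those whose PAN passes the Luhn check, which filters out random digit runs. The sample buffer is constructed and uses well-known test card numbers; the century prefix on the expiry is an assumption.

```python
"""Hunt for Track 2 card data in a captured file or disk image (added example)."""
import re
import sys

# ';' PAN(12-19 digits) '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample: binary noise around two valid records and one
# record whose PAN fails the Luhn check (corrupted or a decoy).
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00junk junk\x00"
    b";4111111111111111=1112101123456789?"
    b"\x00\x00more noise 1234567890123456\x00"
    b";4111111111111112=1003101000000000?"
    b"\x00\xff\xff"
    b";5500000000000004=1201120000000000?"
)


def luhn_ok(pan):
    """ISO/IEC 7812 Luhn check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, as on a receipt."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(data):
    """Return a list of dicts, one per Luhn-valid Track 2 record in data."""
    hits = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        yymm = m.group(2).decode("ascii")
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            # Two-digit year; assuming the 2000s is an assumption of this example.
            "expiry": f"20{yymm[:2]}-{yymm[2:]}",
            "service_code": m.group(3).decode("ascii"),
        })
    return hits


if __name__ == "__main__":
    # Usage: python track2_hunt.py [file-or-image]; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for hit in find_track2(data):
        print(f"offset {hit['offset']:#x}: {hit['pan_masked']} "
              f"exp {hit['expiry']} svc {hit['service_code']}")
```

Only the masked PAN is printed, because a triage script that writes full card numbers to a log or a ticket creates a second copy of exactly the data being investigated. If the malware stores its captures encrypted, as the page says the printout is, this scan will find nothing until the file is decrypted; a sudden appearance of a growing file under a system directory is then the more useful lead.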

To retrieve the data, the criminal inserts a 'trigger' card. The malware recognises this card and opens a window on the ATM's screen with non-standard options, one of which prints all the captured card data on the ATM's receipt printer. The printout is itself encrypted, so low-level accomplices can be sent to collect it without any risk that they could use the data themselves.

The hardest part of the operation is getting the malware onto the ATM in the first place. The criminals need an insider to do this, and it is believed they get one either by coercing shop or bank staff, through bribes or threats, or by using an ATM engineer. Once they have physical access to the ATM's PC, installing the malware is said to be fairly easy.

At the moment the malware is standalone: it only affects the ATM it is installed on. Now that the proof of concept works, and works well, it is likely that the criminals will extend the malware with network functionality, which could let it spread across a bank's entire ATM estate over the closed network the banking system already uses.

At present, chip-and-PIN cards are also immune, because the ATM encrypts the user's PIN as it is entered. It is believed, however, to be only a matter of time before the criminals either find a way to defeat that encryption or find a way around the encrypted PIN.
