Previously, the big ATM fraud was to use a fake ATM fascia. This fascia would contain a card reader to skim the card details, and a pinhole camera to capture the user’s PIN. Banks have invested heavily in anti-skimming technology and can now detect fake overlays and disable the ATM accordingly. In 2008, it is estimated by the European ATM Security Team (EAST) that ATM fraud grew by 11 percent to 484 million Euro.

Because of this new technology, criminals have had to find new ways to get hold of customer debit card details through ATMs.

So how does it work? The criminals have managed to get a 50kb piece of malware disguised as a Windows process called lsass.exe into the ATMs. This is an excellent choice of name as a PC will legitimately have lsass.exe running on their systems. Lsass.exe helps cache session data so users don’t have to do things such as re-enter their passwords every time an e-mail comes in. However it has no use in an ATM machine.

Once an ATM machine is infected, the malware reads any card which is inserted into the machine and records the account number, start date, expiry date, three digit security code and PIN entered onto the hard drive. PIN data is encrypted before it is sent to the bank, however the malware catches the data before it has been encrypted.

To gain access to the data, the criminal needs to insert a ‘trigger’ card. Once this trigger card is inserted, the malware recognises the card and launches a window on the ATM’s screen with non-standard options. One of these options uses the receipt printer on the ATM to print out all the card data captured. This data is encrypted itself so low-level lackeys can be sent to grab the data without the worry that they will be able to use the data themselves.

The most difficult part of this process is getting the malware onto the ATM in the first place. The criminals must have an insider accomplice to achieve this – and it is believed this is either by coercing shop or bank workers, through bribes or threats, or by using an insider ATM engineer. Once the criminals have access to the ATM itself, installing the malware is said to be fairly easy.

At the moment, the malware is standalone – that is, the malware only affects the ATM is it installed onto. However it is likely that now the proof-of-concept works – and works well – criminals may extend the functionality of the malware to give it network access. And this means that the malware may be able to spread across the banks’ entire networks of ATMs relatively easily by utilising the closed network already in used by the banking system.

At present, chip-and-PIN cards are also immune to the problem as the ATM encrypts the user’s PIN as it is entered, however it is believed that it is only a matter of time before the criminals either work out how to decrypt this encryption, or work out a way around the encrypted PIN.

1. Some moolah for ya sky rocket? – Cockney ATMs Londoners have a new ATM to contend with – a...
2. Chip and Pin – the lowdown The chances are if you have any debit or credit...
3. A map for the credit card maze The Office of Fair Trading (OFT) has stepped in an...

MoneyTowers.com takes a look at the different mobile phone banking services on offer and explains how much risk is associated with each one.

Text Services
Many banks offer text services – sometimes free, sometimes with a small monthly fee. This mobile banking service sends out SMS alerts to a mobile phone – for example some might send a weekly update of the your bank balance, or will send you an alert when you are getting close to your maximum overdraft limit, or maybe will send an SMS whenever a large payment is made from your bank account.

This mobile banking service is pretty much risk-free as no bank account data is stored on the phone and there is little anyone can do if your mobile is lost or stolen.

Money Transfers
Some banks allow their customers to make basic transactions in their bank account from their mobile phones. For example customers may be able to transfer money between accounts held at the bank, view their current balance and view a mini-statement. Some banks charge for this service, whilst with others, the service comes as part of the bank account package.

More often than not, this service is built on software by Monilink, a company which is half-owned by the banking industry. Several layers of security have been built into the system including a check on the mobile phone that is being used and a passcode must be entered before the customer is logged in. This ensures that if the phone is stolen, the thief is unable to log into the user’s account (unless they also have the passcode).

Similar to your debit and credit cards, never write your passcode down and especially don’t carry it around with you. Never put the passcode into your mobile phone because if your phone does get stolen, thieves may be able to get into your bank account.

However, depending on the services available to you, even if a thief does get into your account, the damage they can do may be minimal. If your mobile banking service is restricted to things such as viewing your balance and viewing a mini-statement, there is little harm that can be done here.

Wifi
Many mobile phones now come with wi-fi. Wi-fi allows users to connect to the internet through ‘hotspots’. There are normally plenty of hotspots in an around town and many are provided by coffee shops, pubs and railway stations.

This is probably the most risk and insecure of the three mobile banking options as mobile phones are open to the same risks that a computer user would be open to when using the hotspot, for example virus attacks and man-in-the-middle attacks.

At the moment, there are few viruses for phones however there is an increase in the number of attacks aimed at phones so users are advised to get anti-virus software for their phone if they are planning to use the phone’s Wi-fi capabilities.

1. Make Money from your old Mobile Phone Aside from eBay, there is a rapidly growing market for...
2. Controversy Over New Banking Act Proposals Officials have confirmed that Chancellor Alistair Darling is planning to...
3. Ten ways to help keep your identity safe Six million people in the UK have already had their...