New Sophisticated ATM Attack Could Be Coming To A POS Near You

Written by Evan Schuman
June 18th, 2009

In the history of data breaches, attacks are often first tried on bank ATM machines (because that’s where the money is and the units are often outside 24×7) before migrating down to retail POS. But if the ATM assaults work well, don’t think they won’t migrate. Mention this because of a fiendishly clever series of ATM attacks in Russia and the Ukraine where cyberthieves “insert customized cards into the machine in order to retrieve encrypted PIN and magnetic stripe data,” according to payment newsletter The Nilson Report.

“Once the malware had been installed into the ATM’s transaction-processing application, it was able to respond to cards designed to trigger the appearance of a screen menu listing illicit actions,” the newsletter reported. “These included the ability to write the stolen data onto the trigger card’s magnetic stripe or to print it as hard copy, in an encrypted format, from the receipt printer. A multifunction card also had the ability to eject cash cassettes loaded from the front of the machine.” Imagine what such a breach could do with a retail chain’s full payment and POS databases?


One Comment | Read New Sophisticated ATM Attack Could Be Coming To A POS Near You

  1. A reader Says:

    The way this story is worded makes it sound much worse than it really is. The “customized card” did not attack the ATM. It did not install the malware. And the card certainly did not have some magical ability to eject cash cassettes or print track data – those were all functions of the malware, and were only triggered by the presence of the card. The malware was installed earlier.

    The purpose of the custom cards was to give them to “mules”, low-level criminals whose job is to do the risky work of actually appearing in front of the cameras and dumping the mag stripe data. The mules likely know nothing except that they’ll be paid for following instructions and giving the printed receipts to some other guy, probably waiting in a nearby car. This is the same M.O. that we see used by professional boosters.

    The criminal even encrypted the track data printed on the receipts so that the mules wouldn’t be able to steal them!

    The real question is why the criminal would go to all this trouble if he had network access to the equipment in the first place? If he could hack the machine on-line and install his malware remotely, he wouldn’t have to send a mule to recover the track data – he’d just connect to the machine at a later time and dump it. To me, this implies he never had network access to the ATMs, so he developed the software to be physically installed by an accomplice, either working for the bank or working for an ATM maintenance company.

    On its face, this seems an unlikely threat to a PCI compliant retailer’s POS systems. I have to believe most past instances of retail card theft took place on-line; the vast bulk of stolen data was certainly retrieved via networks. However, with retailers following PCI advice to segment and isolate their POS systems, the equipment becomes less vulnerable to network attacks. Physical Trojan horse attacks (such as this type of malware loaded onto a USB key and surreptitiously plugged into the back of an unattended POS register, or installed by an insider, and later triggered by a special credit card) might become a novel attack vector. But for some reason I doubt that we will see it as a generic widespread attack.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.