In the latest twist in hacking ATMs, hackers in Russia and Ukraine are using ATMs to obtain all the details necessary to clone a card and use it in criminal activity.
It allows a gang member to walk up to an ATM, insert a “trigger” card, and use the machine’s receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates – and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts. In some cases, the malicious software even allows the criminal to eject the machine’s banknote storage cassette into the street.
Once installed, the malware implements a “card data harvesting” routine, SpiderLabs said in an alert to banks issued at the end of May. When a customer inserts their card, the malware records to hard disc its account number, start date, expiry date and three-digit security code, as well as the PIN entered.
“That PIN data gets encrypted when it is transmitted through to the bank,” explains Henwood, “but inside the machine it’s in the clear. So this little bugger just sits there stealing all the card data.”
The hardest bit for the criminals is installing the malware in the first place, as it requires physical access to the machine. That most likely means an inside job within a bank, or using bribes or threats to encourage shop staff to provide access to a standalone ATM in a shop or mall.
SpiderLabs’ analysts studied lsass.exe malware on 20 ATMs. They found multiple variants, and warn that it is almost certainly programmed to evolve further. One big concern is that it will become network capable – able to spread from machine to machine over the closed networks used by banks.
They need to move fast; SpiderLabs expects the technology to spread from eastern Europe to the US and Asia. European countries using chip-and-PIN cards will initially be immune because these ATMs encrypt PINs as they are typed, but it probably won’t take hackers long to get around this too.
The biggest problem is that ATMs should not be using any type of OS at all. All that’s required for an ATM is a microcontroller and a small amount of RAM (a few K is enough). Furthermore, the fact that these “professionals” were astonished that lsass.exe can be used for nefarious reasons proves they haven’t a clue about malware and virii that have been using this for at least ten years.
The fact is, this was an inside job, so do a proper investigation and solve the problem. You also know what the malware is, so scan that and clean out the problem.