New ATM Hack Allows Crooks to Steal Money From Chip-and-Pin Cards
The claim that Chip-and-PIN cards are as susceptible to cloning as magnetic stripe cards raises concerns about the perceived security of EMV (Europay, MasterCard, and Visa) chip-equipped cards.
Despite the common belief that these cards provide an extra layer of security, researchers at the Black Hat USA 2016 conference in Las Vegas demonstrated a chip-and-PIN hack that allowed them to withdraw up to $50,000 in cash from an ATM in the U.S. in under 15 minutes.
The security engineers from Rapid7 showcased how simple modifications to equipment could potentially bypass Chip-and-PIN protections, enabling unauthorized transactions. This revelation challenges the widely held notion that chip-equipped cards are more secure and harder to clone than their magnetic stripe counterparts.
The presentation, titled “Hacking Next-Gen ATMs: From Capture to Washout,” included a live demonstration in which the researchers manipulated the ATM to dispense hundreds of dollars in cash. The implications of such vulnerabilities in the supposedly secure Chip-and-PIN technology raise questions about the overall effectiveness of these security measures.
It’s important to note that this information was reported in the context of a security conference, and the goal is often to highlight potential vulnerabilities to encourage improvements in security protocols. Financial institutions and card issuers continually work to enhance security measures, and advancements are made to address potential weaknesses as they arise.
How the Hack Works
The reported hack against Chip-and-PIN cards is a two-step process. First, the attackers use a small device known as a Shimmer, which is added to a point-of-sale (POS) machine or an ATM’s card reader. This device enables a man-in-the-middle (MITM) attack against the ATM.
The Shimmer is positioned between the victim’s chip and the card reader in the ATM, capturing data from the chip, including the PIN, as the ATM reads it. The stolen data is then transmitted to the criminals. Subsequently, the attackers use a smartphone to download the stolen data and recreate the victim’s card. The manipulated card is then inserted into an ATM, with instructions to continuously eject cash.
Tod Beardsley, a security research manager for Rapid7, described the Shimmer as a tiny, Raspberry Pi-powered device that can be quickly installed on the exterior of the ATM without requiring access to the internal components of the machine. This method allows criminals to surreptitiously capture card data and PINs during legitimate transactions, facilitating unauthorized access to the victim’s funds.
It’s essential for financial institutions, card issuers, and ATM manufacturers to be aware of these potential vulnerabilities and work proactively to enhance security measures to protect users from such sophisticated attacks.
The hack, which uses Shimmer devices to compromise Chip-and-PIN ATMs, is time-limited. The perpetrators can replicate each card only for a brief duration, typically a few minutes, during which they can fraudulently withdraw money.
This time constraint limits the potential financial gain for each compromised card to a maximum of $50,000. However, security researchers, including Tod Beardsley from Rapid7, suggest that a network of hacked Chip-and-PIN machines could create a continuous and substantial stream of victims.
The researchers have responsibly disclosed the full details of the issue to banks and major ATM manufacturers. The hope is that these institutions, which are currently unnamed, are actively examining and addressing the identified vulnerabilities to enhance the security of Chip-and-PIN ATMs.
Timely collaboration between researchers, financial institutions, and manufacturers is crucial to stay ahead of potential threats and protect users from unauthorized access and financial losses.