Your Debit Card Chip and PIN Won’t Save You From This ATM Scam

Do you remember how your bank issued you a new debit or credit card with a built-in, security-enhancing chip? There are now ATMs specially designed for use with these chips. Unfortunately, the same technology that was originally meant to secure your finances can also be used against you in the form of fraudulent cash withdrawals.

At the Black Hat conference in Las Vegas, Weston Hecker, a senior security consultant at Rapid7, demonstrated the attack in detail. It’s believed that this method can allow someone to steal up to $50,000 out of a single ATM in under 15 minutes. In the past, hackers could exploit ATMs running older operating systems, like Windows XP, but this is a different problem altogether. These aren’t vulnerabilities that are the result of being out of date; in fact, these systems are brand new, and shouldn’t contain these problems at all.

The exploit uses a $2,000 kit to install a device into the terminal itself, and allows the user to reap immense gains for their investment. The device must be placed in the card slot, right where the ATM user’s card chip would be. The device then steals the chip’s data, including the PIN, and transfers it to the criminal, who could be several hundred miles away from the site of the hack. They can then download this data and use the card details to withdraw cash from any ATM system.

The hacker can use this data to constantly withdraw funds from an ATM, amounting to a major loss for the victim. Of course, hackers still have to find an inconspicuous or unattended machine to steal from, or locate one which is remote enough that nobody would know or care about what they’re doing. Either way, this exploit allows hackers to steal a significant amount of money without much effort.

With any method, there are drawbacks that can keep the hacker from making the most out of their acquisitions. For example, a hacker has a limited window to exploit the credentials they’ve obtained. Once the user catches on and reports the suspicious activity, the hacker’s fun will come to an end. Additionally, most ATMs are monitored through either internal security cameras, or external hidden cameras that are positioned all around the terminal.

In spite of these challenges, hackers could very well take advantage of this vulnerability. Rapid7 has fully disclosed the details of the vulnerability to the manufacturers, but hasn’t made the details public out of fear that this information could put more people at risk. Basically, Rapid7 wants to give the manufacturers an opportunity to one-up the hackers before they find a way around this fix, too.

Even if you don’t suspect that a hacker has made off with your credit card credentials, it’s still a best practice to monitor your bank statements for consistency, and to ensure that no suspicious activity is targeting them. It’s also good to know that your bank will never contact you via email or phone number asking you to change your PIN or confirm other credentials. Some hackers may try to get you to hand over credentials through phishing scams, which are specifically designed to harvest your sensitive information and use it against you.

Bonus tip: don’t input credentials into unsecured websites. Any website that wants your credit card number, security code, or otherwise, should be protected by encryption to hide your information from hackers. You should be mindful of where you plug in any sensitive information on the Internet, as some websites might look legitimate, but be designed to steal your data.

For more information about how to keep your financial records secure, reach out to L7 Solutions at (954) 573-1300.