ATM Malware Attacks Rise in Europe
Criminals Often Use Stolen Card Data for Fraud in U.S.
Criminals have begun targeting ATMs in Western Europe using malware, as well as a new generation of smaller, stealthier and more long-lived skimmers designed to capture card data and PIN codes, according to a new report.
Four European countries have reported seeing ATM malware attacks for the first time, according to the European Fraud Update, which was released this month by the European ATM Security Team. While none of those four countries were named, three reportedly have significant numbers of ATMs. The report draws on information from 19 EU countries, as well as Canada, Russia and the Ukraine.
Multiple types of malware have been seen. "Some of these were ATM 'cash out' attacks, also known as 'jackpotting,' and some were directed at the internal compromise of card and PIN data," the EAST report notes. "Such attacks are new to Western Europe, although they have been seen [before] in parts of Eastern Europe and Latin America."
The danger with ATM malware is that it's tough to spot. "The guys who blow up safes or pull up in a pickup truck and throw the ATM in the back? Those are the amateurs," says Mike Park, managing consultant at Trustwave. "The real danger is in the more sophisticated attacks, where someone has penetrated your ATM, and you don't know it." These malware infections could persist for months or years before being detected.
Would-be hackers of ATMs - or any other type of payment device, for example at gas stations or inside retail stores - have plenty of bugs they can exploit to seize control of devices. "There are just a boatload of software vulnerabilities that are just waiting to be exploited on these types of systems, and it's just a matter of people figuring out what they are," says Kevin Finisterre, a senior research consultant with Accuvant.
Skimmers: Lighter, Stealthier
To date, however, many ATM attackers haven't yet gone the malware route. Of the 22 countries that contributed data to the EAST report, 19 say they're still seeing physical devices - known as card skimmers - being installed on ATMs and other devices to steal card data. These skimmers are growing smaller, better camouflaged and left in place for longer periods of time.
European ATM operators have also found a "new form of mini-skimmer" for capturing card data that's being paired with a "new style of video camera," which watches the PIN code entered by a customer - provided they haven't shielded the PIN pad, according to the report. Some video cameras are mounted above the PIN pad, while others are placed inside fake fascia, fitted over the shutter for dispensing cash. More translucent mini-skimmers have been found, as well as new versions of "insert skimmers," which get jammed inside an ATM "card reader throat." Some attackers also cut holes in the ATM fascia and hide skimmers inside the device.
"The major thing is they're getting smaller, but [attackers are] also working to embed them inside the system more," says Matthew Jakubowski, a senior security consultant at Trustwave SpiderLabs, who's reverse-engineered numerous ATM and point-of-sale skimmers. "With some gas pumps and ATMs they're also able to install them in the device so that you don't even see them - it's inside." That approach prevents eagle-eyed consumers from spotting the device and then ripping it off or alerting authorities, who may lie in wait for the attacker to return. Likewise, some skimming devices have Bluetooth built in, so attackers can remotely - from a short distance away - download stolen data.
But returning to anywhere near the scene of the crime still poses risks for skimmer operators. "The physical-access angle is it's a really big opportunity to get caught while you're putting it in, or while you're going back to collect your stuff. On the miniaturization end, there's no benefit to be gained if you still have to go and install it," says Accuvant's Finisterre. "That's an old-school style of skimming," and why he thinks malware attacks are set to spike.
Criminals continue to employ even more low-tech approaches to stealing cash, with 12 countries reporting cash-claw attacks, which involve using a prepaid card to open the cash-dispensing shutter, and then jamming a metal device inside that gives attackers access to the ATM's safe. Some attackers also physically capture users' cards, using a razor-edged spring trap that stores the card behind a fake card-insert face plate. One such attack was combined with an old iPod Nano, which was used to record the PIN data for the card, according to the report.
Other criminals employ "ram raids" - literally ramming a heavy object, such as a car, through a wall to access the back of an ATM. One-third of countries also saw attacks involving pumping explosive gas - such as a combination of acetylene and oxygen - into the ATM. "The safe is where all the security precautions on ATMs have been for years - protect the money, protect the money, protect the money - and so they fill the safe with gas and blow it open," says Trustwave's Park.
Beyond ATMs, attackers continue to target payment terminals, for example at retailers. One country also reported seeing "ghost terminals," which are real point-of-sale terminals that have been stolen and rebuilt by attackers. Almost half of the European countries also saw skimmers installed at gas stations, while others reported seeing skimmers attached to railway ticket machines, parking meters and even car washes' payment terminals.
Fraud Leaves Europe
Once attackers steal card data, European card issuers say most resulting fraud occurs outside of Europe. According to the EAST report, 83 percent of European payment providers have seen resulting fraud in the United States, followed by Thailand, Indonesia, the Dominican Republic, Cambodia and Brazil (See How Fraudsters Conceal ATM Fraud).
[Figure: European ATM Skimming: Where Fraud Results. Source: EAST (June 2014)]
To stem these types of attacks, card issuers continue to improve their fraud-monitoring and detection capabilities. In 12 European countries, some card issuers now also use the cross-border fraud countermeasure known as "geo-blocking," which blocks the card data from being used in countries, such as the United States, that don't fully comply with the EMV standard.
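To show what an issuer-side geo-blocking rule looks like in practice, here is an added example (not code from the report or any issuer) of an authorization check that declines transactions from countries the issuer does not consider fully EMV-compliant. The compliant-country set, the per-card travel exemption and the refinement that chip-verified transactions pass while magnetic-stripe ones are blocked are assumptions for illustration, not details from the article.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed, illustrative list of countries the issuer treats as fully
# EMV-compliant. A real issuer maintains this from card-scheme data.
EMV_COMPLIANT = {"DE", "FR", "GB", "NL", "ES", "IT", "CA"}


@dataclass
class Card:
    pan_token: str                 # tokenised card reference, never the raw PAN
    home_country: str              # ISO 3166-1 alpha-2 of the issuing country
    travel_countries: set[str] = field(default_factory=set)  # hypothetical opt-in


@dataclass
class AuthRequest:
    card: Card
    terminal_country: str
    entry_mode: str                # "chip" or "magstripe"
    amount: float


def geo_block_decision(req: AuthRequest) -> tuple[str, str]:
    """Return (decision, reason) for one authorization request.

    Skimmed data yields magnetic-stripe clones, so the rule targets magstripe
    use in non-EMV countries and lets chip-verified transactions through.
    """
    country = req.terminal_country
    if country == req.card.home_country or country in EMV_COMPLIANT:
        return "approve", "emv-region"
    if req.entry_mode == "chip":
        return "approve", "chip-verified"
    if country in req.card.travel_countries:
        return "approve", "travel-exemption"
    return "decline", f"geo-block:{country}"


def run_sample() -> dict[str, int]:
    """Process a constructed batch of requests and count decisions."""
    eu_card = Card("tok-0001", "DE")
    traveller = Card("tok-0002", "FR", {"US"})
    batch = [
        AuthRequest(eu_card, "DE", "chip", 40.0),        # domestic, approved
        AuthRequest(eu_card, "US", "magstripe", 300.0),  # cloned-card pattern, declined
        AuthRequest(eu_card, "TH", "chip", 25.0),        # chip present, approved
        AuthRequest(traveller, "US", "magstripe", 80.0), # travel exemption, approved
    ]
    counts: dict[str, int] = {"approve": 0, "decline": 0}
    for req in batch:
        decision, _ = geo_block_decision(req)
        counts[decision] += 1
    return counts
```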