This week at Black Hat, a prominent hacker and security conference, a team of engineers showed how a Man-in-the-Middle (MitM) attack could succeed at compromising an ATM. The attack requires a shim to be on the ATM, which reads a victim’s card during a legitimate transaction and then duplicates the authentication a short time later for the cybercriminals. This allows them to withdraw cash from the victim’s accounts.
The research paper “Breaking Payment Points of Interaction” is available.
Shimmers (sometimes referred to as skimmers) for the legacy types of cards have become popular for credit and debit card fraud. Security researchers are finding them at all sorts of locations, including ATMs, gas stations, and retail registers. It would take just an upgrade to these shimmers to enable chip-and-PIN cards to be targeted.
Here is a video of a researcher finding a skimmer in Vienna:
The EMV (Europay, MasterCard and Visa) chip-equipped cards are a standard in Europe and are rolling out in the US. The transition is expensive, as retailers must replace their current card scanners with ones that can leverage the embedded chip on the customer’s credit or debit card. The main reason is to improve security and reduce fraud. Some companies are not happy about the push. Home Depot filed a lawsuit claiming antitrust violations against Visa and MasterCard this year. Home Depot states the new chip-based cards are not secure enough and should require the customer to enter a PIN.
These new vulnerabilities discovered by researchers reveal that banks and retailers can’t expect all their fraud problems to disappear just because they upgrade to the newer EMV standard. Criminals are motivated and will work to find a way, and cybersecurity professionals must continue to counter their new tactics.