Easy Access Fuels ATM AttacksATM 'Eavesdropping' Alert Highlights New Risks
Global ATM manufacturer NCR Corp. issued an alert this week about card reader eavesdropping attacks, which were first identified in Europe last year and are now spreading, potentially posing a risk in the U.S.
These attacks involve accessing or opening the top of an ATM's enclosure, where the card reader is housed, and attaching a so-called wiretapping or eavesdropping device to the reader. The attackers' device captures card data as it is transmitted from the card reader to the ATM.
If merchants, or other off-premises ATM deployers, fail to change default keys or codes, they're leaving themselves open to attack.
Earlier attacks, which were targeting through-the-wall ATMs typically installed right outside a bank branch, involved drilling a hole or cutting into the ATM's enclosure to insert and attach the device to the card reader.
Now, however, NCR says fraudsters have changed their technique by targeting stand-alone, lobby-style ATMs, which are commonly placed in retail locations, and opening ATM enclosures either by picking the physical locks or opening the machines with commonly used electronic access keys or codes.
It's far too common for banks to continue to use the default electronic access keys or codes programmed by the original equipment manufacturer before ATMs are shipped out. And these codes often are universal, such as 1234, especially for certain makes and models.
Thus, if banks and merchants don't change these codes when they install and deploy their ATMs, they leave themselves open to easy attack, because criminals can readily find these default codes on the Internet, in underground forums or even product or repair forums.
NCR says that its Personas ATM line, which is often deployed in merchant locations or vestibules, is the primary target for these latest attacks.
"We sent out the first alert in September, when the access point was through drilling a hole in the fascia or the side of the ATM," says Owen Wild, global marketing director of security and compliance at NCR. "Now we see the attack being done in a different way, with keys to open the top of the box. And there has been regional expansion."
The first attacks in September 2014 cropped up in the United Arab Emirates and then Europe. Today, they've been reported in numerous markets, Wild says. And the company issued a global alert because it expects the attacks to spread.
Lachlan Gunn, executive director of the European ATM Security Team, says eavesdropping attacks waged against NCR ATMs have been common in Europe for the last year. "EAST put out our first related alert in September 2014, and several countries have reported the M.O. [modus operandi] since," he says.
Eavesdropping involves the interception of card data while it's in transit, not skimming data from a magnetic-stripe as the card is inserted into the ATM.
That makes these attacks tricky to detect and thwart, because it bypasses anti-skimming technology ATM manufacturers have for years pushed out to the market, Wild says.
But some anti-skimming solutions that alert banks or merchants when ATM enclosures are opened would at least raise a flag that something is amiss.
Still, eavesdropping attacks are just another example of how fraudsters are constantly perfecting their techniques. "There is never going to be a single solution that stops everything," Wild says.
Weak Access Security
Although this latest eavesdropping technique appears to have emerged less than a year ago, attackers have been taking advantage of weak device access security in other ways for years (see ATM Access: Getting in is Too Easy).
Hackers have exploited similar device access weaknesses in recent remote-access attacks waged against point-of-sale devices at retailers, too (see Breach Exposes POS Vulnerabilities).
Fraudsters' can easily acquire manufacturer-issued default keys or access codes, by accessing them online or by getting them from technicians who routinely work on ATMs and/or POS devices. If merchants, or other off-premises ATM deployers, fail to change these default keys or codes, they're leaving themselves open to attack.
Wild says NCR is now working to enhance ATM access security by offering stronger, pick-resistant physical locks for all NCR ATMs, as well as integrating cryptographic and biometric authentication into all of its electronic locks, so that access codes and electronic keys alone are not enough to open an enclosure.
But deployers have to take some responsibility here, too.
Keys and codes used to access ATMs, gas pumps and even POS devices have to be unique, and changed on a fairly regular basis.
I hear from merchants and banks all the time that changing keys and codes creates new challenges. But it's a step that has to be taken. If not, fraudsters will keep finding easy ways in.