Warning on new kind of ATM attack

Why you may want to check the cables before you use an ATM.

If you want to eat at one of Portland, Oregon’s famous food carts, you may want to bring cash. Many carts take credit cards, but some do not, leaving you to withdraw money from a sometimes sleazy-looking stand-alone ATM nearby that charges $5 or more in fees.

But the fees are not the problem, according to Krebs on Security. Instead, it’s a new kind of ATM attack, where crooks install a device on the cable connecting the ATM to the outside world.

ATM maker NCR put out a security alert, Krebs on Security reported, saying, “These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN.”

NCR said criminals are using a fake keyboard that they put on top of the real keyboard to get your PIN, or using a camera to record your PIN as you enter it, according to the article.

“If something doesn’t look right about an ATM, don’t use it and move on to the next one,” Krebs on Security said. “It’s not worth the hassle and risk associated with having your checking account emptied of cash.”

More help for you

Stand-alone ATMs are targets, security experts say. These are the machines you see at gas stations, in hotels, at stores. And you may want to stay far away.

“The physical security of the devices [ATMs] is amazing, though not perfect,” said Patrick Coyle with Chemical Facility Security News. “But there has to be some way for them to communicate with the bank. If the machine is located in a bank, then that communication is probably pretty secure. Outside of a bank, you take your chances.”

“I learned a long time ago not to use stand-alone ATMs,” he added. “There are no guarantees with those machines. If someone can get physical access to the machine then they can break in and get the machine to do whatever they want.”

“The take-away message is to avoid stand-alone machines if at all possible,” said Patrick C. Miller with Archer Security Group. “Add this to the reasons you are leery of using them.”

Why so vulnerable?

The non-bank ATMs are not well-monitored or inspected, said fraud analyst Shirley Inscoe with consulting firm Aite in BankInfoSecurity, and they often do not have protections like anti-skimming devices or software.

“ATMs in gas stations or other retail locations may be tampered with, without people paying much attention,” Inscoe said in the article.

“Unfortunately, many gas stations and retailers look at these ATMs purely as a source of income and fail to recognize the security issues,” she said. “Often, they don’t realize the level of sophistication fraudsters employ in matching the skimming devices (color, material, etc.) to the ATM surround/enclosure.”

There are other problems: people from many different banks use the stand-alone ATMs, making it harder for banks to detect a crime there. Location is another.

“Sometimes the off-premises machines are placed in woefully dark or remote locations within a property,” said John Buzzard with FIS Global in the article. “I have been in some luxurious hotel properties and discovered the ATM down a dark hallway or installed under a set of unused stairs. This can contribute to risk when the placement isn’t physically ideal.”

Take action

The ATM maker, NCR, recommended that ATM operators take action, ATM Marketplace reported.

They should “consider all points where card data may be accessible, in addition to the traditional point of vulnerability at the card entry bezel,” the post said.

They should “conduct frequent visual inspections of the ATMs and external connections, and contact law enforcement immediately to report a fraudulent device.”

“And, most effectively, implement secure encrypted network communications,” according to ATM Marketplace.

Not enough?

Some cybersecurity experts say physical inspections may not be successful.

“Unless you’re the person who installed the ATM—which is unlikely—most bar managers, gas station attendants and shop keepers wouldn’t know an inline skimming attack device from any other legitimate piece of communications equipment,” said Miller.

The solution may lie inside the ATM’s system.

“The fact that they could intercept card data over ethernet or phone connections tells me that they’re either using weak encryption or no encryption at all,” said Miller. “This shouldn’t even be an option for attack. Encryption should be required or the bank simply won’t communicate with the ATM.”

New deadline

Some companies that deal with payments by card may be lacking.

The Payment Card Industry Security Standards Council originally gave companies until June of this year to fix a “serious” security problem with an encryption protocol called SSL.

In December, the council extended the deadline by two years, until June 2018.

The council’s international director, Jeremy King, told BankInfoSecurity that the council underestimated the business impact of the change.

But, he said, companies should not wait to make the upgrades.

“What is absolutely clear is that this is not a signal to organizations to do nothing for two years,” King told eWEEK. “In fact, it is quite the opposite.”