Chip and PIN cards and readers are finally rolling out in the United States. Unlike traditional magnetic cards that use static information to make a transaction, these pieces of plastic, based on a standard by Europay, MasterCard and Visa (EMV), create a new key with each purchase. That should make purchases or withdrawals more secure since the information is only valid for 60 seconds. As it turns out, according to Weston Hecker, a researcher at security firm Rapid7, a lot can happen in that minute.
At last week’s Def Con security conference, Hecker demonstrated how an ATM machine or point-of-sale (POS) terminal can be used to intercept that one-time-use key and other information about the card. That data is then transmitted to another device (in this case another cash machine), which makes a second transaction, such as withdrawing money from your account.
It’s an ingenious proof of concept, but it requires that at least two devices be compromised. First, the target POS or ATM needs a piece of hardware installed that reads the card’s chip. This process is called “shimming.” (Doing the same hack with a magnetic card is called “skimming.”) Once the data has been captured, it’s transmitted to a legitimate ATM that’s been hijacked.
This payout cash machine would be outfitted with a system Hecker calls La-Cara. It tricks the ATM into believing the physical card is being dipped, then a robot hand enters the PIN. The machine withdraws the maximum amount allowed by the card and — for a while at least — the victim is none the wiser.
Of course an ATM with a robot hand would arouse suspicion. But Hecker realized that if you just put a facade and “out of order” sign on a machine, no one gives it a second look. In fact, there was a cash machine near his house with an “out of order” sign that sat undisturbed for days. When he called the bank, they were unaware the machine wasn’t working.
The big payout would be when shimmers are installed on multiple machines that all transmit to a single hijacked ATM. That hijacked machine will collect and dispense all the cash so whenever the thieves are ready to collect, they just roll up, grab the La-Cara system and cash, and leave. If that ATM is compromised, they just put the facade on another machine in another location and start collecting data (and cash) again.
Hecker spent a year analyzing ATM machines and banking systems to come up with this attack. While the thieves (also called “carders”) are currently still using skimmers to fill their pockets, it’s unlikely they’ll turn away from a life of crime once Chip and PIN cards are the only way to get to your cash.
The presentation was meant to be a wake-up call for the banking and ATM systems. There’s a window between now and when a majority of the cash machines become EMV compliant. In that time, Hecker hopes that privately owned ATMs are upgraded with foreign device detection and that the time it takes to complete a transaction is reduced from 60 seconds. “That’s one of the biggest defenses,” he told Engadget.
This type of attack probably won’t happen in the next few months. Hecker said he doesn’t expect to see this type of system in the wild until about October 2018. But unless that 60-second gap is closed or made more secure, in the future this will be a problem that affects us all.