09
Feb 16

Skimmers Hijack ATM Network Cables

If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.

Two network cable card skimming devices, as found attached to this ATM.

In an alert sent to customers Feb. 8, NCR said it received reliable reports of NCR and Diebold ATMs being attacked through the use of external skimming devices that hijack the cash machine’s phone or Internet jack.

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” NCR warned. “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

The ATM maker believes these attacks continue a trend in which criminals find alternative ways to skim magnetic stripe cards. Such methods avoid placing the skimmer on the ATM card entry bezel, which is where most anti-skimming technology is located.

NCR said cash machine operators must consider all points where card data may be accessible — in addition to the traditional point of vulnerability at the card entry bezel — and that having ATM network communications cables and connections exposed in publicly accessible locations only invites trouble.
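A defender-side check for the cable attack described above, as an added example that is not from NCR's alert or the original article: attaching an inline device means unplugging the ATM's network cable, so the link drops and returns, sometimes at a different negotiated speed. The log format, terminal IDs, maintenance schedule and thresholds are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, terminal id,
# link state, negotiated speed in Mb/s when the link comes up.
SAMPLE_LOG = """\
2016-02-01T09:00:02 atm-0417 up 100
2016-02-03T10:05:10 atm-0417 down -
2016-02-03T10:05:12 atm-0417 up 100
2016-02-05T02:14:07 atm-0417 down -
2016-02-05T02:15:31 atm-0417 up 10
2016-02-06T14:30:00 atm-0932 down -
2016-02-06T14:41:00 atm-0932 up 100
"""

# Assumed schedule of authorised site visits per terminal: (start, end).
MAINTENANCE = {
    "atm-0932": [(datetime(2016, 2, 6, 14, 0), datetime(2016, 2, 6, 15, 0))],
}

MIN_OUTAGE = timedelta(seconds=10)  # shorter drops are treated as line noise


def in_window(terminal, start, end):
    """True if the whole outage falls inside an authorised visit."""
    return any(s <= start and end <= e for s, e in MAINTENANCE.get(terminal, []))


def find_suspect_replugs(log_text):
    """Return (terminal, down_time, reasons) for unexplained cable re-plugs."""
    alerts, down_at, last_speed = [], {}, {}
    for line in log_text.splitlines():
        ts, terminal, state, speed = line.split()
        when = datetime.fromisoformat(ts)
        if state == "down":
            down_at[terminal] = when
            continue
        went_down = down_at.pop(terminal, None)
        new_speed, old_speed = int(speed), last_speed.get(terminal)
        last_speed[terminal] = new_speed
        if went_down is None or when - went_down < MIN_OUTAGE:
            continue  # first sighting, or a brief flap
        if in_window(terminal, went_down, when):
            continue  # technician was scheduled to be on site
        gap = int((when - went_down).total_seconds())
        reasons = ["unscheduled link loss of %ds" % gap]
        if old_speed is not None and new_speed != old_speed:
            reasons.append("speed changed %d -> %d" % (old_speed, new_speed))
        alerts.append((terminal, went_down, reasons))
    return alerts
```

An alert of this kind is a prompt for a physical inspection of the cable run, not proof of a skimmer.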

A closer look at the two network cable card skimming devices that were attached to the stand-alone ATM pictured at the top of this story.

If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.

107 comments

  1. A few weeks ago I was at a gas station in Columbus, OH. There was an ATM that had antennas and cables everywhere. Due to my curiosity I looked closer. Network cables everywhere, open ports, this would be very easy to accomplish. Most people wouldn’t even ask what you were doing attaching devices that’d capture this traffic. Hope the data in the lines are encrypted!

  2. Our financial place’s ATMs: All communication is encrypted, the DES keys are changed every 24 hours. The ATM goes off-line if the keys are not in sync.
    We have an active map on the wall and get Email alerts for every issue. Every ATM is visually inspected every day. Remote ATMs have cellular backup alarm systems.
    So far (2 years here) we haven’t had an issue, we constantly research risk/prevention doing our best to stay ahead of the curve.
    So don’t feel that all banking is lacking.
    No exposed wires either 😉

    • Hopefully those are AES keys and not DES…

    • ATMs are visually inspected every day, that seems like a lot of man hours. But interesting.

      • Not really, the branch staff are very familiar with the equipment, and know what to look for.
        For a company that has ATMs all over the place, yes it would be more involved and likely rely on 3rd party inspection, like when we had one at the airport.

  3. If I remember correctly, ring networks mirror traffic. From one listening point you can tap all the traffic in the network at that time. Like on the internet search, it goes to all corners, looking for your query, and only your port is open to receive the reply to your address. Same with a ring network, a specific port received. But an open ear? Like a radio, the Bluetooth attached to the line? Would not necessarily catch just the local traffic, but what other traffic?

  4. I’m wondering if this can apply to those new fancy soda machines that take credit / debit cards.

    I can think of one right now that has some odd cabling; maybe not actually just incredibly sloppy work – but devious?

    • Probably the easiest of all because it’s not a bank machine!

    • KrebsonSecurityFan

      KGee – That’s the reason that I only use cash or coins in a vending machine. My downtown area switched to parking meters that can accept payments via magnetic cards or apps. I don’t know what company the city uses.

      So, I use gold-colored dollar coins – the U.S. Presidents or Sacagawea – instead. The gold-colored U.S. dollar coins are available at banks. Almost all coin-accepting vending machines made since 2000 take them.

  5. This seems so easy to prevent. Give key employees a walk through of the equipment and make it a daily, or hourly, or what timing makes sense, task like cleaning the front door. A process for handling anomalies, i.e., who to call.

    NECN was talking about these kinds of attacks locally and just telling people who used the locations to be careful. I don’t think that’s a realistic countermeasure.

  6. Odd. ATMs aren’t exactly bandwidth beasts, so I’m wondering what the business case is for not using VPN over 3G/LTE. In fact, I don’t even see how this wouldn’t be a heck of a lot cheaper than wired. Maybe not as reliable in super-dense environments (concert halls, etc), but cellular Internet is generally pretty good these days.

    Plus, at a certain scale (mid- to large-size) you can have a private network over cellular (similar to MPLS) that would give you an additional layer of security.

    • Getting cellular right isn’t much easier.

      See the various tower impersonation attacks.

      I’m not saying I’m a big fan of ethernet, just…

      The right thing is to make sure that all traffic on the wire is encrypted with sufficiently strong+robust encryption and validates both sides (MITM ….)

    • Increasingly stand alone ATMs are moving to precisely this.

  7. KrebsonSecurityFan

    These two devices resemble the bug placed in Hank Schrader’s office by Walter White in the TV series Breaking Bad. In the series, a microphone is placed inside a picture frame inside the office. The microphone transmits wirelessly to a receiver attached to the ethernet plug of the office computer. The ethernet receiver can be logged into over the ethernet and the audio then streamed to anywhere on the internet.

    Question: Can a VOIP phone – which many banks now have – be a vector in the bank telecommunications attack? Edward Snowden in Citizen Four said this.

  8. Nice fear mongering

    The payment card industry is requiring all communication of card information to be encrypted. If a vendor is dumb enough to still send credit card or bank card information in clear text they deserve to pay every cent that is reported as fraud from any card used in their machine.

    Think about this, do you go into your bank and yell your bank account number to everyone inside….. “MY ACCOUNT NUMBER IS 12448844 AND MY NAME IS ALAN IDIOT; I LIVE AT 944 RIP MEOFF LANE…”

    Go ahead and scan all the traffic you want. Like a commenter said before the better companies change their encryption keys constantly. Oh and new services like Android pay anonymize your credit card number so if a rogue purchase is made, ding! The number changes. Cracked it again? Ding another new number.

    I expected a little more from Krebsonsecurity than click bait. Hope it pays your bills in the short term.

  9. Attempts at skimming are one of the reasons that three of the banks (BOA, Chase & WF) are installing cardless ATMs that will use AP & Apple Pay (or soon to be AW) in order to withdraw cash.
    Chase is doing a different approach utilizing a passcode sent to your phone, which you have to enter. From my understanding, there’s a time frame before it expires.

  10. Local police found one skimmer inserted inside the faceplate of a gas pump recently; so there was no external tampering visible. Wasn’t caught until an attendant inspected it.

    So hard to know what’s safe – that’s why the best card security is at bank level, not card level.

  11. Delilah the Drunk

    This is the good news about being a BofA customer. They charge such outrageous service fees to customers who use non-bank ATMs that in all the years I’ve been a customer, I have never even once pulled money from an ATM that didn’t belong to Bank of America. However, the bank does have ATM only locations, but I don’t think I’ve ever seen one that was freestanding. They’re always built into a wall.

  12. So what if an ATM were just a thin client terminal with the actual ATM being a virtual instance in the banks physically secured private cloud. Strong encryption over communications links. No local processing open to compromise.
    Use of multi-factor authentication with biometrics to make a withdrawal, tamper activated cameras and alerts to local enforcement. None of these things are beyond the realm of current technology.

  13. KrebsonSecuityFan

    I was in a restaurant recently with an ATM similar to the one pictured. A telephone wire was connected to its back which ran for a few feet along the wall before being connected to a box that is square-shaped which had another telephone cord attached to it. This second cord had a long run by going in to the ceiling.

    What is this box for? Why is it even necessary since a longer cord could be found to reach the ATM?

    A security site that mentions the alert from NCR states that the black-colored device in the gray box with the USB cable and 2 ethernet cables connected to it might be a Bluetooth (or other wireless) transceiver.

  14. Why not install anti-tamper protection which could send an alert message when the rogue skimming device is attached to the ATM network cables?

    • There are many ways they could fix or protect from the issue. The problem is, there are thousands of ATMs around the world and they would all need to be fixed at the same time.

      These companies are in it to make money not lose it. They aren’t the ones (for the most part) that have to pay for the fraud that takes place with their machines (the banks do).

      Until our entire banking infrastructure is rebuilt, fraud will never go away. Hackers have all the free time in the world to figure out exploits, and by the time the company figures one out, the “fraudsters” have 3 more already waiting in the pipeline.

      Not to mention, the technique this article was written about is old news. It’s been around for years (I would say at least 5). Same with skimming, it was being done back in 1999~.

      Again, it comes back to bad infrastructure, and the lack of will or actual care to fix it.

      This is the sad reality.

  15. ATMs have some hidden cameras. If I am looking around for something inside an ATM, maybe they mark me as a suspect?

  16. If companies hired hackers to begin with, things like this would never be possible. Then again, most companies don’t really care about security and keeping their customers’ information safe – it’s all about profits, and if that means cutting corners on security, so be it.

    Give it another ~5 years and most of this outdated technology will no longer exist. If these companies don’t innovate they will be put out of business by my generation.

    We laugh at their greed and stupidity.

  19. I’ve seen some very sloppy cabling setups on ATMs in convenience stores where I live in Asia. Typically there’s the ATM, a big networking appliance and a cellular modem or perhaps an ADSL modem. Oh, and a UPS. This may be in a little rack but may also be piled up on top of the machine. I would guess that the VPN occurs in the networking appliance so the cable between the ATM and it is vulnerable to interception.

    I also notice that that’s a Logitec unified receiver on the recording device. I guess they cannibalised a Logitec keyboard to make the keypad overlay.