
Bank security is not really improved

posted Apr 17, 2013, 12:58 PM by John Jones   [ updated Apr 17, 2013, 1:19 PM ]

Stumbled upon an article from New Scientist titled “Cash Machines Hacked to Spew out Card Details”, which describes a new type of attack on bank ATM machines.

As the idea of using false fronts on bank card insertion slots to scan the magnetic stripes on bank cards has become well known, banks have put in protections against this scheme and begun to thwart criminals. However, some clever criminals in Russia and Ukraine have devised a new type of attack where they insert a specially formatted bank card which tells the ATM machine to print out a list of all bank cards used during the day along with the cards’ PIN numbers and expiration dates. This information is then used to create “clone” bank cards and clean out the bank accounts of unsuspecting customers.

Even more shocking is that the criminals’ special bank card can also be used to eject a cash storage cassette from the front of some older model ATM machines.

How do they accomplish this? It was discovered that the crooks had used a malware program disguised as the lsass.exe file on the Windows operating system of the ATM machines to create a back door which can be triggered with the special bank cards. You might wonder how the criminals could get the malware onto the ATM machine’s Windows OS in the first place. According to the security analysts hired by the banks, it looks like the crooks had some inside help from bank or ATM employees bribed or coerced by the criminals.
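A defender can spot a program masquerading as lsass.exe because the genuine Windows binary runs only from the System32 directory and is started by winlogon.exe (Windows XP) or wininit.exe (Vista and later). The following check is an added example, not code from the article or from this post; the record fields (`pid`, `image`, `parent`), the `C:\Windows` system root and the sample process list are assumptions made for illustration.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows; change SYSTEM_ROOT otherwise.
SYSTEM_ROOT = r"C:\Windows"
GENUINE_IMAGE = ntpath.join(SYSTEM_ROOT, "System32", "lsass.exe").lower()
# lsass.exe is started by winlogon.exe on XP and by wininit.exe on Vista and later.
GENUINE_PARENTS = {"winlogon.exe", "wininit.exe"}


def _norm(path):
    """Lower-case a Windows path and collapse '..', '/' and doubled separators."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def audit_lsass(processes):
    """Return (pid, reason) findings for every record named lsass.exe.

    Each record is a dict with 'pid', 'image' (full path) and 'parent' (full path).
    """
    findings, genuine = [], []
    for proc in processes:
        image = _norm(proc["image"])
        if ntpath.basename(image) != "lsass.exe":
            continue
        if image != GENUINE_IMAGE:
            findings.append((proc["pid"], "image is outside System32: " + image))
            continue
        parent = ntpath.basename(_norm(proc["parent"]))
        if parent not in GENUINE_PARENTS:
            findings.append((proc["pid"], "unexpected parent: " + parent))
            continue
        genuine.append(proc["pid"])
    # A host normally runs a single LSASS instance; report any extra ones.
    findings.extend((pid, "duplicate lsass.exe instance") for pid in genuine[1:])
    return findings


# Constructed sample process list (not taken from the article).
SAMPLE = [
    {"pid": 612, "image": r"C:\WINDOWS\system32\lsass.exe", "parent": r"C:\WINDOWS\system32\winlogon.exe"},
    {"pid": 1840, "image": r"C:\WINDOWS\lsass.exe", "parent": r"C:\WINDOWS\explorer.exe"},
    {"pid": 2204, "image": r"C:\WINDOWS\System32\..\Temp\lsass.exe", "parent": r"C:\WINDOWS\system32\services.exe"},
    {"pid": 2310, "image": r"C:\WINDOWS\system32\lsass.exe", "parent": r"C:\WINDOWS\system32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, reason in audit_lsass(SAMPLE):
        print(pid, reason)
```
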

As bad as all this sounds, the real pants-around-the-ankles fact here is that the ATM machines actually store the customers’ bank card numbers, PINs, and expiration dates without any encryption. What were they thinking? I hope that the rest of the banks and ATM manufacturers from around the world are taking note of the situation in Russia and Ukraine. They need to update their ATM infrastructure immediately to protect against such abuses. Of course, in my opinion, it’s extreme negligence to not have encrypted any crucial bank card data in the first place. An ATM machine might be very physically secure against the outside world, but we know that the majority of security breaches in business come from employees, not 15-year-old kids in their parents’ basement.