It took researchers just a simple chip and pin hack to withdraw up to $50,000 in cash from an ATM in America in under 15 minutes.
We have been told that EMV (Europay, MasterCard and Visa) chip-equipped cards provides an extra layer of security which makes these cards more secure and harder to clone than the old magnetic stripe cards.
But, it turns out to be just a myth.
A team of security engineers from Rapid7 at Black Hat USA 2016 conference in Las Vegas demonstrated how a small and simple modifications to equipment would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions.
The demonstration was part of their presentation titled, "Hacking Next-Gen ATMs: From Capture to Washout," [PDF]. The team of researchers was able to show the audience an ATM spitting out hundreds of dollars in cash.
Here's How the Hack Work
The hack requires two processes to be performed.
First, the criminals need to add a small device known as a Shimmer to a point-of-sale (POS) machine (here, ATM's card reader) in order to pull off a man-in-the-middle (MITM) attack against an ATM.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
The shimmer sits between the victim's chip and the card reader in the ATM and can record the data on the chip, including PIN, as the ATM reads it. It then transmits this data to the criminals.
The criminals then use a smartphone to download this stolen data and recreate the victim's card in an ATM, instructing it to eject cash constantly.
Tod Beardsley, a security research manager for Rapid7, told the BBC that shimmer is basically a tiny RaspBerry-Pi-powered device that could be installed quickly to the outside of the ATM without access to the internals of the cash machine.
"It's really just a card that is capable of impersonating a chip," Beardsley said. "It's not cloning."The perpetrators would only be able to replicate each card for a few minutes and use it to fraudulently withdraw money, enabling them to make between up to $50,000, but Beardsley suggests that a network of hacked chip-and-pin machines could create a constant stream of victims.
Researchers have disclosed full details about the issue in Chip-and-PIN ATMs to banks and major ATM manufacturers and said they hope the institutions (currently unnamed) are examining the issue.