Researchers showed how easy it is to hack next-generation ATMs and steal chip and PIN data

We’ve been told that EMV (Europay, MasterCard and Visa) chip-equipped cards have an added layer of security, making them more secure and harder to clone than cards with only a magnetic stripe. But Rapid7 security research manager Tod Beardsley said, “The state of chip and pin security is that it’s a little oversold.”

Black Hat USA attendees who watched an ATM spit out hundreds of dollars might tend to agree. The demonstration was part of Hacking Next-Gen ATMs: From Capture to Washout, which was presented by Rapid7’s Weston Hecker. The abstract of his talk said the system he devised could “cash out around $20,000/$50,000 in 15 minutes.”

Rapid7 used a “shimmer” to pull off a man-in-the-middle attack against an ATM. When Brian Krebs previously reported on a “shimmer” type of skimmer, he explained that the shimmer “acts as a shim that sits between the chip on the card and the chip reader in the ATM—recording the data on the chip as it is read by the ATM.”

Beardsley told The Register that the equipment used to pull this off is tiny, can be installed quickly and does not require access to the internal hardware. “The modifications on the ATM are on the outside,” he added to the BBC. “I don’t have to open it up. It’s really just a card that is capable of impersonating a chip. It’s not cloning.”

The shimmer reads the data on the chip, records the PIN that was entered and transmits that data to thugs. The criminals use a smartphone to download the data stolen from the card “and then essentially recreate that same card in any ATM.” If a criminal gets hold of data off a card with a magnetic stripe, it can be used until the card is canceled. Chip and PIN cards, however, can be spoofed for only a short time.
Beardsley said maybe only a few minutes, but he “suggested criminals could have a vast network of modified POS points with a steady rate of unsuspecting victims providing constantly ‘active’ cards.” “You could shim 20 or 30 POS systems and have a constant stream,” Beardsley said. “You’ll have plenty of time to spit money out of ATMs.”

Although Rapid7 contacted ATM vendors and banks about the research, the team would not name names or share specifics about the attack. The team said it had not yet seen any attempt to rectify the problem.

Don’t enter your PIN more than once

Also at Black Hat, during Breaking Payment Points of Interaction, researchers said to avoid re-entering your PIN if it isn’t taken the first time when you’re paying via a point-of-sale device. People usually think they entered their PIN wrong when it asks a second time, but NCR Corporation researchers Nir Valtman and Patrick Watson said you “should never re-enter” your PIN, as “it’s a telltale giveaway that a pin pad may have been compromised.”
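One issuer-side check that follows from the capture-then-cash-out timing described above, written here as an added example and not part of the article or of Rapid7’s research: over constructed authorization records it flags ATM withdrawals that follow a chip POS purchase on the same card within minutes at a different terminal, then tallies which POS terminals the flagged cards share, since a shimmed terminal should show up as the common prior stop. The record layout, the 15-minute window and all sample values are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample authorizations (not real data). Layout is an assumption:
# (ISO timestamp, masked PAN, channel, terminal id, amount).
SAMPLE_AUTHS = [
    ("2016-08-04T12:01:10", "411111******1111", "POS", "POS-0427", 18.50),
    ("2016-08-04T12:06:30", "411111******1111", "ATM", "ATM-9913", 500.00),
    ("2016-08-04T12:07:05", "411111******1111", "ATM", "ATM-9913", 500.00),
    ("2016-08-04T12:03:40", "400000******0002", "POS", "POS-0427", 7.25),
    ("2016-08-04T12:11:00", "400000******0002", "ATM", "ATM-9913", 300.00),
    ("2016-08-04T13:30:00", "555555******4444", "POS", "POS-0427", 42.00),
    ("2016-08-04T18:45:00", "555555******4444", "ATM", "ATM-1201", 100.00),
]

def flag_shim_cashouts(auths, window=timedelta(minutes=15)):
    """Return (timestamp, pan, atm_terminal, pos_terminal, amount) for every
    ATM withdrawal that follows a chip POS purchase on the same card within
    `window` at another terminal. The 15-minute default is an assumed tuning
    value taken from the talk's cash-out figure, not a published threshold."""
    last_pos = {}   # PAN -> (time, POS terminal) of the most recent purchase
    flagged = []
    for ts, pan, channel, terminal, amount in sorted(auths):
        t = datetime.fromisoformat(ts)
        if channel == "POS":
            last_pos[pan] = (t, terminal)
        elif channel == "ATM" and pan in last_pos:
            pos_time, pos_terminal = last_pos[pan]
            if terminal != pos_terminal and t - pos_time <= window:
                flagged.append((ts, pan, terminal, pos_terminal, amount))
    return flagged

def suspect_pos_terminals(flagged):
    """Count distinct flagged cards per preceding POS terminal; a terminal
    shared by several victims is the one to inspect for a shim."""
    cards_by_pos = {}
    for _, pan, _, pos_terminal, _ in flagged:
        cards_by_pos.setdefault(pos_terminal, set()).add(pan)
    return Counter({pos: len(cards) for pos, cards in cards_by_pos.items()})

if __name__ == "__main__":
    hits = flag_shim_cashouts(SAMPLE_AUTHS)
    for hit in hits:
        print("suspicious cash-out:", hit)
    print("POS terminals shared by flagged cards:", suspect_pos_terminals(hits))
```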