I get a lot of email feeds and news from financial websites, but often spot real banking news in more unlikely places ... like New Scientist magazine.
On the front cover of last week's mag was a story about Gaia's evil twin.
I thought that was going to be about the social networking world of Gaia Online, but it was actually an interesting article about how Earth really works and that Mother Earth is nothing like the Greek Goddess Gaia, who nurtures. Instead it's more like the murderous wife of Jason of the Argonauts, Medea, who killed her own children.
Nice.
Anyways, flicking through the pages, the tech section was headlined by a story called:
This relates the following news:
"A devious piece of criminal coding has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates - and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts."
Not so nice.
Apparently the shysters install a 50kb malware on ATMs as part of a legitimate Windows program called 1sass.exe. This program looks OK to techies and would normally go overlooked because it is part of the normal Windows system that drives most modern ATMs, except that it has no useful function on an ATM, as all it is used for is to cache session data so that users don't have to re-enter passwords every time they get a new email or enter a website.
And that's the scheme in a nutshell.
Install the malware and then 1sass.exe collects all the card data and spews it out on demand.
Result: criminals walk along to any ATM, enter the magic code and get an ATM receipt with all the card numbers and PINs.
No wonder the European ATM Security Team (EAST) reckon that ATM fraud is now running at €484 million a year across Europe:
That's just ATM fraud, not card fraud.
Here's the Spiderlabs full briefing presentation:
Now then, which ATM shall I try out first?