Criminals will go to any lengths to cheat an ATM out of its cash. But now a team of researchers has discovered that skimmers may be a thing of the past: crooks have been targeting cash machines directly using infected USB sticks instead.
The findings, presented at the Chaos Computing Congress in Hamburg, Germany and reported by the BBC, show that hackers have to physically cut holes into ATMs, then plug in USB drives that install code onto the cash dispenser.
The team of researchers — who have asked to remain anonymous — explain that the hack has been carried out on an “unnamed European bank’s cash dispensers.” The attacks were first noticed in July, and once the code was installed on an ATM, the exploit could be run again and again. Each time, the criminals simply typed a 12-digit code into the ATM to launch a custom interface, allowing them access to the machine.
The software, which was successfully installed on four different ATMs, then allowed the criminals to see how much money was available in the machine, by denomination, along with options to dispense each kind individually. While that might sound needless, the researchers pointed out that it allowed the crooks to focus on the highest value banknotes. Never let it be said that criminals are inefficient.
There was even a security feature built into the hackers’ code, which meant that the criminal at the cash point had to call another gang member for a numerical code to input before they could grab the banknotes. The researchers suggest that it was a mechanism put in place by the mastermind behind the software, to ensure none of his team went rogue.
Clearly, this is big-time hacking that cuts right to the core of ATM technology and requires deep insight to work properly. On the plus side, at least you can rest easy that it’s not your account getting hacked — just the bank’s ATM. [BBC]