Chip and PIN cards and readers are finally rolling out in the United States. Unlike traditional magnetic cards, which use static information to make a transaction, these pieces of plastic create a new key with each purchase, based on a standard by Europay, MasterCard and Visa. That should make purchases or withdrawals more secure, since the information is only valid for 60 seconds. As it turns out, according to Rapid7 security firm researcher Weston Hecker, a lot can happen in that minute.
At last week's Def Con security conference, Hecker demonstrated how an ATM machine or point-of-sale (POS) terminal can be used to intercept that onetime-use key and other information about the card. That data is then transmitted to another device (in this case another cash machine) that makes a second transaction, such as withdrawing money from your account.
It's an ingenious proof of concept. But it requires that at least two devices be compromised. First the target POS or ATM needs a piece of hardware installed that reads the card's chip. This process is called "shimming." (Doing the same hack with a magnetic card is called "skimming.") Once the data has been captured, its transmitted to a legitimate ATM that's been hijacked.
This payout cash machine would be outfitted with a system Hecker calls La-Cara. It tricks the ATM into believing the physical card is being dipped, after which a robot hand enters the PIN. The machine withdraws the maximum amount allowed by the card and -- for a while at least -- the victim is none the wiser.
Of course, an ATM with a robot hand would arouse suspicion. But Hecker realized that if you put a facade and "out of order" sign on a machine, no one gives it a second look. In fact, there was a cash machine near his house with an "out of order" sign that sat undisturbed for days. When he called the bank, they were unaware the machine wasn't working.
The big payout would be when shimmers are installed on multiple machines that all transmit to a single hijacked ATM. That hijacked machine will collect and dispense all the cash so that whenever the thieves are ready to collect, they simply roll up, grab the La-Cara system and cash, and leave. If that ATM is compromised, they put the facade on another machine in another location and start collecting data (and cash) again.
Hecker spent a year analyzing ATM machines and banking systems to come up with this attack. While the thieves (also called "carders") are currently still using skimmers to fill their pockets, it's unlikely they'll turn away from a life of crime once chip and PIN cards are the only way to get to your cash.
The presentation was meant to be a wake-up call for the banking and ATM systems. There's a window between now and when a majority of the cash machines become EMV compliant. In that time he hopes that the privately owned ATMs are upgraded with foreign-device detection and that the time it takes to complete a transaction is reduced from 60 seconds. "That's one of the biggest defenses," he told Engadget.
This type of attack probably won't happen in the next few months. Hecker said he doesn't expect to see this type of system in the wild until about Oct. 2018. But unless that 60-second gap is closed or made more secure, in the future this will be a problem that affects us all.