CERT-In Advisory
CIAD-2018-0026
"Wiretapping" attacks in ATMs
Original Issue Date: October 03, 2018
Systems Affected
Description
Each day there are new reports of attacks on ATMs around the world, and criminals continue to vary and modify their attacks and attempt to bypass the protections in place.
A card skimming attack is defined as "the unauthorized capture of magnetic stripe information by modifying the hardware or software of a payment device, or through the use of a separate card reader". Skimming is often accompanied by the covert capture of customer PIN data.
Wiretapping
A rare, virtually invisible form of ATM skimmer has emerged, involving a "wiretapping" device that is inserted through a hole cut in the cash machine's front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to the ATM's internal card reader.
Very often the fraudsters are assisted in the skimmer installation by an endoscope: by connecting a USB-based endoscope to a smartphone, the intruder can peek inside the ATM and ensure that the skimmer is correctly attached to the card reader. In other cases, the thieves may replace the PIN pad security shield on the ATM with a replica that includes a hidden pinhole camera.
Best Practices for Users
- If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only ATMs in public, well-lit areas, and avoid those in secluded spots.
- Before using an ATM, ensure that there are no strange objects in the insertion panel of the ATM (to avoid skimming).
- Cover the PIN pad while entering PIN. You can protect against the vast majority of ATM card skimmers simply by physically obscuring your hand when entering your PIN.
- Destroy the transaction receipts securely after reviewing.
- Change ATM PIN on a regular basis.
- Keep a close eye on bank statements, and dispute any unauthorized charges or withdrawals immediately.
- Shred anything that has a credit card number written on it.
- Notify credit/debit card issuers in advance of a change of address.
- Do not accept a card received directly from the bank if it is damaged or its seal is open.
- Do not write the PIN on the credit/debit card.
- Do not disclose Credit Card Number/ATM PIN to anyone.
- Do not hand over the card to anyone, even if he/she claims to represent the Bank.
- Do not get carried away by strangers who try to help you use the ATM.
- Do not transfer or share account details with unknown or non-validated sources.
- In case of any suspected transactions or loss of cards, contact the service provider / bank immediately.
Best Practices for Service Providers
- Keep all ATM software, applications, and antivirus regularly updated.
- Educate the customer about basic functionalities and security best practices.
References
https://krebsonsecurity.com/2018/09/secret-service-warns-of-surge-in-atm-wiretapping-attacks/
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India