Biometric skimmers are here

October 2016 News & Events, Information Security

Kaspersky Lab experts have investigated how cybercriminals could exploit new ATM authentication technologies planned by banks. While many financial organisations consider biometric-based solutions to be one of the most promising additions to current authentication methods, if not a complete replacement for them, cybercriminals see biometrics as a new opportunity to steal sensitive information.

ATMs have for years been in the sights of fraudsters hunting card data. It all started with primitive skimmers – homemade devices attached to an ATM, capable of stealing information from the card’s magnetic strip and PIN code with help of a fake ATM PIN pad or a web camera. Over time, the design of such devices was improved to make them less visible.

With the implementation of much harder, but not impossible to clone chip-and-PIN payment cards the devices evolved into so-called ‘shimmers’: largely the same, but able to gather information from the card’s chip, giving sufficient information to conduct an online relay attack. The banking industry is responding with new authentication solutions, some of which are based on biometrics.

According to a Kaspersky Lab investigation into underground cybercrime, there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints. And at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems.

The first wave of biometric skimmers was observed in 'presale testing' in September 2015. Evidence collected by Kaspersky Lab researchers reveals that during the initial testing, developers discovered several bugs. However, the main problem was the use of GSM modules for biometric data transfer – they were too slow to transfer the large volume of data obtained. As a result, new versions of skimmers will use other, faster data transfer technologies.

There are also signs of ongoing discussions in underground communities regarding the development of mobile applications based on placing masks over a human face. With such an app, attackers can take a person’s photo posted on social media and use it to fool a facial recognition system.

”The problem with biometrics is that, unlike passwords or PIN codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports – called e-passports – and visas. So, if an attacker steals an e-passport, they don’t just possess the document, but also that person’s biometric data. They have stolen a person’s identity,” said Olga Kochetova, security expert at Kaspersky Lab.

The use of tools capable of compromising biometric data is not the only potential cyberthreat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, blackbox attacks and network attacks to seize data that can later be used to steal money from banks and its customers.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Pentagon appointed as Milestone distributor
Elvey Security Technologies News & Events Surveillance
Milestone Systems appointed Pentagon Distribution (an Elvey Group company within the Hudaco Group of Companies) as a distributor. XProtect’s open architecture means no lock-in and the ability to customise the connected video solution that will accomplish the job.

Read more...
Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
Sales basics for security installers
News & Events
Being the best security business in South Africa means little if no one uses your services. Your business success is only partly linked to how good you are at security installations.

Read more...
From security technician to salesperson
News & Events
Being great at security sales starts with having the right mindset. How you think informs what you say and how you act; and how you act informs the results you will achieve in your business.

Read more...
From the Editor's Desk: Something old and something new
Technews Publishing News & Events
      Welcome to the 2024 edition of SMART Security Solutions’ Mining Handbook. Mining is a challenging industry for security professionals, although security is a challenge on this continent, no matter your ...

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Risk Management & Resilience
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Risk Management & Resilience
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...