Hacked ATMs let criminals steal cash, PINs

Hidden code on Windows XP-based ATMs has given criminals two years to use special cards to steal account data and money from the cash-dispensing machines
Written by Elinor Mills, Contributor

Malicious software has been found on Eastern European ATMs that allows criminals to steal account data and PINs and even empty the machine of its cash, a computer forensics expert said.

About 20 cash machines have been compromised in that manner, mostly in Russia and the Ukraine, but there are "early indications" of compromised ATMs in the US, said Nicholas Percoco of Trustwave, which provides data security and payment-card compliance services.

Percoco, who heads up Trustwave's SpiderLabs, the forensics team that discovered the malware on the ATMs, said he could not elaborate further on where the compromised ATMs were located and how they were used.

Someone had to manually install the malware on the machines, so it is likely that an insider is responsible — either an employee at the bank, the ATM vendor, a company that services the machines or someone close to an insider, Percoco said in a telephone interview late on Wednesday.

The machines, all running Windows XP, had an executable programme on them that was masquerading as a legitimate Windows protected storage service, he said. The malware looks at all the data being processed by the ATM. It records the account information that is stored on the magnetic stripes on cards inserted into the machine and the encrypted PIN blocks that are generated when someone types in their number, Percoco said.

Although the PINs are encrypted, criminals could potentially intercept the encryption keys exchanged with the bank and use them to decrypt the PINs, he added.

Once the malware has been hidden on the ATM for a period of time, the criminal can return to the machine and use a special "trigger" card to control the ATM. The criminal can print out the stolen data directly from the machine, or instruct the machine to dispense all the cash it has, according to Percoco. Bank cash machines can hold as much as $600,000 [£372,850] at a time, he said.

"There is evidence that [trigger] cards were used," he said, adding that he could not comment on the number of accounts affected or amount of money stolen. The malware was first installed on at least one of the machines in July 2007, he said.

This is not the first time that malware has been discovered on ATMs, Percoco said. "But this is probably the most sophisticated malware found on an ATM," he said. "In all the versions we've looked at [the criminals] are enhancing the application as they go. They must be getting feature requests from someone."

The latest version of the malware code found on some of the machines includes a function for writing the stolen data onto cards with memory chips, which are commonly used in Europe, he said. However, that function does not appear to work, he added.

Although the malware was installed on the ATMs manually, it is possible that future attacks would involve the propagation of the malware through the ATM network, he said.

Michelle Genser, corporate communications manager for Trustwave, told ZDNet UK on Thursday that none of the compromised ATMs conformed to the Payment Card Industry Data Security Standard (PCI-DSS).

"These are non PCI-compliant ATMs, they don't have proper security in place, and they are not running antivirus," said Genser.

While the ATMs are not internet facing, Genser added that Trustwave has evidence the malware is being spread elsewhere. "We believe this is a test bed, and will probably propagate," said Genser.

ZDNet UK's Tom Espiner contributed to this story.