This ATM hack could allow thieves to make off with thousands

Chip and PIN ATMs are supposed to be more secure than older models, but Rapid7 researchers have demonstrated that this may not be the case.
Written by Danny Palmer, Senior Writer

Chip-and-PIN might not be as secure as you think...

Image: iStock

A security vulnerability in the newest generation of ATMs can be exploited to make them give away tens of thousands of dollars in cash, despite chip and PIN systems being designed to prevent criminals from carrying out exactly this sort of activity.

Speaking at the Black Hat conference in Las Vegas, Weston Hecker, a senior security consultant at cybersecurity firm Rapid7, demonstrated how the ATMs' security could be bypassed to allow criminals to make off with up to $50,000 from a machine in under 15 minutes.

Researchers have previously warned our old ATMs are an easy target for cybercriminals, but Hecker's demonstration appears to show that even the latest machines are vulnerable.

The technique -- achieved with a $2,000 kit -- sees criminals alter a point-of-sale machine by placing a device in the gap between where the ATM user's card chip will be and the roof of the area where the card is inserted.

This 'shimmer device' then reads data from the chip -- including the pin number being entered by the card user -- allowing criminals to read that information in real-time at a distance of up to 400 miles.

Wherever the hacker is, they're able to download the data onto a smartphone and use the card details to tell an ATM to allow the constant withdrawal of funds, enabling the perpetrators to make between $20,000 and $50,000 in the case of an unattended machine.

While it's unlikely that a hacker would be able to use a spoofed card for a significant period of time -- there's only a limited window in which they could use it at an ATM and the victim will eventually realize they've been targeted -- the relative ease with which criminals can deploy this method of attack means it could be a very lucrative outlet for them.

Security researchers at Rapid7 have disclosed full details about the vulnerability in chip-and-PIN ATMs to the major machine makers and banks, although they haven't detailed which these are in order not to put additional people at risk of the fraud.


Editorial standards