A security vulnerability in the newest generation of ATMs can be exploited to make them give away tens of thousands of dollars in cash, despite chip and PIN systems being designed to prevent criminals from carrying out exactly this sort of activity.
Speaking at the Black Hat conference in Las Vegas, Weston Hecker, a senior security consultant at cybersecurity firm Rapid7, demonstrated how the ATMs' security could be bypassed to allow criminals to make off with up to $50,000 from a machine in under 15 minutes.
The technique -- achieved with a $2,000 kit -- sees criminals alter a point-of-sale machine by placing a device in the gap between where the ATM user's card chip will be and the roof of the area where the card is inserted.
This 'shimmer device' then reads data from the chip -- including the pin number being entered by the card user -- allowing criminals to read that information in real-time at a distance of up to 400 miles.
Wherever the hacker is, they're able to download the data onto a smartphone and use the card details to tell an ATM to allow the constant withdrawal of funds, enabling the perpetrators to make between $20,000 and $50,000 in the case of an unattended machine.
While it's unlikely that a hacker would be able to use a spoofed card for a significant period of time -- there's only a limited window in which they could use it at an ATM and the victim will eventually realize they've been targeted -- the relative ease with which criminals can deploy this method of attack means it could be a very lucrative outlet for them.
Security researchers at Rapid7 have disclosed full details about the vulnerability in chip-and-PIN ATMs to the major machine makers and banks, although they haven't detailed which these are in order not to put additional people at risk of the fraud.