Security

Cybercriminals Refine ATM Data-Sniffing Software 257

BobB-nw writes "Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found so far on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN, which would potentially allow criminals to clone the card in order to withdraw cash. The collected card data, which is encrypted using the DES algorithm, can be printed out by the ATM's receipt printer, Trustwave wrote."
This discussion has been archived. No new comments can be posted.

  • Re:Magnetic strip? (Score:2, Informative)

    by Spectre ( 1685 ) on Thursday June 04, 2009 @11:39AM (#28210363)

    What is this 1980? What countries are still using magnetic strips for credit and debit cards?

    Well, the USA for one. 1 debit card and 2 credit cards in my wallet right now. Every one is chip-less, the electronically readable information is in the mag stripe on the back, old-fashioned raised numbers and letters for the imprinting machines are on the front.

    Granted, they're all issued from the bank, but it is one of the largest in the USA, not some mom-and-pop outfit.

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Thursday June 04, 2009 @11:50AM (#28210539)
    Comment removed based on user account deletion
  • Re:I call BS, mostly (Score:2, Informative)

    by Peter Simpson ( 112887 ) on Thursday June 04, 2009 @12:02PM (#28210729)

    From TFR:
    "Additionally, the malware harvests what is believed to be key or PIN data, saving the
    information in a file C:\WINDOWS\kl."

    So, they waffle on whether the PIN is captured. The filename "kl", does imply "KeyLogger", though.

    Perhaps Eastern European ATMs are built differently than those in North America...maybe "saving a bit of money" by doing the encryption of the PIN in the PC, instead of using an encrypting secure keypad.

    Or, since the same keypad is used for PIN entry and regular input, perhaps the control signal that tells the keypad whether to encrypt or pass keypresses through has been tampered with...so the entered PIN comes through as normal keypresses, and is encrypted by the malware and passed on after logging to the file?

    Or, maybe it's just a guess on the part of the author.

  • Withdraw my money?! (Score:2, Informative)

    by TreyGeek ( 1391679 ) on Thursday June 04, 2009 @12:42PM (#28211331) Homepage
    "which would potentially allow criminals to clone the card in order to withdraw cash. "

    Heh... the joke is on the hacker. I have no money in my bank account to withdraw!
  • by Anonymous Coward on Thursday June 04, 2009 @01:10PM (#28211739)

    I was talking to someone yesterday that works for a company that deals with card fraud. You wouldn't believe how easy it is to get someone's information; someone can simply put a skimmer on an ATM which will grab your card's track data without you knowing. Many of you have probably heard of it, it's just a piece of hardware that sits on top of the card reader, storing everyone's info. As far as I know it requires absolutely no connection to the ATM software.

    The information on magstripe cards is most commonly stored in a two-track format. Track 1 contains your personal information, such as name, address, bank, etc. Track 2 contains the important information, such as card number, expiration, and the CVV/CV2 code.

    Once the skimmer has enough information (which can easily be HUNDREDS of cards), they sell "dumps" of the track data which people can either buy and encode onto a card themselves, or buy on a fully-finished card. The latter option is more convenient for most carders (fraudsters), because many of the cards sold by these vendors are indistinguishable from the real thing. Most vendors also have a minimum buy amount, so you have to buy at least $300 worth of dumps, which can be dozens of cards, all with $10k limits.

  • Re:DES (Score:3, Informative)

    by Zaurus ( 674150 ) on Thursday June 04, 2009 @01:25PM (#28211911)

    What you are describing is called a "Lebanese Loop"

    http://en.wikipedia.org/wiki/Lebanese_loop [wikipedia.org]

  • Re:DES (Score:3, Informative)

    by justinlindh ( 1016121 ) on Thursday June 04, 2009 @01:42PM (#28212139)

    This idea already did the rounds in the form of an Internet rumor a couple of years back: http://www.snopes.com/business/bank/pinalert.asp [snopes.com]

    The Snopes page mentions why something like this hasn't been implemented:

    No one in the banking industry seems to want the technology. The banks argue against its implementation, not only on the basis of cost but also because they doubt such an alert would help anyone being coerced into making an ATM withdrawal. Even if police could be summoned via the keying of a special "alert" or "panic" code, they say, law enforcement would likely arrive long after victim and captor had departed. They have also warned of the very real possibility that victims' fumbling around while trying to trigger silent alarms could cause their captors to realize something was up and take those realizations out on their captives. Finally, there is the problem of ATM customers' quickly conjuring up their accustomed PINs in reverse: Even in situations lacking added stress, mentally reconstructing one's PIN backwards is a difficult task for many people. Add to that difficulty the terror of being in the possession of a violent and armed person, and precious few victims might be able to come up with reversed PINs seamlessly enough to fool their captors into believing that everything was proceeding according to plan. As Chuck Stones of the Kansas Bankers Association said in 2004: "I'm not sure anyone here could remember their PIN numbers backward with a gun to their head."

  • Re:DES (Score:3, Informative)

    by mindbomb2323 ( 1569653 ) on Thursday June 04, 2009 @02:51PM (#28213131)
    I am an ATM repair tech, and I can tell you that you are correct about the duress codes for people admining, and there are several different ways that it can be done. I have never seen any type of GPS tracker used, because you would have to put it somewhere that they couldn't remove it, and that would be in the vault, but if you put it in there then how could you get reception? As far as using the duress code, I don't think I would ever use it, for the simple fact that it is a guaranteed way to become a hostage, and I'm sorry, but 160k of money that isn't even mine is not worth it. I still think skimmers with wifi will be the first choice for crooks because it is easy to do and hard to get caught. There are a lot of banks that actually perm lock the desktop out, so it makes it very hard to actually get access to it to load the malware. Also, on newer ATMs they have plates blocking the drives and the USB ports. The ATMs I see this stuff being pulled on are non-bank ATMs, the kind you see with no company name in your gas stations and places like that.
  • by ArsenneLupin ( 766289 ) on Thursday June 04, 2009 @04:03PM (#28214241)

    The gas wasn't free, you stole it.

    Yeah, the same way as "the pre-installed Windows isn't free, they just stole the license fee from the buyer". But, now go and try to complain about such a shop to the police...

    Same way here: you can bet that if this was indeed theft, that the petrol station's operator wouldn't have hesitated to take the surveillance camera's footage to police, with more severe consequences to the poster. Yes, even in 1999-2000, petrol stations already had cameras.

    So yes, taking advantage of poor business choices is not theft. After all, the poster didn't hold a gun to the station operator's head and say "windows on the pumps or your life!".

    Ok, you're right, grand-parent still wasn't completely honest... not guilty of theft, but rather of lying: indeed, even with Detroit's gas-guzzling landyachts, I can hardly imagine having to fill up several times in the same week...

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Thursday June 04, 2009 @04:57PM (#28214865)
    Comment removed based on user account deletion
