Kaspersky Lab experts have explored how digital criminals can take advantage of the new bank ATM identification technologies. While many economic organizations regard biometric solutions as the most promising additions to existing identification methods, or even a choice to replace the latter, digital criminals see the use of biometrics as a new opportunity for the theft of sensitive information.
ATMs have been the target of fraudsters for years data credit cards. It all started with the primitive “skimmers” – self-made devices placed in an ATM, which were able to intercept information from the card's magnetic stripe, as well as the corresponding PIN code with the help of a fake ATM keyboard or a webcam.
Με τον καιρό, ο σχεδιασμός αυτών των συσκευών βελτιώθηκε ώστε να τις κάνει λιγότερο ορατές. Με την εισαγωγή της τεχνολογίας “chip-and-pin” στις κάρτες πληρωμών, η οποία καθιστούσε την «κλωνοποίησή» τους πολύ δύσκολη αλλά όχι ακατόρθωτη, οι σχετικές συσκευές εξελίχθηκαν από “skimmers” σε “shimmers”: σε μεγάλο βαθμό ίδιες, αλλά με τη δυνατότητα να συλλέγουν πληροφορίες από το μικροτσίπ της κάρτας, παρέχοντας επαρκείς πληροφορίες για την πραγματοποίηση μίας διαδικτυακής attacks. The banking sector is responding with new identification solutions, some of which are based on biometrics.
According to Kaspersky Lab's survey of "underground" digital crime, there are already at least twelve vendors providing skimmers able to intercept fingerprints of victims as well as at least three vendors who are already developing devices that could illegally retrieve data from palm or iris recognition systems.
The first "wave" of biometric skimmers was studied during "testing" in September of 2015. Data collected by Kaspersky Lab researchers reveal that during the initial testing, developers discovered several bugs. However, the main problem was the use of GSM data for the transfer of biometric data - it was too late to transport the large volume of data being collected. As a result, new versions of skimmers will use other, faster data transfer technologies.
There are also indications of ongoing discussions between "underground" communities about the development of mobile apps based on masking over the human face. With such an application, attackers can take a photo of a person who has been published on social media and use it to trick the face recognition system.
“The problem with using biometrics is that, unlike passwords or PINs that can be easily changed if compromised, it's impossible to change your fingerprints or your iris image. So, even if your data is compromised once, it won't be safe to use this authentication method again. For this reason, it is extremely important to keep your data safe and transmit it in a secure manner. Biometric data is also recorded in modern passports – called e-passports – visa etc. So if an attacker steals an e-passport, he not only owns the document, but also the person's biometric data. Essentially, his very identity has been stolen!” said Olga Kochetova, an expert on issues Kaspersky Lab security.
The use of tools capable of compromising biometric data is not the only potential digital threat facing ATMs, according to Kaspersky Lab researchers. Hackers will continue to conduct attacks που βασίζονται σε κακόβουλα λογισμικά, επιθέσεις blackbox και επιθέσεις δικτύου για να αξιοποιήσουν τα δεδομένα που μπορούν να χρησιμοποιηθούν αργότερα για να κλέψουν money by banks and their customers.
For full exposure to the upcoming digital threats to ATMs and the measures that can protect banks from these threats, you can visit the dedicated website Securelist.com.
