Post by kas on Feb 2, 2011 16:55:44 GMT -5
New Attack: ATM Shimming
BankIT Blog - In the News
Thursday, 15 July 2010 00:00
According to a recent Network World article, ATM vendor Diebold reports an emerging adaption of the classic ATM skimming attacks. Called "shimming", the attacker compromises the ATM card reader by using a dummy "carrier card" to insert a thin, flexible circuit board through the card slot. The shim mechanically locks into place over the electrical contacts of the card reader, effectively functioning as a "man in the middle" splitter device, invisible from outside the machine. The shim's circuit board reads the unencrypted mag stripe data from cards inserted thereafter and either stores or transmits the data back to the attacker.
Though the shims are non-trivial to produce in the U.S., they are being manufactured and widely used in certain parts of Europe. According to Diebold, their anti-skimming measures are not effective at detecting or blocking this attack, as the problem is a mechanical one.
Financial institutions should prepare for this emerging risk by updating their risk assessments, ensuring that all ATM and other card readers are included as "access points" for customer/consumer information. Mitigating controls include more sophisticated surveillance equipment, vigilant security monitoring (possibly with video analytics), and more frequent physical assessments of the card readers (pending cheaper detection technology). That is, until manufacturers find a better solution. Since this attack may present a problem for other industries that use card readers, like pay-at-the-pump fuel stations, I expect vendors aren't far behind. Plus, the PCI Security Standards Council and/or major card vendors may weigh in on this, given Visa's recent revocation of certain older-model card readers.
www.bankitprogram.com/news/blog/47-in-the-news/131-atm-shimming