You are here: Home » News-ANI » Technology

Kaspersky Lab to examine future threats to ATMs with 'Biometric skimmers'

Kaspersky Lab experts have investigated how cybercriminals could exploit new ATM authentication technologies planned by banks.

While many financial organizations consider biometric-based solutions to be one of the most promising additions to current authentication methods, if not a complete replacement for them cyber criminals see biometrics as a new opportunity to steal sensitive information.

ATMs have for years been in the sights of fraudsters hunting credit card data. It all started with primitive skimmers homemade devices attached to an ATM, capable of stealing information from the card's magnetic strip and pin-code with help of a fake ATM pin pad or a web camera.

Over time, the design of such devices was improved to make them less visible. With the implementation of much harder but not impossible to clone chip-and-pin payment cards the devices evolved into so-called 'shimmers': largely the same, but able to gather information from the card's chip, giving sufficient information to conduct an online relay attack.

The banking industry is responding with new authentication solutions, some of which are based on biometrics.

According to a Kaspersky Lab investigation into underground cybercrime, there are already at least twelve sellers offering skimmers capable of stealing victims' fingerprints. And at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems.

The first wave of biometric skimmers was observed in 'presale testing' in September 2015. Evidence collected by Kaspersky Lab researchers reveals that during the initial testing, developers discovered several bugs.

However, the main problem was the use of GSM modules for biometric data transfer - they were too slow to transfer the large volume of data obtained. As a result, new versions of skimmers will use other, faster data transfer technologies.

There are also signs of ongoing discussions in underground communities regarding the development of mobile applications based on placing masks over a human face.

With such an app, attackers can take a person's photo posted on social media and use it to fool a facial recognition system.

The problem with biometrics is that, unlike passwords or pin codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus if your data is compromised once, it won't be safe to use that authentication method again.

That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports called e-passports and visas. So, if an attacker steals an e-passport, they don't just possess the document, but also that person's biometric data. They have stolen a person's identity, said Olga Kochetova, security expert at Kaspersky Lab.

The use of tools capable of compromising biometric data is not the only potential cyber threat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, black-box attacks and network attacks to seize data that can later be used to steal money from banks and its customers.

Read the full threat overview report about upcoming cyber threats to cash machines, and measures that can be implemented in order to protect banks from these threats on Securelist.com.

(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

image
Business Standard
177 22
Business Standard

Kaspersky Lab to examine future threats to ATMs with 'Biometric skimmers'

ANI  |  New Delhi [India] 

Kaspersky Lab experts have investigated how cybercriminals could exploit new ATM authentication technologies planned by banks.

While many financial organizations consider biometric-based solutions to be one of the most promising additions to current authentication methods, if not a complete replacement for them cyber criminals see biometrics as a new opportunity to steal sensitive information.

ATMs have for years been in the sights of fraudsters hunting credit card data. It all started with primitive skimmers homemade devices attached to an ATM, capable of stealing information from the card's magnetic strip and pin-code with help of a fake ATM pin pad or a web camera.

Over time, the design of such devices was improved to make them less visible. With the implementation of much harder but not impossible to clone chip-and-pin payment cards the devices evolved into so-called 'shimmers': largely the same, but able to gather information from the card's chip, giving sufficient information to conduct an online relay attack.

The banking industry is responding with new authentication solutions, some of which are based on biometrics.

According to a Kaspersky Lab investigation into underground cybercrime, there are already at least twelve sellers offering skimmers capable of stealing victims' fingerprints. And at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems.

The first wave of biometric skimmers was observed in 'presale testing' in September 2015. Evidence collected by Kaspersky Lab researchers reveals that during the initial testing, developers discovered several bugs.

However, the main problem was the use of GSM modules for biometric data transfer - they were too slow to transfer the large volume of data obtained. As a result, new versions of skimmers will use other, faster data transfer technologies.

There are also signs of ongoing discussions in underground communities regarding the development of mobile applications based on placing masks over a human face.

With such an app, attackers can take a person's photo posted on social media and use it to fool a facial recognition system.

The problem with biometrics is that, unlike passwords or pin codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus if your data is compromised once, it won't be safe to use that authentication method again.

That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports called e-passports and visas. So, if an attacker steals an e-passport, they don't just possess the document, but also that person's biometric data. They have stolen a person's identity, said Olga Kochetova, security expert at Kaspersky Lab.

The use of tools capable of compromising biometric data is not the only potential cyber threat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, black-box attacks and network attacks to seize data that can later be used to steal money from banks and its customers.

Read the full threat overview report about upcoming cyber threats to cash machines, and measures that can be implemented in order to protect banks from these threats on Securelist.com.

(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

RECOMMENDED FOR YOU

Kaspersky Lab to examine future threats to ATMs with 'Biometric skimmers'

Kaspersky Lab experts have investigated how cybercriminals could exploit new ATM authentication technologies planned by banks.While many financial organizations consider biometric-based solutions to be one of the most promising additions to current authentication methods, if not a complete replacement for them cyber criminals see biometrics as a new opportunity to steal sensitive information.ATMs have for years been in the sights of fraudsters hunting credit card data. It all started with primitive skimmers homemade devices attached to an ATM, capable of stealing information from the card's magnetic strip and pin-code with help of a fake ATM pin pad or a web camera.Over time, the design of such devices was improved to make them less visible. With the implementation of much harder but not impossible to clone chip-and-pin payment cards the devices evolved into so-called 'shimmers': largely the same, but able to gather information from the card's chip, giving sufficient information to ...

Kaspersky Lab experts have investigated how cybercriminals could exploit new ATM authentication technologies planned by banks.

While many financial organizations consider biometric-based solutions to be one of the most promising additions to current authentication methods, if not a complete replacement for them cyber criminals see biometrics as a new opportunity to steal sensitive information.

ATMs have for years been in the sights of fraudsters hunting credit card data. It all started with primitive skimmers homemade devices attached to an ATM, capable of stealing information from the card's magnetic strip and pin-code with help of a fake ATM pin pad or a web camera.

Over time, the design of such devices was improved to make them less visible. With the implementation of much harder but not impossible to clone chip-and-pin payment cards the devices evolved into so-called 'shimmers': largely the same, but able to gather information from the card's chip, giving sufficient information to conduct an online relay attack.

The banking industry is responding with new authentication solutions, some of which are based on biometrics.

According to a Kaspersky Lab investigation into underground cybercrime, there are already at least twelve sellers offering skimmers capable of stealing victims' fingerprints. And at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems.

The first wave of biometric skimmers was observed in 'presale testing' in September 2015. Evidence collected by Kaspersky Lab researchers reveals that during the initial testing, developers discovered several bugs.

However, the main problem was the use of GSM modules for biometric data transfer - they were too slow to transfer the large volume of data obtained. As a result, new versions of skimmers will use other, faster data transfer technologies.

There are also signs of ongoing discussions in underground communities regarding the development of mobile applications based on placing masks over a human face.

With such an app, attackers can take a person's photo posted on social media and use it to fool a facial recognition system.

The problem with biometrics is that, unlike passwords or pin codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image. Thus if your data is compromised once, it won't be safe to use that authentication method again.

That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports called e-passports and visas. So, if an attacker steals an e-passport, they don't just possess the document, but also that person's biometric data. They have stolen a person's identity, said Olga Kochetova, security expert at Kaspersky Lab.

The use of tools capable of compromising biometric data is not the only potential cyber threat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, black-box attacks and network attacks to seize data that can later be used to steal money from banks and its customers.

Read the full threat overview report about upcoming cyber threats to cash machines, and measures that can be implemented in order to protect banks from these threats on Securelist.com.

(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

image
Business Standard
177 22

Upgrade To Premium Services

Welcome User

Business Standard is happy to inform you of the launch of "Business Standard Premium Services"

As a premium subscriber you get an across device unfettered access to a range of services which include:

  • Access Exclusive content - articles, features & opinion pieces
  • Weekly Industry/Genre specific newsletters - Choose multiple industries/genres
  • Access to 17 plus years of content archives
  • Set Stock price alerts for your portfolio and watch list and get them delivered to your e-mail box
  • End of day news alerts on 5 companies (via email)
  • NEW: Get seamless access to WSJ.com at a great price. No additional sign-up required.
 

Premium Services

In Partnership with

 

Dear Guest,

 

Welcome to the premium services of Business Standard brought to you courtesy FIS.
Kindly visit the Manage my subscription page to discover the benefits of this programme.

Enjoy Reading!
Team Business Standard