Friday, August 5, 2016
ATM hack using new EMV cards
The new credit cards in the US now have the EMV chips that have been common elsewhere. They make transactions more secure than the old mag-stripe cards, which were easier to duplicate. However, they are not perfect. In this attack, the point-of-sale (POS) terminal has a "shimmer" installed inside it, which sits between the credit card and the POS hardware -- the classic "man-in-the-middle" attack. At some distant location is an ATM with an "out-of-order" sign on it. The ATM has a smartphone that the "shimmer" communicates with, sharing the information it is snooping while the credit card's EMV chip at the POS terminal is communicating with the banking system. The "out-of-order" ATM has a device to emulate the EMV chip's communication, as well as mechanical servos to push buttons. Using the information from the "shimmer", a transaction is approved, the servos push the buttons, and the ATM dispenses cash. The link (http://www.eweek.com/) includes a brief video of a demonstration.