Shocking Security Failure Uncovered in NCR, Diebold ATMs


Two network cable card skimming devices, as found attached to this ATM. (Photo courtesy of KrebsOnSecurity.)

Traditionally, skimming seems like the most low-brow of security breaches in banking.

Until Monday.

That’s when KrebsOnSecurity, a leading security blog, uncovered what can only be described as a shockingly sophisticated skimming scheme. What’s more, the scheme exposes an eye-poppingly idiotic security protocol at NCR and Diebold.

On Monday, NCR acknowledged that thieves were hacking into ATMs by plugging into ATM network cables and internet jacks:

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” NCR warned. “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

You might ask, how is this attack even possible? As one comment put it, “There are supposed to be DES keys that encrypt communications between the ATM and its network host. Sniffing network traffic should be futile unless the skimmers are cracking AES256 encryption.”


A closer look at the two network cable card skimming devices that were attached to a stand-alone ATM. (Photo courtesy of KrebsOnSecurity.)

Well, it turns out that PCI DSS Requirement 4.1 seems to require card data to be encrypted in transmission over public networks. But ATM networks, like EMV networks, are closed and not public, so the ATM networks transmit without encryption. I know, WTF. Or as one person commented, “This is ridiculous. Even my Android smartphone can encrypt a connection.”

It appears at press time that EMV providers similarly do not encrypt over their private networks.

Apparently, this gaping security flaw likely will not be fixed anytime soon, according to one security professional:

Should be [encrypted], but is not, and won’t be for years. First, you have to look at how credit evolved – security was NEVER baked in to the process for credit, and only marginally for ATMs. Almost all security applied to credit and ATM transactions has been shoehorned in after the fact.

Bank-owned ATMs would be the easiest to encrypt, but past that it gets expensive, and no one wants to absorb that cost. The biggest reason credit transactions aren’t encrypted on the wire (which is the case for most retailers) is because the banks and service providers all charge you an extra fee every time you process a transaction, on top of the existing fees. That equates to millions of dollars per year for most retailers, and that comes straight off the bottom line. It’s a hard sell to get a board to approve taking a few (or more) million out of the profits of the company, just to mitigate a potential threat. And that doesn’t include the costs to implement the encryption. Unfortunately registers / POS systems aren’t easy to just “turn on” encryption – you have to spend a fair amount of money in development to have it baked into your POS, or your card readers, which then still requires POS development.

There are reportedly about 3 million ATMs in circulation worldwide. ATMs were first introduced in the early 1970s.
