Coverage From Cybersecurity Symposium

CHICAGO—Get ready for crooks to begin blowing up ATMs. Yes, blowing them up.

Mark Solomon, a detective with the Connecticut financial crimes task force, told attendees at the 2016 NASCUS/CUNA Cybersecurity Symposium here that criminals in the coming years will begin blowing open ATMs by igniting propane gas.

“They typically drive up in a car with a propane tank in the back, run a line from the tank to the ATM, pump in the gas and then set off the explosion with a detonation cord,” said Solomon. “It’s crazy. And I can tell you it does not do much for your lobby, either.”

Solomon Mark
Mark Solomon speaking to Cybersecurity Symposium.
Solomon said this crime began occurring in all the other countries that had converted to EMV ahead of the U.S. and that the practice picked up as more of a country’s cards were converted to chip. He said the U.S. won’t likely begin seeing ATMs blown open for four or five years, due largely to the fact the U.S. migration to EMV is still in its early stages and card fraud is still lucrative.

“But we can tell you that this is coming,” said Solomon. “We have a pretty accurate crystal ball.”

Overall, in the sophisticated world of cybercrime, crooks are turning more to old-school techniques as EMV takes hold. That has already show in the rapid return of ATM card skimming, on which has reported.

“I have never seen card skimming at the pace it is happing today,” said Solomon. “The crooks are serious now.”

Other Threats On Their Way

Other types of ATM attacks used overseas that Solomon said are coming to the U.S.:

Card trapping: The crook places a thin piece of metal inside the ATM card slot that traps a person’s card when it is inserted. The crook approaches the person whose card is stuck, says to punch in their PIN and that might eject the card. When that does not work, the cardholder walks away frustrated and then the crook, with PIN in hand, walks away with the card after removing it and the metal “trap” from the ATM with a special tool.
Audio-recording of mag stripe data: Solomon said crooks can insert a device into the card slot that can “listen” to mag stripe data and then reproduce that same data for a counterfeit mag-stripe card.
Tapping or eavesdropping: Tapping into the ATM data transmission lines to steal card information.
“Throat skimmers”: Thin devices that read card data and are inserted into the card slot. They are almost impossible to detect, said Solomon.
Jackpotting: Malware tricks the ATM to spit out cash at specific times. Thieves can insert a circuit board into the card slot that injects malware into the ATM that programs the machine to do their bidding. “Then the fraudsters come by at 2 a.m. on Sunday and pick up their cash.”
With many of these approaches, crooks still need the PIN, said Solomon, so the crook’s camera has to be somewhere. “In the past we trained staff to look for skimming devices. Now it’s best to look for the camera.”

As analysts stated prior to the Oct. 1 liability shift deadline for EMV, chip cards will not eliminate fraud and only turn criminals to different attack routes. ATM theft is just one example, said Solomon, along with the rise of card not present fraud.

And Making A Comeback…

Outside of attacks on ATMs, other crimes making a comeback include “cracking cards” and credit card account opening fraud. Cracking cards is a ruse to fool someone into naively handing over ATM PIN as part of an easy-money scheme. The criminals typically contact the person via social media, ask if they can use the person’s account to cash a check, and then promise the victim a cut of the money they deposit.

Criminals, too, are moving away from stealing card data toward swiping personal information to perpetrate identity theft.

“We have seen a significant increase in identity theft,” said Solomon. “So if I can’t get your chip card data I can get your personal data and open up a chip card in your name or take over your account. What I have talked about is not a guestimate, it is what has happened in all other countries that have converted to EMV.”


. . . . . . . .

Leave a Reply