According to a report by Trustwave, new malware has been spotted that specifically targets ATMs. Among other things, it can copy the data from a card's magnetic stripe together with the PIN that was entered. Trustwave calls on banks to inspect their ATMs for malicious software:
Given the impact this malware can have on an infected ATM environment, Trustwave highly recommends ALL financial institutions with ATMs under management perform analysis of their environment to identify if this malware or similar malware is present.
Trustwave just happens to offer several services that might help banks with that, which is always a trigger for me to take these kinds of announcements with a grain of salt. I'm not saying ATMs can't be hacked; this malware is probably real, but that doesn't mean this one sample is a sign that all banks need to check their ATMs immediately.
For starters, how are criminals supposed to install this? I'm sure someone would notice you opening up a machine and plugging in a USB stick. Most ATMs are monitored by cameras, and a simple intrusion sensor would notify the owner immediately. Even if you manage to open an ATM, it's much easier to simply swap the card reader and/or the keypad for ones that record the card data and the PIN. That is far less conspicuous to the bank, because unlike software running on the machine, a replaced piece of hardware is much harder to detect remotely. And if you are willing to spend a little more time and money, you don't even need to be at the ATM at all: you can go after the PINs where they are decrypted and re-encrypted by an HSM on their way to the customer's bank.
Second, if you already have access to the machine, why not just Google for the master password and reprogram the ATM using its built-in control software instead of writing your own malware? And if you don't have that password, it is more valuable to write your malware to record the master password the next time an operator enters it than to capture the PINs of people using the machine. The master password is likely to be shared across multiple machines, and swapping out the cash cassettes is a much easier "hack" than copying bank cards.
So while this malware might pose a real threat, and running Windows on such sensitive devices isn't my idea of good security practice, I doubt we'll see a lot of cases of "a virus copied my PIN" anytime soon. Meanwhile there are other things to worry about, such as the case in which a bank in the UK supposedly deleted crucial evidence that might have proved whether or not a transaction was made with a copied card, and was still given the benefit of the doubt by a judge.