September 26, 2016 -
Researchers at Kaspersky Lab have investigated how cybercriminals could exploit new biometric ATM authentication technologies to steal the fingerprint data of banking customers.
While many financial organizations consider these emerging biometric-based ATM solutions to improve security over current authentication methods, cybercriminals can potentially use biometrics to steal sensitive information.
In its investigation into these underground cybercrime practices, Kaspersky Lab researchers found that there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints.
At least three of these underground sellers are currently researching devices that could illegally obtain data from palm vein and iris recognition systems.
The first wave of biometric skimmers was observed in “presale testing” in September 2015, in which the developers of these skimmers discovered several bugs.
Developers found that the main issue related to the use of GSM modules for biometric data transfer, which were too slow to transfer the large volume of data obtained.
As a result, new versions of the biometric skimmers will use different, faster data transfer technologies.
“The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image,” said Olga Kochetova, security expert, Kaspersky Lab. “Thus, if your data is compromised once, it won’t be safe to use that authentication method again.
“That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports – called e-passports – and visas. So, if an attacker steals an e-passport, they don’t just possess the document, but also that person’s biometric data. They have stolen a person’s identity.”
There have also been ongoing discussions in underground communities regarding the development of mobile applications in which attackers exploit the victim’s photo posted on social media and use it to dupe a facial recognition system.
In addition to these biometric ATM theft tools, Kaspersky Lab researchers reveal that hackers will continue to perform malware-based attacks, blackbox attacks and network attacks to compromise data that can later be used to steal money from banks and its customers.
Securelist.com offers a full threat overview report regarding upcoming cyberthreats to cash machines and safety tactics that can be deployed to protect banks from these threats.
Additionally, there are a number of videos demonstrating the various attack vectors against ATMs.
Previously reported, WISeKey International Holding Ltd released WISeID 6, an updated edition of its personal data and identity protection application that is now integrated with BlockChain technology.