ATM Machines Hacked in Moscow

Event Summary

According to the Moscow Times, hundreds of ATM PIN codes have been stolen over the last few weeks from Moscow's ATM network. The criminals then used the stolen card data and PINs to empty bank accounts, down to the last dollar or Deutschmark, from ATMs elsewhere in the world. Russian and German law-enforcement agencies are conducting a joint investigation into what is believed to be a single crime ring. Marcel Hoffman, a spokesman for the Federal Association of German Banks, confirmed to the Moscow Times that hundreds of warning letters had been sent to expatriates alerting them that their ATM PINs had been compromised.

An editorial in the Moscow Times called on the banks to confront ATM fraud. Russian bank officials have brushed off the accusations with denials and assurances about "first-class security systems." Such a dismissive response from Russian banking officials is likely to hurt the flow of foreign money into Moscow.

Methodologies of ATM Hacking

This is not the first case of ATM fraud. In October 1996, a gang of seven businessmen, two from Tel Aviv and five from Poland, were found guilty of withdrawing a total of 600,000 Israeli shekels, equivalent to about US $200,000. The businessmen had purchased tens of thousands of blank plastic ATM cards in Greece and later encoded the magnetic stripes with stolen card data. An Israeli computer expert, Daniel Cohen, had obtained the codes and assisted with producing the magnetic stripes. Magnetic stripe readers and writers can be purchased for about $300.

A magnetic stripe usually carries two tracks, sometimes three, and each track is divided into fields. Most banks ignore track one, though some put the card holder's name in its fifth field. The account number is usually stored in the second field of track two, and the PIN verification value in field nine of track one or field six of track two. With a magnetic stripe reader, a stolen card's stripe can be read and recorded, then written onto a new card with a stripe writer. Alternatively, if you know which numbers go in which fields, you can write another person's account number onto your own card and use your own PIN to loot their account; this works wherever the bank checks the PIN against the verification value on the stripe without binding that value to the account number. Note that the account number itself is normally stored in the clear on the stripe; it is the PIN verification value that is cryptographically derived, and where that derivation uses a weak or poorly managed key, a competent cryptographer may be able to recover it.
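As an added example (not code from the article), the following parser reads the ISO 7813 Track 2 layout that most issuers actually encode: start sentinel, primary account number, separator, expiry, service code, discretionary data, end sentinel. It shows concretely that the account number sits in the clear and is validated only by a Luhn check, while the PIN-related data lives in the discretionary field. The sample record is constructed and uses a well-known test PAN; the PVKI/PVV/CVV split of the discretionary data is a common issuer convention assumed here, not something the page states.

```python
"""Parse an ISO 7813 Track 2 magnetic-stripe record.

Added example, not code from the article. SAMPLE_TRACK2 is constructed; its
PAN is the standard test number 4111 1111 1111 1111. The LRC byte that follows
the end sentinel on the physical stripe is assumed to have been stripped by the
reader hardware and is not part of the input.
"""
import re
from dataclasses import dataclass

# ;PAN=YYMMSSSdiscretionary?  (SSS = three-digit service code)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\?$"
)

SAMPLE_TRACK2 = ";4111111111111111=25121010000012345678?"  # constructed


@dataclass
class Track2:
    pan: str            # primary account number, stored in the clear
    expiry: str         # YYMM
    service_code: str   # three digits, see pin_required()
    discretionary: str  # issuer-defined; usually holds PVKI/PVV/CVV


def luhn_ok(pan: str) -> bool:
    """ISO 7812 Luhn check digit: the only integrity check on the PAN itself."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 record")
    t = Track2(m["pan"], m["expiry"], m["service"], m["disc"])
    if not luhn_ok(t.pan):
        raise ValueError("PAN fails Luhn check")
    return t


def is_valid_track2(raw: str) -> bool:
    try:
        parse_track2(raw)
        return True
    except ValueError:
        return False


def pin_required(service_code: str) -> bool:
    """Third service-code digit 0, 3 or 5 means the issuer requires a PIN
    (ISO 7813 convention as understood by this example)."""
    return service_code[2] in "035"


def split_discretionary(disc: str) -> dict:
    """Assumed common layout: PVKI (1 digit) + PVV (4 digits) + CVV (3 digits).
    Issuers are free to lay this field out differently."""
    return {"pvki": disc[0:1], "pvv": disc[1:5], "cvv": disc[5:8]}


if __name__ == "__main__":
    t = parse_track2(SAMPLE_TRACK2)
    print(t)
    print("PIN required:", pin_required(t.service_code))
    print("discretionary:", split_discretionary(t.discretionary))
```

The point for a practitioner: nothing on the stripe stops a writer from swapping in another PAN; what prevents the "my PIN, your account" trick in the article is the host deriving the PVV from the PAN as well as the PIN and checking it online, rather than trusting whatever is encoded in the discretionary field.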

There are multiple ways that ATM systems can be compromised. In the paper "Why Cryptosystems Fail," Ross Anderson of the University of Cambridge Computer Laboratory describes several of them. (The HTML version of the paper credits Nikos Drakos of the Computer Based Learning Unit at the University of Leeds only as the author of the LaTeX2HTML conversion tool, not of the paper.) Anderson notes that one attack on ATM financial networks relies on the fact that many banks neither encrypt nor authenticate the authorization response sent to the ATM. If an attacker can record a "pay" response from the bank to the machine, which can be done by sniffing the protocol on a compromised network link, the attacker can replay that response until the machine is empty. This technique is known as "jackpotting." The defence is for the host to authenticate each response with a keyed message authentication code bound to a per-transaction identifier, so the ATM rejects any response it cannot verify or has already consumed.
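The exchange described above, as an added example that is not from the article, the paper, or any real bank protocol: a simulated host authorizes a withdrawal, an attacker captures the "pay" response, and the same capture is replayed against an ATM that trusts the wire and against one that checks an HMAC bound to its own transaction ID and nonce. The JSON message format, the shared 16-byte key and the 8-byte nonce are assumptions; in a real deployment the key would be a per-terminal key held in HSMs on both sides.

```python
"""Replay ("jackpotting") of an unauthenticated ATM authorization response,
beside the same exchange protected by a per-transaction MAC.

Added example, not from the article or from "Why Cryptosystems Fail".
Message layout, key and nonce sizes are assumptions made for this demo.
"""
import hashlib
import hmac
import json
import os

HOST_KEY = b"\x00" * 16  # constructed demo key shared by host and ATM


def mac(key: bytes, resp: dict) -> str:
    """HMAC-SHA256 over every response field except the MAC itself."""
    body = json.dumps({k: v for k, v in resp.items() if k != "mac"},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Host:
    """Bank host: decides pay/decline and signs the response."""

    def __init__(self, key: bytes, balance: int):
        self.key, self.balance = key, balance

    def authorize(self, request: dict) -> dict:
        amount = request["amount"]
        if amount <= self.balance:
            self.balance -= amount
            decision = "pay"
        else:
            decision = "decline"
        resp = {"txn": request["txn"], "nonce": request["nonce"],
                "amount": amount, "decision": decision}
        resp["mac"] = mac(self.key, resp)  # ignored by the naive ATM below
        return resp


class NaiveATM:
    """Dispenses on any response that says 'pay': the jackpotting target."""

    def __init__(self):
        self.dispensed = 0

    def process(self, response: dict) -> bool:
        if response["decision"] == "pay":
            self.dispensed += response["amount"]
            return True
        return False


class CheckedATM:
    """Binds each response to a pending request and verifies the MAC."""

    def __init__(self, key: bytes):
        self.key, self.dispensed, self.pending = key, 0, {}

    def new_request(self, txn: int, amount: int) -> dict:
        nonce = os.urandom(8).hex()          # fresh per transaction
        self.pending[txn] = (nonce, amount)
        return {"txn": txn, "nonce": nonce, "amount": amount}

    def process(self, response: dict) -> bool:
        txn = response.get("txn")
        if txn not in self.pending:          # unknown or already consumed: replay
            return False
        nonce, amount = self.pending[txn]
        if response.get("nonce") != nonce or response.get("amount") != amount:
            return False                     # response does not match our request
        if not hmac.compare_digest(mac(self.key, response), response.get("mac", "")):
            return False                     # forged or tampered
        del self.pending[txn]                # one response per request, ever
        if response["decision"] == "pay":
            self.dispensed += amount
            return True
        return False


def jackpot_naive(replays: int = 5) -> int:
    """Attacker replays one captured 'pay' response; returns cash dispensed."""
    host, atm = Host(HOST_KEY, balance=100), NaiveATM()
    captured = host.authorize({"txn": 1, "nonce": "n/a", "amount": 100})
    atm.process(captured)
    for _ in range(replays):
        atm.process(captured)                # each replay pays out again
    return atm.dispensed


def jackpot_checked(replays: int = 5) -> int:
    """Same capture against the MAC-checking ATM; only the first is honoured."""
    host, atm = Host(HOST_KEY, balance=100), CheckedATM(HOST_KEY)
    captured = host.authorize(atm.new_request(1, 100))
    atm.process(captured)
    for _ in range(replays):
        atm.process(captured)                # rejected: txn no longer pending
    return atm.dispensed


def tampered_checked() -> bool:
    """Attacker edits the amount in flight; the checked ATM refuses it."""
    host, atm = Host(HOST_KEY, balance=100), CheckedATM(HOST_KEY)
    resp = host.authorize(atm.new_request(1, 50))
    resp["amount"] = 500
    return atm.process(resp)


if __name__ == "__main__":
    print("naive ATM dispensed:", jackpot_naive())
    print("checked ATM dispensed:", jackpot_checked())
    print("tampered response accepted:", tampered_checked())
```

Encrypting the link alone would not stop this attack, since an encrypted "pay" message replays just as well as a plaintext one; what closes it is the ATM-generated nonce and the single-use pending-transaction table, with the MAC tying the host's decision to that specific request.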

Several years ago, a disgruntled ex-employee of a bank in New York stole over $80,000. After shoulder surfing customer PINs, he used discarded bank receipts to match each PIN to an account number, and was later able to enter these numbers into the ATM and withdraw money using his own PIN. Presumably he did this with a magnetic stripe writer.

Some banks' ATMs can be hacked by observing a customer's PIN and then inserting a telephone card once the customer has left. The ATM believes the previous card has been inserted again, and when the observed PIN is entered, money is made available for withdrawal.

The fastest-growing modus operandi for attacking ATM customers is the use of fake terminals to collect card and PIN data. Attacks of this kind were first reported in the United States as early as 1988. With a bit of engineering, criminals can build vending machines that accept any card and PIN and dispense, say, a packet of cigarettes. They place the machine in a shopping mall and harvest PINs and magnetic stripe data through a modem built into it.

There have also been cases of criminals installing second-hand ATMs bought from banks. These ATMs are placed in public locations such as new shopping malls. Unsuspecting consumers insert their cards, punch in their PINs and get a message saying, "Sorry, unable to dispense cash at this time." Meanwhile the criminals read the card numbers and PINs from the machine's log files, encode them onto bogus cards and withdraw money.

How prevalent is ATM fraud? The number of ATM fraud warnings on the FBI's website suggests that reports are frequent. Here are some ways that ATM fraud can be reduced:

  • ATM fraud is growing. Banks need to be held responsible for the technology risks they put in consumers' hands.

  • As banks become aware of weaknesses in traditional ATM technology, new security measures need to be put into place. Non-reusable authentication, such as time-based token systems or one-time passwords, would be an improvement over most current ATM systems.

  • In the US, the Federal Reserve's Regulation E limits a consumer's liability for unauthorized electronic transfers and obliges the bank to investigate disputed transactions, but the liability limits depend on how quickly the loss is reported. If you believe your account has been hit by fraudulent activity, report it to your bank at once.

  • If traveling abroad, avoid using your ATM card and carry old-fashioned, reliable traveler's checks instead.

  • When using an ATM card anywhere, do not leave your receipt behind, especially if your bank prints your full account number on it.

  • Putting shredders in ATM booths would be a good preventive measure against dumpster divers looking for account numbers on discarded receipts.

  • Don't put your ATM card in a public vending machine.

  • If your ATM card is lost or stolen, report it to your bank as soon as possible so that it can be deactivated.

  • Reconcile your bank account monthly and report any discrepancies immediately.
