Last year the New York Times ran a story about a man arrested in Grand Central Terminal for emptying the bank accounts of unsuspecting ATM customers. How? Eagle-eyed and patient, the perp would linger by the station’s bank of ATMs and casually spy on the commuters entering their PINs. If the thief was lucky, the withdrawer, in a rush (as they often are), would take his money and leave, forgetting to answer the ATM’s final question: “Would you like another transaction?” So the crook sauntered up, pressed “Yes,” re-entered the PIN, and cleaned house.
Clever, but now passé. Thieves are upgrading, moving from risky, in-person heists to an all-out electronic trawl of bank customers’ PINs. As Wired has reported, hackers are using malware to steal those vital bank codes, tricking the system into decrypting PINs while you innocently wait for authorization at the ATM.
Here’s how it works: When you enter your PIN, it is automatically encrypted and sent to your bank for authorization. But the PIN makes layovers as it switches bank networks, stopping at devices called hardware security modules (or HSMs). At each HSM, the PIN is decrypted and then re-encrypted for the next leg of the journey. It’s here that a hacker’s software exploits a vulnerability in the HSM, snatching up the unencrypted number or “tricking” the HSM into divulging the PIN’s encryption.
So far, the practice isn’t widespread, giving the financial industry some time to figure out how to protect itself. Meanwhile, it can’t hurt to be secretive whenever entering your PIN, guarding against phony card readers (called skimmers; see video above) by learning how to spot them, and waiting for the ATM to display the welcome screen for the next customer.
[ Photo: thinkpanama/Flickr ]