Researchers at security firm Rapid7 have shown how a point-of-sale device for chip and PIN cards can be used to illegally draw money from an ATM.
Engadget reported that the researchers, presenting at the Def Con security conference, showed that a POS device can be used to intercept the one-time key and account information used by chip and PIN bank cards when making a transaction.
The information is then transmitted to another device – such as an ATM – which then makes a second transaction. This can include withdrawing cash from your bank account.
The scam works as follows: first, the POS device must be compromised, with a piece of hardware installed in the machine that reads the card’s chip.
The process is known as “shimming”.
Once the data is captured, it is transferred to a legitimate ATM that has been “hijacked”.
The ATM is fitted with a system called La-Cara, which tricks the ATM into thinking the card is being inserted.
A robot hand then enters the PIN at the ATM, and the maximum amount allowed is withdrawn.
The researchers said potential scammers can avoid unwanted attention at the target ATMs by placing large “Out of Order” signs over the front of them.
The cash is then collected by the scammers at a convenient time.
Multiple compromised POS devices can be linked to a single ATM, stated the report.
The researchers said they took a year to develop this attack method, and do not expect to see it “in the wild” in the US until October 2018.