This article is more than 1 year old
It's 2015 and ATMs don't know when a daughterboard is breaking them
Cash machines pay out after USB module gets a call from a Galaxy S4
Carders have jackpotted an ATM by inserting a circuit board into the USB ports of an ATM, tricking it into spitting out cash.
The technique was thought to have emulated the cash dispenser of the ATM so the brains of the machine thought everything was normal, buying additional time for the brazen crooks to make off with the cash.
A Samsung Galaxy S4 was then used by a remote attacker to issue commands to the dispenser, cybercrime scribe Brian Krebs reported.
NCR global security manager Charlie Harrow said the circuit board gives crime lords control, but the folks who install it are not necessarily the real perps.
"... you have the Mr. Big back at the hideout who's sending the commands, and the mules are the ones at the ATMs," Harrow said.
"So the mule who has the black box is unable to activate the attack unless he gets the command from the Mr. Big, and the mobile phone is the best way to do that.”
The amount of cash stolen was not revealed.
The mobile phone component also made it difficult for investigators to piece together how the attackers pushed commands through to the cash dispenser.
Investigators were unsure what commands were sent to the dispenser only that they were funneled through the phone.
The type of attacks were increasing, NCR said. Most logical USB port attacks involved malware and only one other had used the type of black box equipment used here.
ATM owners have been urged to avoid stand alone machines where possible, as they are more easily attacked. NCR has updated its encryption scheme so that a key is exchanged between the brains and dispenser after a specific authentication sequence, and hardened firmware preventing thieves from downgrading. ®