I get a lot of email feeds and news from financial websites, but often spot real banking news in more unlikely places … like New Scientist magazine.
On the front cover
of last week's mag was a story about Gaia's evil twin.
I thought that was going to be about the social networking world of Gaia Online
, but it was actually an interesting article about how Earth really works and that Mother Earth is nothing like the Greek Goddess Gaia, who nurtures. Instead it's more like the murderous wife of Jason of the Argonauts, Medea, who killed her own children.
Anyways, flicking through the pages, the tech section was headlined by a story called:
This relates the following news:
"A devious piece of criminal coding has been quietly at work in a clutch of cash machines at banks in Russia and Ukraine. It allows a gang member to walk up to an ATM, insert a "trigger" card, and use the machine's receipt printer to produce a list of all the debit card numbers used that day, including their start and expiry dates – and their PINs. Everything needed, in fact, to clone those cards and start emptying bank accounts."
Not so nice.
Apparently the shysters intall a 50kb malware on ATMs as part of a legitimate Windows program called 1sass.exe. This program looks OK to techies and would normally go overlooked because it is part of a normal Windows system that drive most modern ATMs, except that it has no useful function on an ATM as all it is used for is to cache session data so that users don't have to re-enter passwords every time they get a new email or enter a website.
And that's the scheme in a nutshell.
Install the malware and then 1sass.exe collects all the card data and spews it out on demand.
Result: criminals walk along to any ATM, enter the magic code and get an ATM receipt with all the card numbers and PINs.
No wonder the European ATM Security Team (EAST) reckon that ATM fraud is now running at €484 million a year across Europe:
That's just ATM fraud, not card fraud.
Here's the Spiderlabs full briefing presentation:
Now then, which ATM shall I try out first?