This article was published on August 5, 2016

New ATM hack allows thieves to make off with up to $50k from a single chip-and-pin card

Touted as a safer replacement for magnetic stripe cards, chip-and-PIN (EMV) cards may not be as secure as once thought. Now that retailers around the globe have made the switch, researchers are turning up weaknesses in the chip-and-PIN transaction that leave the cards only marginally more secure than their predecessor.

A new ATM hack demonstration shows just how vulnerable they are. Researchers from the security firm Rapid7, presenting at Black Hat, the security conference in Las Vegas, showed that an ordinary chip-and-PIN card could be used to withdraw money from an ATM in under 15 minutes.

[Image: a ‘shimmer’ device. Credit: Krebs on Security]

The hack relies on a ‘shimmer,’ a thin skimming device that sits between the card’s chip and the reader of the ATM (or POS terminal), putting the attacker in the middle of the exchange (a MitM, or man-in-the-middle, attack) once the card is inserted. The device lets the thieves not only read data from the card but also record the chip’s exchange with the terminal and the magnetic stripe data, along with the PIN as the customer enters it. From there, they need only download this data to re-create the victim’s card and use it at the same ATM.

If you’re thinking the thieves need elaborate or hard-to-find tools to pull off the hack, think again. All of this was done for around $2,000 using readily available parts, such as a Raspberry Pi.

[Image: a ‘shimmer’ device inside an ATM. Credit: Krebs on Security]

It should be noted, however, that chip-and-PIN cards do have one security feature that limits the damage should this happen to you: the chip generates a unique transaction code (a cryptogram) for each transaction, so the data the shimmer captures is good for a single transaction rather than for unlimited reuse. Because the thieves can only use the captured data once, the card is marginally safer than its magnetic stripe predecessor, which can be cloned and used again and again.

But don’t get too excited: the researchers at Rapid7 say that single transaction could take up to $50,000 of your funds in one go.
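To make concrete why the captured data is good for only one withdrawal, the following is an added illustration, not Rapid7’s tooling and not real EMV: the chip’s per-transaction code is modelled as an HMAC-SHA256 tag over the amount, the card’s transaction counter and a random challenge from the terminal (a real card uses a DES/AES-based MAC), and the shimmer, ATM and issuer are toy stand-ins. The card number, key and amounts are constructed test values. Step 4 models the attacker’s withdrawal as a live relay while the card is still in the shimmed reader; the article does not spell out how the single withdrawal is performed, so treat that step as an assumption of the model.

```python
"""Toy model of why a captured chip transaction code works only once.
Added illustration, not Rapid7's tooling and not real EMV: the card's
per-transaction code (EMV's application cryptogram) is modelled as an
HMAC-SHA256 tag, where a real card uses a DES/AES-based MAC. The card
number, key and amounts below are constructed test values."""
import hashlib
import hmac
import os
import struct


def cryptogram(key, amount_cents, atc, unpredictable_number):
    # Tag over amount, the card's transaction counter (ATC) and the
    # terminal's random challenge, truncated to 8 bytes like EMV's AC.
    data = struct.pack(">QI", amount_cents, atc) + unpredictable_number
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """The chip: the key never leaves it and the ATC only counts up."""
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_ac(self, amount_cents, unpredictable_number):
        self.atc += 1
        return self.atc, cryptogram(self.key, amount_cents, self.atc,
                                    unpredictable_number)


class Issuer:
    """The bank: checks the tag and rejects an ATC it has already seen."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enrol(self, pan, key):
        self._keys[pan], self._last_atc[pan] = key, 0

    def authorise(self, pan, amount_cents, atc, unpredictable_number, tag):
        key = self._keys.get(pan)
        if key is None:
            return "decline: unknown card"
        expected = cryptogram(key, amount_cents, atc, unpredictable_number)
        if not hmac.compare_digest(expected, tag):
            return "decline: bad cryptogram"
        if atc <= self._last_atc[pan]:
            return "decline: transaction counter already used"
        self._last_atc[pan] = atc
        return "approved"


class Shimmer:
    """MitM between chip and reader: passes traffic through, keeps a copy."""
    def __init__(self, card):
        self._card, self.captured = card, None

    def generate_ac(self, amount_cents, unpredictable_number):
        atc, tag = self._card.generate_ac(amount_cents, unpredictable_number)
        self.captured = (amount_cents, unpredictable_number, atc, tag)
        return atc, tag


def atm_withdraw(issuer, chip, pan, amount_cents):
    # ATM side: fresh random challenge, ask the chip, forward to the issuer.
    unpredictable_number = os.urandom(4)
    atc, tag = chip.generate_ac(amount_cents, unpredictable_number)
    return issuer.authorise(pan, amount_cents, atc, unpredictable_number, tag)


def replay_withdraw(issuer, captured, pan, amount_cents=None):
    # Attacker feeds captured data back to the issuer, optionally with a
    # different amount (the tag then no longer matches).
    amount, unpredictable_number, atc, tag = captured
    if amount_cents is None:
        amount_cents = amount
    return issuer.authorise(pan, amount_cents, atc, unpredictable_number, tag)


def demo():
    issuer = Issuer()
    card = Card("4111111111111111", b"constructed test key")  # constructed
    issuer.enrol(card.pan, card.key)
    shim = Shimmer(card)
    results = []
    # 1. Victim withdraws $200 through the shimmed reader: approved, captured.
    results.append(atm_withdraw(issuer, shim, card.pan, 200_00))
    # 2. Attacker replays the captured data later: same ATC, so declined.
    results.append(replay_withdraw(issuer, shim.captured, card.pan))
    # 3. Attacker edits the amount: the tag no longer verifies.
    results.append(replay_withdraw(issuer, shim.captured, card.pan, 50_000_00))
    # 4. While the card is still in the reader, a live relay obtains one
    #    fresh cryptogram, which is why a single attacker withdrawal works
    #    (assumed attack path; the article does not detail it).
    results.append(atm_withdraw(issuer, shim, card.pan, 50_000_00))
    # 5. ...and that cryptogram, too, is good only once.
    results.append(replay_withdraw(issuer, shim.captured, card.pan))
    return results
```

Running demo() shows the sequence the article describes: the victim’s own withdrawal goes through, a later replay of the captured data is refused because the issuer has already seen that counter value, tampering with the amount breaks the tag, and only a fresh cryptogram obtained while the card is in the reader yields one more approval, which in turn cannot be reused.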