Consumers have been warned that using debit cards is inherently more dangerous than credit cards. If thieves manage to steal your debit card information, they can clean out your bank account.
There have been numerous accounts of identity thieves planting “skimmer” devices on ATMs and gasoline pumps. These fake keypads usually fit over the real keypad and record PINs as they steal account information.
But these skimmers are now old-fashioned, and consumers have been cautioned to inspect keypads before they punch in their PINs. So some thieves have become more clever and diabolical. They hijack the ATM itself, turning it into one big skimmer.
Security company Kaspersky Lab says one of its teams recently made the discovery while investigating an incident report at an unnamed bank. The team found traces of Skimer malware on one of the bank's ATMs. The cybercriminals had planted it sometime earlier, but had not activated it.
The Kaspersky team believes the thieves gained access to the bank's ATM system, either physically or by hacking into the bank's network. After that, they installed Backdoor.Win32.Skimer, malware that infects the core of the ATM, which controls the ATM's interaction with the banking infrastructure, including cash processing and credit cards.
Even though the cybercriminals have full control over the compromised ATMs, Kaspersky says they move slowly and deliberately, not wanting to raise suspicions. They no longer need the fake card readers that are getting easier to spot. Instead, when they throw the switch, they turn the entire ATM into a skimmer.
The malware allows the thieves to withdraw all the money in the ATM, or to intercept data from all debit cards used at the machine, which will continue to work perfectly.
The problem is fairly obvious. There is no way for a consumer to tell whether the machine they're using to withdraw money is stealing their card's data.
The security firm says most cybercriminals successfully breaching an ATM won't steal money directly. Rather, they'll use the software to steal debit card data, because they can do it for months before their scheme is uncovered.
They make duplicate cards using the stolen data and use those cards in uninfected ATMs to withdraw large amounts of cash.
Countering the threat isn't easy, but Kaspersky recommends banks undertake regular AV scans and upgrade security systems and policies. The company said its investigation is ongoing, and that it is sharing intelligence with the banking industry.
Financial losses due to skimming continue to mount. A year ago, the FICO Card Alert Service reported a 173% year-over-year increase in card and PIN skimming points at bank-owned ATMs. At the same time, it said compromised merchant debit card transaction points had declined sharply.