Monthly Archives: June 2017

So You Think You Can Spot a Skimmer?

This week marks the 50th anniversary of the automated teller machine — better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think you’re good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge.

The first cash machine opened for business on June 27, 1967 at a Barclays bank branch in Enfield, north London, but ATM transactions back then didn’t remotely resemble the way ATMs work today.

The first ATM was installed in Enfield, in North London, on June 27, 1967. Image: Barclays Bank.

The first ATM was installed in Enfield, in North London, on June 27, 1967. Image: Barclays Bank.

The cash machines of 1967 relied not on plastic cards but instead on paper checks that the bank would send to customers in the mail. Customers would take those checks — which had little punched-card holes printed across the surface — and feed them into the ATM, which would then validate the checks and dispense a small amount of cash.

This week, Barclay’s turned the ATM at the same location into a gold color to mark its golden anniversary, dressing the machine with velvet ropes and a red carpet leading up to the machine’s PIN pad.

The location of the world's first ATM, turned to gold to commemorate the cash machine's golden anniversary. Image: Barclays Bank.

The location of the world’s first ATM, turned to gold and commemorated with a plaque to mark the cash machine’s golden anniversary. Image: Barclays Bank.

Chances are, the users of that gold ATM have little to worry about from skimmer scammers. But the rest of us practically need a skimming-specific dictionary to keep up with today’s increasingly ingenious thieves.

These days there are an estimated three million ATMs around the globe, and a seemingly endless stream of innovative criminal skimming devices has introduced us over the years to a range of terms specific to cash machine scams like wiretapping, eavesdropping, card-trapping, cash-trapping, false fascias, shimming, black box attacks, bladder bombs (pump skimmers), gas attacks, and deep insert skimmers.

Think you’ve got what it takes to spot the telltale signs of a skimmer? Then have a look at the ATM Fraud Inspection Guide (PDF) from cash machine giant NCR Corp., which briefly touches on the most common forms of ATM skimming and their telltale signs.

For example, below are a few snippets from that guide showing different cash trapping devices made to siphon bills being dispensed from the ATM.

Cash-trapping devices. Source: NCR.

Cash-trapping devices. Source: NCR.

As sophisticated as many modern ATM skimmers may be, most of them can still be foiled by ATM customers simply covering the PIN pad with their hands while entering their PIN (the rare exceptions here involve expensive, complex fraud devices called “PIN pad overlays”).

The proliferation of skimming devices can make a trip to any ATM seem like a stressful experience, but keep in mind that skimmers aren’t the only thing that can go wrong at an ATM. It’s a good idea to visit only ATMs that are in well-lit and public areas, and to be aware of your surroundings as you approach the cash machine. If you visit a cash machine that looks strange, tampered with, or out of place, then try to find another ATM.

You are far more likely to encounter ATM skimmers over the weekend when the bank is closed (skimmer thieves especially favor long holiday weekends when the banks are closed on Monday). Also, if you have the choice between a stand-alone, free-standing ATM and one that is installed at a fixed location (particularly a bank) opt for the fixed-location machine, which is typically more secure against physical tampering.

"Deep insert" skimmers, top. Below, an ATM "shimming" device. Source: NCR.

“Deep insert” skimmers, top. Below, ATM “shimming” devices. Source: NCR.

Tags: , , ,

You can skip to the end and leave a comment. Pinging is currently not allowed.

from Krebs on Security

8 Things Every Security Pro Should Know About GDPR

8 Things Every Security Pro Should Know About GDPR

Organizations that handle personal data on EU citizens will soon need to comply with new privacy rules. Are you ready?


1 of 9


In just under one year, the European Union’s General Data Protection Regulation (GDPR) will formally begin being enforced.

The statute requires any company, or entity, that handles personal data belonging to EU residents to comply with a broad set of requirements for protecting the privacy of that data. Significantly, GDPR vests EU residents with considerable control over their personal data, how it is used, and how it is made available to others. Under the statute, data subjects are the ultimate owners of their personal data, not the organizations that collect or use the data.

Companies that fail to comply with GDPR requirements can be fined between 2% and 4% of their annual global revenues or up to €20 million – which at current rates works out to just under $22.4 million USD – whichever is higher. 

Enforcement of GDPR begins May 25, 2018. It replaces Data Protection Directive 95/46 EC, a 1995 statute governing the processing and protection of private data by companies within the EU. One of its biggest benefits for covered entities is that GDPR establishes a common data protection and privacy standard for all member nations within the EU. Organizations within the EU and elsewhere will still need to deal with data protection authorities in each of the 28 member countries. But they will no longer be subject to myriad different requirements from each member nation. 

The statute was written for EU companies. But any organization, anywhere in the world that collects or processes personal data belonging to EU residents is subject to GDPR requirements. 

Surprisingly, given the specific and stringent nature of GDPR, a vast majority of U.S. companies covered under the statute do not appear to be in any particular hurry to comply with its requirements. A Spiceworks survey of 779 IT professionals from the United States, the U.K, and the EU showed that only 5% of entities in the US have started to prepare for it. While nearly one-third of all organizations in the EU are concerned about potential GDPR-related fines, barely 10% of U.S. companies appear worried that they could end up being on the wrong side of the law. 

Here’s what you need to know about GDPR and what to prepare for, according to and others. 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio


1 of 9


More Insights

from Dark Reading – All Stories

Siemens Patches Critical Intel AMT Flaw in Industrial Products

Siemens patched two critical vulnerabilities that affected its industrial products this week. One, tied to a recently disclosed flaw in Active Management Technology – a function of certain Intel processors – could have allowed an attacker to gain system privileges. Another vulnerability could have let an attacker upload and execute arbitrary code.

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned about both vulnerabilities on Thursday.

Each issue received a CVSS v3 rating of 9.8, something that indicates the vulnerabilities are critical in nature.

The first vulnerability stems from several Intel chipsets – Intel Core i5, Intel Core i7, and Intel XEON – that figure into Siemens products. Equipment commonly found in chemical, energy, and water/wastewater facilities, such as the company’s SIMATIC industrial PCS, SINUMERIK Panel Control Unit, and SIMOTION P320 PC all use the chips. Siemens warned Thursday that chips that have the AMT function enabled could open products up to remote code execution.

According to a security advisory from Siemens an attacker could exploit the vulnerability to gain system privileges to provisioned Intel manageability SKUs, like “Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology (SBT).”

ICS-CERT and Siemens’ warning comes almost two months after researchers with Embedi first disclosed the AMT vulnerability (CVE-2017-5689). The Berkeley, Calif.-based firm said at the time it was likely the vulnerability, which can easily let an attacker bypass authentication, was a programmer’s mistake. Attackers in Southeast Asia known as Platinum became the first APT group found abusing the feature earlier this month. Microsoft said the attackers were using a file-transfer tool to take advantage of AMT and run malicious code on targeted machines.

The company pushed updates for most of the SIMATIC IPCs earlier this week but says it’s still working on developing fixes for affected SINUMERIK PCUs.

A full list of affected products and patches can be found at the company’s support portal.

The second vulnerability affects the company’s ViewPort for Web Office Portal. In versions prior to revision number 1453 Siemens said an attacker could send specially crafted network packets to port 443/TCP or port 80/TCP. By doing so an attacker could have the potential to upload and execute arbitrary code. If carried out successfully the code would have the permissions of the operating system user.

The Web Office Portal lets users retrieve data from control centers. The portal is commonly found in energy company setups.

ICS-CERT also warned of equally critical but unpatched vulnerabilities in Schneider-Electric’s U.motion Builder this week. The product is a web-server-based system for automation networks, usually found in commercial, critical manufacturing, and energy facilities.

A handful of issues, including a SQL injection vulnerability, a path traversal vulnerability, denial of service, and improper access control vulnerability, plague versions 1.2.1 and earlier, ICS-CERT warns.

The most pressing issue, the SQL injection, could let an attacker perform arbitrary SQL statements against the underlying database. The software also comes with a hard-coded password for its system web access account and includes a hard-coded valid session, something which could allow an attacker to bypass authentication.

Schneider-Electric warned of the vulnerabilities on Tuesday but said it doesn’t plan to issue a firmware update to resolve them until the end of August.

“When available, it is highly recommended that U.motion Builder users apply the patch in a timely manner,” a security notification (.PDF) posted to the company’s site reads.

In the meantime the company is urging users to minimize network exposure, isolate networks behind firewalls, and only access systems remotely via VPN.

from Threatpost – English – Global – thr…

News in brief: Germany to levy €50m fines on social media; Facebook drone success; hacker offers Petya help

Your daily round-up of some of the other stories in the news

Berlin passes social media fine laws

German lawmakers have voted in favour of a proposal to levy huge fines on social media providers if they don’t take down “obviously illegal” content in a timely fashion.

Under the new “Netzwerkdurchsetzungsgesetz” law, which comes into effect after Germany’s federal elections which are due in September, Facebook, Twitter, YouTube and other sites with more than 2m users in Germany, will have to take down hate speech or otherwise illegal posts within 24 hours or face a fine of €50m.

Critics have warned that the new law could restrict freedom of speech, and have also raised concerns that the social media platforms will have to act as censors. They’ve also pointed out that issues of jurisdiction apply: what happens, for example, if a user outside Germany posts something that’s visible in Germany that breaks Germany’s strict laws but doesn’t infringe the statutes of other countries?

Justice minister Heiko Mass said that experience had shown that without action from lawmakers, “the large platform operators would not fulfil their obligations”.

Facebook drone success

Facebook has completed a second successful test of a solar-powered drone, called Aquila, which soared over Arizona for an hour and 46 minutes in May. The success of the flight will have come as a relief to Facebook, as the first test last summer ended in a crash and an investigation by the NTSB, the US air safety investigatory board.

Facebook is planning to use its drone fleet to provide internet access to areas of the world that don’t have a reliable network, with the drones constantly in flight and running on solar power.

In a blog post, Facebook said that this flight “was all about data”, measuring things like drag to refine the drone’s aerodynamics and gathering data to predict energy use and “thus optimize for battery and solar array size”.

Petya author offers help with new outbreak

This week has been dominated by news of the Petya (or not-Petya) ransomware outbreak as IT departments around the globe raced to prevent the ransomware crippling their businesses and to contain the damage at organisations that were hit.

Then on Wednesday, about 24 hours after the outbreak surfaced in Ukraine, someone claiming to be the author of the original Petya ransomware, which seems to have been adapted for this week’s attack, popped up online offering to help people who’d been hit.

Janus Cybercrime Solutions, the cybercrime group that claimed to be the author of Petya, tweeted: “we’re back havin a look in “notpetya” maybe it’s crackable with our privkey”.

Janus had been selling the original Petya to other hackers – as ransomware-as-a-service – and said on Wednesday that they were examining the code from the current outbreak, and added that they were not behind this week’s attack.

Catch up with all of today’s stories on Naked Security

from Naked Security – Sophos

8tracks Hit With Breach of 18 Million Accounts

8tracks Hit With Breach of 18 Million Accounts

Hackers attack Internet radio user database, gaining access to email addresses and encrypted passwords.

Hackers broke into Internet radio site 8tracks, resulting in a database breach of 18 million users’ email addresses and encrypted passwords, according to an International Business Times report.

The online music site says in a blog post that only users who signed up for the service using their email got hit. Customers who rely on Google or Facebook to authenticate themselves  did not have their passwords pilfered, 8tracks says.

The company believes an employee’s Github account, which did not have two-factor authentication, served as the attack vector. When Github alerted the 8tracks employee of an unauthorized attempt to change their account password, that is when 8tracks realized a breach had ocurred.

“We do not believe this breach involved access to database or production servers, which are secured by public/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data. We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system,” 8tracks states in its blog.

Read more about the breach here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

from Dark Reading – All Stories

Majority of Sites Fail Mozilla’s Comprehensive Security Review

A majority of the top 1 million websites earn an “F” letter grade when it comes to adopting defensive security technology that protect visitors from XSS vulnerabilities, man-in-the-middle attacks, and cookie hijacking.

The failing grades come from a comprehensive analysis published this week by the Mozilla Foundation using its Mozilla Observatory tool. According to a scan of Alexa ranked top 1 million websites, a paltry 0.013 percent of sites received an “A+” grade compared to 93.45 percent earning an “F”.

The Observatory tool, launched last year, tests websites and grades their defensive posture based on 13 security-related features ranging from the use of encryption (HTTPS), exposure to XSS attacks based on the use of X-XSS-Protection (XXSSP) and use of Public Key Pinning which prevents a site’s use of fraudulent certificates.

The silver-lining to the bad grades is that in the year since the Observatory tool began grading sites, security has improved. Compared to scans conducted between April 2016 and June 2017 the percentage of sites earning a “B” have jumped 142 percent and those earning a “C” have increased 90 percent.

“It’s very hard if you’re just someone running a website to make it secure,” said April King, staff security engineer at Mozilla and developer of the Observatory tool. “There are so many different security standards. The documentation for those standards are scattered all over the place. There are not a lot of single resources that are telling you straight-up what you need to do.”

King said she is encouraged at the pace of improvement when it comes to specific defensive tools. For example, the percentage of sites that support HTTPS has grown 36 percent in the past year. “The number might seem small, but it represents over 119,000 top websites,” she told Threatpost.

Other security wins include a 125 percent increase in the number of sites that have adopted Content Security Policy (CSP), a browser feature that fends off Cross Site Scripting (XSS) and data injection attacks. Another win has been a 117 percent increase in adoption of Subresource Integrity (SRI), a verification feature that ensures when a browser fetches resources from third parties, such as a content delivery network, the content is not manipulated in transit.

However, despite triple-digit growth in both CSP and SRI adoption, still less than one percent of sites still have adopted these security features.

King concedes that achieving a secure website configuration, using all the available technologies developed in recent years by browser makers, is not easy.

“I’m extremely optimistic. With tools that are free and easy to use, like Observatory, we can begin to see a common framework for building websites. This type of tool is pushing awareness back into the tool chain and making it very easy for people to implement,” King said.

King likens Observatory to Qualys SSL Labs’ SSL Server Test, a free tool that analyses the configuration of SSL web servers. Observatory goes way beyond checking a website’s TLS implementation and checks for 13 different web security mechanisms. The scoring system is based on a 0 to 100 point scheme. Scores don’t just check for the presence of any given technology, but the correct implementation as well.

Observatory is a tough grader, King said, because it’s designed to be a teaching tool to help administrators across the industry “become aware of the myriad technologies that standard bodies and browser companies have designed and implemented to improve the safety of the internet’s citizens.”

“The fact that so many new sites have started using these technologies recently is a strong sign that we are beginning to succeed in that mission,” she said.

from Threatpost – English – Global – thr…

Happy 50th birthday, hole-in-the-wall cash machines!

Lift a pint to John Shepard-Barron, as we celebrate the 50th anniversary of the ATM (Automated Teller Machine) he devised, or did he? It matters not, ATM #1 was installed by Barclays Bank on June 27 1967, the the user punched in a PIN and lo and behold, the machine paid out £10. There are now well over 3,000,000 ATMs installed across the globe, all able to provide a bit more than ten quid.

And not to disappoint, the criminals (and white hat researchers) have been creating means to get the cash out of the machine, illicitly. We take at look at some of the more interesting, famous and infamous methodologies which have evolved over the 50 years of the ATM.

Hoist and Heist  

The first ATM thefts were accomplished by members of the “Hoist and Heist” club of thieves. This methodology of stealing the entire machine and then cracking it open at their leisure remains viable today. Just a few days ago a cashpoint ATM machine was stolen from the Lloyds bank in Suffolk, East Anglia – it was ripped out of the wall using a JCB telehandler.


Who can forget when the late Barnaby Jack lit up the stage at the 2010 Black Hat conference showing how to “Jackpot” ATMs. The fits of laughter from the audience were evident as the ATM spewed cash out on to the stage.

Years later, we see jackpotting still in vogue, with ATMs across Europe spitting out cash, as evidence by the late 2016 simultaneous jackpotting attack which took place in more than ten countries.

And then, Russian and eastern European crooks demonstrated the move toward cardless manipulation of ATMs in Thailand and Taiwan. The thieves in Thailand hit 21 machines, and made off with $350,000, while the thieves in Taiwan hit an undisclosed number of ATMs, collecting approximately $2m.

While many criminals remain at large, law enforcement does have some wins. In May 2017 Europol had success with the arrest of 27 people  across a number of countries in connection with black box attacks on ATMs.

Steal your credentials

We associate credential theft to the more modern epoch of skullduggery, yet, according to the Smithsonian, it was a simply a matter of months after ATMs first appeared in our walls that “proto-hackers in Sweden exploited [the inability to authenticate the user was the owner] to great advantage in 1968 when they used a stolen ATM token to withdraw huge amounts of money from different machines”.

Fill those debit cards and empty those ATMs

As if to define “organized crime”, in late 2012 and early 2013 we saw the draining of $45m from ATMs as teams of runners hit thousands of ATMs in a matter of hours in two separate attacks.

On December 21 2012, the criminals demonstrated they were no slouches when it comes to hacking skills. They infiltrated a credit-card processing company in India handling pre-paid credit cards. Once in, they then raised the withdrawal limits on five prepaid MasterCard debit accounts, and by using the prepaid cards, distributed to runners in 20 countries, the money flowed. The global take on that day was $5m.

A couple of months later, the same modus operandi was used, this time when a credit-card processing company in the United States was infiltrated. First, they raised the withdrawal limits on 12 cards issued by the Bank of Muscat in Oman. Then, at 3pm 19 February 19 2013, teams of runners hit the streets across the world: in a matter of hours, 36,000 transactions netted the criminals $40m.

Were lessons learned? Apparently not, as in late 2016 the Yakuza in Japan using phony cards hit thousands of ATMs at once and drained approximately $16m in two hours.

Pupil power

Then in 2014 we saw two Canadian schoolboys who had studied an ATM operations manual visit a Bank of Montreal ATM, where, using the instructions they had found in the manual, gave themselves admin rights and took over an ATM. Surprised that the technique had worked, they promptly went in to a branch and alerted the bank.

ATM, let me diagnose you

London police arrested three individuals in late 2014, who figured out that if you put the ATM in diagnostic mode, you could induce it to share the money within as part of a test. The three hit 50 ATMs over the course of a May Day holiday weekend, and collected $2.58m.


Whither ATMs?

Are ATMs here to stay? We think so, at least for the time being – as will the continued attention to cracking ATMs by criminals, whether remotely or literally.

The Accenture-ATMIA 2016 ATM Benchmarking Study reckons that the “ATM will retain its importance for banks and consumers alike in the foreseeable future”.

Banks and ATMs now offer services other than simply dispensing cash, including paying bills and cardless withdrawal among them. And with the increased number of ways in which crooks can get access to ATMs, the level of investment by operators in defensive measures can also be expected to increase. The following diagram, from the study, shows the level of adoption of the various defensive measures, with humans – security guards at ATM lobbies – being the least adopted practice and adding alarms to ATMs the most popular.

ATM DefensesATM Defenses – ATMIA ATM Benchmarking study 2016

The study concludes the criminals are well resourced, and the challenge to protect ATMs remains a struggle as “ever more sophisticated attacks to which the channel [ATM] is subject”.  We agree.

from Naked Security – Sophos