Biometric methods are vulnerable
Numerous financial organizations see biometric approaches as one of the most promising authentication methods for ATMs in the future. However, biometrics also offers cybercriminals new ways to steal sensitive information.
ATMs have been targeted by criminals for years. Initially, simple Skimmer-These devices were able to steal information from the magnetic stripe of the bank card as well as the PIN code with the help of a fake input field or camera. With the introduction of chip-and-pin bank cards, which are harder to copy, so-called shimmer devices emerged: they are largely similar to the previous skimmer devices, but can read information from the card chip to create a Online relay attack to be carried out. For example, contactless authentication methods - for example, via NFC (Near Field Communication) - can also be leveraged.
To defend against such attacks, the banking industry is working with new authentication solutions, some of which are based on biometrics.
Darknet: biometric data theft devices
According to Kaspersky Lab experts, at least twelve providers of skimmer devices capable of stealing fingerprints can currently be identified in the cyber underground. In addition, there are at least three providers of devices that can illegally collect data from palm vein and iris recognition systems.
Kaspersky's experts observed the first pre-sales tests of biometric skimmers back in September 2015, which revealed a number of weaknesses. The biggest problem was that the biometric data was to be sent via GSM modules, but the connection was too slow for the size of the data transfer. New skimmer versions therefore already rely on other and faster data transfer methods.
In addition, the development of mobile apps that can be used to place masks over human faces is being discussed in the underground. With such an app, attackers could, for example, trick facial recognition software via photos posted on social media.
"With biometrics, it is impossible to change one's fingerprint or iris pattern - unlike passwords and PIN codes, which can be changed in the event of a threat," said Olga Kochetova, security expert at Kaspersky. "Once one's biometric data is stolen, it is useless for authentication processes. Therefore, it is extremely important to protect such data and transfer it in a secure way. Biometric data is also stored in modern passports and ID cards. So if such a document falls into the hands of criminals, for example, not only has the ID card been stolen, but also the biometric data it contains on the owner's identity."
The full Kaspersky report on future cyberthreats to ATMs and ways banks can protect themselves can be here can be viewed.
