Archive

Go to:

August 2017
SMTWTFS
12345
6789101112
13141516171819
20212223242526
2728293031
< Jul Sep >
Leaguer Email Subscription

You are not currently subscribed. Click Subscribe below to receive the Leaguer email.

Cybersecurity Concerns at a New Level May Include Biometrics
Wednesday, October 12, 2016 6:25 AM

In September, Kaspersky Lab reported that there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints from ATMs. This news and reports speculating that it is possible for hackers to steal information stored on EMV chip cards are creating an uproar in cybersecurity conversations. 

For years, ATMs have been in the sights of fraudsters hunting financial data. It all started with primitive skimmers, homemade devices attached to an ATM, capable of stealing information from the card’s magnetic strip and pin-code with help of a fake ATM pin pad or a web camera. Over time, the design of such devices was improved to make them less visible. With the implementation of clone chip-and-pin payment cards cybercriminals devices evolved into so-called "shimmers." These are largely the same, but these devices are able to gather information from the card’s chip, giving sufficient information to conduct an online relay attack. The banking industry is responding with new authentication solutions, including some that are based on biometrics.

The investigation into underground cybercrime by Kaspersky Lab researchers concluded there are already at least 12 sellers offering skimmers capable of stealing victims’ fingerprints. In addition, at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems.

The first wave of biometric skimmers was observed in “presale testing” in September 2015. The evidence collected reveals that during the initial testing, developers discovered several bugs; however, the main problem was the use of GSM modules for biometric data transfer – they were too slow to transfer the large volume of data obtained. As a result, new versions of skimmers will use different, faster data transfer technologies.

"The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," said Olga Kochetova, security expert, Kaspersky Lab. "Thus, if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports – called e-passports - and visas. So, if an attacker steals an e-passport, they don’t just possess the document, but also that person’s biometric data. They have stolen a person’s identity."

There are also signs of ongoing discussions in underground communities regarding the development of mobile applications based on placing masks over a human face. With such an app, attackers can take a person’s photo posted on social media and use it to fool a facial recognition system.

The use of tools capable of compromising biometric data is not the only potential cyberthreat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, blackbox attacks, and network attacks to seize data that can later be used to steal money from banks and its customers.

Read the full threat overview report about upcoming cyberthreats to cash machines and measures that can be implemented in order to protect banks from these threats on Securelist.com.

The news caused one British regulator to write a letter to banks telling them to report on the steps that they are taking to secure biometrics. What makes this report so disturbing is that, whereas compromised ATM and credit cards can be reissued, you can’t change someone’s biometric data.

Source: CUInsight and Kaspersky Lab.

Assess Your Systems and Manage Your Risk

As technology changes, every credit union faces new security issues. Let Credit Union Resources help you stay on top of it—your future could depend on it. Our team of technology professionals provides guidance on compliance, shares best practices, and performs audits. We have a vested interest in your success, and your cybersecurity matters to us. To find out how we can help you manage cybersecurity and operational risks, contact:

Idrees Rafiq

469-385-6799

800-442-5762, ext. 6799

irafiq@curesources.coop

Deanna Brown

469-385-6464

800-442-5762, ext. 6464

dbrown@curesources.coop

 

About Credit Union Resources Inc.

Credit Union Resources is a service corporation that provides industry-leading solutions and expertise to credit unions across the country. Credit Union Resources is a part of the Cornerstone Credit Union League, a regional trade association representing the interests of credit unions in Arkansas, Oklahoma, and Texas.