Cybercriminals are hawking their claimed ability to exploit newly introduced biometric-based ATM authentication technologies.

Many banks view biometric-based technologies such as fingerprint recognition to be one of the most promising additions to current authentication methods, if not a complete replacement to chip and PIN.

Crooks, however, regard biometrics as a new opportunity to steal sensitive information, research by Kaspersky Lab shows.

Credit card-related financial fraud against ATMs started many years ago with primitive skimmers – homemade devices attached to an ATM and capable of stealing information from the card’s magnetic strip and PIN with help of a fake ATM pin pad or a web camera. This information was subsequently used to make counterfeit cards.

Over many years, the design of such skimmers has been improved to make them less visible. Following the introduction of much harder (but not impossible) to clone chip-and-pin payment cards, the devices evolved into so-called “shimmers”. These shimmers added the ability to gather information from the card’s chip, giving sufficient information to conduct an online relay attack. The banking industry is responding with new authentication solutions, some of which are based on biometrics.

Crooks have recently begun boasting about the ability to offer next generation ATM skimmers that circumvent these additional biometric-based authentication controls.

According to a Kaspersky Lab investigation into underground cybercrime, there are already at least twelve sellers offering skimmers capable of stealing victims’ fingerprints. Moreover, at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems.

Researchers at the Russian security software firm spotted the first wave of biometric skimmers in “presale testing” last September. Evidence collected by Kaspersky Lab researchers since suggests that during this prototype development process, developers discovered several bugs. The main problem was the use of GSM modules for biometric data transfer – they were too slow to transfer the large volume of data obtained. As a result, new versions of skimmers will use other, faster data transfer technologies.

Ongoing discussions in underground communities cover the development of mobile applications based on placing masks over a human face. With such an app, attackers might be able to take a person’s photo posted on social media and use it to fool a facial recognition system.

“The problem with biometrics is that, unlike passwords or pin codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image,” said Olga Kochetova, a security expert at Kaspersky. “Thus, if your data is compromised once, it won’t be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way.”

“Biometric data is also recorded in modern passports – called e-passports -- and visas. So, if an attacker steals an e-passport, they don’t just possess the document, but also that person’s biometric data,” she added.

The use of tools capable of compromising biometric data is not the only potential cyber-threat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, blackbox attacks and network attacks to seize data that can later be used to steal money from banks and their customers.

More on Kaspersky’s research into the latest generation of threats against cash machines in general, together with possible countermeasure, can be found in a blog post on Kaspersky Lab’s Securelist.com blog here. ®