Criminals sneak card-sniffing software on Diebold ATMs

IDG News Service - Diebold Inc. has released a security fix for its Opteva automated teller machines after cybercriminals apparently broke into the systems at one or more businesses in Russia and installed malicious software.

Diebold learned of the incident in January and sent out a global security update to its ATM customers using the Windows operating system. It is not releasing full details of what happened, including which businesses were affected, but said criminals had gained physical access to the machines to install their malicious program.

"Criminals gained physical access to the inside of the affected ATMs," Diebold said in its security update. "This criminal activity resulted in the operation of unauthorized software and devices on the ATMs, which was used to intercept sensitive information."

The break-in occurred in Russia and affected "a number" of machines, said DeAnn Zackeroff, a company spokeswoman. "The incident was a low-tech break-in to the ATM, but they had a high-tech knowledge of how to install the virus," she said.

Diebold did not say exactly how the criminals were able to install the software on the systems, but its security update advises customers that there are several factors that can increase the risk of such a hack. They include using administrative passwords that have been compromised, not using the locked-down version of Windows that Diebold provides, or misconfiguring the Symantec firewall software that comes with the ATMs.

After studying samples submitted to the VirusTotal Web site, security vendor Sophos reported Tuesday that the code has been in circulation since at least November 2008.

Whoever wrote the malware, called Troj/Skimer-A by Sophos, probably had an insider's knowledge of the Diebold ATMs, said Vanja Svajcer, a Sophos virus researcher. "It uses quite a lot of functions that are not documented," he said. The software replaces files in the Diebold folder, looks for printer and screen data, and scans for transactions in Ukrainian, Russian and U.S. currencies, he said.

Troj/Skimer-A does not spread from computer to computer like a virus, however. The criminals have to gain access to an ATM's internal computer to install the code, Svajcer said. "You have to have physical access to install the malware on the machine, which is not an easy thing to do."

Sophos has not seen this type of ATM malware before, but cybercriminals are always hungry for payment card information and have been turning to increasingly sophisticated tricks in order to get it. In the past few months there have been breaches at least two major credit-card processing companies, and criminals have been known to install card-skimming hardware on bank machines to steal payment card numbers, along with miniature cameras that capture passwords.

Last fall, the U.K.'s Daily Telegraph newspaper reported that an organized crime syndicate had tampered with hundreds of payment card scanners, programming them to send payment card numbers over mobile phone networks.

"This is just another example of the growing level of sophistication and aggression when it comes to ATM-related crime," Zackeroff said.