Avoiding credit-card scams is easy as long as you use cash. What happens when getting cash proves just as perilous? Hackers have developed a very sophisticated ATM hack that's almost impossible to detect, requires neither an ATM card nor a preexisting PIN, and is being used in the United States.
Moscow-based security firm Kaspersky Lab covered the issue on its blog, explaining that ATM scams are on the rise worldwide. The company's native Russia is a particular hotspot, but the U.S. is second in the number of reported infections.
Scammers start by unlocking an ATM's enclosure, probably with a default master key, and using a CD to infect the machine with a piece of malware known as Backdoor.MSIL.Tyupkin. Days later, they return to the machine and use Tyupkin to dispense up to 40 bills without the need for verification.
Tyupkin works only on ATMs that run 32-bit Windows operating systems and are made by a major manufacturer that Kaspersky Lab did not name. Furthermore, Tyupkin accepts commands only in the dead of night on certain days of the week, keeping the exploit well-hidden most of the time.
When a malefactor does run the program, he or she needs a specially generated PIN based on an algorithm unique to the malware. Then, he or she can withdraw 40 bills at a time directly from the ATM: no user account required.
The good news (if you can call it that) is that since the hack affects ATMs directly, everyday users don't need to worry about it too much, unless their bank eventually folds due to nonstop theft.
Banks can theoretically also catch malefactors in the act with security cameras, since the scammers must be on-premises both to install the malware and to withdraw cash. However, it's difficult to tell a scammer from a regular customer from afar, especially if they're blocking the screen with their bodies.
Kaspersky Lab suggests that banks change the locks on their ATM enclosures, since criminals often have master keys, and install physical alarms to go off when an ATM enclosure is opened. Banks that don't tighten their security could find their oversights very costly.
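As an added illustration (not from Kaspersky Lab or the original article), the sketch below shows how a bank's monitoring team could flag the two physical traces described above: an enclosure opened without a service ticket, and cash dispensed with no matching host approval. The event types, field names and sample records are constructed assumptions, not a real ATM journal format.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and event types are assumptions.
EVENTS = [
    {"ts": "2014-10-05T14:02:10", "type": "HOST_AUTH", "notes": 5},
    {"ts": "2014-10-05T14:02:18", "type": "DISPENSE", "notes": 5},
    {"ts": "2014-10-06T11:30:00", "type": "ENCLOSURE_OPEN", "ticket": "SVC-77"},
    {"ts": "2014-10-08T16:45:00", "type": "ENCLOSURE_OPEN", "ticket": None},
    {"ts": "2014-10-13T01:17:42", "type": "DISPENSE", "notes": 40},
    {"ts": "2014-10-13T01:19:03", "type": "DISPENSE", "notes": 40},
]

# Assumed maximum delay between a host approval and the resulting dispense.
AUTH_WINDOW = timedelta(seconds=60)


def find_alerts(events, auth_window=AUTH_WINDOW):
    """Return (timestamp, reason) pairs for events that need investigation."""
    alerts = []
    open_auths = []  # approvals not yet matched to a dispense: (time, notes)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "HOST_AUTH":
            open_auths.append((ts, ev["notes"]))
        elif ev["type"] == "ENCLOSURE_OPEN" and not ev.get("ticket"):
            # Mirrors the "alarm when the enclosure is opened" recommendation.
            alerts.append((ev["ts"], "enclosure opened with no service ticket"))
        elif ev["type"] == "DISPENSE":
            # Each approval may justify exactly one dispense of the same size.
            match = next(
                (a for a in open_auths
                 if timedelta(0) <= ts - a[0] <= auth_window
                 and a[1] == ev["notes"]),
                None,
            )
            if match:
                open_auths.remove(match)
            else:
                alerts.append(
                    (ev["ts"], f"{ev['notes']} notes dispensed with no host approval")
                )
    return alerts


if __name__ == "__main__":
    for when, reason in find_alerts(EVENTS):
        print(when, reason)
```

Such reconciliation is only trustworthy if the dispense records come from a source the ATM's own operating system cannot alter, such as cassette counts or the bank's host-side records.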