Business News of Tuesday, 9 December 2014
A new form of ATM fraud that involves withdrawing monies from ATM machines without cards is fast growing in Ghana.
This new form of advanced cybercrime, is committed by some fraudsters who insert audiovisual micro-chips into ATM machines to pick sound and video, and transmit it via the internet to their colleagues at home.
The chip is also enhanced to pick details of ATM cards of unsuspecting customers, which are then decoded to hack into their accounts.
The Director, Fraud Unit, at the Criminal Investigation Department (CID) Headquarters of the Ghana Police Service, Superintendent Felix Koku Mawusi, who confirmed the story in an interview with Business Day stated that, some fraudsters who engaged in this crime have been apprehended by the Police and put before the court.
He explained that the micro-chip is slotted into an ATM machine to be locked up.
“It is then logged onto the internal memory system of the machine, transmitting data and sound to these fraudsters in their homes,” he said.
According to him, the data is analyzed and used to hack into the accounts of unsuspecting customers who engage the services of ATM machines.
He indicated that the money is then withdrawn by the fraudsters simply by entering a series of digits without the use of cards.
Supt. Mawusi stated that this new form of crime was detected by the police earlier this year, and notices have been sent to all banks to fix CCTV cameras on their machines to curb the canker.
“We also advised them to put security personnel at the ATM machines noted to have recorded this form of cyber theft,” he said.
He added that most of the banks in the country have also initiated moves to upgrade their ATM machines to block hackers from getting into the system.
Earlier this year, a Russian security company, Kaspersky Labs discovered a flaw in cash machines that allows criminals to quickly steal cash from ATM machines.
Reuters' report has it that, the Interpol alerted countries in Europe, Latin America, Africa and Asia, known to have been targeted – and is carrying out a widespread investigation.
It was gathered that Kaspersky Labs discovered the hack, which is enabled by entering a series of digits on the keypad of ATMs.
Infected cash machines can be instructed to dispense 40 notes at once, without a credit or debit card.
Kaspersky Labs produced a video showing how the hack was carried out.
Prior to trying to obtain the cash, targeted machines are infected with malicious software via a boot CD.
However, before this could be done, hackers need physical access to the workings of the machine.
Once the malware – known as Tyupkin – has been installed, the “mule” sent to collect the cash must enter a code on the machine’s key pad.
But Tyupkin then requires a second unique code – randomly generated by an algorithm at a remote location – to unlock the machine and dispense the cash.
It is this part of the process that ensures the hacker who has this algorithm retains control over when and how often these illegal withdrawals occur.
“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software,” said Vicente Diaz, principal security researcher at Kaspersky.
“Now we are seeing the natural evolution of this threat with cyber criminals moving up the chain and targeting financial institutions directly.”
Kaspersky carried out its initial investigation at the “request of an unnamed financial institution.”
However, the attack does not affect individual customers, instead simply instructing the machine to dispense notes, with no link to bank accounts.
“The fact that many ATMs run on operating systems with known security weaknesses and the absence of security solutions is another problem that needs to be addressed urgently,” Kaspersky wrote.
Earlier this year another malware strain, known as Ploutus, allowed hackers to command machines to dispense cash by sending a text message to them.
In 2010, hacker Barnaby Jack discovered a technique he dubbed “Jackpotting” – in which a cash machine could be made to spew out money.
Mr Jack died of a suspected accidental drug overdose in 2013, just days before he was due to give a presentation on the weaknesses in medical devices.
Additional files from theguildng.com