News

Biometric ATM authentication not immune to skimming, Kaspersky says

October 5, 2016

Kaspersky Lab experts have been investigating ways that cybercriminals might exploit biometric ATM authentication technologies. Many FIs consider biometric-based solutions to be a promising authentication method, cybercriminals see biometrics as a new opportunity to steal sensitive information, the security company said in a press release.

The Kaspersky investigation concluded that at least 12 sellers are already offering skimmers capable of stealing victims' fingerprints, and at least three are researching devices that could illegally obtain data from palm vein and iris recognition systems.

Kaspersky also found signs of ongoing discussions in underground communities regarding the development of mobile applications that overlay a mask onto a human face. With such an app, attackers can take a person's photo posted on social media and use it to fool a facial recognition system.

"The problem with biometrics is that, unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," said Olga Kochetova, a security expert at Kaspersky Lab. "Thus, if your data is compromised once, it won't be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way. Biometric data is also recorded in modern passports — called e-passports — and visas. So, if an attacker steals an e-passport, they don't just possess the document, but also that person's biometric data. They have stolen a person's identity."

Biometric data compromise is not the only potential cyber-threat facing ATMs, according to Kaspersky researchers, who said that hackers will continue to conduct malware-based attacks, blackbox attacks and network attacks to seize data that can later be used to steal money from banks and their customers.

View Kaspersky Lab videos demonstrating various ATM attack vectors.