Many ATMs can be compromised within 30 minutes

An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 30 minutes, and in even less time for certain types of attack.

Cybercriminals use various sophisticated methods, including physical access and remote access by compromising the bank's network, in order to steal money from ATMs.

The report said: “Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week. The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users’ bank cards (also known as skimming). Experts said that 85% of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connects. Researchers said that 27% of the tested ATMs were vulnerable to having their processing centre communications spoofed, while 58% of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.”

In recent ATM-based attacks, malicious hackers stole cash from cardless ATMs using a new form of SMS phishing that tricks users into entering their bank account credentials on a phishing website.

The U.S. Secret Service has also warned of a new form of ATM skimming attack called “wiretapping”, which targets financial institutions by cutting a small hole in the ATM and stealing customer data directly from the card reader inside the machine.

Attackers also try to inject ATM malware families such as Alice, Ripper, Radpin and Ploutus, which are readily available on dark web markets.

Voxox’s Unprotected Server Exposes Over 26 Million Text Messages

Security researchers have found an unprotected database containing tens of millions of text messages, security codes, password reset links, two-factor codes, and shipping notifications.

The exposed server belongs to a California-based communications firm, Voxox. It was not difficult to find the server as it was not protected with a password, and was searchable for both names and telephone numbers, TechCrunch reported.

The security flaw was first noticed by Berlin-based security researcher Sebastian Kaul. He found the database on Shodan, a search engine used to locate publicly accessible devices and databases.

Voxox acts as a gateway between app developers and customers’ phones. It converts short-code messages into text messages and delivers them to users’ phones.

The exposed Voxox database contained text messages sent to users by companies such as Google, Amazon, and Microsoft.

The firm pulled the database offline after being contacted by TechCrunch.

Other findings from a cursory review of the data by the TechCrunch research team include:

  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.
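The findings above show that the exposed gateway logs held message bodies verbatim, so one-time codes, temporary passwords and tracking links were readable by anyone who found the server. As an added example that is not Voxox's code (it assumes a hypothetical log record with `to`, `from` and `body` fields and constructed sample messages), the following Python scrubs such secrets from SMS bodies and masks recipient numbers before a record is written to a log store, so that a later exposure of the log leaks far less:

```python
import re
from urllib.parse import urlsplit

# Six-digit codes not embedded in a longer digit run (typical OTP / 2FA format).
OTP_RE = re.compile(r"(?<!\d)\d{6}(?!\d)")
# Any http(s) URL; the path and query are where reset tokens and tracking ids live.
URL_RE = re.compile(r"https?://\S+")
# "password is X" / "password: X" – the literal credential that follows.
PASSWORD_RE = re.compile(r"(password\s*(?:is|:)\s*)(\S+)", re.IGNORECASE)


def redact_url(match: re.Match) -> str:
    """Keep scheme and host (useful for triage), drop path and query (the token)."""
    parts = urlsplit(match.group(0))
    return f"{parts.scheme}://{parts.netloc}/[REDACTED]"


def redact_message(body: str) -> str:
    """Strip plaintext passwords, link tokens and one-time codes from an SMS body.

    Passwords first (the value may itself be digits), then URLs (so a tracking
    number in a query string is removed as part of the URL), then bare codes.
    """
    body = PASSWORD_RE.sub(lambda m: m.group(1) + "[REDACTED]", body)
    body = URL_RE.sub(redact_url, body)
    body = OTP_RE.sub("[REDACTED-CODE]", body)
    return body


def mask_phone(number: str) -> str:
    """Retain only the last four digits of a recipient number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= 4:
        return number
    prefix = "+" if number.startswith("+") else ""
    return prefix + "*" * (len(digits) - 4) + digits[-4:]


def scrub_record(record: dict) -> dict:
    """Return a copy of a delivery-log record safe to persist (hypothetical schema)."""
    return {
        "to": mask_phone(record["to"]),
        "from": record["from"],  # sender short code is not sensitive
        "body": redact_message(record["body"]),
    }


# Constructed sample log records (not real traffic).
SAMPLE_LOG = [
    {"to": "+13105550147", "from": "22395",
     "body": "Your verification code is 482913. Do not share it."},
    {"to": "+14025550199", "from": "40404",
     "body": "Your temporary banking password is Tmp!9kQ2 and expires in 24h"},
    {"to": "+13055550123", "from": "262966",
     "body": "Your package shipped: track at https://track.example.com/t?n=1Z999AA10123456784"},
    {"to": "+17735550166", "from": "55555",
     "body": "Reminder: appointment Tue 3pm. Reply STOP to opt out."},
]


def scrub_log(records: list) -> list:
    return [scrub_record(r) for r in records]


if __name__ == "__main__":
    for rec in scrub_log(SAMPLE_LOG):
        print(rec)
```

The scrubbed records still support operational troubleshooting (which short code sent what kind of message to which number suffix, and to which host a link pointed) while removing the values that made the Voxox data useful to an attacker.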

The more you say you know about phishing, the more vulnerable you are … Until you’re hoodwinked

A study in which researchers sent phishing emails to 1,350 students has yielded a startling find: those who believe they know how to tell a phishing scam from a genuine email are actually more susceptible to the attack.

The study by the University of Maryland, Baltimore County (UMBC) involved various phishing tests to assess whether any demographic segments were more susceptible to phishing attacks.

Responses were gathered from students in disparate fields, from engineering and mathematics to arts and social sciences. Researchers demonstrated that phishing awareness, hours spent on the computer, cyber training, cyber club or cyber scholarship affiliation, age, academic year, and college affiliation significantly affected student susceptibility.

Some interesting findings emerged, including that older students were more able than their younger peers to spot a phishing email and avoid clicking on the links inside. Less surprising results were those by gender, described by the researchers as not statistically relevant, while engineering and IT majors had some of the lowest click rates.

What was not so anticipated, though, was that students who boasted about their knowledge of phishing and how to avoid it were actually more susceptible than those who were less confident in their ability to sniff out phishing.

As many as 59% of subjects who opened the phishing email also clicked on its phishing link, and approximately 70% of those subjects who participated in an additional demographic survey clicked on the bait links inside.

“Contrary to our expectations, we observed greater user susceptibility with greater phishing knowledge and awareness,” paper authors Alejandra Diaz, Alan T. Sherman, and Anupam Joshi said. “Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing.”


UMBC researchers are the first to admit they have no convincing explanation for this surprising find, but they ventured a couple of guesses nevertheless:

For one, they theorize that falling victim to a phishing scheme in the past might increase a user’s awareness about phishing. In other words, those clumsy enough to fall for a phishing scheme may become proportionally more skeptical of the contents of their inbox overnight. The logic behind this assumption is sound from a psychological perspective, so it’s reasonable that previous experience indeed played an important factor in the results.

“In hindsight, it might have been wiser to have asked in the post-event survey what was the level of phishing awareness the user had when they opened the phishing email,” the researchers were careful to point out.

Their second hypothesis – likely also a correct scenario and a contributing factor to the finding – is that respondents who fell for the phish were simply over-confident in their knowledge about phishing.

“Typically, the most important and devastating vulnerability a company can have is its very own people,” the authors said, citing an IBM study. “The human factor, or error, is responsible for 95% of security incidents. Malicious actors aim to use social engineering to exploit users into giving up valuable and confidential information […] We hope our results will help businesses and colleges improve their cybersecurity practices,” they noted.