A vulnerability in ATMs could allow hackers to make the machines spit out thousands of pounds in just a few minutes. Speaking at the Black Hat conference in Las Vegas, experts from Rapid7 showed how criminals could make ATMs dispense money with just a few changes.

Using the technique, they said they could get up to $50,000 (£38,000) from an unattended machine in just 15 minutes, according to Computing. The security firm has shared the exact method with ATM manufacturers and banks, but did not fully disclose it publicly to avoid aiding would-be thieves.

At a basic level, the scam involves skimming a card with a modified point of sale system or ATM and stealing both its identifying data and the PIN entered by the victim. The data can be downloaded wirelessly from the skimming device using a smartphone.

Criminals can then make external changes to an ATM and recreate the stolen card, allowing them to use it to drain cash from the machine.

The scam involves a card-shaped device inserted into the machine that helps to set up the secure connection needed to make transactions.

The criminals are only able to withdraw cash for a limited time, but skimming multiple cards could allow them to steal large amounts of money from banks.

“With this paper and lecture, I hope to improve the overall knowledge of financial institutions and ATM manufacturers regarding the lengths that carders will go to in order to use stolen credit card data,” said Rapid7 senior security consultant Weston Hecker in his whitepaper.

“My goal is to encourage proper maintenance and communication with fraud backend systems, in order to reduce the negative impact of attacks against these systems.”

With the US slowly adopting chip and PIN technology, it is anticipated that such exploits could become more widely used as the base of potential victims grows.
