Thoughts On The First ATM Multivendor Malware Targeting Card Holders

With reference to the above link on SC Magazine, there are a couple of things I find unclear about this threat – how does it get deployed, and how does it get to the ATM? And how can the attacker steal the card if the ATM is at a guarded location?

Keep in mind that all ATMs also have a camera and DVR, which are independent from the ATM itself; hacking the ATM with this Trojan doesn’t mean also owning the camera. Yes, you could cover it up, I suppose, but wouldn’t that attract the very attention the attacker is attempting to avoid? Until these two questions are answered, I’m not too worried about this Trojan just yet. Hackers/attackers have plenty of other effective ways in which to steal my card information.

One recommendation I always give to ATM users – do NOT use those situated at gas stations or any other ATM that isn’t guarded and/or directly connected to a bank. Firstly, those at the gas stations are incredibly expensive – $5 per transaction at times – and absolutely unprotected. An ATM connected to a bank’s LAN or somehow directly connected to a bank (most likely via a VPN) is far more likely to be protected and, therefore, hard to hack.

So, beware where you use your card.