’s Cyber Kung Fu Master Class: ATM fraud, with Gemalto

Xavier Larduinat of Gemalto teaches us about the nasty practice of skimming

Tags: Cyber crimeGemalto NV ( Arab Emirates
  • E-Mail’s Cyber Kung Fu Master Class: ATM fraud, with Gemalto This month’s Cyber Kung Fu Master: Xavier Larduinat, marketing and communications manager for Banking and Security Innovation at Gemalto.
By  Stephen McBride Published  July 23, 2015

Just when you think your Kung Fu is attuned to the cyber nasties, an attack can come from somewhere you thought impossible. “Surely, if I am not sitting at my computer, tablet or smartphone, I cannot be assailed by cyber bandits,” you could reasonably assert.

Alas, you still need training and this month’s master is here to oblige.

So far, in’s digital dojo, we have covered DDoS, DNS cache-poisoning, phishing, website security, software vulnerabilities and SQL injection. This month we are going to show you how vulnerable your money is and how to protect it, as we take a look at ATM fraud.

So assemble on the mats for your next lesson in… Cyber Kung Fu (gong!).

Meet this month’s Cyber Kung Fu Master: Xavier Larduinat, marketing and communications manager for Banking and Security Innovation at Gemalto

Larduinat is in charge of promoting Gemalto’s cyber-security offerings. Prior to working in the digital security market, which he has been a part of since 2001, he spent 14 years in the semiconductor design and test industry with multiple international product marketing assignments, including ones in Germany, and the US.

Larduinat holds a Masters degree in Electronic Engineering from INSA Lyon, France, where he graduated in 1987.

The attack: ATM fraud

Automated teller machines (ATM) are not normally where the mind drifts when thinking about cyber security. They probably strike you as secure; as a means of withdrawing cash, not losing it. But criminals intent on robbing banks no longer need to barge through a branch’s door brandishing shotguns.

And nor, according to this month’s Cyber Kung Fu Master, do they need to hack the bank’s network. The process of compromising an ATM is a lot more physical than cracking other devices, but once the pieces are in place, criminals can sit back and collect the most sensitive of data from customer after customer.

“The main type of attack at ATMs is a skimming attack, aimed at collecting a maximum amount of cardholders’ PANs [primary account number], expiration dates, names and PIN [personal identification number] codes,” explains Master Larduinat. “In order to do so, hackers install several hardware elements in the ATM cavity, then remove those hardware elements before the scam [is discovered].”

The first piece of hardware Larduinat is talking about is the skimmer itself. For an attack to be successful, cyber criminals need to install this card-reading apparatus on top of the genuine, bank-controlled card reader, inside the ATM itself. For stealth purposes, the skimmer is also connected to the genuine reader and passes on everything it reads, so the teller machine continues to behave as normal, all while the skimmer collects PANs, expiry dates and account-holder names from every card used at the terminal.

Continues on next page>>

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code