A new type of fraud involving Sberbank ATMs has appeared in Russia. Criminals exploit a flaw in the ATM's workflow and the inattention of customers.
According to police, the attacker walks up to the machine without inserting a bank card, selects any operation and leaves it incomplete. The next customer to approach the ATM sees a prompt on the screen asking them to insert a card and enter a PIN code. Once they do, the attacker's pending operation is completed automatically and the money is debited from that customer's account.
The first cases of this kind of theft appeared six months ago, but in the last two weeks the number of complaints from citizens to the police has risen sharply. In every case the theft was committed while there was a queue at the ATM.
The scheme works only if the PIN code is entered within one and a half minutes; otherwise the terminal cancels the operation.
Some experts believe the problem lies in the technology: normally the card must be inserted first and the operation chosen afterwards. The second problem, according to experts, is an excessively long time-out; the standard time-out is 30 seconds. According to Yevgeny Tsarev, an expert at RTM Group, a 90-second time-out is a serious vulnerability, not a technical but a social one, because an unprepared user can easily insert his card without looking at the screen. Sberbank must reconfigure its ATMs and shorten the session time, Mr. Tsarev believes.
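The flaw described above and the fix the experts call for, modelled as an added example (this is not Sberbank's or any ATM vendor's code). The first class lets an operation be queued before any card is present and charges it to whoever authenticates next within the time-out; the second requires the card first, binds every operation to the authenticated card, discards leftover state whenever a new card is inserted, and uses the shorter time-out. The card numbers, PINs and operation names are constructed test data; the 90-second and 30-second time-outs are the figures quoted in the article.

```python
"""ATM session model: the pending-operation flaw and a hardened variant.

Added example; not Sberbank's or any ATM vendor's code. Card/PIN table
and operation names are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed test data: these cards and PINs exist only in this example.
PIN_DB = {"4276-VICTIM": "1234", "4276-OTHER": "9999"}


def verify_pin(card: str, pin: str) -> bool:
    return PIN_DB.get(card) == pin


@dataclass
class Operation:
    kind: str
    amount: int
    bound_card: Optional[str]   # None: queued while no card was present


class VulnerableAtm:
    """An operation can be chosen before any card is inserted; the queued
    operation is charged to whoever authenticates next within timeout_s."""

    def __init__(self, timeout_s: int = 90):
        self.timeout_s = timeout_s
        self.pending: Optional[Operation] = None
        self.pending_at = 0
        self.ledger: list[tuple[str, str, int]] = []   # (card, kind, amount)

    def select_operation(self, kind: str, amount: int, now: int) -> str:
        # No check that a card is present: this is the attacker's step.
        self.pending = Operation(kind, amount, bound_card=None)
        self.pending_at = now
        return "insert card and enter PIN"

    def insert_card_and_pin(self, card: str, pin: str, now: int) -> str:
        if not verify_pin(card, pin):
            return "PIN rejected"
        op, self.pending = self.pending, None
        if op is not None and now - self.pending_at <= self.timeout_s:
            # Completed against the card just inserted, whoever queued it.
            self.ledger.append((card, op.kind, op.amount))
            return f"{op.kind} {op.amount} debited from {card}"
        return "main menu"


class HardenedAtm:
    """Card first, operation second; each operation is bound to the card
    that authenticated, and inserting a card wipes any leftover state."""

    def __init__(self, timeout_s: int = 30):
        self.timeout_s = timeout_s
        self.session_card: Optional[str] = None
        self.session_at = 0
        self.pending: Optional[Operation] = None
        self.ledger: list[tuple[str, str, int]] = []

    def _reset(self) -> None:
        self.session_card = None
        self.pending = None

    def _session_valid(self, now: int) -> bool:
        return self.session_card is not None and now - self.session_at <= self.timeout_s

    def insert_card_and_pin(self, card: str, pin: str, now: int) -> str:
        self._reset()                      # never inherit another user's state
        if not verify_pin(card, pin):
            return "PIN rejected"
        self.session_card, self.session_at = card, now
        return "main menu"

    def select_operation(self, kind: str, amount: int, now: int) -> str:
        if not self._session_valid(now):
            self._reset()
            return "insert card first"
        self.pending = Operation(kind, amount, bound_card=self.session_card)
        return "confirm"

    def confirm(self, now: int) -> str:
        op = self.pending
        if op is None:
            return "nothing to confirm"
        if not self._session_valid(now) or op.bound_card != self.session_card:
            self._reset()
            return "session expired"
        self.ledger.append((op.bound_card, op.kind, op.amount))
        self.pending = None
        return f"{op.kind} {op.amount} debited from {op.bound_card}"


def replay_fraud(atm, gap_s: int):
    """Attacker queues a transfer with no card; a victim arrives gap_s later."""
    r1 = atm.select_operation("transfer", 5000, now=0)
    r2 = atm.insert_card_and_pin("4276-VICTIM", "1234", now=gap_s)
    return r1, r2, list(atm.ledger)


if __name__ == "__main__":
    print(replay_fraud(VulnerableAtm(timeout_s=90), gap_s=60))   # victim debited
    print(replay_fraud(VulnerableAtm(timeout_s=90), gap_s=120))  # timed out
    print(replay_fraud(HardenedAtm(), gap_s=60))                 # nothing queued
```

The point of the hardened variant is not only the shorter time-out: even with 90 seconds, an operation that can only be created inside an authenticated session and is bound to that session's card cannot be completed by a different card, and resetting all state on card insertion means a queued customer never inherits what the previous person left behind.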