
What We Learned at DEF CON 24

Written by: Cory R. Lunn, CISA
Another summer, another DEF CON. Drawing in nearly 14,000 attendees, it’s one of the largest hacker conventions in the world. DEF CON is where you hear about the newest security threats and see demonstrations of things like social engineering attacks, which ultimately make you question whether the contents of your wallet, pocket, and home have already been hacked. Our IT Assurance group recently returned from this year’s conference and learned about some of the latest and greatest threats to mobile devices, people, cars and everything in between.

One of the more eye-opening presentations we attended was about compromising the new chip-enabled debit and credit cards that have finally made it to the United States over the last year. These new chip-enabled cards are meant to be more secure than the traditional magnetic cards, as a new security key is created every time you make a transaction. Unfortunately, these ultra-secure cards still have a weakness: ATMs.

Weston Hecker, a security engineer at Rapid7, demonstrated how an ATM can be fitted with a card shimmer (a device used to read the card’s chip) to steal the security data from your card and send that data to another ATM (one that has also been hijacked) to withdraw the maximum allowable daily cash limit. To be clear, this is no easy feat, but it’s still possible and only a couple of years away from becoming mainstream. At the end of the day, financial institutions should make sure they outfit their ATMs with foreign device controls that generate alerts if the ATM is manipulated in any fashion. What have you put in place to make sure your institution’s ATMs are not going to be affected?

For more information, contact Cory R. Lunn, CISA, IT Assurance Supervisor, at 617-261-8187 or

Over the next few months, we will share other insights we learned at DEF CON 24. Stay tuned!