Diebold Nixdorf, which generated $3.3 billion in sales and service from ATMs last year, is warning businesses, banks, and other customers of a new hardware-based form of "jackpotting," the industry term for attacks that thieves use to quickly empty ATMs.
The new variant uses a device on which parts of the company's own software stack are executed. Attackers then connect the device to the ATM internals and issue commands. Successful attacks can result in a stream of cash, sometimes dispensed at up to 40 bills every 23 seconds. The devices are attached either by gaining access to a key that unlocks the ATM housing or by drilling holes or otherwise breaking the physical locks to gain access to the interior of the machine.
In previous jackpotting attacks, the attached devices, known in the industry as black boxes, typically invoked programming interfaces included in the ATM operating system to direct commands that would ultimately reach the hardware component that dispenses cash. More recently, Diebold Nixdorf has seen a flood of black box attacks in which the device contains parts of the company's software.
"Some of the successful attacks show a new, customized modus operandi for carrying out the attack," Diebold Nixdorf warned in an active security alert sent to Ars by a company representative last week. "Although the fraudster is still connecting an external device, at this stage of our investigation it appears that this device also contains parts of the software stack of the attacked ATM."
The advisory said elsewhere:
In general, jackpotting refers to a category of attacks aimed at illegally dispensing money from an ATM. The black box variant of jackpotting does not use the ATM software stack to dispense money from the terminal. Instead, the fraudster connects his own device, the "black box", to the dispenser and aims directly at communicating with the cash handling device.
In recent incidents, attackers focus on outdoor systems and destroy parts of the fascia to gain physical access to the headspace. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between the special electronics and the ATM PC, is disconnected. This cable is connected to the attacker's black box in order to send illegal dispense commands.
Some incidents indicate that the black box contains individual pieces of the software stack of the attacked ATM. The investigation into how these parts were obtained by the fraudster is still ongoing. One possibility could be an offline attack on an unencrypted hard drive.
Imitation of the ATM
The growing number of attacks is targeting the company's ProCash line of terminals, particularly the ProCash 2050xs USB model. The ongoing attacks are occurring in "certain European countries," the report said.
Bruno Oliveira, an ATM security expert, said he had heard of the earlier form of the black box attack. The connected device manipulates the APIs included in operating system extensions such as XFS or CFS, which communicate with remote servers operated by financial institutions. Black boxes that mimic an ATM's internal PC can be either laptops or Raspberry or Arduino hardware that is relatively easy to build, Oliveira said. Black boxes are one of four jackpotting techniques that Diebold Nixdorf describes here.
In some cases, the connected devices establish a direct connection to the ATM and issue commands so that it spits out money. The other form of black box attack attaches to network cables and records cardholder information as it is passed between the ATM and the transaction center that processes the session. The connected device then changes authorized maximum payout amounts or masquerades as the host system so that the ATM dispenses large sums of money.
The jackpotting brochure linked above describes two other types of attacks. The first replaces the legitimate hard drive with one created by the attackers. The other uses phishing attacks against bank employees. When attackers gain access to a financial institution's network, they issue commands that infect ATMs with malware that can be used to clean out the machines.
Good news and bad news
The new attack variant described by Diebold is both good and bad news for consumers. On the one hand, there is no evidence that thieves are using their recently acquired software stack to steal card data. The bad news is that attackers appear to have proprietary software in their hands that makes attacks more effective. The recent increase in successful jackpotting ultimately leads to higher fees as financial institutions pass on the costs of the losses. Diebold has outlined a number of safeguards that ATM owners can take to protect themselves from attacks.
There is little ATM users can do to prevent jackpotting. However, it is important to use only ATMs belonging to large banks and to avoid ATMs in corner shops. It is also a good idea to shield the keypad when entering PINs and to check bank statements for unauthorized transactions every month.