ATM manufacturer Diebold Nixdorf warned that unknown threat actors have used its proprietary software in a series of attacks against Diebold’s ProCash 2050xe USB cash terminals to illegally dispense cash across Europe. In a security alert, the company stated that attackers are using an external device known as “black box” and a software stack of the compromised ATM to launch a “Jackpotting Attack”.
How Jackpotting Works
- Attackers launch a jackpotting attack to withdraw cash from an ATM illegitimately.
- To jackpot the ATM, hackers connect their personal device (black box) to the ATM’s communication system to obtain physical access to the ATM machine.
- Then the attacker unplugs the communication cable between the CMD-V4 dispenser and the ATM PC, and connects it to the black box to send illegitimate dispense commands to the ATM.
Countermeasures
Diebold recommendeds certain security measures to defend against ATM threats:
- Implement hard disk encryption mechanisms to protect the ATM from software modifications and access to secrets (offline attacks)
- Introduce intrusion prevention mechanisms to identify deviating system behavior and protect the ATM during operation (online attacks)
- Follow network security best practices including segmented and secured LAN/VLAN with intrusion, detection, and prevention
- Implement a secure connection with the host via TLS and Message Authentication Code (MAC)
- Ensure real-time monitoring of security relevant hardware and software events including unexpected opening of the top hat compartment of the ATM
- Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser
- Keep your operating system, software stack and configuration up to date. This is of importance for the core security HW components like EPP, card reader and cash devices as well as all banking related software components
- Implement secure software update processes and follow security best practices on password management of remote access tools
“Diebold Nixdorf is continuing to analyze these new attacks. During this process, the company would like to point to the recommendations for countermeasures against the known logical attack vectors and the importance of their implementation. Diebold Nixdorf also recommends customers verify whether these recommended countermeasures have been put into operation to better protect your ATM fleet. Where applicable, this should also include checking irregular event alerts generated by the monitoring system to interrupt such attacks,” the advisory added.
