Hackers Practice Unauthorized ATM Endoscopy

New Black Box Cash-Out Attack Seen in Mexico; Black Box Attacks Surge in Europe
ATM attackers have used flexible endoscopes to fool ATM sensors as part of black box attacks. (Photo: Benutzer:Kalumet, via Creative Commons)

Criminals in Mexico have added endoscopes to their ATM-attack toolkits. The technology, originally developed 150 years ago to help doctors look inside bodies, and later updated with lights and cameras, is now being used to trick ATM sensors into dispensing all of their funds, manufacturer NCR warns.

NCR says it's so far seen the technology used only in Mexico as part of an attack campaign involving black boxes, which get plugged into a cash machine and instruct it to dispense cash on demand in what is referred to as a jackpotting or cash-out attack.

So far, at least one of these attacks was successful, NCR says, noting that attackers were able to gain physical access to the device. "In this new attack, free-standing ATM models were targeted," according to a Friday alert issued by NCR. "Criminals accessed the top box to connect a black box controller. Additionally, criminals opened the ATM front door and removed the dispenser shutter to provide physical access to the safe."

USB endoscope; not suitable for medical use. (Photo: Finn Årup Nielsen)

NCR's alert adds: "Endoscope technology was then inserted through the cash exit opening in the safe to manipulate sensors in the dispenser to simulate physical authentication." This bogus authentication allowed the black box to instruct the ATM to dispense cash, it adds.

Security experts have long warned that all ATMs should be installed in well-monitored locations, with their enclosures well secured and alarmed, because attackers who gain physical access to the inside of an ATM enclosure can wage ATM attacks, although other attack techniques are also available (see Attackers 'Hack' ATM Security with Explosives).

Emergency Firmware Update Issued

Since discovering the black box attack that uses an endoscope, NCR has created an emergency firmware update that appears to block the attack in full. "We have not seen any successful attacks on units with the updated firmware," NCR says, adding that "any customer who may be concerned about an immediate threat of black box [attacks]" should contact it directly to receive a copy of the new firmware.

But NCR says that all ATMs must also comply with NCR's "level 3" dispenser protection guidelines, which defend against black box attacks by encrypting internal communications.

"Encrypting the communications between the ATM core and the dispenser will prevent black box attacks," NCR's guidance states. "If attackers attempt to send commands to the dispenser directly, the dispenser will recognize these commands as invalid. Only commands from the ATM software stack will be authenticated and processed by the dispenser."

ATMs that do not comply with these guidelines will remain at risk from black box attacks, even if ATM deployers install the emergency firmware update, NCR warns.

Full Update Coming Soon

NCR says the updated firmware will be part of a general update that it plans to release in three months. "NCR will release a general global update for the currency dispenser in January 2018 which will contain enhancements to the physical authentication options," it says. "This update will be included in all future releases of NCR APTRA XFS platform software."

Some older ATMs from NCR, however, will not get a firmware fix. "This update is not applicable to Personas ATMs due to limitations in the capabilities of this older technology," NCR says. It recommends that customers "plan a migration to newer models of ATMs to ensure they are able to deploy the most current security solutions."

Black Box Attacks Surge in Europe

The warning over black box attacks being paired with endoscopes in Mexico comes as the European Association for Secure Transactions, or EAST, warns that in the first six months of the year, black box attacks have surged, at least in Europe.

In the first half of this year, there were 114 black box attacks reported against ATMs in Europe, it says. This represents a three-fold increase from the 28 attacks reported during the same period in 2016.

EAST's data comes via authorities in 21 countries: Austria, Belgium, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Romania, Spain, Sweden, Switzerland, United Kingdom. Those countries have a collective installed base of more than 373,000 ATMs.

ATM Malware and Logical Attacks

Number of attacks against European ATMs involving malware or so-called "logical attacks," such as black box attacks, reported to EAST since 2014, as shown in first-half (H1) and second-half (H2) periods of each year.

"Eleven countries, four of them major ATM deployers, reported such attacks," EAST says in a report. "All the reported attacks were 'cash out' or 'jackpotting' attacks using equipment typically referred to as a 'black box.' This type of attack continues to spread across Europe."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
