A new surge of logical attacks on ATMs: what the Belgian experience teaches
In June and July 2020, ATMs of the Belgian bank Argenta were attacked by hackers. Using special software, the criminals seized control of the ATMs and withdrew all the cash. The bank not only suffered financial and reputational losses but was also forced to take out of service 143 ATMs with a similar software stack to avoid a recurrence of incidents.
What happened in Belgium?
As soon as it became known about ATMs’ attacks in Belgium, Diebold Nixdorf began his own investigation of the incident. It turned out that in all cases, ProCash 2050xe ATMs with the CMD-v4 cash dispensing module were attacked. The attackers destroyed part of the fascia to gain physical access to the ATM computer, then disconnected the USB cable connecting the dispenser and the ATM computer, and connected this cable to their own computer or laptop (so-called ‘black box’), which directly sent the command to the dispenser to dispense all cash. This type of attack is called the black box attack.
Black box attacks are one of the varieties of jackpotting, which means hacking into the ATM security system using special software that allows you to take control of cash withdrawal.
As a rule, when jackpotting, hackers use ready-made malware or their own code. However, as the investigation believes, during the attacks in Belgium, the hackers installed components of the ATM software stack on the black box, which they used to interact with self-service devices. This method of hacking is not unique, but it has never been seen in Europe before.
The investigation has yet to find out how the ATM software ended up in the hands of attackers. According to one of the investigation versions, the criminals downloaded it from one of the terminals, where these components were stored on an unencrypted hard drive. It became possible to use this software to steal cash from other self-service devices. These devices had outdated versions of the basic software, and there were no additional encryption tools for the data transmission channel.
What can be done to protect ATMs from jackpotting?
BS/2 experts in the security of self-service devices studied the situation, the vendor’s recommendations. They made a list of actions that can be taken right now to protect ATMs from jackpotting.
” To minimize the risk of jackpotting, in most cases, it is enough to encrypt the communication channel between the ATM computer and its dispenser and use the current versions of the ATM system software. However, we recommend a comprehensive approach to the security of self-service devices,” – says the head of the technical department of BS/2, Andrey Smirnov.
A comprehensive approach to ATM security includes the following measures.
1. Ensure encryption of the communication channel between the ATM computer and the dispenser.
2. Regularly update the software required for the ATM operator to the latest versions.
- Operating system (Windows 10)
- ATM software at XFS-level (ProBase 1.2/00 or higher)
- Firmware of peripheral devices
3. Ensure compliance of the bank’s IT infrastructure with PCI DSS requirements.
- Building a secure network and ensuring its safe operation.
- Restricting access to data by the business need.
4. Provide the physical security of the ATM.
- Use video surveillance systems (e.g., ATMeye.iQ software solution).
- Use special locks for ATM safes.
5. Use specialized software solutions for ATM security.
An example of such a software solution is Diebold Nixdorf’s Vynamic Security platform, which protects ATMs from malware and ensures the security of data transmitted by terminal devices.
How does Vynamic Security protect against jackpotting?
The Vynamic Security software solution consists of several modules, each of which has its own responsibility area. For example, one of them – the Intrusion Protection module – prohibits the launch of third-party software on the ATM computer, making it impossible to install malware. Another solution module – Hard Disk Encryption – does not allow replacing the ATM hard disk and ensures the device’s safety when it is turned off.
The full Vynamic Security suite protects ATMs from malicious software infiltration over the network, so any attempt by attackers to download malware onto a terminal device over the network will fail. The solution also allows you to restrict access to data depending on the user group and provides effective access control by managing individual accounts and user groups’ rights to log all their actions.
To learn more about the Vynamic Security software solution, contact our company representatives.