Criminals in Mexico have added endoscopes to their ATM-attack toolkits. The technology, originally developed 150 years ago to help doctors look inside bodies, and later updated with lights and cameras, is now being used to trick ATM sensors into dispensing all of their funds, manufacturer NCR warns.
NCR says it’s so far seen the technology used only in Mexico as part of an attack campaign involving black boxes, which get plugged into a cash machine and instruct it to dispense cash on demand in what is referred to as a jackpotting or cash-out attack.
So far, at least one of these attacks was successful, NCR says, noting that attackers were able to gain physical access to the device. “In this new attack, free-standing ATM models were targeted,” according to a Friday alert issued by NCR. “Criminals accessed the top box to connect a black box controller. Additionally, criminals opened the ATM front door and removed the dispenser shutter to provide physical access to the safe.”
NCR’s alert adds: “Endoscope technology was then inserted through the cash exit opening in the safe to manipulate sensors in the dispenser to simulate physical authentication.” This bogus authentication allowed the black box to instruct the ATM to dispense cash, it adds.
Security experts have long warned that all ATMs should be installed in well-monitored locations and ATM enclosures well secured and alarmed, because attackers who are able to gain physical access to the inside of an ATM enclosure can wage ATM attacks, although other attack techniques are also available
Emergency Firmware Update Issued
Since discovering the black box attack that uses an endoscope, NCR has created an emergency firmware update that appears to block the attack in full. “We have not seen any successful attacks on units with the updated firmware,” NCR says, adding that “any customer who may be concerned about an immediate threat of black box [attacks]” should contact it directly to receive a copy of the new firmware
But NCR says that all ATMs must also comply with NCR’s “level 3” dispenser protection guidelines, which defend against black box attacks by encrypting internal communications.
“Encrypting the communications between the ATM core and the dispenser will prevent black box attacks,” NCR’s guidance states. “If attackers attempt to send commands to the dispenser directly, the dispenser will recognize these commands as invalid. Only commands from the ATM software stack will be authenticated and processed by the dispenser.”
ATMs that do not comply with these guidelines will remain at risk from black box attacks, even if ATM deployers install the emergency firmware update, NCR warns.
Full Update Coming Soon
NCR says the updated firmware will be part of a general update that it plans to release in three months. “NCR will release a general global update for the currency dispenser in January 2018 which will contain enhancements to the physical authentication options,” it says. “This update will be included in all future releases of NCR APTRA XFS platform software.”
Some older ATMs from NCR, however, will not get a firmware fix. “This update is not applicable to Personas ATMs due to limitations in the capabilities of this older technology,” NCR says. It recommends that customers “plan a migration to newer models of ATMs to ensure they are able to deploy the most current security solutions.”
Black Box Attacks Surge in Europe
The warning over black box attacks being paired with endoscopes in Mexico comes as the European Association for Secure Transactions, or EAST, warns that in the first six months of the year, black box attacks have surged, at least in Europe.
In the first half of this year, there were 114 black box attacks reported against ATMs in Europe, it says. This represents a three-fold increase from the 28 attacks reported during the same period in 2016.
EAST’s data comes via authorities in 21 countries: Austria, Belgium, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Liechtenstein, Luxembourg, Netherlands, Norway, Portugal, Romania, Spain, Sweden, Switzerland, United Kingdom. Those countries have a collective installed base of more than 373,000 ATMs.
“Eleven countries, four of them major ATM deployers, reported such attacks,” EAST says in a report. “All the reported attacks were ‘cash out’ or ‘jackpotting’ attacks using equipment typically referred to as a ‘black box.’ This type of attack continues to spread across Europe.”