Diebold Nixdorf has issued a warning of a wave of
jackpotting attacks against ATM in a number of European countries, with the
vast majority directed at ProCash 2050xe USB terminals.
Jackpotting attacks target ATMs to steal money from the
machines. Other attacks use devices on ATMs to clone and steal credentials of
regular customers, but jackpotting goes directly after the money. It’s a much
more complex attack that requires knowledge of the ATM’s inner workings, and
it’s much more challenging to pull off.
In these recent attacks, criminals destroy parts of the
fascia to access the hardware, disconnect the USB cable between the CMD-V4
dispenser and the special electronics, or the cable between special electronics
and the ATM PC. They then connect their black box and send commands to the
machine, allowing them to dispense money.
The biggest problem with this method, aside from the theft,
is that the attacker likely has access to the software stack or at least some
part of it, which they use in their black boxes.
“Some incidents indicate that the black box contains
individual parts of the software stack of the attacked ATM,” says the
company in the advisory.
“The investigation into how these parts were obtained by the fraudster is
ongoing. One possibility could be via an offline attack against an unencrypted
hard disc.”
So far, it looks like most attacks affected the ProCash
2050xe USB ATM, which means that the criminals might have access to the
software stack for that specific model. In any case, the company advises banks to
update the software stack to the latest versions, use a secure configuration of
encrypted communications, and get the latest firmware for their devices.
Since this is also a physical attack, terminal operators are
advised to frequently inspect the ATMs and control access to areas used by
personnel to service them.