Hackers hit Diebold ATMs with company’s own software

Diebold Nixdorf, a major ATM sales and services company, is warning that thieves have found a new way to make the machines spit out cash. In a security alert issued on July 15, Diebold Nixdorf said that the “jackpotting” attacks—the term used for attacks that quickly empty ATMs—use a device that runs parts of the company’s proprietary software stack.

In the new attack variation, criminals start by breaking through the fascia (the plastic housing that houses the machine). Once they’re in, they hook up a special USB device called a “black box” to a diagnostic port on the ATM. The black box then takes control and issues the machine to dispense money. Successful attacks can “make it rain,” with cash dispensed at 40 bills for every 23 seconds, reports Ars Technica.

Make it rain

The new attacks target the ProCash line terminals, in particular, the ProCash 2050xs USB model, adds the financial tech giant, and are limited to “certain European countries.” In addition, most attacks have been carried out on outdoor ATMs.

Prior to this, most attacks hijacked software contained in the ATM’s operating system, allowing them to issue commands—like, for example, dispense cash. 

For the most recent attacks, however, Diebold Nixdorf noted that the black box attacks used parts of the company’s own software, raising the possibility that criminals have gotten hold of proprietary data. 

Unlike earlier attacks that override the system, the new variation doesn’t need to talk to the ATM, since the black box has everything it needs to target the machine’s cash dispenser. This increases the effectiveness of jackpotting attacks.

“Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed,” the company said in a statement. “Although the fraudster is still connecting an external device, at this stage of our investigations it appears that this device also contains parts of the software stack of the attacked ATM.”

To note, Diebold Nixdorf is one of the largest ATM manufacturers in the world, and accounts for over a third of all machines used worldwide. (Read: Nothing like the mafia: cybercriminals are much like the everyday, poorly paid business worker)

Does it affect me?

While the details of the attack are concerning, experts say that you shouldn’t panic yet. For one, Diebold Nixdorf notes that there isn’t any evidence that the black boxes are used to steal customers’ card data. That’s not to say it won’t affect us. An increase in successful jackpotting attacks may result in higher ATM fees, especially as banks pass on the costs caused by the losses. 

Diebold Nixdorf has since responded to the attacks, issuing defenses that ATM owners can use to protect themselves in the future. It’s also investigating how criminals obtained their software, with one possibility being that it was extracted from an unencrypted hard drive.

ATMs in remote locations are more vulnerable to the new attacks. In particular, these are often installed in places, where they can’t be regularly monitored—either by people or security cameras—leaving them exposed to criminals.

For us, who regularly use ATMs, the recent attacks may not impact us directly, but it’s still worth taking precautions, especially when using the machines. 

In light of the new attacks, choose ATMs located in major banks, and try not to use machines in outdoor areas or mom-and-pop shops. In addition, don’t enter an ATM booth if there are people inside. If you think they’re up to something fishy, just leave the site. 

Before starting a transaction, check the surrounding area for anything out of the ordinary. Look for hidden cameras behind you that can record your keystrokes, or tug the card reader to check for skimmers, which can be used to read your card data. Even check the slot from which cash comes out for suspicious objects. If anything is off, don’t use the ATM.