ATM cash-out: A rising threat requiring urgent attention

The PCI Security Standards Council (PCI SSC) and the ATM Industry Association (ATMIA) issued a joint bulletin to highlight an increasing threat that requires urgent awareness and attention.

ATM cash-out

What is the threat?

An ATM cash-out attack is an elaborate and choreographed attack in which criminals breach a bank or payment card processor and manipulate fraud detection controls as well as alter customer accounts so there are no limits to withdraw money from numerous ATMs in a short period of time.

Criminals often manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

How do ATM cash-out attacks work?

An ATM cash-out attack requires careful planning and execution. Often, the criminal enterprise gains remote access to a card management system to alter the fraud prevention controls such as withdrawal limits or PIN number of compromised cardholder accounts. This is commonly done by inserting malware via phishing or social engineering methods into a financial institution or payment processor’s systems.

The criminal enterprise then can create new accounts or use compromised existing accounts and/or distribute compromised debit/credit cards to a group of people who make withdrawals at ATMs in a coordinated manner.

With control of the card management system, criminals can manipulate balances and withdrawal limits to allow ATM withdrawals until ATM machines are empty of cash.

These attacks usually do not exploit vulnerabilities in the ATM itself. The ATM is used to withdraw cash after vulnerabilities in the card issuers authorization system have been exploited.

Who is most at risk?

Financial institutions, and payment processors are most at financial risk and likely to be the target of these large-scale, coordinated attacks. These institutions stand to potentially lose millions of dollars in a very short time period and can have exposure in multiple regions around the world as the result of this highly organized, well-orchestrated criminal attack.

What are some detection best practices?

  • Velocity monitoring of underlying accounts and volume
  • 24/7 monitoring capabilities including File Integrity Monitoring Systems (FIMs)
  • Reporting system that sounds the alarm immediately when suspicious activity is identified
  • Development and practice of an incident response management system
  • Check for unexpected traffic sources (e.g. IP addresses)
  • Look for unauthorized execution of network tools.

What are some prevention best practices?

  • Strong access controls to your systems and identification of third-party risks
  • Employee monitoring systems to guard against an “inside job”
  • Continuous phishing training for employees
  • Multi-factor authentication
  • Strong password management
  • Require layers of authentication/approval for remote changes to account balances and transaction limits
  • Implementation of required security patches in a timely manner (ASAP)
  • Regular penetration testing
  • Frequent reviews of access control mechanisms and access privileges
  • Strict separation of roles that have privileged access to ensure no one user ID can perform sensitive functions
  • Installation of file integrity monitoring software that can also serve as a detection mechanism
  • Strict adherence to the entire PCI DSS.

ATM makers fix flaws allowing illegal cash withdrawals

ATM manufacturers Diebold Nixdorf and NCR have fixed a number of software vulnerabilities that allowed attackers to execute arbitrary code with or without SYSTEM privileges, and to make illegal cash withdrawals by committing deposit forgery and issueing valid commands to dispense currency.

ATM illegal cash withdrawals

About the vulnerabilities

“Diebold Nixdorf ProCash 2100xe USB ATMs running Wincor Probase version 1.1.30 do not encrypt, authenticate, or verify the integrity of messages between the cash and check deposit module (CCDM) and the host computer. An attacker with physical access to internal ATM components can intercept and modify messages, such as the amount and value of currency being deposited, and send modified messages to the host computer,” the CERT Coordination Center at Carnegie Mellon University explained the root of CVE-2020-9062.

A deposit forgery attack starts with the attacker depositing actual currency and modifying messages from the CCDM to the host computer to indicate a greater amount or value than was actually deposited, and ends with the attacker making a withdrawal of this artificially increased amount or value of currency (at an ATM operated by a different financial institution).

A similar vulnerability (CVE-2020-10124) with the same attack potential has been found in NCR SelfServ ATMs running APTRA XFS 04.02.01 and 05.01.00: the software does not encrypt, authenticate, or verify the integrity of messages between the bunch note accepter (BNA) and the host computer.

Two additional flaws (CVE-2020-10125 and CVE-2020-10126), stemming from the software’s poor implementation of certificates to validate BNA software updates and improper validation of the softare updates for the BNA, may allow an attacker to execute arbitrary code on the host, with or without SYSTEM privileges.

NCR SelfServ ATMs running APTRA XFS 05.01.00 or older also sport two more flaws:

  • CVE-2020-9063 stems from the lack of authentication and integrity protection of the USB HID communications between the currency dispenser and the host computer
  • CVE-2020-10123 is caused by the currency dispenser’s inadequate authentication of session key generation requests from the host computer, allowing the attacker to issue valid commands to dispense currency

Attack prevention

To exploit all of these flaws, attackers must have physical access to internal ATM components, but if they succeed, they can fiddle with the host system and steal money from banks.

Affected organizations are advised to peruse the security advisories and to implement the offered firmware and software updates, as well as make specific configuration changes.

Diebold also advised them to limit physical access to the ATM and its internal components, adjust deposit transaction business logic, and implement fraud monitoring.