zhu difeng - Fotolia

NCR patches ATM vulnerabilities

NCR has patched ATM vulnerabilities discovered by Positive Technologies

ATM maker NCR has issued software security updates after researchers reported flaws in encryption of communications between ATM computers and dispensers that could enable attackers to steal cash.

The researchers found that attackers could install obsolete insecure software on the controller of an ATM cash dispenser and issue commands to dispense cash.

Criminals could steal cash in this way by taking advantage of poor physical security to connect a computer to the dispenser, Positive Technologies researchers Vladimir Kononovich and Alexey Stennikov told attendees of the Black Hat USA security conference in Las Vegas.

“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted,” said Alexey Stennikov, head of hardware security analysis at Positive Technologies.

“Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous.”

The first vulnerability, CVE-2017-17668, was caused by insufficient protection of the memory write mechanism in the NCR S1 dispenser controller.

On firmware versions prior to 0x0156, the researchers found that an unauthenticated user could execute arbitrary code, bypass the prohibition on firmware downgrading, and install obsolete firmware versions containing known vulnerabilities.

Read more about ATM security

A similar vulnerability, CVE-2018-5717, was found in the NCR S2 dispenser. Firmware version 0x0108 corrects the issue.

ATM logic attacks using physical or network access have become a frequent occurrence in recent years. According to the European Association for Secure Transactions (East), 114 black box attacks were performed in 11 European countries in the first six months of 2017.

An increase in attacks

Also in 2017, Positive Technologies reported that the number of malware-assisted ATM logic attacks in Europe had increased by 287% in 2016 compared to the previous year. GreenDispenser malware, for example, was used to steal approximately $180,000 from ATMs in Eastern Europe in 2015–2016.

At Positive Hack Days 8 in 2018, the Leave ATM Alone hands-on contest gave participants the opportunity to probe modern ATMs for vulnerabilities of various types, including weak encryption.

Security experts advise that in order to deal with the wide variety of possible attacks, ATM security measures could be both physical and logical.

Physical security measures include perimeter surveillance, access control, intrusion detection, central monitoring and ensuring that ATMs are well-lit, secure and alarmed locations.

Logical security measures include firewalls, a tracking and monitoring system, encryption technologies, logical access control, fraud detection systems and protection of communication links.

However, in September 2017, Europol issued a warning that cyber attacks on bank cash machines were a growing problem in light of criminal capabilities to access ATMs via bank networks.

The primary goal of ATM malware is to connect to and control peripheral devices inside the ATM to withdraw stored cash and/or collect information from bank customers, according to a report by Europol’s European Cybercrime Centre (EC3) and security firm Trend Micro

Content Continues Below

Read more on Hackers and cybercrime prevention

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

new programmed ATM card that can make you rich in less than three days,i got one from Brain Hackers Tech World,many of us have heard and read different headlines about this clone blank ATM card but still you don't believe it, i want you to know that the cards are real and they can really hack any ATM machine, before i got a card from Brain Hackers i have contacted different companies but all they tell me is one story or the other i almost loose hope until one day i saw this company email on the net i decided to give try,lucky for me, the card was sent to me within three days through DHL COURIER SHIPPING SERVICES from this genuine company called Brain Hackers, that is why i am sharing this to everyone as a good news that this blank cards are real and can make anyone rich you can reach Brain Hackers Tech World VIA ( brainhackers @ aol . com )...
Hello, are you guys ready to make real cash??? No dulling moment anymore. No more depending on cheap check every week. Get thousands of dollars or any currency of your choice and make this life worth living for. Order for a blank ATM card now.
How does it work? Our cards are loaded with a balance of $5000 to $100,000.00 with different daily withdrawal limits depending on the card you are buying and you can use the blank atm card to shop online and withdraw cash from any ATM machine closer to you.
★ Is this real? Yes, as shown in the video we withdrew cash multiple times without any issues. You can do it too.
★ Can I be traced? No, your withdrawal/transactions are completely anonymous.
★ Can i trust this method? Yes, we have not had any issue when doing this for the past 5 years now.
★ Are people using this ATM card? Absolutely, alot of people {our trusted customers) have quit their jobs to withdraw money on daily basis.
★ How do I get my card? We will ship your Blank Card /w Pin few hours after receiving clear payment through a courier service International and give you the tracking details of your card, 2-4 business day delivery service. once you receive the card you can start cashing out.
★Is this real? YES: we are 100% real and been doing this since 2015
Contact us to order a working blanK ATM Card that you can use to withdraw a minimum amount of $1000 and maximum amount of $10,000 daily withdrawal limit. Online maximum purchase limit is $30,000