New type of attack siphons money from ATMs. Financial institutions are implementing countermeasures
8/14/2020

Financial institutions operating Diebold Nixdorf ATMs are facing new types of attacks. Tests conducted by AEC experts show that existing devices with an out-of-date system are unable to withstand an attack. Attacks on cashpoints, which are also widely used by banks in the Czech Republic and Slovakia, have recently been reported in many European countries.

A major Slovak financial institution asked specialists from AEC, a leading cyber security provider, to test its ATMs. It did so after Diebold Nixdorf, one of the largest ATM suppliers, responded to the attacks with official security warnings. Among other things, these warnings show that the ATM manufacturer is investigating how the attackers were apparently able to eavesdrop on communications inside the device on an out-of-date version of the ATM.

During testing, AEC carried out a step-by-step simulation of the attacker's activities. The latest incidents fall into a category called ATM jackpotting, where the attacker gets under the chosen device's cover. Here, with the help of their own, specially modified device, the attackers connect to the ATM's USB port and communicate directly with the dispenser, i.e. the module that issues cash from the ATM. Another type of attack tested was one in which the attacker connects to the ATM's USB port and then tries to escalate their access rights to administrator level so that they can subsequently bypass the restrictions on uploading their own code.

"We have verified that a person who knows where to look can get to the ATM's hidden USB port in a matter of seconds," warns Tomáš Sláma, head of penetration testers at AEC, adding, "The result was the finding that those ATMs that did not have updated firmware are not sufficiently resistant to this type of attack, and can be used to illegally withdraw money."

According to Tomáš Sláma, this is the reason why every responsible bank should employ experts to regularly check its resistance to various types of vulnerabilities, just as one of the banking houses in Slovakia did in this case.

Since the team was set up, AEC's ethical hackers have become leaders in the field of cyber security. Thanks to their extensive experience, knowledge and erudition, they can test the security system of any ATM, and are therefore regularly approached by a number of the world's leading banking companies. The AEC team provides a comprehensive security audit, which alerts the client to vulnerabilities in the device being tested and offers recommendations on how to harden its security settings, thus significantly reducing the risk of misuse.

"In this case, after testing their device, we unequivocally recommend that clients update the firmware," says AEC's head of penetration testers, specifying, "The update increases the level of security in the communication between the system that allows money to be released and the dispenser. After it is installed, the device no longer accepts the attacker's specious commands."
