ATMs jackpotting in Europe

ATM manufacturer Diebold Nixdorf warned that unknown threat actors have used its proprietary software in a series of attacks against Diebold’s ProCash 2050xe USB cash terminals to illegally dispense cash across Europe. In a security alert, the company stated that attackers are using an external device known as “black box” and a software stack of the compromised ATM to launch a “Jackpotting Attack”.

How Jackpotting Works

Attackers launch a jackpotting attack to withdraw cash from an ATM illegitimately.

To jackpot the ATM, hackers connect their personal device (black box) to the ATM’s communication system to obtain physical access to the ATM machine.

Then the attacker unplugs the communication cable between the CMD-V4 dispenser and the ATM PC, and connects it to the black box to send illegitimate dispense commands to the ATM

How this happens…

In some cases, the attached devices connect directly to the cash dispenser and issue commands for it to spit out cash. The other form of black-box attack plugs into network cables and records cardholder information as it is relayed back and forth between the ATM and the transaction center that processes the session. The attached device then changes authorized maximum withdrawal amounts or masquerades as the host system to allow the ATM to dispense large sums of money.

New and sophisticated method of ATM jackpotting were identified in several countries over different periods of time in 2016 and 2017 the most recent in Spain this month.

What is Black Box?

Black Box is a sort of ATM logical attack through connection of an unauthorized device (usually unknown Box or laptop) which sends dispenses commands directly to the ATM cash dispenser to “cash-out” the ATM.


Diebold recommended certain security measures to defend against ATM threats:

  • Implement hard disk encryption mechanisms to protect the ATM from software modifications and access to secrets (offline attacks)
  • Introduce intrusion prevention mechanisms to identify deviating system behavior and protect the ATM during operation (online attacks)
  • Follow network security best practices including segmented and secured LAN/VLAN with intrusion, detection, and prevention
  • Implement a secure connection with the host via TLS and Message Authentication Code (MAC)
  • Ensure real-time monitoring of security relevant hardware and software events including unexpected opening of the top hat compartment of the ATM
  • Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser
  • Keep your operating system, software stack and configuration up to date. This is of importance for the core security HW components like EPP, card reader and cash devices as well as all banking related software components
  • Implement secure software update processes and follow security best practices on password management of remote access tools

To sum-up, It is time to protect ATM hardware device physically. It is also a good idea to shield the keyboard while entering PINs and to check bank statements each month in search of any unauthorized transactions.

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!