The ATM manufacturers Diebold Nixdorf and NCR have addressed a bug that could have been exploited for ‘deposit forgery’ attacks
The flaws that could have allowed crooks to modify the amount of money they deposited on their card, so-called Deposit forgery, and make fraudulent cash withdrawals abusing of the new account balance
Once modified the account balance, the cybercriminals quickly attempt to make cash withdrawals, before the bank will detect the anomalous increase of the account balance.
“Diebold Nixdorf 2100xe USB automated teller machines (ATMs) are vulnerable to physical attacks on the communication channel between the cash and check deposit module (CCDM) and the host computer. An attacker with physical access to internal ATM components may be able to exploit this vulnerability to commit deposit forgery.” reads the advisory for the CVE-2020-9062.
“NCR SelfServ automated teller machines (ATMs) running APTRA XFS 04.02.01 and 05.01.00 are vulnerable to physical attacks on the communications bus between the host computer and the bunch note accepter (BNA).” reads the advisory for the CVE-2020-10124.
As reported in the advisories published by the CERT Coordination Center at Carnegie Mellon University, both flaws request physical access to the vulnerable ATMs.
The problems are related to the lack of encrypting and authentication of the messages sent between the ATM cash deposit boxes and the host computer.
An attacker with physical access to the device can connect to the ATM to tamper with the messages when cash is deposited and change the amount of money deposited during an operation.
“A deposit forgery attack requires two separate transactions. The attacker must first deposit actual currency and manipulate the message from the BNA to the host computer to indicate a greater amount or value than was actually deposited. Then the attacker must make a withdrawal for an artificially increased amount or value of currency. This second transaction may need to occur at an ATM operated by a different financial institution (i.e., a not-on-us or OFF-US transaction).” continues the advisory.
Both Diebold and NCR have released software updates that protect communications between the cash deposit module and the host computer.
The vulnerabilities have been reported by security firm Embedi, a Russian security firm that was sanctioned by the US Treasury Department in June 2018 for allegedly working with the Russian intelligence agency Federal Security Service (FSB).
For this reason, the CERT/CC requested a special permit from the Office of Foreign Assets Control (OFAC) at the US Treasury Department to disclose the issues discovered by the Russian firm.
(SecurityAffairs – hacking, ATM)