Never let it be said that the world’s cyberthieving population isn’t always on the hunt for better and more efficient ways to use technology to separate individuals from their money. With the new year comes a new variation on the ATM skimming attack that started cropping up throughout 2014. Called “black box” attacks, they rely on hooking up an ATM to a piece of hardware (a “black box”) in order to push commands that force the machine to dispense cash.
To make a basic black box hack work, attackers have to physically access the top of the cash machine, from which point they disconnect the ATM’s cash dispenser from its “core” (the computerized brain of the device). At that point, crooks then plug their devices into the dispenser and issue commands that force it to cough up dollars.
Thieves in 2015, however, seemed to have begun refining the method some, according to security blogger Brian Krebs. Particularly enterprising cybercriminals recently added an element to the black box attack – a USB-based circuit board that investigators believe was used purely to fool the ATM’s core into believing it was still properly connected to the cash dispenser.
“They didn’t have to do this [to get away with the money] but our guess is they thought this component would buy them some time,” said Charlie Harrow, solutions manager for global security at NCR.
The black boxes are also changing, according to NCR. Instead of using a computer, the most recent variation on this ATM jackpotting scam made use of a brand new Samsung Galaxy 4 to act as the conduit through which commands to the cash dispenser were sent.
“Which meant that the real attacker sending the commands was somewhere remote from the ATM,” Harrow said.
This does present a bit of a puzzle for investigators – operating the cash dispenser remotely seems prima facie to be of limited value since co-conspirators would still need to be present at the hacked cash machine to retrieve the money. Harrow says more likely than not, the remote activation is a security measure for whomever is behind the black box attack plan.
“There is no honor among thieves, and these guys will delegate responsibility,” Harrow observed. “That way, you have the Mr. Big back at the hideout who’s sending the commands, and the mules are the ones at the ATMs. So the mule who has the black box is unable to activate the attack unless he gets the command from the Mr. Big, and the mobile phone is the best way to do that.”
Better than a method to keep “employees” in line, using a mobile phone almost makes it more difficult for investigators to figure out how the attackers pushed commands through to the cash dispenser.
“The mobile phone was simply a pass-through for commands sent from the remote server, so we had no idea about commands being sent to the dispenser,” Harrow recalled. “It took us a while to figure out how they were doing this attack.”
Black boxes are one of two types of ATM attacks that have been labeled by NCR as “logical.”
The other type uses malware to achieve the “jackpotting” result that the black box hardware achieves – in both cases the ATM is taken over and forced to spit out cash. Both attacks are also made possible through the USB ports located on top of the ATM – without that physical access thieves can’t get attacks off the ground. So far, malware attacks have been more common.
“It’s one of two logical attacks we have seen increasing in frequency,” said Owen Wild, NCR’s global marketing director, noting that the company has seen only two black box attacks so far, including this one. “So far we’ve seen far more malware attacks than black box attacks. The ATM malware attack is simpler because you don’t need hardware. But in principle, there’s no reason black box hacks couldn’t become more common.”
The easiest fix for this type of attack isn’t technical, or in many cases even practical. NCR strongly recommends that its customers deeply consider using wall-mounted instead of stand-alone units, especially in areas that are not well supervised by staff.
However, NCR noted that these types of attacks, by their nature, also require a better tech-based solution.
“All things considered, this is a pretty cheap attack,” Harrow said. “If you know the right commands to send, it’s relatively simple to do. That’s why better authentication needs to be there.”
NCR recently shipped a software update for its ATMs aimed at beefing up the encryption used to manage communications between the cash dispenser and the ATM core. More important, however, the systems will also be changed such that the encryption key exchange can only be done between the cash dispenser and the core when the dispenser has already received a specific authorization sequence.