Preview Mode Links will not work in preview mode

You can also listen and subscribe to COMMERCE NOW on these channels: 

Aug 6, 2018

Podcast Summary:

Black box attacks. Cyber attacks. Malware. Manipulation of the hard drive. There are so many factors and variations when it comes to jackpotting attacks that it can make your head spin. These attacks are constantly evolving in their sophistication, but that doesn’t mean you should give up the security ghost. Every attack teaches us something new – from the preferred ATM target to the preferred type of malware. Studying these attacks and closely scrutinizing every aspect of a jackpotting attempt allows us to get ahead of the attacks and become proactive instead of reactive.

In this episode, our security gurus Scott Harroff and Bernd Redecker will discuss the lessons and takeaways banks can learn from jackpotting and security, and how they can get ahead of the problem BEFORE it costs them.



Sign-up for Security Alerts:

DN website:



Amy Lombardo:                00:01                    

Black box attacks, cyber-attacks, malware, manipulation of the hard drive, there are so many factors and variations when it comes to jackpotting attacks that can make your head spin. These attacks are constantly evolving in their sophistication. But that doesn't mean you should give up the security ghost. Every attack teaches us something new, from the preferred ATM target to the preferred type of malware. Studying these attacks and closely scrutinizing every aspect of a jackpotting attempt allows us to get ahead of the attacks and become proactive instead of being reactive. In this episode, you'll hear from two security gurus, Scott Harroff and Bernd Redecker. They'll discuss the lessons and takeaways banks can learn from jackpotting and how they can get ahead of the problem. I am Amy Lombardo and this is COMMERCE NOW.

Scott Harroff:                     01:05                    

Hello again, and I'm Scott Harroff, your host for this episode of COMMERCE NOW. If you recall, Amy Lombardo and I had a great conversation on jackpotting a few weeks ago. And today I'm joined by Bernd Redecker, Diebold Nixdorf's Director of Corporate Product and Solution Security, and we will take a deeper dive into what recent jackpotting attacks can teach all of us and the best ways to protect against them. Thanks for joining me today Bernd.

Bernd Redecker:              01:29                    

Scott, it's a pleasure to be here. And thanks for the opportunity.

Scott Harroff:                     01:32                    

Okay, so let's recap a little from the last jackpotting podcast. First, we've seen an expansion of jackpotting attacks in 2018, especially in the Americas. Secondly, while these attacks don't feature brut force, they combine aspects of physical and logical manipulation of ATMs. And then looking back at four ATM security alerts from this year, it's clear that protecting yourself requires a holistic security approach. So, diving right in Bernd, can you remind our audience that although there is no one type of jackpotting attack, what are some of the major types of jackpotting that can occur.

Bernd Redecker:              02:07                    

Scott, thank you very much. The term jackpotting, first of all, basically refers to getting money out of an ATM. And jackpotting is coming from the gambling machines, basically you win the jackpot. Jackpotting as such, the term has been defined or it has been created already some years ago. There is a general distinction between different verines. One is called a black box jackpotting and black box simply means that the attacker brings his own electronics. As you already said, jackpotting is always a combination of a physical and a logical breach. When this is done on-sight, like with a black box, the attacker has to open the machine, he brings his own processor, his own CPU, connects the cash hunting device of the ATM with his box and then has the machine paying out money. Of course it's not as easy as it sounds at the moment. They will have to circle then security measurements. They will have to break security measures which are there, which are in place or which should better be in place. But I guess we'll talk about that a little bit later.


There's another attack vector. And that comes with all the equipment which is already present at the machine. So the second one would be attacking the hard disk drive of the existing CPU in the ATM. We see several cases where they rip off the disk of the ATM, take it back to their car, infect it with malicious software, put it back in again and then jackpot the machine. And that, again, has different verines. Some of them have malware, some of them have even modified legal applications. And we can go through that as we touch the different alerts. And especially this year we have seen a [inaudible 00:04:04] of that. I guess we are going to touch now, right?

Scott Harroff:                     04:08                    

Yeah. And these attacks are really only across the four alerts that we just talked about. And I know there's other types of jackpotting. And as we've seen recently, these attacks continue to evolve very quickly. So it really is crucial to stay up to date and know what's going on. Can you talk about the January 25 alert and give us some specific takeaways?

Bernd Redecker:              04:29                    

Yeah, the January 25 alert ... And by the way, if you would like to, please register for our security alerts, can find them on our home page. Alert from January 25th refers to, again, a combination of both attacks. It was HD a replacement attack. However, it was also using physical manipulation in the ATM, which means they did a combination of both to be able to get to the cash. And the challenge here is looking at outdated stuff, looking at outdated protections may open potential attack factor which the attackers then exploit, which means we definitely have to take care that protection is checked and verified over the time, machines are updated in a timely manner, and policies which are on the machine get updated.

Scott Harroff:                     05:22                    

Yeah. And I'll tell you, as I keep looking at what goes on, our original alerts on the Diebold side having XFS 4139 and then 4141, then 4146 and 4148, it just seems like these guys ... You close one door and turn the lock so they can't open it, and they turn right around and they start looking for the next door as soon as you finish turning the lock on the first door. So help us understand a little bit about how the May alert is different than the January alert.

Bernd Redecker:              05:53                    

In that case, the attackers brought their own laptop. So the difference there is January it was disk infected, in May they brought their own computer in case it was infected. It was a small notebook. They disconnected the original PC, which means all of a sudden all logical countermeasures are completely obsolete, they can't help any longer. They connected directly to the dispenser and then they have been using physical measurements to trick the whole machine into communicating with a second notebook. That's the bad thing about it, we are seeing these combinations of physical and logical attacks more and more, taking advantage of processes.


The bad thing is it doesn't help any longer to build another fence, to build another protection mechanism, which they are then starting to re-engineer. We have to change completely the way we protect the machines. And what has shown good progress is going to a model where we have more behavioral situation. And basically that's what we did in the May topic. However, please keep in mind, of course you will have to update the machines. We have machines out there, we just have been involved in an investigation with a customer with the average age of the machine, was 17 years unpatched, never updated. These machines are liable for attacks or can fall into attacks just because they are that old and that outdated. If we update them regularly, if we maintain them regularly, on a regular base, we can protect them. But of course the attackers, as soon as we close a door, are going to try and find another one.

Scott Harroff:                     07:45                    

Yeah, and there's something I really want to drill in on there a little bit, Bernd, because I'm in front of a lot of customers here in the US and I get this perception, especially from some of our larger financial institutions, that they've got the opinion that I'm running, I won't mention product names, but I'm running Vendor X antivirus product or I'm running Vendor Y whitelisting product or I'm running Vendor Z super security product on my hard drive, and because I've got all these products protecting me from a security standpoint, from the yellow vendor and the red vendor and the blue vendor and everybody else, because I've got all this security on my hard drive I don't need to do software updates. And what I think I just heard you clearly say is that's not the case. If you've got the greatest security running on your hard drive but you're missing this firmware update, you're vulnerable, right?

Bernd Redecker:              08:42                    

It depends. Of course it depends. You are right, there is no silver bullet. There is no bulletproof solution. What we have to take into consideration is protection on let's call it three layers, interconnected layers or interconnected levels. One is against what we would refer to as IT or cyber attacks, like malware trying to reach the ATM PC or we have to provide protection against malicious users and we have to think about protection when the machine is being switched off. That is very often forgotten. That would cover attacks directly against the devices. There is no difference, from a logical point of view there is no difference, whether I switch off the machine, the PC, or whether I directly connect to the dispenser. But if we do not offer protection or if we do not consider protection on all of these layers, then there is room for attacks. If there is a gap somewhere, there is room for attacks. If we don't encompass, and that's what I see as upcoming attacks, processes, there is room for attacks.


What is also a little bit misleading, and again, like you Scott, I don't want to talk about product X, Y or Zed, the ATM in most cases is running a little bit specialized but more or less standard PC, which means we are looking at a standard operating system which you know from your office environment. So why the heck don't we deploy office protection tools? The biggest difference is, think about your computer, when you switch it on, well maybe not in your home environment but definitely in your office environment, the first thing you will have to do is you will have to enter a password, even before the operating system starts. Well, here, with ATMs or with POS systems, we are looking at machines, and especially with ATMs, we are looking at machines which are out in the wild 24/7, there is no dedicated user on it who would be able to put in a password when you boot it, which means you will need dedicated security measurements for exactly these environments.


If you start deploying standard office environments to these areas, you can think about that, in reality from my experience it has never been a very good solution because there has to be a trade off. When you look at standard antivirus, for instance, your machines or your pattern on your home PC gets updated, well at least hourly. You can't do that with an ATM. It will spoil the bandwidth, it will spoil potentially availability of the machine. So you have to think about other measurements dedicated for self-service machines, dedicated for 24/7, machines running unattended. So we have to take a different perspective on this to be able to offer protection.

Scott Harroff:                     11:46                    

Yeah, I agree. I think that when you look at an ATM environment there's a lot of different aspects that you need to look at relative to jackpotting. If you've got an ATM that's sitting in the middle of your lobby, maybe you haven't updated the software for 17 years. With it sitting in the middle of your lobby and the doors are only open from eight in the morning until five at night and people are paying attention to what's happening at the ATM, you've got a lot of vulnerabilities on that ATM possibly but what's the likelihood, if you will, of somebody walking into that branch and opening up the ATM and standing there for the next hour taking notes out of the front of the machine and putting it into a great big bag they have on the floor? It's just not likely to happen. It could. But it's just not really likely. And then you move from there and do a drive-up lane, and depending on how it's configured you got a little bit more risk. It's out there 27 by 7 and maybe the lighting's not as great as it could be. And then you go to the other extreme, maybe I've got an ATM at a gas station or an off-site government building or in a college campus and now you've got an ATM that from a physical standpoint's very exposed. Your likelihood goes up.


So I think the other thing, in addition to the tools running on the ATM itself, I think customers really need to look at the physical environment and the risk factors around each ATM and use that as a way to help model what their total exposure is and figure out what to do there and not overlook physical security. I can't tell you the number of customers I've talked to where all their remote ATMs have exactly the same key that they were shipped with from the factory and they have no alarms on the top hat and no one's monitoring to see if the ATMs up or down. So I really agree with you, it's a comprehensive solution that really you've got to look at everything together all at once.

Bernd Redecker:              13:33                    

Like you said, having something like the same key in all machines is never a good solution. Normally security does not come from obscurity, it comes from secrets you have and you possess and you can use in the field, but not from having just something which you think the other one doesn't have. That's impossible. Just one comment on the environment. You're absolutely right, especially when we look at not only the logical attacks, when we look at attacks in total, there are different areas, there are different regions where attacks, some kind of attacks, are more likely than others. Unfortunately, this also applies vice versa. And just because your ATM is in a lobby may help if you think about a bank environment, may help when you're, for instance, in Europe or in North America. We have also seen attacks especially in Latin America where it's not especially a lobby but it's supermarket scenarios where there are ATMs and they have been jackpotted while the store was open.


So the crooks have developed patterns where they really don't care who's looking at them, again, depending on the region, depending on the environment, where they simply don't care whether they are being seen, where they try to disguise. We have seen full operations where they even come with their own protection, not armored but in terms of distracting anybody who goes out there and tries to talk with the one who's currently jackpotting the machine. And of course it never looks like what you would expect jackpotting. It's not cloak and daggers, it's not people with raincoats and black hats. It's always people looking absolutely, in these scenarios, it's always people looking absolutely normal, pretending to do normal transactions. And you can tell from the lock files of the ATM and you can tell from the videos that in fact they were cashing out money instead of really doing a normal withdrawal.

Scott Harroff:                     15:29                    

Yeah, and we've seen the same thing here in the US. We've had big box retailers with ATMs very close to the main entrances and you've got all those people walking in and out of the big box retailer and your point of sale line is right over there. And of course you've got all those surveillance cameras. And right there in the middle of it for an hour they're jackpotting. Hey, let's talk a little bit about the difference between the May alert and the July alert. So they're both black box attacks. Why don't you give our audience a little bit of information around the differences between the July and May alert just to clarify that.

Bernd Redecker:              16:06                    

Well, the main reason we published another alert on jackpotting and black boxing in July was, first of all it was a wave over here in Germany and with also seeing something similar happening in Latin, but what was really astonishing and what was new at that point and time was a way of organization. So we know that the majority of the jackpotting cases, we do have organized crime, we do have organizations in place who do the jackpotting. In that case the biggest difference was that the guys who were in front of the machines, the guys who did the transport, had absolutely no idea what they were doing. They have been hired completely, well, underground style. So they had no clue why they were transporting a notebook from one country to another one.


They didn't have a clue what to do with that in front of the machine other than the description, "Okay, open the machine or break the machine here, there and there. Connect this and then here you go". So that was basically the biggest difference we saw in that. And that it hit in two regions in parallel led us to issue this warning. Again, if the machines are properly updated this should have not been possible. And we have also seen attacks which were unsuccessful due to full protection, at least against known attack vectors. So this proves to help. In this case, the machines were not upgraded. But the main reason for this was the organization grate behind that.

Scott Harroff:                     17:48                    

When we look at these attacks, sometimes when we do our forensics it's a very complicated multi-step process that requires ... You have this version of this and this version of that and you're missing this countermeasure and you're missing that countermeasure. And it's really perfect storm of all these things coming together in conjunction with a technical person at the ATM that's really, really smart. What I think I just heard you say is we can go all the way to the other extreme of you have a not sophisticated person that sort of, kind of just pulls out a hard drive and you're missing a patch and they use that as a way to impact the hard drive and put it back in. That's kind of what happened in the July alert, right? Could you elaborate on that a little bit?

Bernd Redecker:              18:36                    

Basically, the guys who are in front of the machine, in that case, are not really aware of that there is a missing patch. What they have is they have typically a device or an instruction or a USB stick or whatever it is for this given attack plus a description. Again, breaks machine here, unlocks a hook there, plugs this in there, and then press a button. And that's all they know and all they need to do. They have no clue that a Microsoft patch was missing or the firmware wasn't on the latest release whatsoever. And that's the world we are moving into where the money mules have absolutely no idea on why they are doing what they are doing. They just know it works.


You can also tell that from the controls which are getting embedded into the malware, which is used either in the disk replacement scenarios or in notebooks if we get into re-engineering of them, most of them if we talk about notebooks, most of them have remote connection. If we talk about software and substitution, there is a control embedded where these guys are remotely controlled in terms of the brain who gave them the notebook knows exactly, knows later on exactly how much money is in the machine and how much the mule would have to deliver. But the person on-site does not know that there is a, again, a patch missing. He's not the brains. And they simply hire them and they have reached a level now where they hire them completely anonymously.

Scott Harroff:                     20:13                    

Well, I think the good news here and the bad news here are all wrapped up in the same sentence. We build ATMs to last. They are not something that you put out there and in a year or two or three you replace with a brand new ATM. There's ATMs that have been out there for 10, 20 plus years. And, at the same time, that's a good thing because the customer has a piece of hardware that is very reliable and it's out there running. But on the other side of the coin, a lot of these older ATMs are in an environment where the customer really hasn't done the things that you talked about, Bernd, to keep it up to date. They haven't kept the operating system up to date, they don't have signatures up to date, they don't have whitelisting in place, they don't have encryption in place. They might not have the physical security around the ATM. So you've got a combination of older units with not enough security being one of the main drivers of why organized crime has focused in on that.


These attacks, also they're evolving really, really quickly. So you can't just take the defenses that you've got today and make the assumption that those same exact defenses are going to be perfect for protecting you tomorrow. You've got to keep up on top of this stuff, you've got to keep up with updates and upgrades. And if you don't, then the criminals will find a vulnerability somewhere in a platform and try to target it.


Bernd, is there anything else you want our listeners to take away with today regarding our conversation?

Bernd Redecker:              21:34                    

Yeah, just perfect statement, Scott, just to emphasize on that. Even if the customers don't get attacked, leaving the machine on the old state makes it even more difficult to upgrade them if something happens. So maintenance is nothing you should do only when something happens, you should do it on a regular base. And you can even do that for the old machines. Of course there is an end of life at some time, but until then ... Typical lifespan, when we look at life cycles of machines of software, that is clearly above seven years to some extent. So that shouldn't be a problem to patch and update them over the lifetime.


The other thing I would like to point out or I would like to hint to is we've been talking a little bit about physical protection, we've been talking a lot about logical protection. As we mentioned one or two times, the attacks we are seeing at the moment are also a combination of logical and physical. And what we are seeing, and again on a global scale, it simply doesn't matter where you're looking, to which geography you're looking to. Some are more advanced in the negative way than other regions. But, nevertheless, what we are seeing is that the crooks are also starting to take advantage of banks processes. There is an attack called transaction reversal. There are other attacks where the crooks know exactly that the bank will, in one or the other case for instance, refund cash. And while this is not literally jackpotting but the result is the same, they trick the whole process in a way where it refunds any withdrawals immediately meaning they can withdraw until the machine is empty. And the result of that is very near to a jackpotting again. So if we think about protecting the machines, it is the physical protection, it's the logical protection, protection when the machine is switched off, we have to consider processes. And of course, if we do all these things, we also have to properly monitor the machines. Because it doesn't help at all if the machine sits out there, and again 24/7, lobby, drive-ups, remote locations, whatever we have, it doesn't make any sense if the machine sits out there, it's protected to some effect, knows that it's currently being attacked, cries for help and nobody's listening.

Scott Harroff:                     24:06                    

Yeah, that's a great example Bernd. We're talking about jackpotting and so many times you think about it, and to your point of the outcome is all the cash is gone and the method had nothing to do with a black box or malware, it was just that reversal attack that just kept right on going. So I think one of the things that a lot of our financial institutions should do is really sit down with an expert on security and really walk through all the different things that you and I talked about today and really put a plan together for where are we today, ideally where do we want to be, and what are all the steps that we need to put in place to go from where we are to where we need to be, and then how do we keep up to date once we get to where we want to be?


So Bernd, thanks so much for being here today. It's always great to have someone of your level of expertise and knowledge available to talk to the financial institutions about what's going on in the channel. I want to thank the listeners today for tuning into this episode of Commerce Now. To learn more about jackpotting and how you can better defend your ATM fleet against these evolving attacks, please log on to And, until next time, keep checking back on iTunes or your podcast listening channel for new topics on COMMERCE NOW. And thank you very much again for everybody's attendance today.