NCR has released another security warning regarding a new series of “jackpotting” attacks being conducted on NCR ATMs in India. Although the company released the alert on March 19, the investigation into the attacks remains ongoing.
NCR’s alert states that criminals are gaining access to the ATM’s “top box”, which allows them to connect a device, which remains unidentified, to the machine’s USB port. The USB “black box” permits the attacker to connect a keyboard to the ATM, issue commands, and force the machine to dispense large quantities of cash at will. More often than not, ATM jackpotting attacks result in an ATM’s cash cassettes being completely emptied.
NCR is continuing to gather additional digital forensic data from hacked machines in India, but based on initial findings, the attackers appear to be using a variant of ATM malware that has been seen in previous examples of “cashout” or jackpotting attacks. In the jackpotting attacks in India specifically, ATMs in standalone sites have been the primary targets, which emphasizes the importance of maintaining strong physical security in these types of locations.
What NCR Recommends…
- Block all attempts to boot the ATM hardware from removable media, such as USB black boxes.
- Password-protect all access to the BIOS and have robust password management in place.
- Deploy an effective anti-virus mechanism.
Are NCR’s Defenses Enough?
In the wake of NCR’s new alert, it is clear that the manufacturer’s existing controls are not defending against jackpotting attacks. It has been argued that many of the recommended controls are not feasible or sufficient to stop a dedicated attacker. As an additional defense, Agnelo D’Souza, the CISO of Kotak Mahindra Bank, suggests implementing active anti-malware software on the ATMs that can be centrally monitored in order to prevent malicious code from running.
NuSource Recommends AppGuard…
Blue Ridge Networks’ AppGuard was named “Best Anti-Malware Solution” by the 2014 Homeland Security Awards Program. Using a unique, patented isolation and containment method, AppGuard defends against viruses, zero-day malware, drive-by downloads, watering hole attacks, ransomware, phishing and many other forms of threats. While most traditional antivirus, whitelisting and sandboxing approaches need to identify the threat, scan for viruses, update their software and disrupt activities in order to provide protection, AppGuard extends its defense without disrupting the computing and network environments. As jackpotting attacks become increasingly present in the ATM network, AppGuard is the first preventative step FIs should take.