ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks

ATMs from the two companies had bugs that could have allowed card fraudsters to modify the amount of money they deposited on their card, and then abuse the new account balance for illegal cash withdrawals.
Written by Catalin Cimpanu, Contributor

Two of today's biggest ATM manufacturers, Diebold Nixdorf and NCR, have released software updates to address bugs that could have been exploited for "deposit forgery" attacks.

Deposit forgery attacks happen when fraudsters can tamper with an ATM's software to modify the amount and value of currency being deposited on a payment card.

Such attacks are usually followed by quick cash withdrawals, either during weekends or via transactions at other banks, with the fraudsters trying to capitalize on the inexistent funds before banks detect any errors in account balances.

Two similar bugs impact Diebold Nixdorf and NCR ATMs

Deposit forgery bugs are rare, but two have been discovered last year and patched this year. Diebold Nixdorf patched CVE-2020-9062, an issue impacting ProCash 2100xe USB ATMs running Wincor Probase software, while NCR patched CVE-2020-10124, a bug in SelfServ ATMs running APTRA XFS software.

At their core, both bugs are identical, according to advisories published today by the CERT Coordination Center at Carnegie Mellon University.

CERT/CC says the ATMs do not encrypt, authenticate, or verify the integrity of messages sent between the ATM cash deposit boxes and the host computer.

An attacker that has physical access to connect to the ATM can tamper with these messages when cash is deposited and artificially inflate the deposited funds.

Diebold and NCR have secured their devices by releasing software updates that have hardened the communications between the cash deposit module and the host computer.

Disclosure and reporting delayed due to sanctions

Both vulnerabilities, and others, have been discovered by security researchers working at Embedi, a Moscow-based security firm that was sanctioned by the US Treasury Department in June 2018 for allegedly working with the Federal Security Service (FSB), Russia's top intelligence agency, to bolster Russia's "offensive cyber capabilities."

Before working with Embedi researchers on coordinating the public disclosure of these bugs, the CERT/CC at CMU had to obtain a special permit from the Office of Foreign Assets Control (OFAC) at the US Treasury Department.

Crazy-expensive weird gifts you can find on Amazon if you're insane

Editorial standards