
Security Alerts

Recent updates

Keep up with our latest security updates.


November 28, 2023


Transaction Reversal Fraud at ATMs - Update for S1 Currency Dispenser

This communication is an update to the security alert issued on 30 May concerning a series of Transaction Reversal Fraud (TRF) at ATMs in the United States, United Kingdom and Europe. In these attacks, the criminal uses a tool to break the shutter off the ATM which provides access to pull notes from the exposed S2 dispenser cash transport shuttle. The S1 dispenser has not been the main target of these attacks, but in principle similar attack vectors could be applied to S1.

At this time, no new TRF attacks have been reported to NCR Atleos.

We are issuing this update to announce that software changes to detect this class of TRF on the S1 dispenser have now been released. NCR Atleos recommends that ATM deployers treat these software updates as important and apply them to ATMs at the earliest update opportunity. Any ATM that does not have this software update is at risk of cash losses due to TRF.

Software update details:
NCR Atleos has made an update to the base XFS platform software for S1. This software change will enable the S1 dispenser to detect this specific class of TRF. Base XFS platform and application software upgrades must both be applied to protect against this attack method.

Application software upgrades have previously been announced and released.

For details on how to obtain this new platform software, and information on application software pre-requisites, please contact your NCR Atleos representative.

November 16, 2023


Man-in-the-middle ATM attacks

NCR Atleos is aware of a recent rise in man-in-the-middle (MitM) jackpotting attacks on banks with unprotected ATM communications in the U.S. and Thailand. This type of attack typically involves connecting a device and/or introducing malware into the network to allow host messages to be intercepted and modified when a specific card belonging to the attacker is entered into the ATM. The card used will be untraceable to the attacker. Typically, stolen or prepaid cards are used. These types of attacks are possible when the communications between the ATM and host are not protected.

To guard against this type of attack, NCR Atleos recommends:

  • Transmission of sensitive cardholder data across all networks should be encrypted using TLS 1.2 (as a minimum) between the ATM and the host. This is because MitM attacks can be used to skim cardholder data. PCI DSS Requirement 4.1 requires the use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
  • Care must be taken to ensure that protection is applied end to end. This means TLS 1.2 must be implemented directly in the ATM PC Core.
  • If a router is used, then the link between the ATM and the router must be protected.
  • If protection is only applied over the link from the router to the host, then attackers can exploit the network link between the ATM PC core and the router. The link between the ATM and the router is the most common location for a MitM attack.
  • MACing should be applied to sensitive authorization messages.
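
The two controls recommended above, sketched in Python as an added example (not NCR Atleos code): a TLS 1.2 minimum on the ATM-side client context, and a MAC check that rejects a host reply changed in transit. The field names, the key and the use of HMAC-SHA256 are assumptions made for illustration; the MAC algorithm and message format in a real deployment are defined by the host interface.

```python
import hashlib
import hmac
import ssl

# Placeholder key for the demo; a real key lives in the ATM's key store.
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Assumed set of authorization fields covered by the MAC.
MAC_FIELDS = ("msg_type", "terminal_id", "stan", "amount_minor", "response_code")


def compute_mac(message, key=MAC_KEY):
    """HMAC-SHA256 over the protected fields, each length-prefixed."""
    data = b""
    for name in MAC_FIELDS:
        value = str(message[name]).encode()
        data += len(value).to_bytes(2, "big") + value
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(message, key=MAC_KEY):
    """Reject a message whose MAC is missing, malformed or does not match."""
    received = message.get("mac")
    if not isinstance(received, str):
        return False
    try:
        expected = compute_mac(message, key)
    except KeyError:  # a protected field was stripped from the message
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


def atm_tls_context():
    """Client-side context for the ATM-to-host link: TLS 1.2 or later only."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed host reply (field names and values are illustrative).
host_reply = {"msg_type": "0210", "terminal_id": "ATM00042", "stan": "000123",
              "amount_minor": 20000, "response_code": "05"}
host_reply["mac"] = compute_mac(host_reply)
# The same reply with one protected field changed in transit.
altered_reply = dict(host_reply, response_code="00")

if __name__ == "__main__":
    print("original verifies:", verify_mac(host_reply))
    print("altered verifies: ", verify_mac(altered_reply))
```
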

Further details can be found in our Logical security best practices whitepaper.

Questions? Contact your NCR Atleos representative.

May 30, 2023


Transaction Reversal Fraud at ATMs - Update

Guidance and recommendations

NCR is monitoring a series of Transaction Reversal Fraud (TRF) at ATMs in the United States, United Kingdom and Europe. In these attacks, the criminal uses a tool to break the shutter off the ATM which provides access to pull notes from the exposed S2 dispenser cash transport shuttle.

NCR recently issued a security alert to warn ATM deployers of an escalation of TRF attacks against NCR ATMs in the United States. These attacks have since spread across several cities in the U.S., and we are aware of attacks in the U.K. Industry reports have also identified similar attacks on other vendors' ATMs in Europe.

In response, NCR advised software setting changes be made in the base XFS platform layer or in the ATM application flow to mitigate losses due to these attacks. NCR also released packages that could be used in the North American Activate Enterprise (AE), Edge and USN application environments to apply the recommended platform setting change.

At this time, we are issuing an update to announce that software changes are being developed that can detect this class of TRF. NCR recommends that ATM deployers treat these software updates as critical and apply them to ATMs at the earliest opportunity. Any ATM that does not have this software update is at risk of cash losses due to TRF.

Software update details:

NCR is making updates to the base XFS platform software and the NCR application software. We are implementing software changes that will enable the S2 dispenser to detect this specific class of TRF. The mitigation advice previously given to customers will only address the most common field attack method. These critical software upgrades are required to provide protection from possible variations in the attack technique. Base XFS platform and application software upgrades must both be applied. While this software update will detect probable fraud scenarios, it is also possible that genuine equipment malfunction could also be detected as fraud.

Customers who have subscribed to NCR’s Software Distribution* Managed Service offer will be contacted by our software operations teams to coordinate the distribution of the TRF update.

(*including customers who purchased the Service and Software Management bundle or the Integrated Managed Services bundles that include Software Distribution)

For NCR ATM as a Service customers these SW updates will be applied ASAP.

For details on how to obtain this new platform and application software, please contact your NCR representative.

May 9, 2023


Money Order Fraud at ATMs in the U.S.

NCR is investigating a series of incidents at ATMs in the United States where criminals are depositing fraudulent money orders into the ATM.

The criminal then withdraws funds from the account prior to the FI determining that the money order is not legitimate.

As the money order contains the same fields as a standard check, the ATM recognizes the money order as legitimate.

The cardholder withdraws the cash immediately, so by the time the financial institution (FI) understands the orders are fraudulent, the loss is incurred.

This is leading to a loss for the FI who has accepted the Money Order as a deposit.

At this time, we are aware of two concentrated incidents (multiple counterfeit orders deposited in a short space of time) resulting in a five-figure monetary loss.

This fraud is possible on any ATM where checks/money orders can be deposited. This fraud is not targeted at, or unique to, any ATM in the field.

NCR Guidance:

The NCR guidance is for financial institutions to review their business rules and practices as they relate to funds availability, review current deposit risk review rules through the check image item processor, and potentially consider blocking common transit and routing numbers where money order fraud was originating from, through the FI terminal handler.

At this time, the current routing numbers which we have seen reports from are:


There may be additional routing numbers identified. We encourage you to frequently check the NCR Security Alert Archive, as we will update this alert as needed with additional routing numbers.

For NCR ATM as a Service customers who use NCR for transaction processing, please contact your NCR Account Representative to request this change.

For all other customers please contact your network/switch provider as they will need to make this configuration change for you.

Contacts

ATM Crime Reporting: Global.Security@ncr.com

Self-Service Security Solutions and Best Practice: NCRSelf-Service.security@ncr.com

January 24, 2023


Transaction Reversal Fraud (TRF) in Europe and the USA

NCR has been made aware of three new reports of TRF attacks in Europe and the United States. Attacks have been experienced on “Through The Wall” cash dispense ATMs, and are not limited to any specific model. These attacks are using a method previously described in an alert sent by NCR in March 2021.

These latest attacks are using the Card Reader Manipulation method, subcategory ‘the Jam’, that is described on page 5 of the March 2021 alert.

These attacks can be mitigated by a modification to the transaction flow configuration. For specific information on how to make these configuration changes, please contact your local NCR representative.


January 20, 2023


New “Deep Insert” Card Skimmer M.O. for DIP card readers

Guidance from NCR

NCR has been made aware of two separate successful skimming attacks against ATMs equipped with Tamper Resistant DIP Card Readers in the USA.

The skimming technique is using a Deep Insert Skimmer in Tamper Resistant DIP Card Readers, but an additional attack step is performed that sabotages the internal workings of the Tamper Resistant DIP Card Reader. After this sabotage is performed, the skimmer can then operate inside the reader. Sabotaged readers show no signs of outward damage to the ATM user. Similarly, because the skimmer is placed inside the reader, these devices are almost impossible to spot by the typical ATM user.

Note: Deep Insert Skimmers cannot be detected or prevented by fascia skimming prevention solutions such as NCR SPS or third-party equivalents.

Customers are advised to be aware of possible signs of deep insert skimming. The most common indicator is impaired usability of the reader as the skimmer causes increased friction during card insertion and withdrawal; other indicators are card reading failures.

Skimming attacks also require the PIN, and the most common method of PIN capture is use of a covert camera hidden on the ATM. While Deep Insert Skimmers are very difficult to spot, PIN capture cameras are mounted on the outside of the ATM and can be found during inspection if staff are instructed to look for them. PIN cameras are typically hidden behind fake panels added to the ATM fascia. Common locations on NCR 80 Series ATMs are side panels in the PIN Pad recess; complete ATM side panels; or a false bar along the top of the fascia adjacent to the task lighting. Fake panels that conceal a camera will have a small pin hole aperture to allow the camera to view the PIN pad. Any small holes observed in the vicinity of the PIN pad should be considered suspicious.

Card issuers can limit the impact of skimming by increasing the security checks on any magnetic stripe transaction authorization that originates from a chip card in an ATM. All North American ATMs are chip enabled, meaning that every chip card withdrawal should be processed as an EMV transaction. Any chip card transaction from an ATM which is processed using the magnetic stripe is a possible skimmed card. This information should be included in existing fraud detection profiling during the transaction authorization process.
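
The issuer-side check described above, as an added example (not NCR code): it flags ATM transactions on chip cards whose card data was read from the magnetic stripe, using the first two digits of the ISO 8583 POS entry mode. The record layout and field names are assumptions, and the sample records are constructed.

```python
from collections import Counter

# First two digits of the ISO 8583 POS entry mode (DE22) that mean the
# card data came from the magnetic stripe rather than the chip.
STRIPE_MODES = {
    "02": "magnetic stripe read",
    "90": "magnetic stripe read, full track",
    "80": "chip fallback to magnetic stripe",
}


def flag_stripe_on_chip(txns):
    """Return (txn_id, reason) for ATM transactions on chip cards read via the stripe."""
    flagged = []
    for t in txns:
        mode = str(t.get("pos_entry_mode", ""))[:2]
        if (t.get("channel") == "ATM" and t.get("card_has_chip")
                and t.get("terminal_chip_capable") and mode in STRIPE_MODES):
            flagged.append((t["txn_id"], STRIPE_MODES[mode]))
    return flagged


def flagged_per_terminal(txns):
    """Count flagged transactions per ATM, i.e. where suspect cards are being used."""
    ids = {txn_id for txn_id, _ in flag_stripe_on_chip(txns)}
    return Counter(t["terminal_id"] for t in txns if t["txn_id"] in ids)


def _txn(txn_id, terminal_id, channel, card_has_chip, pos_entry_mode):
    """Build one constructed record (field names are assumptions)."""
    return {"txn_id": txn_id, "terminal_id": terminal_id, "channel": channel,
            "card_has_chip": card_has_chip, "terminal_chip_capable": True,
            "pos_entry_mode": pos_entry_mode}


# Constructed authorization records; no real card or terminal data.
SAMPLE = [
    _txn("T1", "ATM-A", "ATM", True, "051"),   # normal EMV chip read
    _txn("T2", "ATM-B", "ATM", True, "901"),   # chip card read from stripe
    _txn("T3", "ATM-A", "ATM", False, "901"),  # stripe-only card, expected
    _txn("T4", "ATM-B", "ATM", True, "801"),   # fallback to stripe
    _txn("T5", "POS-9", "POS", True, "901"),   # not an ATM, outside this rule
    _txn("T6", "ATM-C", "ATM", True, "021"),   # chip card read from stripe
]

if __name__ == "__main__":
    for txn_id, reason in flag_stripe_on_chip(SAMPLE):
        print(txn_id, reason)
    print(dict(flagged_per_terminal(SAMPLE)))
```
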

Additional hardware upgrade countermeasures against this new M.O. are in development by NCR. A new model of DIP card reader with hardening against sabotage and internal skimmer detection sensors is scheduled for release at the end of Q1 2023. We will proactively notify customers when this new reader is available.

NCR continues to monitor and review reports of new attack vectors, and encourages customers to maintain a regular physical security review of ATMs in the field for any evidence of tampering.



Sign up for NCR Atleos Security Updates

As part of our commitment to ATM security, we regularly provide alerts and updates to the market on global ATM security issues and situations.
We issue alerts when:

  • We receive reports of new ATM attacks
  • We receive reports of modifications to ATM attack methods
  • Industry compliance issues require actions by ATM deployers

Keep yourself fully informed by signing up today.
