Recent updates
Keep up with our latest security updates.
June 9, 2023
What’s a Rich Text element?
The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.
Static and dynamic content editing
A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!
How to customize formatting for each rich text
Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.
September 2, 2024
September 2, 2024
Man in the Middle Attacks
NCR Atleos is continuing to receive reports of Man-in-the-middle (MitM) jackpotting attacks in the U.S. These attacks are a form of cyberattack that are targeting Financial Institutions that lack cryptographic protection on the communications link between the ATM and the acquiring host. Such attacks also target ATM deployments where the configuration of the communications encryption is flawed.
An MitM attack, typically involves connecting a device either inside the ATM top box or at a nearby router to allow the acquiring host's messages to be intercepted and modified by a specific card belonging to the attacker is entered into the ATM. The card used will be untraceable back to the attacker. Often, stolen, or prepaid cards are used to allow the attacker to remain anonymous.
Drive-Up ATMs, where the attacker has access to the top box are often targeted.
These types of attacks are possible when:
- The communications between the ATM and acquiring host are not protected at all; or
- The communications between the ATM and acquiring host are not protected correctly.
To guard against this type of attack, NCR Atleos recommends:
- Communications between the ATM and acquiring host MUST be encrypted using TLS 1.2 (as a minimum).
- Care must be taken to ensure that protection is applied correctly. Specifically, encryption must be correctly configured, and encryption must be applied end-to-end
- Correct Encryption Configuration: some text
- Host TLS certificates must chain to an authorized root.
- Host TLS certificate name must be added to ATM software build.
- ATM software build must enforce TLS implementation.
- Choose the correct cipher.
- Protection must be applied end-to-end. This means TLS 1.2 must be implemented directly in the ATM PC Core.
- Correct Encryption Configuration: some text
Ifa router is used, then the communications link between the ATM and the router must be protected. If protection is only applied over the communications link from the router to the acquiring host, then attackers can exploit the network link between the ATM PC core and the router. The communications link between the ATM and the router is the most common location for a MitM attack.
- For defence in depth protection, cryptographic MACing can also be applied to sensitive authorization messages.
- ATM’s which have configurations with public facing topbox access can optionally be fitted with a unique physical key per ATM
Further information about complete ATM logical security can be found in Logical security best practices whitepaper.
For questions, please reach out to your NCR Atleos Representative
Thank you and kind regards,
The NCR Atleos Security team
November 28, 2023
November 28, 2023
Transaction Reversal Fraud at ATMs - Update for S1 Currency Dispenser
This communication is an update to the security alert issued on 30 May concerning a series of Transaction Reversal Fraud (TRF) at ATMs in the United States, United Kingdom and Europe. In these attacks, the criminal uses a tool to break the shutter off the ATM which provides access to pull notes from the exposed S2 dispenser cash transport shuttle. The S1 dispenser has not been the main target of these attacks, but in principle similar attack vectors could be applied to S1.
At this time, no new TRF attacks have been reported to NCR Atleos.
We are issuing this update to announce that software changes to detect this class of TRF on the S1 dispenser have now been released. NCR Atleos recommends that ATM deployers treat these software updates as important and apply to ATMs at the earliest update opportunity. Any ATM that does not have this software update is at risk of cash losses due to TRF.
Software update details:
NCR Atleos has made an update to the base XFS platform software for S1. This software change will enable the S1 dispenser to detect this specific class of TRF. Base XFS platform and application software upgrades must both be applied to protect against this attack method.
Application software upgrades have previously been announced and released.
For details on how to obtain this new platform software, and information on application software pre-requisites, please contact your NCR Atleos representative.
November 16, 2023
November 16, 2023
Man-in-the-middle ATM attacks
NCR Atleos is aware of a recent rise in man-in-the-middle (MitM) jackpotting attacks on banks with unprotected ATM communications in the U.S. and Thailand. This type of attack typically involves connecting a device and/or introducing malware into the network to allow host messages to be intercepted and modified when a specific card belonging to the attacker is entered into the ATM. The card used will be untraceable to the attacker. Typically, stolen or prepaid cards are used. These types of attacks are possible when the communications between the ATM and host are not protected.
To guard against this type of attack, NCR Atleos recommends:
- Transmission of sensitive cardholder data across all networks be encrypted using TLS 1.2 (as a minimum) between the ATM and the host. This is because MitM attacks can be used to skim cardholder data. PCI DSS Requirement 4.1 states the use of strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
- Care must be taken to ensure that protection is applied end to end. This means TLS 1.2 must be implemented directly in the ATM PC Core.
- If a router is used, then the link between the ATM and the router must be protected.
- If protection is only applied over the link from the router to the host, then attackers can exploit the network link between the ATM PC core and the router. The link between the ATM and the router is the most common location for a MitM attack.
- MACing should be applied to sensitive authorization messages.
Further details can be found in our Logical security best practices whitepaper.
Questions? Contact your NCR Atleos representative.
May 30, 2023
May 30, 2023
Transaction Reversal Fraud at ATMs - Update
Guidance and recommendations
NCR is monitoring a series of Transaction Reversal Fraud (TRF) at ATMs in the United States, United Kingdom and Europe. In these attacks, the criminal uses a tool to break the shutter off the ATM which provides access to pull notes from the exposed S2 dispenser cash transport shuttle.
NCR recently issued a security alert to warn ATM deployers of an escalation of TRF attacks against NCRATMs in the United States. These attacks have since spread across several cities in the U.S., and we are aware of attacks in the U.K. Industry reports have also identified similar attacks on other vendors ATM’s in Europe.
In response, NCR advised software setting changes be made in the base XFS platform layer or in the ATM application flow to mitigate losses due to these attacks. NCR also released packages that could be used in the North American Activate Enterprise (AE), Edge and USN application environments to apply the recommended platform setting change.
At this time, we are issuing an update to announce that software changes are being developed that can detect this class of TRF. NCR recommends that ATM deployers treat these software updates as critical and apply to ATMs at the earliest opportunity. Any ATM that does not have this software update is at risk of cash losses due to TRF.
Software update details:
NCR is making updates to the base XFS platform software and the NCR application software. We are implementing software changes that will enable the S2 dispenser to detect this specific class of TRF. The mitigation advice previously given to customers will only address the most common field attack method. These critical software upgrades are required to provide protection from possible variations in the attack technique. Base XFS platform and application software upgrades must both be applied. While this software update will detect probable fraud scenarios, it is also possible that genuine equipment malfunction could also be detected as fraud.
Customers who have subscribed to NCR’s Software Distribution* Managed Service offer will be contacted by our software operations teams to coordinate the distribution of the TRF update.
(*including customers who purchased the Service and Software Management bundle or the Integrated Managed Services bundles that include Software Distribution)
For NCR ATM as a Service customers these SW updates will be applied ASAP.
For details on how to obtain this new platform and application software, please contact your NCR representative.
May 9, 2023
May 9, 2023
Money Order Fraud at ATMs in the U.S.
NCR is investigating a series of incidents at ATMs in the United States where criminals are depositing fraudulent money orders into the ATM.
The criminal then withdraws funds from the account prior to the FI determining that the money order is not legitimate.
As the money order contains the same fields as a standard check, the ATM recognizes the money order as legitimate.
The cardholder withdraws the cash immediately, so by the time the financial institution (FI) understands the orders are fraudulent, the loss is incurred.
This is leading to a loss for the FI who has accepted the Money Order as a deposit.
At this time, we are aware of two concentrated incidents (multiple counterfeit orders deposited in a short space of time) resulting in a five-figure monetary loss.
This fraud is possible on any ATM where checks/money orders can be deposited. Its fraud is not targeted at, or unique to any ATM in the field.
NCR Guidance:
The NCR guidance is for the financial institutions to review their business rules and practices as it relates to funds availability, review current deposit risk review rules through the check image item processor, and potentially consider blocking common transit and routing numbers where money order fraud was originating from, through the FI terminal handler"
At this time, the current routing numbers which we have seen reports from are:
- 071926786
- 091203586
- 000008002
- 091203557
- 091900533
- 091916187
- 103101864
- 102100400
- 103104900
There may be additional routing numbers identified. We encourage you to frequently check the NCR Security Alert Archive as we will update this alert as needed with additional routing numbers
For NCR ATM as a Service customers who use NCR for transaction processing, please contact your NCR Account Representative to request this change.
For all other customers please contact your network/switch provider as they will need to make this configuration change for you.
Contacts
ATM Crime Reporting: Global.Security@ncr.com
Self-Service Security Solutions and Best Practice: NCRSelf-Service.security@ncr.com
January 24, 2023
January 24, 2023
Transaction Reversal Fraud (TRF) in Europe and the USA
NCR has been made aware of three new reports of TRF attacks in Europe and the United States. Attacks have been experienced on “Through The Wall” cash dispense ATMs, and are not limited to any specific model. These attacks are using a method previously described in an alert sent by NCR in March 2021.
These latest attacks are using the Card Reader Manipulation method, subcategory ‘the Jam’, that is described on PAGE 5 in the March 2021 alert.
These attacks can be mitigated by a modification to the transaction flow configuration. For specific information on how to make these configuration changes, please contact your local NCR representative.
Contacts
ATM Crime Reporting: Global.Security@ncr.com
Self-Service Security Solutions and Best Practice: NCRSelf-Service.security@ncr.com
January 20, 2023
January 20, 2023
New “Deep Insert” Card Skimmer M.O. for DIP card readers
Guidance from NCR
NCR has been made aware of two separate successful skimming attacks against ATMs equipped with Tamper Resistant DIP Card Readers in USA.
The skimming technique is using a Deep Insert Skimmer in Tamper Resistant DIP Card Readers, but an additional attack step is performed that sabotages the internal workings of the Tamper Resistant DIP Card Reader. After this sabotage is performed, the skimmer can then operate inside the reader. Sabotaged readers show no signs of outward damage to the ATM user. Similarly, because the skimmer is placed inside the reader, these devices are almost impossible to spot by the typical ATM user.
Note: Deep Insert Skimmers cannot be detected or prevented by fascia skimming prevention solutions such as NCR SPS or third-party equivalents.
Customers are advised to be aware of possible signs of deep insert skimming. The most common indicator is impaired usability of the reader as the skimmer causes increased friction during card insertion and withdrawal; other indicators are card reading failures.
Skimming attacks also require the PIN, and the most common method of PIN capture is use of a covert camera hidden on the ATM. While Deep Insert Skimmers are very difficult to spot, PIN capture cameras are mounted on the outside of the ATM and can be found during inspection if staff are instructed to look for them. PIN cameras are typically hidden behind fake panels added to the ATM fascia. Common locations on NCR 80 Series ATMs are side panels in the PIN Pad recess; complete ATM side panels; or a false bar along the top of the fascia adjacent to the task lighting. Fake panels that conceal a camera will have a small pin hole aperture to allow the camera to view the PIN pad. Any small holes observed in the vicinity of the PIN pad should be considered suspicious.
Card issuers can limit the impact of skimming by increasing the security checks on any magnetic stripe transaction authorization that originates from a chip card in an ATM. All North American ATMs are chip enabled, meaning that every chip card withdrawal should be processed as an EMV transaction. Any chip card transaction from an ATM which is processed using the magnetic stripe is a possible skimmed card. This information should be included in existing fraud detection profiling during the transaction authorization process.
Additional hardware upgrade counter measures against this new M.O. are in development by NCR. Anew model of DIP card reader with hardening against sabotage and internal skimmer detection sensors is scheduled for release at the end of Q1 2023. We will proactively notify customers when this new reader is available.
NCR continues to monitor and review reports of new attack vectors, and encourages customers to maintain a regular physical security review of ATMs in the field for any evidence of tampering
Contacts
ATM Crime Reporting: Global.Security@ncr.com
Self-Service Security Solutions and Best Practice: NCRSelf-Service.security@ncr.com
Security updates archive
Select a year to view the archive.
Sign up for NCR Atleos Security Updates
As part of our commitment to ATM security, we regularly provide alerts and updates to the market on global ATM security issues and situations.
We issue alerts when:
- We receive reports of new ATM attacks
- We receive reports of modifications to ATM attack methods
- Industry compliance issues require actions by ATM deployers