Man in the Middle Attacks
NCR Atleos is continuing to receive reports of Man-in-the-Middle (MitM) jackpotting attacks in the U.S. These cyberattacks target financial institutions that lack cryptographic protection on the communications link between the ATM and the acquiring host, and ATM deployments where the configuration of the communications encryption is flawed.
An MitM attack typically involves connecting a device, either inside the ATM top box or at a nearby router, that intercepts and modifies the acquiring host's messages when a specific card belonging to the attacker is entered into the ATM. The card used will be untraceable back to the attacker; often stolen or prepaid cards are used so that the attacker remains anonymous.
Drive-up ATMs, where the attacker has access to the top box, are often targeted.
These types of attacks are possible when:
- The communications between the ATM and acquiring host are not protected at all; or
- The communications between the ATM and acquiring host are not protected correctly.
To guard against this type of attack, NCR Atleos recommends:
- Communications between the ATM and acquiring host MUST be encrypted using TLS 1.2 (as a minimum).
- Care must be taken to ensure that protection is applied correctly. Specifically, encryption must be correctly configured, and encryption must be applied end-to-end.
- Correct encryption configuration:
  - Host TLS certificates must chain to an authorized root.
  - The host TLS certificate name must be added to the ATM software build, so that the ATM verifies the certificate presented belongs to the acquiring host.
  - The ATM software build must enforce the TLS implementation (the ATM must not accept an unprotected connection to the host).
  - Choose the correct cipher suite (one with strong authentication and encryption).
- Protection must be applied end-to-end. This means TLS 1.2 must be implemented directly in the ATM PC Core.
If a router is used, then the communications link between the ATM and the router must also be protected. If protection is only applied over the communications link from the router to the acquiring host, then attackers can exploit the network link between the ATM PC core and the router. The communications link between the ATM and the router is the most common location for an MitM attack.
- For defence in depth, cryptographic MACing (a message authentication code) can also be applied to sensitive authorization messages, so that a message modified in transit is detected and rejected by the ATM.
- ATMs whose configuration gives public-facing access to the top box can optionally be fitted with a unique physical key per ATM.
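The configuration points in the list above and the MACing recommendation, as an added example (this is not NCR Atleos code, nor any ATM vendor's implementation): a Python ssl client context for the ATM PC core that enforces TLS 1.2 as a minimum, requires the host certificate to chain to a loaded root and to carry the expected host name, and restricts the cipher suites; beside it the flawed "TLS switched on but nothing verified" configuration the advisory warns about; an audit function that reports which of the points each context fails; and an HMAC over an authorization message that detects a modified host response. The root CA path, the host name, the cipher list, the MAC key and the message format are all assumptions for illustration.

```python
"""Added example (not NCR Atleos code): ATM-side TLS client context, an audit
of it against the configuration points in the advisory, and an HMAC on
authorization messages for defence in depth.

Assumptions (not from the advisory): the root CA path, the expected host
name, the cipher list, the MAC key and the message format are illustrative.
"""
import hashlib
import hmac
import socket
import ssl
from typing import List, Optional

ACQUIRER_ROOT_CA = "/etc/atm/acquirer-root-ca.pem"   # assumed path of the authorized root
ACQUIRER_HOST_NAME = "host.acquirer.example"         # assumed name on the host certificate
# Assumed cipher list: ECDHE key exchange with AEAD ciphers only, nothing anonymous or weak.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def weak_tls_context() -> ssl.SSLContext:
    """The flawed configuration the advisory warns about: TLS is switched on, but
    the host certificate is never verified, no root is loaded and any protocol
    version is accepted, so a device on the ATM-to-router link can stand in for
    the acquiring host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # accept whatever the library allows
    return ctx


def hardened_tls_context(ca_bundle: Optional[str] = ACQUIRER_ROOT_CA) -> ssl.SSLContext:
    """Context the ATM PC core itself should use, so protection is end-to-end
    rather than terminated at a router."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.2 as a minimum
    ctx.verify_mode = ssl.CERT_REQUIRED            # the host must present a certificate...
    ctx.check_hostname = True                      # ...whose name matches the expected host
    ctx.set_ciphers(CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION
    if ca_bundle is not None:
        # Trust only the authorized root shipped with the ATM build, not the system
        # store. None is accepted here only so the audit below can run offline.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the configuration points from the advisory that ctx fails (empty list = passes)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("host certificate is not verified")
    if not ctx.check_hostname:
        findings.append("host certificate name is not checked")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no authorized root certificate loaded")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings


def connect_to_acquirer(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open the ATM-to-host session. The handshake fails closed if the host
    certificate does not chain to the loaded root or names a different host."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=ACQUIRER_HOST_NAME)


def mac_authorization_message(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over a sensitive authorization message, under a key the
    ATM shares only with the acquiring host (key provisioning is out of scope)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_authorization_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check: a message altered on the link fails even if TLS was
    wrongly terminated at a router in front of the ATM."""
    return hmac.compare_digest(mac_authorization_message(key, message), tag)


# Constructed sample (not a real host message format): a genuine decline and the
# approval a MitM device would try to substitute for it.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # assumed per-ATM MAC key
HOST_RESPONSE = b"TXN=000123;RESULT=DECLINE;DISPENSE=0"
TAMPERED_RESPONSE = b"TXN=000123;RESULT=APPROVE;DISPENSE=500"

if __name__ == "__main__":
    print("weak context fails:", audit_tls_context(weak_tls_context()))
    print("hardened, root not yet loaded:", audit_tls_context(hardened_tls_context(ca_bundle=None)))
    tag = mac_authorization_message(SAMPLE_KEY, HOST_RESPONSE)
    print("genuine response verifies:", verify_authorization_message(SAMPLE_KEY, HOST_RESPONSE, tag))
    print("tampered response verifies:", verify_authorization_message(SAMPLE_KEY, TAMPERED_RESPONSE, tag))
```

Run as-is (no network is needed), the audit reports all four failings for the weak context, and exactly one for the hardened context built with `ca_bundle=None`: no root loaded. That single finding only clears once the authorized root bundle is actually installed on the ATM, which is the intended fail-closed behaviour; in production the path must always be supplied. The MAC key must be separate from any TLS material and known only to the ATM and the host, otherwise a device that can read the link could forge tags as well.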
Further information about complete ATM logical security can be found in the Logical Security Best Practices whitepaper.
For questions, please reach out to your NCR Atleos representative.
Thank you and kind regards,
The NCR Atleos Security team
Sign up for NCR Atleos Security Updates
As part of our commitment to ATM security, we regularly provide alerts and updates to the market on global ATM security issues and situations.
We issue alerts when:
- We receive reports of new ATM attacks
- We receive reports of modifications to ATM attack methods
- Industry compliance issues require actions by ATM deployers