Security alerts

Keep up with our latest security updates.

Physical access jackpot attack

Important information

Dear valued customer,

Please be advised that NCR Atleos is aware of successful Jackpot attacks in the United States using methods that are consistent with some aspects of a Direct Memory Access (DMA) attack. These attacks target free-standing cash dispense ATMs located in public shopping malls. These attacks require physical access inside the ATM. The attackers gain access to the ATM top box and add a plug-in PCIe card directly inside the PC Core. This facilitates the addition of malware to the PC Core, which allows the attackers to jackpot the ATM.

NCR Atleos has recently provided guidance on how to prevent a DMA attack – which you can read here. We are advising that this threat is critical, and that mitigation should be applied as soon as possible, i.e. disable any expansion bus inside the PC Core. Priority should be placed on any ATM where the attacker can gain access inside the ATM top box (e.g. free-standing cash dispense or Drive-Up ATMs). The PCIe bus must be disabled.
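As an added example (not part of the NCR Atleos guidance or any NCR Atleos tooling), the following sketch flags PCI functions that appear on a PC Core but are absent from a known-good baseline, which is how an added plug-in card would show up in a device inventory. It assumes the Windows PnP instance IDs have already been exported from each PC Core as text; the function names and all sample IDs are constructed for illustration.

```python
import re
from collections import Counter

# Windows names each PCI/PCIe function with an instance ID of the form
#   PCI\VEN_<vendor>&DEV_<device>&SUBSYS_...&REV_..\<instance path>
PCI_ID = re.compile(r"^PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})", re.IGNORECASE)

def pci_functions(instance_ids):
    """Count PCI functions per (vendor, device) in a list of instance IDs."""
    seen = Counter()
    for line in instance_ids:
        m = PCI_ID.match(line.strip())
        if m:  # USB, ACPI and other non-PCI entries are ignored
            seen[(m.group(1).upper(), m.group(2).upper())] += 1
    return seen

def unexpected_pci(baseline_ids, current_ids):
    """Return {(vendor, device): extra count} for functions absent from the baseline.

    Counts are compared, so an extra device that reports an ID already in
    the baseline is still flagged.
    """
    return dict(pci_functions(current_ids) - pci_functions(baseline_ids))

# Constructed sample data: the IDs below are illustrative, not from a real ATM.
BASELINE = [
    r"PCI\VEN_8086&DEV_A102&SUBSYS_00000000&REV_31\3&11583659&0&B8",
    r"PCI\VEN_8086&DEV_A12F&SUBSYS_00000000&REV_31\3&11583659&0&A0",
    r"USB\VID_0000&PID_0000\5&1A2B3C4D&0&1",
]
CURRENT = BASELINE + [
    r"PCI\VEN_1234&DEV_5678&SUBSYS_00000000&REV_01\4&2C3D4E5F&0&00E0",
    r"PCI\VEN_8086&DEV_A102&SUBSYS_00000000&REV_31\4&2C3D4E5F&0&00E8",
]

if __name__ == "__main__":
    for (ven, dev), n in sorted(unexpected_pci(BASELINE, CURRENT).items()):
        print(f"ALERT: {n} unexpected PCI function(s) VEN_{ven} DEV_{dev}")
```

A check like this is a tamper indicator that complements disabling the expansion bus in the BIOS; it does not replace it.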

Additionally, Jackpot attacks against Drive-Up ATMs in the US continue to be reported. These attacks are using non-DMA methods as described here and are exploiting a lack of basic protection on those ATMs. It is critical that FULL logical protection is in place as per the standard NCR Atleos Logical security best practices whitepaper.

Specific key items relevant to this situation, highlighted from the guidance in our white paper, are as follows:

  • BIOS locked down with boot order restricted to primary hard disk
  • BIOS updated to fully disable PCIe bus as per our alert in June
  • BIOS passwords changed from default and managed
  • Administrator passwords (Windows or Activate Enterprise) changed from default and managed
  • Basic OS hardening applied fully with:
    • Keyboard/mouse filter fully applied
    • Software management by remote distribution (recommendation)
  • Full Disk Encryption applied, i.e. all partitions encrypted
  • Allowlisting applied with correct configuration:
    • Inheritance disabled for Authorized Updaters
    • Trusted paths or users must not be used as Authorized Updaters
  • TLS 1.2 deployed correctly with certificate pinning
  • Encryption and authentication applied to all logical channels into the ATM
  • XFS Platform software must be up to date with security patches
  • Dispenser protection enabled with correct authentication sequence set

It is critical that ALL steps in this checklist are deployed. Missing any single step can render an ATM vulnerable to jackpot attack.

If you have any questions or concerns, please reach out to your NCR Atleos representative.

Thank you for your continued partnership,

NCR Atleos Security Team