Corporate Product & Solution Security ACTIVE SECURITY ALERT 020-27/0003 –Jackpotting with Black Box in Europe 20200715/LN/02 July 15, 2020 Summary Recently Diebold Nixdorf became aware of an increasing number of jackpotting attacks with black boxes against ProCash terminals in certain European countries. The majority of the current incidents are reported for ProCash 2050xe USB terminals. Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed. Although the fraudster is still connecting an external device, at this stage of our investigations it appears that this device also contains parts of the software stack of the attacked ATM. Diebold Nixdorf is continuing to analyze these new attacks. During this process, the company would like to point to the recommendations for countermeasures against the known logical attack vectors and the importance of their implementation. In addition, Diebold Nixdorf urgently recommends customers verify whether these recommended countermeasures have been put into operation to better protect your ATM fleet. Where applicable, this should also include checking irregular event alerts generated by the monitoring system to interrupt such attacks. Description of Attack In general, jackpotting refers to a category of attacks aiming to dispense cash from an ATM illegitimately. The black box variant of jackpotting does not utilize the software stack of the ATM to dispense money from the terminal. Instead, the fraudster connects his own device, the "black box", to the dispenser and targets the communication to the cash-handling device directly. In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands. Some incidents indicate that the black box contains individual parts of the software stack of the attacked ATM. The investigation into how these parts were obtained by the fraudster is ongoing. One possibility could be via an offline attack against an unencrypted hard disc. For details on the different jackpotting variants and recommendations on countermeasures for different cash devices, please reference the fact sheet about jackpotting (20180726 FACT SHEET Jackpotting). This information is confidential and may be legally privileged. If you are not the intended recipient, any disclosure, copying, or distribution is prohibited. © 2020 Diebold Nixdorf, all rights reserved CUSTOMER CONFIDENTIAL Corporate Product & Solution Security ACTIVE SECURITY ALERT Recommendation for countermeasures Diebold Nixdorf understands the impact of these kind of attacks and provides guidance to customers in identifying and deploying potential solutions. From a holistic security approach, Diebold Nixdorf recommends – regardless of the region and the system - implementing the following: 1) Implement protection mechanisms for cash modules  Use software stack with latest security functionality.  Use the most secure configuration of encrypted communications including physical authentication  For CMD V4 based Terminals we recommend to verify the implementation of the following: o Use firmware version 2011 (or later) for CMD V4 (Release with SI1850228) o Enable firmware fuse (FRM_FUSE=1) o Enable secure encryption handling (AUTOENCRYPTION=2; AUTOTK=1) o Enable enhanced keystore format (KEYSTOREFORMAT=1) o Enable 3DES encryption (DES_MODE =1) o Verify that the encryption is active and monitor the encryption status 2) Implement Hardening of the Software Stack  Implement hard disk encryption mechanisms to protect the ATM from software modifications and access to secrets (offline attacks).  Introduce intrusion prevention mechanisms in order to identify deviating system behavior and protect the ATM during operation (online attacks).  In particular, the security solution should protect the XFS interface against unauthorized usage. 3) Limit Physical Access to the ATM  Use appropriate locking mechanisms to secure the head compartment of the ATM.  Control access to areas used by personnel to service the ATM.  Implement access control for service technicians based on two-factor authentication.  Terminal operators should conduct frequent visual inspections of the terminal. This information is confidential and may be legally privileged. If you are not the intended recipient, any disclosure, copying, or distribution is prohibited. © 2020 Diebold Nixdorf, all rights reserved CUSTOMER CONFIDENTIAL Corporate Product & Solution Security ACTIVE SECURITY ALERT 4) Set up additional measures  Follow network security best practices including segmented and secured LAN/VLAN with intrusion, detection and prevention.  Activate system / host based firewall and apply adequate configuration.  Implement a secure connection with the host via TLS and Message Authentication Code (MAC).  Ensure real-time monitoring of security relevant hardware and software events including unexpected opening of the top hat compartment of the ATM.  Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser.  Keep your operating system, software stack and configuration up to date. This is of particular importance for the core security HW components like EPP, card reader and cash devices as well as all banking related software components.  Implement secure software update processes and follow security best practices on password management of remote access tools. In general, we highly recommend using solutions specific to self-service terminals. For detailed information, please contact your local sales department, a hardware integration representative or your Diebold Nixdorf security expert. Additional Information & Contact: Diebold Nixdorf Corporate Product & Solution Security security@dieboldnixdorf.com Check out the Diebold Nixdorf Security blogs: https://blog.dieboldnixdorf.com/category/security/ Did someone forward you this document? Subscribe now to receive Active Security Alerts This information is confidential and may be legally privileged. If you are not the intended recipient, any disclosure, copying, or distribution is prohibited. © 2020 Diebold Nixdorf, all rights reserved CUSTOMER CONFIDENTIAL