The world’s largest ATM makers, Diebold Nixdorf and NCR, have released software updates for their devices.

The problems found are deposit-forgery vulnerabilities (“fake deposit” bugs). CERT/CC specialists say that such vulnerabilities are rare, but last year two were found at once: Diebold Nixdorf fixed CVE-2020-9062, affecting ProCash 2100xe ATMs running Wincor Probase, and NCR fixed CVE-2020-10124, found in SelfServ ATMs running APTRA XFS.

Diebold ATM

Both vulnerabilities are almost identical. The root cause is that the ATMs neither authenticated, encrypted, nor integrity-checked the messages exchanged between the cash acceptor and the host computer. As a result, an attacker with physical access to connect to the ATM can forge these messages and inflate the amount recorded as deposited.
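To make the root cause concrete, here is an added example (not code from either vendor or from the advisories) of the difference between a host that trusts raw cash-acceptor messages and one that requires a keyed MAC and a monotonically increasing sequence number. The message format, the shared key and the field names are assumptions constructed for the illustration; the point is only that a forged amount fails the MAC check and a re-sent message fails the sequence check.

```python
import hmac
import hashlib
import json

# Constructed example key. In a real deployment this would be a per-device
# secret provisioned into both the cash acceptor and the host, never a constant.
SHARED_KEY = b"example-per-device-key-not-for-production"


def _mac(key: bytes, body: bytes) -> bytes:
    """HMAC-SHA256 over the message body, hex-encoded."""
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def build_deposit_message(key: bytes, seq: int, amount_cents: int) -> bytes:
    """What the cash acceptor would send: JSON body + '|' + MAC (assumed format)."""
    body = json.dumps(
        {"type": "DEPOSIT", "seq": seq, "amount_cents": amount_cents},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return body + b"|" + _mac(key, body)


def parse_unauthenticated(msg: bytes) -> int:
    """The weak design: read the amount and ignore any authenticator entirely.
    Anyone on the wire can change the amount and the host will accept it."""
    body = msg.split(b"|", 1)[0]
    return json.loads(body)["amount_cents"]


class HostVerifier:
    """The hardened design: MAC check plus replay protection via sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, msg: bytes):
        body, sep, tag = msg.rpartition(b"|")
        if not sep:
            return None, "malformed"
        # Constant-time comparison so the check itself leaks nothing about the MAC.
        if not hmac.compare_digest(_mac(self.key, body), tag):
            return None, "bad mac"
        fields = json.loads(body)
        if fields.get("type") != "DEPOSIT":
            return None, "unexpected type"
        if fields["seq"] <= self.last_seq:
            return None, "replay"
        self.last_seq = fields["seq"]
        return fields["amount_cents"], "ok"


if __name__ == "__main__":
    host = HostVerifier(SHARED_KEY)
    genuine = build_deposit_message(SHARED_KEY, 1, 5000)
    # An on-the-wire modification of the amount field (constructed for the demo).
    forged = genuine.replace(b'"amount_cents":5000', b'"amount_cents":500000')
    print("unauthenticated host accepts forged amount:", parse_unauthenticated(forged))
    print("authenticated host on forged message:", host.verify(forged))
    print("authenticated host on genuine message:", host.verify(genuine))
    print("authenticated host on replayed message:", host.verify(genuine))
```

Encryption is a separate concern from the integrity check shown here; the vendors' advisories list both, and a real fix would also confine the key to tamper-resistant hardware in the acceptor rather than a software constant.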

As a rule, such attacks are followed by quick withdrawals. They usually take place at weekends, or the deposit is immediately followed by transfers to other banks; in other words, the scammers try to cash out the non-existent funds as quickly as possible, before the bank notices the balance discrepancy.
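The cash-out pattern described above is something a bank's fraud monitoring can look for on the ledger side, independent of the ATM firmware fix. The following is an added example (not from the article or from either vendor) of a simple rule: flag any deposit where withdrawals or outbound transfers within a short window add up to most of the deposited amount, and note whether it landed on a weekend. The log format, the window, the ratio and the sample transactions are all constructed assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ledger lines (not real data): timestamp, account, type, amount in cents.
# 2021-01-16 is a Saturday; 2021-01-19 is a Tuesday.
SAMPLE_LOG = """\
2021-01-16T21:05:00 ACC-1001 DEPOSIT 500000
2021-01-16T21:12:00 ACC-1001 WITHDRAWAL 300000
2021-01-16T21:15:00 ACC-1001 TRANSFER_OUT 190000
2021-01-19T10:00:00 ACC-2002 DEPOSIT 20000
2021-01-21T09:30:00 ACC-2002 WITHDRAWAL 5000
"""

OUTBOUND = ("WITHDRAWAL", "TRANSFER_OUT")


def parse_log(text: str):
    """Parse the assumed whitespace-separated ledger format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, amount = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "kind": kind,
            "amount": int(amount),
        })
    return rows


def find_rapid_cashouts(rows, window=timedelta(hours=2), ratio=0.8):
    """Return one alert per deposit whose outbound flow within `window`
    reaches `ratio` of the deposited amount. Weekend deposits are tagged
    because the article notes attackers favour them (slower bank reaction)."""
    by_account = {}
    for r in rows:
        by_account.setdefault(r["account"], []).append(r)

    alerts = []
    for account, txs in by_account.items():
        txs.sort(key=lambda r: r["ts"])
        for i, dep in enumerate(txs):
            if dep["kind"] != "DEPOSIT":
                continue
            out = sum(
                t["amount"] for t in txs[i + 1:]
                if t["kind"] in OUTBOUND and t["ts"] - dep["ts"] <= window
            )
            if out >= ratio * dep["amount"]:
                alerts.append({
                    "account": account,
                    "deposit_ts": dep["ts"],
                    "deposit": dep["amount"],
                    "out_within_window": out,
                    "weekend": dep["ts"].weekday() >= 5,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_cashouts(parse_log(SAMPLE_LOG)):
        print(alert)
```

A rule this simple will fire on some legitimate customers too; in practice it is a scoring input that is combined with the ATM's own deposit reconciliation (counted notes versus reported amount), which is exactly the figure the forged messages manipulate.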