A new surge of logical attacks on ATMs: what the Belgian experience teaches

In June and July 2020, ATMs of the Belgian bank Argenta were attacked by hackers. Using special software, the criminals seized control of the ATMs and withdrew all the cash that was there. The bank not only suffered financial and reputational losses, but was also forced to take out of service 143 ATMs with a similar software stack to avoid a recurrence of incidents.

What happened in Belgium?

As soon as it became known about the attacks on ATMs in Belgium, Diebold Nixdorf began his own investigation of the incident. It turned out that in all cases, ProCash 2050xe ATMs with the CMD-v4 cash dispensing module were attacked. The attackers destroyed part of the fascia in order to gain physical access to the ATM computer, then disconnected the USB cable connecting the dispenser and the ATM computer, and connected this cable to their own computer or laptop (so-called ‘black box’), which directly sent the command to the dispenser to dispense all cash. This type of attack is called the black box attack.

Black box attacks are one of the varieties of jackpotting, which means hacking into the ATM security system using special software that allows you to take control of cash withdrawal.

As a rule, when jackpotting, hackers use ready-made malware or their own code. However, as the investigation believes, during the attacks in Belgium, the hackers installed components of the ATM software stack on the black box, which they used to interact with self-service devices during the attacks. This method of hacking is not unique, but it has never been seen in Europe before.

The investigation has yet to find out how the ATM software ended up in the hands of attackers. According to one of the versions of the investigation, the criminals simply downloaded it from one of the terminals, where these components were stored on an unencrypted hard drive. It became possible to use this software to steal cash from other self-service devices, since these devices had outdated versions of the basic software and there were no additional encryption tools for the data transmission channel.

What can be done to protect ATM machines from jackpotting?

BS/2 experts in the field of security of self-service devices studied the situation, the vendor's recommendations and made a list of actions that can be taken right now to protect ATMs from jackpotting.

”In order to minimize the risk of jackpotting, in most cases it is enough to encrypt the communication channel between the ATM computer and its dispenser and use the current versions of the ATM system software, however, we recommend a comprehensive approach to the security of self-service devices,” - says the head of technical department of BS/2 Andrey Smirnov.

A comprehensive approach to ATM security includes the following measures.

1.   Ensure encryption of the communication channel between the ATM computer and the dispenser.

2.   Regularly update the software required for the ATM operation to the latest versions.

3.   Ensure compliance of the bank's IT infrastructure with PCI DSS requirements.

4.   Provide the physical security of the ATM.

5.   Use specialized software solutions for ATM security.


An example of such a software solution is Diebold Nixdorf's Vynamic Security platform, which not only protects ATMs from malware but also ensures the security of data transmitted by terminal devices.

How does Vynamic Security protect against jackpotting?

The Vynamic Security software solution consists of several modules, each of which has its own area of responsibility. For example, one of them - the Intrusion Protection module - prohibits the launch of third-party software on the ATM computer, making it impossible to install malware. Another solution module - Hard Disk Encryption - does not allow replacing the ATM hard disk and ensures the safety of the device when it is turned off.

In addition, the full Vynamic Security suite protects ATMs from malicious software infiltration over the network, so any attempt by attackers to download malware onto a terminal device over the network will fail. The solution also allows you to restrict access to data depending on the user group and provides effective access control by managing the rights of individual accounts and user groups with the ability to log all their actions.