An ATM black box attack, a type of ATM cash-out attack, is a banking-system crime in which the perpetrator drills or cuts into the top of the cash machine to reach its internal hardware. The machine's cash dispenser is then disconnected from the ATM's own computer and attached to an external electronic device, the black box, which issues the dispenser's native commands directly to make it release currency. Because the dispenser is being driven from outside the ATM's application software, no card, PIN or host transaction authorization is ever required.
A black box attack is a form of logical attack, a category of ATM attack that has grown in recent years. Rather than exploiting software vulnerabilities, logical attacks misuse the ATM's existing native protocols, middleware and internal communications to reach the machine's core components and commit fraud. Attackers physically open the top part of the ATM, where the computer and its USB ports are located, either to connect a black box to the dispenser or to load malware onto the ATM computer. These logical attacks differ from well-known strategies such as card skimming or network-based attacks, but they are equally dangerous.
The name reflects the attacker's position: a black box attacker typically has no knowledge of the target's internal operating system or application control software and does not need it. The device relies only on the outputs the ATM produces in response to its inputs, and because the attack never passes through the ATM's application layer, it may leave no trace in the payment terminal's own transaction records. Researchers simulating this type of attack modelled the input as requests submitted by the black box through the ATM interface and the output as either a cash withdrawal or a failure.
ATMs with weak physical protection, and off-premises retail ATMs in particular, are more vulnerable to black box attacks because criminals can reach their internal hardware more easily. However, bank-branch ATMs are not immune to these attacks.
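The defining signal of the cash-out described above is that money leaves the dispenser without any corresponding host-authorized transaction. The following monitoring check is an added illustrative example, not code from the original article or from any ATM vendor: it reconciles dispenser-level dispense events against host authorizations and flags the unexplained ones. The two log formats, the ATM identifier, the timestamps and the matching window are constructed assumptions for this example.

```python
"""Reconcile dispenser-level dispense events against host authorizations.

Added illustrative example. The two log formats below are constructed for
this example and are not any vendor's real ATM journal or host format.
A black box drives the dispenser directly, so cash leaves the machine without
a matching host-authorized withdrawal; that mismatch is what this check flags.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample data: host-side authorizations (card and PIN verified)
HOST_AUTH_LOG = [
    "2024-03-01T10:00:00 HOST AUTH atm=ATM-17 amount=200 txn=9001",
    "2024-03-01T10:07:30 HOST AUTH atm=ATM-17 amount=100 txn=9002",
]

# Constructed sample data: events reported by the dispenser unit itself
DISPENSER_LOG = [
    "2024-03-01T02:14:05 DISP DISPENSE atm=ATM-17 amount=2000",
    "2024-03-01T02:14:21 DISP DISPENSE atm=ATM-17 amount=2000",
    "2024-03-01T02:14:40 DISP DISPENSE atm=ATM-17 amount=2000",
    "2024-03-01T10:00:02 DISP DISPENSE atm=ATM-17 amount=200",
    "2024-03-01T10:07:33 DISP DISPENSE atm=ATM-17 amount=100",
]


@dataclass
class Event:
    ts: datetime
    atm: str
    amount: int
    txn: Optional[str] = None


def parse(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> <source> <kind> k=v k=v ...'."""
    ts, _source, _kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts), fields["atm"],
                 int(fields["amount"]), fields.get("txn"))


def find_unauthorized_dispenses(host_lines, disp_lines,
                                window=timedelta(seconds=30)) -> List[Event]:
    """Return dispense events with no host authorization for the same ATM and
    amount within `window` before the dispense. Each authorization can
    justify at most one dispense, so a burst of identical dispenses after a
    single real withdrawal is still flagged."""
    auths = sorted((parse(l) for l in host_lines), key=lambda e: e.ts)
    used = set()
    alerts = []
    for d in sorted((parse(l) for l in disp_lines), key=lambda e: e.ts):
        match = None
        for i, a in enumerate(auths):
            if i in used or a.atm != d.atm or a.amount != d.amount:
                continue
            if timedelta(0) <= d.ts - a.ts <= window:
                match = i
                break
        if match is None:
            alerts.append(d)
        else:
            used.add(match)
    return alerts


def cash_at_risk(alerts) -> dict:
    """Total unexplained cash-out per ATM, the figure an operations team escalates on."""
    totals = {}
    for a in alerts:
        totals[a.atm] = totals.get(a.atm, 0) + a.amount
    return totals


if __name__ == "__main__":
    found = find_unauthorized_dispenses(HOST_AUTH_LOG, DISPENSER_LOG)
    for a in found:
        print(f"ALERT {a.atm} {a.ts.isoformat()} dispensed {a.amount} "
              f"with no host authorization")
    print(cash_at_risk(found))
```

The check only works if the dispenser's own event stream is collected independently of the ATM application, for example by the vendor's dispenser-level journal or a hardware monitoring unit, since a black box bypasses the application entirely and the application's log will simply show nothing.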
Recent ATM black box attacks
In 2017 and 2018, criminals used a toolkit called KoffeyMaker in multiple black box ATM attacks targeting Eastern European financial institutions. Kaspersky Lab researchers who investigated KoffeyMaker in connection with the attacks found that the devices used were Windows laptops containing ATM dispenser drivers and a patched KDIAG tool. Those behind the attacks secretly opened an ATM at each targeted bank, connected the device to the cash dispenser, closed the ATM and left. A USB GPRS modem was later used to access the device remotely, run the KDIAG tool and execute a command to the ATM to dispense money for another attacker to collect before retrieving the laptop.
How to prevent ATM black box attacks
Keeping ATM software and hardware up to date is crucial for reducing the risk of black box attacks, though it does not eliminate it, since the attack abuses legitimate dispenser commands rather than a patchable bug. Security experts advise that careful monitoring, including reconciling cash dispensed against host-authorized transactions, and regular physical inspection of ATMs are the best ways to prevent or quickly detect a black box attack. According to Kaspersky Lab, banks can defend against black box attacks by using hardware encryption between an ATM's computer and its dispenser, so that the dispenser honours only commands from the authenticated ATM computer and not from any device plugged into its port. Organizations should also implement a stronger overall data security strategy, including the use of encryption to protect sensitive data wherever it is held.
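To make concrete why a keyed link between the ATM computer and the dispenser defeats a black box, here is an added, deliberately simplified model. It is not any vendor's protocol and not code from the article: it places a legacy dispenser that honours any native dispense command beside one that accepts only commands carrying an HMAC over a fresh nonce, computed with a key the attacker does not hold. The class names, key, nonce size and amounts are assumptions for the example; the model covers authentication, which is the part that stops forged commands, and leaves out the encryption that would additionally hide the traffic on the cable.

```python
"""Authenticated dispense commands: why a keyed link between the ATM computer
and the dispenser defeats a black box.

Added, simplified model; not any vendor's protocol and not code from the
article. LegacyDispenser honours any well-formed native dispense command on
its port. AuthenticatedDispenser only honours commands carrying an
HMAC-SHA256 tag over a nonce it issued, computed with a key shared with the
legitimate ATM computer. Key, nonce size and amounts are assumptions.
"""
import hashlib
import hmac
import secrets


def dispense_tag(key: bytes, nonce: bytes, amount: int) -> bytes:
    """MAC binding the amount to this specific challenge."""
    return hmac.new(key, nonce + amount.to_bytes(4, "big"), hashlib.sha256).digest()


class LegacyDispenser:
    """Model of an unprotected dispenser: any device on the cable can cash it out."""
    def __init__(self):
        self.cash_out = 0

    def dispense(self, amount: int) -> bool:
        self.cash_out += amount
        return True


class AuthenticatedDispenser:
    """Model of a dispenser requiring a fresh challenge and a valid MAC per command."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()      # nonces issued but not yet consumed
        self.cash_out = 0

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def dispense(self, nonce: bytes, amount: int, tag: bytes) -> bool:
        if nonce not in self._pending:
            return False           # unknown nonce, or a replayed command
        if not hmac.compare_digest(dispense_tag(self._key, nonce, amount), tag):
            return False           # sender does not hold the key
        self._pending.discard(nonce)   # one nonce, one dispense
        self.cash_out += amount
        return True


class AtmComputer:
    """The legitimate ATM PC, which holds the shared key."""
    def __init__(self, key: bytes):
        self._key = key

    def dispense(self, dispenser: AuthenticatedDispenser, amount: int):
        nonce = dispenser.challenge()
        tag = dispense_tag(self._key, nonce, amount)
        ok = dispenser.dispense(nonce, amount, tag)
        return ok, (nonce, amount, tag)   # message returned so the scenario can replay it


def run_scenario() -> dict:
    key = secrets.token_bytes(32)   # assumed provisioned into both devices at install
    results = {}

    # 1. Legacy dispenser: the black box simply issues the native command.
    legacy = LegacyDispenser()
    results["legacy_black_box"] = legacy.dispense(2000)
    results["legacy_cash_out"] = legacy.cash_out

    # 2. Authenticated dispenser, legitimate host-authorized withdrawal.
    disp = AuthenticatedDispenser(key)
    atm = AtmComputer(key)
    ok, captured = atm.dispense(disp, 200)
    results["legit"] = ok

    # 3. Black box on the cable: it has no key, so it can only forge or replay.
    fresh = disp.challenge()
    results["forged"] = disp.dispense(fresh, 2000, secrets.token_bytes(32))
    results["replay"] = disp.dispense(*captured)          # sniffed in step 2
    results["tag_reuse"] = disp.dispense(fresh, 200, captured[2])  # old tag, new nonce
    results["auth_cash_out"] = disp.cash_out
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The black box fails on every path because each dispense needs a tag it cannot compute, and captured tags are tied to a nonce the dispenser has already consumed. The hard part in real deployments is key provisioning and protection on both ends; a compromised ATM computer that holds the key is a different threat from the black box, which by definition bypasses that computer.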
Major ATM manufacturers have also issued guidance on how banks and other deployers can protect their machines. Additionally, law enforcement agencies have arrested some criminals and hackers for alleged involvement in black box attacks.