EU Authorities Fight Back Against “Black Box” ATM Attacks

Europol has announced that a total of 27 related arrests have been made since the ATM black box threat first emerged in 2015. Eleven arrests have been made in France, four in Estonia, three in the Czech Republic and Norway, and two in The Netherlands, Romania and Spain.

A black box attack is a logical attack against cash dispensers. It requires gaining access to the inner workings of the machine, usually, notes Europol, “by drilling holes or melting.”

Once access is achieved, the cash dispenser is disconnected from its core working, and connected instead to the hacker’s own electronic device — the so-called black box. The attacker then simply issues the necessary commands to empty the cash dispenser; an act known as ‘jackpotting’, which bypasses any need for a card or transaction authorization.

Since a black box attack simply empties the whole machine, rather than attempting to extract available cash from an individual account, a single successful attack can potentially steal hundreds of thousands of Euros.

According to Europol, black box attacks have increased dramatically. It quotes a recent report from the European ATM Security Team (EAST) which reports 58 such attacks in 2016 compared to just 15 in 2015. In reality, however, the majority of attacks fail. Although the attacks increased, the related losses fell by 39% from €0.74 million to €0.45 million.

EAST attributes this fall largely to its own work. “While the rise in ATM black box attacks is a concern,” said executive director Lachlan Gunn, “we are pleased to note that many of these attacks were not successful. In 2015, to help the industry counter such attacks, our EAST Expert Group on ATM Fraud (EGAF) worked with Europol to produce a document entitled ‘Guidance & recommendations regarding logical attacks on ATMs’.”

EAST will be leading a breakout session discussing black box attacks at the third global Financial Crime & Security (FCS) Forum, being held in The Hague on 8th/9th June 2017.

Despite the potential for high value individual attacks, black box attacks are rare in comparison to other ATM-related attacks. “ATM related fraud attacks increased by 26%, up from 18,738 in 2015 to 23,588 in 2016,” reports EAST. “This rise was mainly driven by a 147% increase in Transaction Reversal Fraud (up from 5,104 to 12,581 incidents). The downward trend for card skimming http://www.securityweek.com/cybercriminals-developing-biometric-skimmers-atm-attacks continues with 3,315 card skimming incidents reported, down 20% from 4,131 in 2015. This is the lowest number of skimming incidents reported since 2005.”

Overall, actual fraud-related ATM losses increased only marginally — up by 2% from €327 million in 2015 to €332 million in 2016.