Diebold Nixdorf and NCR Address Deposit Forgery Bugs in ATMs
The world's leading ATM manufacturers, Diebold Nixdorf and NCR, have released software updates for their devices to fix vulnerabilities known as deposit forgery. According to CERT/CC experts, such vulnerabilities are rare, but last year two separate bugs of this type were discovered: Diebold Nixdorf fixed CVE-2020-9062, affecting ProCash 2100xe ATMs running Wincor Probase, while NCR addressed CVE-2020-10124, found in SelfServ ATMs running APTRA XFS.
Both vulnerabilities were nearly identical. The root of the problem was that the ATMs did not require authentication, nor did they encrypt or verify the integrity of messages exchanged between the cash deposit module and the main computer. As a result, an attacker with physical access to the ATM could forge these messages and artificially increase the amount of cash being deposited during a transaction.
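As an added illustration of the protection the affected ATMs lacked (constructed here, not Diebold Nixdorf or NCR code), the following sketches a deposit-module message that carries an HMAC-SHA256 tag and a sequence number, so the host rejects a message whose amount was altered and refuses a captured message played back a second time. The wire format, field sizes and shared key are assumptions; a real deployment would provision a per-device key and would normally add encryption as well.

```python
import hashlib
import hmac
import struct

# Constructed demo: the format, key and field sizes below are assumptions,
# not the protocol used by ProCash or SelfServ deposit modules.
DEMO_KEY = b"constructed-demo-key-provision-per-device"
BODY_FMT = ">QQ3s"            # sequence number, amount in minor units, currency
BODY_LEN = struct.calcsize(BODY_FMT)
TAG_LEN = hashlib.sha256().digest_size


def build_deposit_msg(key: bytes, seq: int, amount: int, currency: str) -> bytes:
    """Deposit-module side: packed body followed by an HMAC tag over that body."""
    body = struct.pack(BODY_FMT, seq, amount, currency.encode("ascii"))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_deposit_msg(key: bytes, state: dict, msg: bytes):
    """Host side. Returns (accepted, reason, amount).

    `state` remembers the highest sequence number accepted so far, so a
    genuine message that was captured cannot be credited twice."""
    if len(msg) != BODY_LEN + TAG_LEN:
        return False, "bad length", 0
    body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Check the tag (constant-time) before trusting any field in the body.
    if not hmac.compare_digest(tag, expected):
        return False, "bad tag", 0
    seq, amount, _currency = struct.unpack(BODY_FMT, body)
    if seq <= state.get("last_seq", 0):
        return False, "replay", 0
    state["last_seq"] = seq
    return True, "ok", amount


if __name__ == "__main__":
    host = {"last_seq": 0}
    msg = build_deposit_msg(DEMO_KEY, 1, 5000, "USD")
    print(verify_deposit_msg(DEMO_KEY, host, msg))          # accepted, 5000
    altered = bytearray(msg)
    altered[15] ^= 0x01                                     # flip a bit in the amount field
    print(verify_deposit_msg(DEMO_KEY, host, bytes(altered)))  # rejected: bad tag
    print(verify_deposit_msg(DEMO_KEY, host, msg))          # rejected: replay
```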
Typically, such attacks are followed by rapid cash withdrawals. They often occur on weekends or are immediately followed by transactions to other banks, as fraudsters try to profit from non-existent funds as quickly as possible before the bank detects the balance discrepancy.