Carding and black box attacks: common ATM hacking techniques by Dominique René


It doesn’t take a rocket scientist to comprehend why the numerous automated teller machines in the streets lure criminals. Whereas physical methods used to dominate the thieves’ repertoire, their tactics have evolved toward more intricate techniques based on the use of electronic devices. ATM attacks involving the so-called “black boxes” equipped with a single-board computer are gearing up for a rise these days. This article is going to cover the essentials of this growing exploitation vector.

Last year, the Chief Executive Officer of ATMIA (the ATM Industry Association) Mike Lee said black box attacks were shaping up to be a major threat to the global cash machine ecosystem.

A commonplace ATM consists of ready-made electromechanical parts put together within a single box. The manufacturers equip their machines with cash dispenser modules, card readers and other elements made by third parties. In other words, these entities resemble LEGO building kits to an extent, except that they are intended for adults. The off-the-shelf units are placed into an ATM’s case that typically includes two sections: the upper one, referred to as the customer service area; and the bottom one, known as the vault.

USB and COM ports are used to connect all the electromechanical components to the system unit that performs the function of the host in this case. SDC (serial distributed control) links can be leveraged for this type of connection on older ATM models.

The multi-pronged evolution of carding

ATMs with huge amounts of cash in them have always enticed carders. At the dawn of this crime vector, the crooks took advantage of gaping holes in the physical defenses of ATMs. In particular, they used skimmers and shimmers to pilfer data stored on magnetic stripes, furtively installed bogus PIN pads and tiny cameras to see people’s secret codes, and even used phony ATMs.

Later on, when the manufacturers started equipping their machines with unified software that complied with clear-cut standards such as XFS (eXtensions for Financial Services), carders added malware to their toolkit. These strains include Trojan.Skimmer, Backdoor.Win32.Skimmer, Ploutus, ATMii, and other numerous catalogued and uncatalogued infections that get injected into an ATM’s host by means of a bootable USB flash drive or remote control TCP port.

Having hijacked the XFS subsystem, the malware can circumvent authorization and issue commands to the cash dispenser. It may also be able to instruct the card reader to read or write data on a credit card’s magnetic stripe, or even to retrieve the transactions log retained on an EMV card’s chip. A device called EPP (Encrypting PIN Pad) is worth mentioning separately. Its goal is to prevent PIN codes from being intercepted. However, XFS allows for two EPP modes: open mode (applies to entering numeric values, such as the amount of cash to be withdrawn); and safe mode (enabled when you are entering your PIN or encryption key). This peculiarity of XFS may facilitate a MITM (man-in-the-middle) attack, where a malefactor intercepts the command to enable safe mode sent from the host to the EPP and then instructs the EPP PIN pad to switch to open mode. In response, the EPP submits the keystrokes in plaintext.

According to Europol, ATM malware has become highly sophisticated over the past few years. Carders can contaminate a machine without having to access it physically. They can plague ATMs by means of remote attacks exploiting a bank’s enterprise network. As per the findings of information security firm Group-IB, ATMs located in at least a dozen European countries were attacked remotely in 2016.

There are techniques that reduce the risk of carders’ malware incursions to a certain extent. These include the use of antivirus suites, disabling firmware updates, blocking USB ports, and hard drive encryption. These countermeasures aren’t very effective, though, in case a carder connects to the peripheral components, such as the card reader, PIN pad or cash dispenser, directly via USB or RS232 serial communication interface instead of compromising the host proper.

Meet the black box

Tech-savvy carders employ what are called black boxes to rob ATMs these days. These are tiny single-board computers, something like Raspberry Pi, programmed to perform a specific task. Black boxes drain ATMs of all the cash in an entirely mystical way as viewed by bankers. The malicious actors connect their “magical” gadget directly to the cash dispenser, only to extract all the money in it. This type of an onslaught gets around all software-based defenses deployed in an ATM’s host, including AV tools, integrity control, full disk encryption, and the like.

Having come across a number of black box implementations, the world’s major ATM makers and law enforcement agencies have pointed out that these dodgy devices could instruct ATMs to give away all the money they hold – up to 40 banknotes every 20 seconds. Special services also emphasize that the criminals mainly zero in on ATMs based in shopping malls, drugstores, and ones available for vehicle drivers to withdraw cash “on the go”.

In order to throw the investigators off their trail, the crafty thieves usually hire a “money mule” to do the dirty job in front of the surveillance cameras. The malefactors also use a peculiar stratagem to make sure their partner doesn’t run off with the black box. They eliminate the core functionality from the black box and connect a smartphone to it that remotely issues commands over IP protocol.

What does this scheme look like from the bankers’ perspective? Here’s what the CCTV cameras record: someone rips up the ATM’s upper customer service area, plugs in their “magic appliance”, closes the section, and walks away. Later on, several people who look just like regular customers come up to the ATM and withdraw huge amounts of money. Then, the carder returns and takes his tiny device out of the machine. The black box heist is typically unearthed a couple of days later when the bank discovers a discrepancy between the empty vault and the cash withdrawal log. In the aftermath of this, there is hardly anything the bank officials can do except scratch their heads.

Analyzing ATM communication

It has been mentioned in the previous sections that an ATM’s system unit and peripherals communicate with each other by means of USB, SDC, or RS232. A carder circumvents the host by connecting to a port of a peripheral device and issuing commands to it directly. Since the common interfaces don’t require any peculiar drivers to operate, this is fairly easy to do.

Meanwhile, the proprietary protocols used for communication between the host and the peripherals engage no authorization mechanisms whatsoever, because the devices are embedded in the trusted area anyway. The fact that these protocols are unsecured makes them low-hanging fruit in terms of data interception and playback attacks.

Therefore, the crooks can use a software or hardware-based network traffic analysis tool to harvest the data as it is being transmitted back and forth. All it takes is connecting it directly to a specific peripheral device’s port, such as a card reader. This way, the carder learns the technical ins and outs of the ATM’s operation, including all undocumented features of its peripherals – for instance, a firmware modification option. This gives the perpetrator full control over the machine. To top it off, it’s quite problematic to identify the involvement of a network traffic analyzer in this scenario.

Unlimited control over the cash dispenser means the ATM vault can be drained without the host’s software being able to log this activity. This may actually seem magical to someone unfamiliar with the software and hardware architecture of an automated teller machine.

Where do black boxes hail from?

ATM manufacturers and subcontractors supply debug tools that test their hardware, including cash withdrawal appliances. A few well-known solutions are RapidFire ATM XFS and ATMDesk.

As a rule, these utilities are only accessible on a personalized authentication basis, plus they won’t run unless the ATM’s vault is open. Nevertheless, by simply altering a few bytes in the binary code of the tool, crooks can put the money withdrawal process to the “test” without any checks at all. What carders do is they install such corrupted utilities onto their laptop or single-board microcomputer, and then connect the device right to the cash dispenser to extract money from it.

Phony processing center

Direct interaction with peripherals bypassing the host is merely one of the common carding tricks. The other methods revolve around the fact that there are plenty of different network interfaces – ranging from X.25 to Ethernet and cellular networks – used by an ATM to connect with the outer world.

It may be possible to identify and determine the whereabouts of many ATMs using the Shodan search service – here’s a brief walkthrough on how to use it. A cybercriminal’s next move is to attack a specific ATM remotely by exploiting a flaw in its security set-up, the admin’s reluctance to implement effective defenses or vulnerable communications between the bank’s offices.

The last mile of the communications network linking an ATM and the processing center is chock full of various technologies that may become a carder’s entry point. The interaction can be based on wired (telephone circuit or Ethernet) or wireless (Wi-Fi or cellular network: LTE, UMTS, CDMA, GSM) communication channels. The applicable security mechanisms are as follows:

  • Software or hardware methods for VPN support (ones that go with the OS, or third-party)
  • SSL/TLS (inherent to a specific ATM make, or developed by another vendor)
  • Data encryption
  • Message authentication.

Unfortunately, it looks like the banks find these technologies too complex, so their employees don’t bother deploying special network protection, or they fail to do it right. In the best-case scenario, an ATM reaches out to a VPN server and connects to the processing center within the private network. Besides, even if a financial institution succeeds in implementing the above security techniques, carders already have viable countermeasures up their sleeve. In other words, ATMs continue to be susceptible to attack even if their security level meets the PCI DSS standard.

One of the PCI DSS requirements is to encrypt data when it is transmitted over a public network. As a matter of fact, there are networks designed to provide end-to-end data encryption, therefore we might be tempted to claim our data is secure just because we use Wi-Fi or GSM. And yet, many of these networks aren’t effective enough in terms of protecting data. All generations of cellular networks have been hacked a long time ago, moreover, some vendors even offer devices that intercept data traveling through them.

With that said, a MITM attack codenamed “phony processing center” can be orchestrated in an insecure communication environment, or within a “private” network where each ATM broadcasts about itself to the other machines. This attack will result in the carder taking full control of all data that bounces between the ATM and the processing center.

Thousands of ATMs are potentially exposed to this form of exploitation. When the information is streaming towards the valid processing center, the hacker injects a fake one that instructs the machine to give away the cash. To add insult to injury, the crook configures the rogue processing center in such a way that the money withdrawal takes place regardless of the card type. Consequently, the hoax works out even in case the card has expired or has zero balance as long as the pseudo processing center “recognizes” it. A crudely made device or processing center emulator originally designed for network debugging can do the trick, allowing malefactors to forge the communication.

About the Author:
Dominique René is a young writer inspired by the present-day groundbreaking technological progress. Dominique’s overwhelming enthusiasm for tech matters stems from her current research in college and innate aspiration to expand her academic outlook. She’s committed to staying on top of innovative trends in computer security, online privacy, threat intelligence, cryptocurrencies, and cloud solutions.



August 19, 2019


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023