TLS Resources

Updated June 20, 2022

This page has been updated to reflect information communicated by Hyosung and Genmega in their jackpotting activity advisories issued in June of 2022.

--------

Following a string of jackpotting attacks in early 2019, DPL discovered that the majority of TLS enabled ATMs in North America were misconfigured, leaving them vulnerable to man-in-the-middle attacks without the attacker ever needing access to the cabinet. Enabling TLS on its own is not enough: you must also enable TLS certificate validation and ensure the correct root certificate is installed on the ATM so that the ATM only talks to its genuine payment processor.

The following video shows how quickly and easily a TLS man-in-the-middle attack can be carried out using readily available hardware and software. The video depicts DPL CEO, Marc Albert, demonstrating an attack on a TLS enabled ATM which is connected to the internet via an exposed Ethernet cable.  

What can IADs do to prevent TLS Man-in-the-Middle ATM attacks?

Enabling TLS and TLS certificate validation and ensuring the latest firmware and software updates are installed at the ATM is the best way to protect ATMs from man-in-the-middle attacks. This will also help to prevent other common types of jackpotting attacks.

If transactions begin failing upon enabling TLS certificate validation, you will need to install the root certificate file (rootcert.pem) for your payment processor on the ATM.

For your convenience we have compiled the root certificates for every payment processor in North America into a single rootcert.pem file which can be downloaded below.


Download Rootcert.pem


Message Authentication Code (MAC Keys)

MAC keys are loaded just like master keys and ensure that messages between ATMs and payment processors can't be tampered with along the way. This added layer of security protects against black box and other types of authorization manipulation attacks. For this reason DPL strongly encourages IADs to push their ISOs and processors to support MAC keys. In Canada, security regulations require IADs to use MAC keys and as a result there have not been any Ethernet man-in-the-middle attacks.
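The following is an added illustration of why a MAC stops authorization manipulation; it is not DPL's, Hyosung's or any processor's code. The message layout, the terminal and sequence values and the hard-coded key are all constructed for the demo, and HMAC-SHA256 stands in for whatever MAC algorithm a given processor actually uses.

```python
import hmac
import hashlib

# Constructed demo key. A real MAC key is loaded like a master key and never hard-coded.
MAC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def encode_message(fields: dict) -> bytes:
    """Serialise an authorization message deterministically so ATM and processor
    MAC exactly the same bytes (constructed '|'-separated layout, not a real wire format)."""
    return "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()


def mac_message(key: bytes, fields: dict) -> str:
    """Compute the MAC tag over the whole message (HMAC-SHA256 as a stand-in algorithm)."""
    return hmac.new(key, encode_message(fields), hashlib.sha256).hexdigest()


def verify_message(key: bytes, fields: dict, tag: str) -> bool:
    """Recompute the tag and compare in constant time; any altered field changes the tag."""
    return hmac.compare_digest(mac_message(key, fields), tag)


def tamper_demo() -> tuple:
    """Return (genuine_accepted, altered_accepted) for one authorization response."""
    # The processor builds its response and appends a MAC tag computed with the shared key.
    response = {"seq": 1042, "terminal": "ATM001", "amount": "200.00", "result": "DECLINE"}
    tag = mac_message(MAC_KEY, response)

    # The ATM checks the untouched response: tag matches, message is trusted.
    genuine_ok = verify_message(MAC_KEY, response, tag)

    # A device in the middle rewrites the result field on the wire. Without the key it
    # cannot produce a matching tag, so the ATM rejects the message instead of dispensing.
    altered = dict(response, result="APPROVE")
    altered_ok = verify_message(MAC_KEY, altered, tag)
    return genuine_ok, altered_ok


if __name__ == "__main__":
    print(tamper_demo())  # (True, False)
```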


Hyosung Retail ATMs

Hyosung also recommends enabling the CDU binding option on their WinCE 6.0 and WinCE 7.0 Retail ATMs.

Steps to Follow to Enable CDU Binding for WinCE 6.0 and WinCE 7.0 Retail ATMs:

1. Go to Customer Setup
2. Go to Optional Function2
3. Go to Device Option
4. Push CDU Binding Option so that you see the option is "Enabled" in the screen menu.

When CDU binding is enabled, the dispenser board will only accept commands from the mainboard of the ATM it is bound to, which prevents certain jackpotting attacks. When the mainboard is replaced, error code 400BC is generated on the ATM and the CDU encryption sequence needs to be performed to clear the error. When the CDU board is replaced, error code 400BC is generated if that CDU board was previously installed on an ATM with CDU binding enabled. If you’re installing a CDU board that didn’t have CDU binding enabled on it previously, the CDU encryption process is not necessary.

The CDU binding option was released in AP V06.01.23 on 02/22/16 but was not enabled by default. CDU binding is now “enabled” by default in AP V06.02.10, which was released on 02/18/22. Please be aware that this setting will not change if you are upgrading software. If you previously have CDU binding disabled, it will remain disabled when you upgrade to AP V06.02.10 software. You must manually change the setting to Enabled.


For RMS (MoniView) Customers

Hyosung is adding new features to their upcoming releases to make it easier for RMS (MoniView) software customers to remotely enable the CDU Binding setting. Utilizing the new features will require both the software on the ATM and the MoniView software to be updated first. If you are a licensed MoniView customer, please request MoniView v03.04.02.01 from SoftwareOrders@nhausa.com. The Retail software version required on the ATM to support this new feature is WinCE 06.02.11.


Genmega ATMs

Genmega recommends pairing the mainboard to the CDU on their ATMs. For instructions on how to pair the mainboard to the CDU on Genmega ATMs click here. If you have any questions, or require further information regarding CDU Pairing on Genmega ATMs, please contact your Genmega distributor or Genmega directly for assistance.


General Use How to Guides

We've created "How to" TLS configuration guides for the latest GenMega, Hyosung and Triton ATMs which can be downloaded below.


Download Hyosung TLS Configuration Guide


Download Genmega TLS Configuration Guide


Download Triton TLS Configuration Guide

DPL, Hercules Specific How to Guides

We've also created DPL specific "How to" TLS configuration guides for those using Hercules wireless modems in the latest GenMega, Hyosung and Triton ATMs which can be downloaded below. 


Download DPL Hyosung TLS Configuration Guide


Download DPL Genmega TLS Configuration Guide


Download DPL Triton TLS Configuration Guide

Additional Recommendations

To protect your ATMs from logical and other types of attacks, we recommend correctly setting up TLS along with adopting other ATM security best practices. For additional information regarding ATM security best practices download our free guide to ATM security below.



Download ATM Security Guide


Still Have Questions?

If you’d like further technical information or have any questions, please contact us directly by calling us toll free at 1-800-561-8880 or by emailing support@dplwireless.com.