Toll-Free: 1-800-819-6044, International Phone: +82 704-732-6714 [email protected]

At Puloon USA we have long touted the importance of ATM security – both for the sake of the ATM operator as well as the customer. An international incident this summer highlights just one reason why high-quality ATM security is absolutely essential.

In late August, four federal agencies – the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM) – issued a joint statement warning governments about malicious hacking activity stemming from North Korea. “Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”


According to CISA, “The BeagleBoyz, an element of the North Korean government’s Reconnaissance General Bureau, have likely been active since at least 2014. As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.”

This nefarious group of hackers has attempted to steal upwards of $2 billion dollars since 2015 and “Fraudulent ATM cash outs have affected upwards of 30 countries in a single incident. The conspirators have withdrawn cash from ATM machines operated by various unwitting banks in multiple countries, including in the United States.”

How it Works

In order to perpetrate their crimes the “BeagleBoyz use FASTCash malware to intercept financial request messages and reply with fraudulent but legitimate-looking affirmative response messages in the ISO 8583 format. The BeagleBoyz have functionally equivalent FASTCash malware for both UNIX and Windows that they deploy depending on the operating system running on the server hosting the bank’s payment switch application…The BeagleBoyz use FASTCash for Windows to manipulate transactions processed by a switch application running on a Windows box.”

Stopping BeagleBoyz

CISA has suggested a mitigation solution to help defend ATMs against possible hacking attacks from BeagleBoyz. The mitigation steps include, “Incorporate IOCs identified in CISA’s Malware Analysis Reports on into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.” They also recommend that businesses with an ATM “validate issuer responses to financial request messages,” including:

  • Implementing chip and PIN requirements for debit card transactions;
  • Requiring and verifying message authentication codes on issuer financial request response messages; and
  • Performing authorization request cryptogram validation for all chip and PIN transactions.

Basic Security Steps

In order to ensure the security of your ATM, it’s best to perform some routine checks and updates. These include:

  • Keeping operating system patches up to date;
  • Ensuring that your network communication system is secure;
  • Monitoring ATM software systems to check for changes that have not been approved; and
  • Including layered security that keeps both the operating system and the physical ATM secure.

By paying attention to the possibility of fraudulent hacking attempts to your ATM, owners and operators are more likely to maintain a system that will keep villainous hackers and thieves from actually taking advantage of your machine.