For years, hackers and cyber criminals have eyed ATM machines – especially standalone machines not located inside a bank – as potential targets for their financial scams. The latest security hack is known as jackpotting, and it involves infecting an ATM machine with malware so that it will dispense hundreds of thousands of dollars at one time, just as if you had won a casino jackpot.
A short history of jackpotting
In January 2018, the first massive jackpotting attacks were carried out on U.S. ATM machines, raising the very real concern among U.S. law enforcement officials that international groups of cyber thieves might be planning a coordinated attack against the nation’s nearly 400,000 ATM machines. This follows a string of jackpotting attacks in Mexico and Central America, and before that, in Europe and Asia.
In one of the most highly-publicized jackpotting attacks, cyber criminals were able to make off with nearly $2 million in cash in Taiwan. Worldwide, security experts now believe that cyber criminals have made off with more than $10 million in stolen cash. A typical jackpotting attack relies on a combination of software and hardware, and requires physical access to a machine for an extended period of time in order to install malware.
Until recently, it was assumed that these jackpotting attacks could only take place in nations where ATM operators or bank officials could be bribed to turn a blind eye while cyber thieves were installing the malware and walking away with bags of cash. In some cases, jackpotting thieves have dressed up as security technicians in order to take over a hacked ATM machine, right in front of unsuspecting customers.
How jackpotting works
The essence of a jackpotting attack is simple – it requires a physical override of the instructions inside the ATM that tell it how much cash it can dispense at one time. In most cases, ATM machines can only dispense a few hundred dollars at one time – a request for additional funds usually requires a visit inside the bank branch for some sort of security clearance.
But in the case of jackpotting, the amount of cash that can be dispensed at one time is only limited by the amount of physical cash inside the machine itself. Security officials have noted that as many as 40 bills can be dispensed every 23 seconds. Thus, assuming those bills are all nice, crisp $100 bills, that means a basic jackpotting attack could result in nearly $10,000 within minutes.
However, targeting ATMs for a successful jackpotting attack is harder than it sounds. The first step is getting access to the computer hard drive inside the ATM, and this usually requires some sort of tiny camera that can be inserted into the ATM to figure out where to attach a cable. Then, the computer inside the ATM is connected to a computer outside the computer. From there, sophisticated malware is added to the ATM, with instructions that force the machine to allow more cash to be dispensed than typically authorized. For that reason, these attacks are sometimes known as “logical attacks” – they are literally overriding the logic of the machines.
The next step is to send instructions to the ATM to go off-line – the screen will flash an “out of order” message so that other users won’t use the machine. Then cyber thieves show up at the machine with a bag big enough to walk away with the cash; simultaneously, a signal is sent from a remote computer to trigger the ATM to spit out cash.
As you can see, pulling off one of these attacks requires a certain amount of sophistication, as well as the resources of several different team members. This is not the case of a lone gunman walking into a bank for an old-fashioned “stick up.” Instead, it is the work of transnational criminal groups. The fear is that these cyber crime syndicates have perfected their methods on ATM machines located overseas and in developing nations, and are now coming to the United States in search of ever-bigger payouts.
What can stop these jackpotting attacks on ATM machines?
As security officials readily acknowledge, one major security risk is that the machines from the two biggest ATM makers – Diebold Nixdorf and NCR Corp. – are relatively easy to hack into, provided individuals can get physical access to the machine in the first place. Thieves now have a much better idea of how to get access to the hard drives of these machines, as well as how to infect these with malware.
Somewhat amazingly, many banks and other ATM operators turn off many of the security options that come pre-loaded into the machines, mostly to make them easier to operate for consumers. Moreover, many of the machines run on Windows XP, an operating system that has been around for 17 years. While there are new firmware updates issued on a regular basis to protect against these security exploits, they are not always installed in a timely manner.
Finally, many ATM machines – and especially those located in pharmacies, big-box retailers and drive-thrus – do not take advantage of the latest in two-factor authentication technology. Cyber thieves have targeted stand-alone ATMs partly for this reason – they appear to be much more vulnerable than those housed inside and outside of financial institutions.
Thus, as security firm experts point out, the best protection against ATM jackpotting attacks requires addressing each of these three security flaws. Most importantly, stand-alone ATMs should be regularly updated and modernized (both in terms of hardware and software) in order to prevent these attacks from happening in the first place.
Next steps to address the jackpotting phenomenon
The real question, perhaps, is why so many ATM machines are so poorly secured. In developing markets, one could plausibly make the case that any ATM machine – regardless of how well it was secured – was always the potential victim of a bribery scam involving bank officials. Moreover, many of these ATM machines in Asia and Central America were older models purchased “on the cheap” from developed markets, so they were not necessarily equipped with the latest security safeguards. It didn’t take cutting-edge malware technology to make them dispense cash.
But now that the problem has hit U.S. shores, a lot more questions are being raised. Thus far, attacks have occurred all over the nation, and not just in states bordering Mexico. The problem has become so acute, in fact, that the FBI and U.S. Secret Service have been sending out official memos, including Secret Service alerts, to financial institutions, warning them of the risks involved.
ATM machines have always represented a “soft target” in the minds of criminals. What’s now clear is that the ATM card skimmer scams of years past (in which cyber thieves used fake card readers to steal information from bank and credit cards) pale in comparison with what’s possible now with jackpotting scams. Clearly, jackpotting is a serious security risk and one that needs more attention from security experts in order to avoid cyber criminals turning every ATM they visit into casino slot machines with huge jackpots.