ATMs across the United States have been hit with a form of IT hacking called jackpotting, in which attackers pose as technicians, compromise a device with malware, and return later to collect piles of cash.
A more elaborate cousin of credit card skimming, jackpotting is a crude but effective form of attack in which criminals stealthily place a skimming attachment onto a card reader at an ATM and gain fraudulent access to unwitting customers’ financial accounts. Since popping up, it’s resulted in a massive crime spree from coast to coast. Here’s why jackpotting has security researchers worried about the evolution of cyberthreats and what you and your IT team can do to keep your business safe.
A jackpotting attack, to the untrained eye, starts innocuously enough. Hackers, cloaked as technicians to avoid scrutiny, brazenly walk up to an ATM and get to work compromising its physical and digital security. First, they load malware onto the device via a USB key or direct laptop connection and establish remote access to the ATM. When done, they set the ATM to display an out-of-order screen and bounce. At this point, no one—nearby pedestrians, bystanders, or even company employees—may have any idea as to what’s about to happen.
After this first stage is complete, another person (usually either part of a cash-out crew or a mule they’ve brought on board specially for the occasion) comes up to the ATM, bag in hand, when they think they’re less likely to be detected. Shadowy co-conspirators, issuing remote commands from behind the scenes, direct the ATM to churn out a stream of cash—which the attacker on site quickly stuffs into the bag before departing. The fake technician then returns to the site to retrieve their equipment from the compromised ATM, and the job is done.
As Gizmodo reports, ATMs can dispense up to nearly $2,500 per minute, so hackers can extract a sizable payday from a jackpotting exploit. It’s a small-scale version, if you will, of the famous Ode to Joy scene in Die Hard, in which Hans Gruber’s international criminal organization cracks open the Nakatomi Corporation’s vault and helps itself to heaps of riches before attempting—and failing, thanks to renegade NYPD cop John McClane—to make their getaway
This technique is also increasingly popular among international hacking groups today. Not every ATM is susceptible to jackpotting, since many of the newer models come with both physical and digital security features to ward off a jackpotting attempt. As WIRED notes, the jackpotting ATM of choice in the United States appears to be a series of older models made by Diebold Nixdorf. Banks in rich countries often sell these older models to financial institutions in developing countries when they’re upgrading their own ATMs, which is one likely reason why hackers first plied this new criminal trade overseas before exporting it here.
The first reports of jackpotting emerged in Mexico in 2013, when intrepid criminals emptied ATMs after hacking them with an external keyboard and sometimes even SMS messages. In 2016, hackers in Taiwan made off with $2 million from ATMs, and a form of jackpotting malware referred to in some quarters as ATM jackpot was also used to score roughly $346,000 from 21 ATMs in Thailand during 2017. Then, jackpotting hit American shores. AP reported that the Secret Service had issued a confidential warning about jackpotting to American financial institutions, adding that hackers tied to international crime syndicates had already lifted $1 million from ATMs here using a form of malware called Ploutus-D.
The exploit spread across the country, popping up in locations from the East Coast to the Pacific Northwest. ATMs running Windows XP are considered particularly vulnerable, which may come as a surprise to exactly zero IT pros. Stand-alone ATMs located in pharmacies, big box retailers, and drive-through stations are most likely to be targeted, since they’re isolated and less often monitored by on-site staff.
What can we learn from jackpotting ATM attacks?
First of all, you need to keep an extremely close eye on anything involved with processing financial transactions, whether that’s a credit card reader or a stand-alone ATM displaying an out-of-order message. Hackers will stop at nothing to loot customers’ and financial institutions’ resources, even boldly showing up in person to carry out their attacks in plain sight, so constant vigilance is a must when it comes to locking down your company’s security. As Daniel Regalado recommends, and these new jackpotting attacks have proven, it’s just as important to address physical security as it is to focus on digital security.
You can get out in front of new threats, like jackpotting, by tightening every aspect of the IT environment and securing all devices connected to it, not just the obvious ones—that includes ATMs, card readers, printers, copy machines, and basically any device touching sensitive data. IT teams can also take advantage of innovations, like devices with built-in security features, to better protect the endpoint. For example, ATM manufacturers can put strict limits on an ATM’s ability to load foreign code, which may thwart jackpotting attacks. Next-generation printers operate in much the same way, using firmware whitelisting to ensure only authentic code is loaded into the memory and even rebooting and notifying IT if they have been compromised.
While everybody has idly wished at one point or another that they could magically tell an ATM to “open sesame,” nabbing a little extra cash to pay for that sweet new smartphone they’ve been eyeing, jackpotting is no laughing matter. It often leads to a world of hurt for the victims on the receiving end. Fortunately, you can help defend users from such criminal IT hacking scams and save the day by taking proactive security measures right now.