You'll need more than luck: A winning defense against ATM jackpotting
Azerbaijan; Belarus; Belgium; Bulgaria; Czech Republic; Denmark; France; Hungary; India; Italy; Kazakhstan; Malaysia; Norway; Romania; Russia; Spain; Taiwan; Thailand; the United Kingdom; Ukraine; the United States.
Twenty-one nations with one thing in common: jackpotting. And that's actually only about half of the number of countries that have experienced a jackpotting episode.
The last country on the list — the U.S. — is also the latest to join this roll-call of dubious distinction, experiencing its first several jackpotting attempts late last year.
The losses from jackpotting are at once quantifiable and intangible. In coordinated attacks dating back to 2013, a gang responsible for developing Carbanak and Cobalt malware took more than $1.2 billion from the ATMs of more than 100 banks in 40 countries. The combined damage to the reputations of those 100 FIs is incalculable.
All of this is to say that in today's criminal underworld, jackpotting is serious business. And, increasingly, the business of ATM security providers is to help financial institutions and independent deployers understand, anticipate and defend against logical attacks such as jackpotting.
In an April 26 webinar, "ATM jackpotting: The latest news on attack methods, targets, trends and defenses," TMD Security experts Tom Moore, Matthias Thiele and Vincent Wong presented a one-hour crash course of sorts.
Their presentation examined the methodologies behind the various types of logical attacks collectively known as jackpotting.
As part of this, they walked webinar participants through each stage of an attack — which can take a criminal organization as long as three months to set up, depending on the type and scope of the operation.
"In the case of a malware attack, the jackpotting malware can sit silently waiting on the ATM undetected while normal ATM transactions take place, for days or even weeks until a criminal visits the ATM and triggers the dispense command," Moore said.
Wong explained that criminals typically launch this type of attack with a spear-phishing exploit aimed at getting control of a financial institution's servers and installing malware to set up the ATM jackpotting "payoff."
In one attack, he said, "The criminals moved money into their bank accounts, and then inflated the account balances so that they had an endless amount of cash to withdraw from ATMs. They then laundered the money so that it could not be traced."
This type of remote malware attack is rare, though, compared with malware and black box attacks that begin and end at the ATM itself, and involve direct access to the machine's PC.
Wong cited statistics from the European Association for Secure Transactions showing that 98 percent of the 192 attacks carried out in 2017 were of the black box variety.
And, he said, the total number of attacks last year — representing a 231 percent increase over the number in 2016 — also demonstrated how quickly this method has caught on with thieves.
The types of malware used in these on-site ATM attacks are sometimes developed by the criminal organization, but are also readily available for purchase on the dark web.
Thiele walked webinar participants through the steps of both online and offline malware and black box attacks, explaining how each targets the ATM's hard drive and indicating which physical points on the ATM are vulnerable to attack.
He acknowledged that certain makes and models of ATMs were known to be targets, but warned, "All ATM brands and models are vulnerable to jackpotting attacks, and all deployers need to understand the vulnerabilities of the ATMs in a particular network — do a risk assessment — and put defenses in place."
Moore described the multilayered approach deployers need to take in order to protect their ATMs against the full range of jackpotting exploits and the signs they should watch for in order to detect — and deter — a jackpotting attack in progress.
The webinar, "ATM jackpotting: The latest news on attack methods, targets, trends and defenses," is now available for on-demand replay.
Companies: TMD Security GMBH
Suzanne Cluckey: Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally. She is now the editor of ATMmarketplace.com and BlockChainTechNews.com.