The rise of ATM jackpotting: A brief and costly history
On April 26 at 10 a.m. EST, ATM Marketplace will host an in-depth webinar on ATM jackpotting, the newest — and potentially most devastating — mode of criminal attack to make its way around the globe, only recently arriving in the U.S.
The event is sponsored and presented by TMD Security, European ATM security experts who have spent years tracking and studying ATM crime in order to develop effective protection against ATM physical and logical attacks.
In advance of the webinar, ATM Marketplace spoke with Vincent Wong, program director for Security Management Software at TMD Security, about the comparatively short and extremely costly history of ATM jackpotting.
The following is part one of our conversation. In part two, we'll look at the recent arrival of jackpotting in the U.S. and ways that ATM deployers can protect their fleet — and their business — against this scourge.
Q: The term ATM jackpotting is familiar to everyone, but what is jackpotting exactly?
A: Jackpotting gets its name because the criminal finds a way to send dispense commands to the ATM dispenser and literally empties the ATM of cash.
The criminal either plants malware on the ATM — using a USB mass storage device, for example, which sends commands to the dispenser — or disconnects the dispenser from the PC core and attaches their own black box to the dispenser — a notebook device for example, that has malware on it, or inserts a replacement hard disk with malware inside the PC core — to send cash-out commands.
There are a variety of attack vectors, depending on the ATM hardware and software configuration.
Q: When and where did ATM jackpotting originate?
A: The first reported attacks were in Mexico in 2013, and jackpotting quickly spread to numerous countries in Europe and Asia Pacific. The first attack in the U.S. was reported this year.
It is a growing global challenge. Organized crime knows no boundaries, and migrates to the next weakest link. If jackpotting has not happened in a particular country or ATM network to date, it is only a question of time until it will.
Q: What types of jackpotting are you seeing now, mostly?
A: There are two main types: malware and black box attacks.
A typical jackpotting attack involving malware is done in two phases and targets 20 to 60 ATMs in one attack, so financial losses can be significant. If we assume an ATM has $40,000 inside it, cash losses from one attack could range from $800,000 to $ 2.4 million.
In a jackpotting attack, the criminal prepares the ATM by installing malware that sits waiting until the criminal returns to trigger the dispense-cash commands.
This second phase, triggering the attack, may occur days or weeks later. In the meantime, the ATM performs transactions as normal, and no one realizes that the ATM has been targeted for jackpotting.
When the criminal returns, he triggers the cash dispense by using, for example, a preconfigured card or special PIN number.
There are a number of different MOs for black box attacks: In ATMs that have serial port communications, for example, the criminal drills or cuts holes in the fascia to hijack the EPP cable to send commands to the dispenser.
Holes in the fascia have also been used to access communications to the dispenser in ATMs with USB devices. How the criminal gets access to the ATM communications depends on the ATM model and configuration.
In another MO, the criminal opens the top box, disconnects the dispenser from the PC core, attaches his own black box and sends commands to the dispenser.
In ATMs that use dispenser pairing or encryption as a security measure, the criminal may try and trick the dispenser into resetting and pairing with his black box instead of the original ATM PC.
This is accomplished by inserting an endoscope into the vault to make contact with the dispenser switch. This attack has happened in Mexico.
Q: In a jackpotting attack that uses malware, how does the criminal get the malware on to the ATM?
A: There are two scenarios, offline and online malware attacks.
In an offline malware attack, the criminal typically opens the ATM top box, powers down the ATM and inserts a USB mass storage device or CD that contains the malware. He then reboots the ATM.
If the BIOS is not protected, the criminal can edit the BIOS and boot up the ATM PC from his USB mass storage device that contains the malware. The ATM is not protected from the malware because the criminal also will have removed or disabled the anti-virus or whitelisting software on the ATM.
In an online malware attack, as before, the criminal opens the top box and then inserts the malware using a USB mass storage device, or logs in to the ATM via Windows admin — if he has managed to steal login credentials — to install the malware.
Or he could use remote desktop access — or the authorised software distribution system, if that system is not secure and controlled — to remotely download the malware.
These are just a few ways. There are more.
Q: Up to now, card skimming has been the main ATM security concern in the U.S. Now that America is finally moving to EMV, should we expect to see more logical attacks such as jackpotting?
A: Skimming will remain a concern while the magnetic stripe remains on the card because it is easy to copy the card data in one country and then use it for fraudulent withdrawals cross-border in countries where full implementation of EMV has not happened yet.
However, fraud always hunts out the next weakest link, so we can expect that the logical and physical attacks that have been seen internationally will migrate to the U.S.
Register now for ATM jackpotting: The latest news on attack methods, targets, trends and defenses, a free one-hour webinar on April 26 at 10 a.m. EST, presented by TMD Security and hosted by ATM Marketplace.
Continue to part two of the series ATM jackpotting in America: The gathering storm
Companies: TMD Security GMBH
Suzanne Cluckey Suzanne’s editorial career has spanned three decades and encompassed all B2B and B2C communications formats. Her award-winning work has appeared in trade and consumer media in the United States and internationally. She is now the editor of ATMmarketplace.com and BlockChainTechNews.com www