A new crime wave is hitting automated teller machines (ATMs); the common banking appliances are being rigged to spit out their entire cash supplies into a criminal’s waiting hands.

The crime is called “ATM jackpotting” and has targeted banking machines located in grocery shops, pharmacies and other locations in Taiwan, Europe, Latin America and, in the last several months, the United States. Rough estimates place the total amount of global losses at up to $60 million.

What is jackpotting?

ATM jackpotting is a combination of a physical crime and a cyberattack. Typically, a criminal with a fake ID enters a grocery shop or pharmacy posing as an ATM technician, then uses a crowbar to open the top of the ATM – the “top hat” – to gain access to the personal computer that operates the machine.

If a legitimate customer approaches the machine in the meantime, it can operate as usual until activated otherwise by the malware

Once he or she has access to the PC, they remove the hard drive, disable any anti-virus software, install a malware program, replace the hard drive and then reboot the computer. The whole operation takes about 30 seconds. The malware then enables the thief to remotely control the ATM and direct it to dispense all its cash on command.

An accomplice – the “mule” – later approaches the ATM to collect the bounty, as the “technician” remotely directs the machine to dispense all its cash. If a legitimate customer approaches the machine in the meantime, it can operate as usual until activated otherwise by the malware.

ATMs in supermarkets and pharmacies tend to be targeted because they may not be as well-protected, and store personnel likely would not know who is authorised to work on the ATM. In contrast, anyone approaching an ATM at a bank location would be more likely to be challenged.

Emergence of criminal activity

The crime first emerged in the United States several months ago, and the U.S. Secret Service, financial institutions and ATM manufacturers have been scrambling to find a solution. Older ATMs are particularly vulnerable.

In some cases, financial institutions have not embraced the highest levels of security offered by ATM manufacturers because of costs, and because previously the crime was not common in the U.S. One estimate is that losses north of $10 million have occurred in the U.S. just in the last couple of months.

There are solutions, and then there are ways to get around the solutions,” says Samir Agarwal, Accelerite’s general manager for security.

ATM jackpotting originated back in 2010 when Barnaby Jack, a New Zealand hacker and computer expert, demonstrated how he could exploit two ATMs
Hackers remove the hard drive, disable any anti-virus software, install a malware program, replace the hard drive and then reboot the computer

ATM protection technology

Accelerite is a California-based software company that focuses on the digital enterprise, including hybrid cloud infrastructure, endpoint security, Big Data analytics, and the Internet of Things. Accelerite’s solution to the ATM jackpotting problem is built on the company’s Sentient security framework.

Accelerite’s approach to ATM jackpotting is to immediately stop the dispensing of cash when any sign of trouble is detected. The system can track alarms, such as when a “top hat” is opened, when a hard disk is removed, if the antivirus software has been tampered with, and so on.

The system can send a notification within 20 seconds that the ATM is being hacked and then automatically shut down the machine. If the bad guy reboots the machine, the system can confirm there was a previous alert and shut it down over and over.

We create multiple lines of defense,” says Agarwal. “The criminal would decide it’s not worth his while and walk away.”

The consequences of jackpotting impact every level of the industry, including ATM manufacturers and financial institutions

Origins of ATM jackpotting

ATM jackpotting originated back in 2010 when Barnaby Jack, a New Zealand hacker and computer expert, demonstrated how he could exploit two ATMs and make them dispense cash on the stage at the Black Hat computer security conference in Las Vegas. Since then, malware has been created and made available on the “Dark Web” that can instruct an ATM to dispense all its cash on demand.

Previously ATM jackpotting attacks have focused on more cost-conscious global markets and those likely to use older-model ATMs with fewer security features. Strong U.S. law enforcement also likely prevented criminals from taking the risk – until now. Attacks in the United States have raised awareness.

There is more cognisance of the possibility of bad things happening,” says Agarwal. “This came out of nowhere and had not happened in the past in the United States. This crime is unlike what you hear about hacks or when data is stolen – there’s just money being stolen.”

Best practices to prevent an attack

However, the consequences impact every level of the industry, including ATM manufacturers and financial institutions. Also, the supermarket and grocery shops that are targeted face additional security challenges, and even consumers could lose confidence in ATMs if they think their personal information could be at risk.

There are best practices that can also prevent an attack. For example, an ATM computer could have a “white list” of approved applications and not allow anything to be installed that is not on the list; for instance, no malware. Another approach is to encrypt the disk drive so that a key or certificate is needed in order to install new software.

Agarwal notes that solving the challenge of ATM jackpotting illustrates the need to combine both physical and cybersecurity approaches to protect modern companies.

It’s the reality as we move into a more digital world,” he says. “Physical security at that level will be difficult to protect, and you will be depending more on cyber solutions. It’s the direction the world is moving into.

Download PDF version

Author profile

Larry Anderson Editor, SourceSecurity.com

An experienced journalist and long-time presence in the US security industry, Larry is SourceSecurity.com's eyes and ears in the fast-changing security marketplace, attending industry and corporate events, interviewing security leaders and contributing original editorial content to the site. He leads SourceSecurity.com's team of dedicated editorial and content professionals, guiding the "editorial roadmap" to ensure the site provides the most relevant content for security professionals.

In case you missed it

What are the obstacles to adoption of mobile credentials for access control?
What are the obstacles to adoption of mobile credentials for access control?

Using a smart phone as an access control credential is an idea whose time has come – or has it? The flexible uses of smart phones are transforming our lives in multiple ways, and the devices are replacing everything from our alarm clocks to our wallets to our televisions. However, the transformation from using a card to using a mobile credential for access control is far from a no-brainer for many organisations, which obstacles to a fast or easy transition. We asked this week’s Expert Panel Roundtable: When will mobile credentials dominate access control, and what are the obstacles to greater adoption?

How to choose the right security entrance for effective customer security
How to choose the right security entrance for effective customer security

Security and systems integrators across the nation are recommending and providing long-term security solutions to their customers. But when it comes to physical security entrances, integrators can easily fall into the trap of simply fulfilling an end user’s exact request without much pushback. Why? We believe the complexity and variety of entrances available makes it difficult to consult on the best solution, but also because there are a lot of assumptions at play. 1) Ask questions to determine the correct security entrance solution There is confusion in the security industry on the meaning of the word, “turnstile.” End users, when requesting a solution, tend to use the word “turnstile” to describe anything from an old fashioned, 3-arm turnstile to a high-tech optical turnstile to a security revolving door. We encourage security integrators to ask questions to discover how their clients want to mitigate the risk of unauthorised entry or “tailgating.” This can help determine the correct security entrance solution to meet the end user’s goal and budget. By asking the right questions and offering true solutions, you can enhance a relationship built on trust and consultation leading to potential repeat business. Below are four physical security goals—crowd, deterrence, detection, and prevention—accompanied by the type of “turnstile” and its capabilities. This breakdown can help the integrator to confidently address an end user’s request for a “turnstile,” and then recommend a solution that truly fulfills their security goals. 2) Explore options for crowd control Typically seen in stadiums, amusement parks, universities, and fitness centres, tripod turnstiles are considered a low security solution for crowd management. Designed for counting employees or slowing down high traffic volume to collect tickets or payments, tripod turnstiles are built to withstand the most abusive of conditions. Here’s what security integrators should know about tripod turnstiles: Low capital cost, but high annual operating cost due to needed 24/7 guard supervision Lack of sensors can lead to defeat – turnstiles can be crawled under or jumped over without alarm/notification to guard staff Little to no metrics capabilities available – no sensors or alarms if defeated High throughput, handling 30 persons per minute in one direction Full height turnstiles are a tall, robust solution for perimeter fence lines, metro stations or parking garages 3) Choose an effective deterrent A physical deterrent to infiltration, full height turnstiles are a tall, robust solution for perimeter fence lines, metro stations or parking garages. While full height turnstiles do physically stop tailgating (an unauthorised person following someone in the next compartment), they have no means to prevent piggybacking. Two people in collusion can gain access through the full height turnstile by badging once and then squeezing into the same compartment. Here are some other things to note about full height turnstiles: Low capital cost, low annual operating cost Guard supervision is up to the user Little to no metrics capabilities available – no sensors or alarms if defeated Moderate throughput, handling 18 persons per minute in one direction 4) Ensure your chosen turnstile can detect tailgating A staple in lobby security to accommodate visitors, optical turnstiles utilise complex sensors to detect a tailgating attempt. Most models available today offer sliding or swinging barriers. A very common assumption in the security industry is that optical turnstiles prevent unauthorised entry, which isn’t true. In fact, once the barriers are open, a second user can slip through. Or, in the case of a wide lane for disabled use, two people can walk through side by side. In either case, an alarm is generated and supervision is therefore essential in order to respond swiftly. The cost of 24/7 supervision must be factored into the security budget. Here are some other points to make note of: Moderate capital cost, but high annual operating cost due to need for 24/7 guard supervision Sensors detect tailgating and sound an alarm for post-tailgating reaction, but turnstiles can still be defeated Moderate metrics capabilities available (for example, # times tailgating occurred, passback rejection) High throughput, handling up to 30 persons per minute in one direction 5) Determine prevention tactics for staff and visitor safety The entry solution of choice for Fortune 1000 companies, security revolving doors and mantrap portals completely prevent tailgating due to their working principle, ensuring the safety and security of staff and visitors. Commonly used at employee-only entrances, security doors are an unmanned entrance solution that cannot be defeated; sensors in the ceiling prevent tailgating (following in a trailing compartment). Optional piggybacking detection systems are also available (preventing two people in the same compartment from entering). The benefits of utilising a truly unmanned door are unparalleled: guard staff can be reduced or reallocated, and this entrance offers an ROI of just 1-2 years. Here’s more information security integrators should know about security revolving doors and portals: High capital cost, low annual operating cost due to no required guard supervision Sophisticated metrics capabilities available, allowing the end user to prove the value of their security investment Security revolving doors = 20 persons per minute, simultaneously in two directions; Security portals = 6 persons per minute in one direction Biometric devices and bullet-resistant glass can be incorporated for an even higher level of security As we’ve demonstrated here, “turnstile,” in the eyes of an end user, is a complex term that can range from a low security, crowd control solution to a high security, tailgating prevention entrance. Security integrators need to first accurately determine the security goals of their customers and then break down the “turnstile” barrier of confusion to recommend the best solution for fulfilling those goals.

Why customers should buy products and services from SMBs
Why customers should buy products and services from SMBs

In 1973, a brilliant economist named E.F. Schumacher wrote a seminal book titled ‘Small Is Beautiful:’ taking an opposing stance to the emergence of globalisation and “bigger is better” industrialism. He described the advantages of smaller companies and smaller scales of production, highlighting the benefits of building our economies around the needs of communities, not corporations. In almost every industry or market that exists in the world today, you're likely to find a difference in size between companies. Whether it’s a global retail chain versus a small family-owned store, a corporate restaurant chain versus a mom-and-pop diner or a small bed and breakfast versus a large hotel chain — each side of the coin presents unique characteristics and advantages in a number of areas. Disparity in physical security industry Customers are drawn to products and services from large enterprises as the big names typically imply stability This disparity very clearly exists in the physical security industry, and differences in the sizes of product manufacturers and service providers could have important implications for the quality and type of the products and services offered. All too often, customers are drawn to products and services from large enterprises, as the big names typically imply stability, extensive product offerings and global reach. And that's not to say that these considerations are unwarranted; one could argue that larger companies have more resources for product development and likely possess the combined expertise and experience to provide a wide range of products and services. But the value that a company’s products and services can bring isn’t necessarily directly related to or dependent on its size. In an age where the common wisdom is to scale up to be more efficient and profitable, it’s interesting to pause and think about some of the possible advantages of small- and medium-sized businesses (SMBs). Typically, “small” companies are defined as those with less than 100 employees and “medium” with less than 500. Providing social mobility  Schumacher argued that smaller companies are important engines of economic growth. Indeed, according to the Organisation for Economic Cooperation and Development (OECD), a group of 36 member countries that promotes policies for economic and social well-being, SMBs account for 60 to 70 percent of jobs in most OECD countries. Importantly, SMBs provide resilience in that there are often large economic and social impacts when big companies fail. Smaller companies are better for regional economies in general, as earnings stay more local compared to big businesses, which in turn generates additional economic activity. SMBs are also better at providing social mobility for disadvantaged groups by giving them opportunities and enabling them to realise their potential. Smaller companies are often more innovative, bringing to the market novel technologies and solutions such as Cloud, analytics, AI, and IoT New companies introduce new technologies There's no denying the role of start-ups when it comes to innovation. In the security industry, many new technologies (e.g. Cloud, analytics, AI, IoT) are first brought to the market by newer companies. In general, smaller companies’ products and services often have to be as good or better than others to be competitive in the marketplace. They are therefore often more innovative, bringing to the market novel technologies and solutions. And these companies are also more willing to try out other new B2B solutions, while larger companies tend to be more risk-averse. Customer service Aside from the quality of products and services, arguably one of the most important components of a security company’s success is its ability to interact with and provide customers the support that they deserve. Smaller companies are able to excel and stand out to their customers in a number of ways: Customer service. Customers’ perceptions of a product’s quality are influenced by the quality of support, and smaller manufacturers often possess a strong, motivated customer service team that can be relatively more responsive to customers of all sizes, not just the large ones. A superior level of support generally translates into high marks on customer satisfaction, since customers’ issues with products can be resolved promptly. Flexibility. SMBs have a greater capacity to detect and satisfy small market niches. While large companies generally create products and services for large markets, smaller companies deal more directly with their customers, enabling them to meet their needs and offer customised products and services. And this translates to adaptability, as SMBs become responsive to new market trends. By having a pulse on the market, smaller companies have much more flexibility in their supply chain and can adjust much faster in response to changing demand. Decision-making. Smaller companies are much more agile in decision-making, while larger enterprises often suffer from complex, tedious and lengthy decision-making processes. Communication is easier throughout SMBs, as smaller teams enable new ideas to flow and can solve problems faster. Job satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction Employees working for SMBs connect more directly with the company's goals and objectives, which in turn increases motivation and job satisfaction. SMBs are also generally more connected to local communities and participation in community activities leads to a greater sense of purpose. Additionally, SMBs have a much smaller impact on the environment, which is increasingly becoming an important consideration for today’s employees and customers. Though Schumacher's book takes a much deeper dive into the large global effects of scale on people and profitability, the general impact of a company’s size on its products and services is clear. It’s important for all players in the security industry to remember that the commitment and dedication to product quality can be found in businesses of all sizes. Ensuring safety of people, property and assets Large manufacturers may catch your eye, but small business shouldn’t be forgotten, as they can offer end users a robust set of attributes and benefits. While all security companies are aiming to achieve a common goal of providing safety for people, property and assets, smaller businesses can provide extensive value when it comes to driving the economy, innovating in the industry, providing quality employment and offering superior customer service.