A new crime wave is hitting automated teller machines (ATMs); the common banking appliances are being rigged to spit out their entire cash supplies into a criminal’s waiting hands.
The crime is called “ATM jackpotting” and has targeted banking machines located in grocery shops, pharmacies and other locations in Taiwan, Europe, Latin America and, in the last several months, the United States. Rough estimates place the total amount of global losses at up to $60 million.
What is jackpotting?
ATM jackpotting is a combination of a physical crime and a cyberattack. Typically, a criminal with a fake ID enters a grocery shop or pharmacy posing as an ATM technician, then uses a crowbar to open the top of the ATM – the “top hat” – to gain access to the personal computer that operates the machine.
Once the criminal has access to the PC, they remove the hard drive, disable any anti-virus software, install a malware program, replace the hard drive and then reboot the computer. The whole operation takes about 30 seconds. The malware then enables the thief to remotely control the ATM and direct it to dispense all its cash on command.
An accomplice – the “mule” – later approaches the ATM to collect the bounty, as the “technician” remotely directs the machine to dispense all its cash. If a legitimate customer approaches the machine in the meantime, it can operate as usual until activated otherwise by the malware.
ATMs in supermarkets and pharmacies tend to be targeted because they may not be as well-protected, and store personnel likely would not know who is authorised to work on the ATM. In contrast, anyone approaching an ATM at a bank location would be more likely to be challenged.
Emergence of criminal activity
The crime first emerged in the United States several months ago, and the U.S. Secret Service, financial institutions and ATM manufacturers have been scrambling to find a solution. Older ATMs are particularly vulnerable.
In some cases, financial institutions have not embraced the highest levels of security offered by ATM manufacturers because of costs, and because previously the crime was not common in the U.S. One estimate is that losses north of $10 million have occurred in the U.S. just in the last couple of months.
“There are solutions, and then there are ways to get around the solutions,” says Samir Agarwal, Accelerite’s general manager for security.
ATM protection technology
Accelerite is a California-based software company that focuses on the digital enterprise, including hybrid cloud infrastructure, endpoint security, Big Data analytics, and the Internet of Things. Accelerite’s solution to the ATM jackpotting problem is built on the company’s Sentient security framework.
Accelerite’s approach to ATM jackpotting is to immediately stop the dispensing of cash when any sign of trouble is detected. The system can track alarms, such as when a “top hat” is opened, when a hard disk is removed, if the antivirus software has been tampered with, and so on.
The system can send a notification within 20 seconds that the ATM is being hacked and then automatically shut down the machine. If the bad guy reboots the machine, the system can confirm there was a previous alert and shut it down over and over.
“We create multiple lines of defense,” says Agarwal. “The criminal would decide it’s not worth his while and walk away.”
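The alarm handling described above (stop dispensing on a tamper alarm, notify, and re-apply the shutdown after a reboot) can be sketched as a persistent latch. This is an added example, not Accelerite's code; the event names, the `TamperLatch` class and the state file are assumptions, and the state file stands in for storage that someone holding the ATM's hard drive cannot rewrite, such as a management server.

```python
import json, os, time

# Hypothetical event names, modelled on the alarms the article lists.
TAMPER_EVENTS = {"top_hat_opened", "hard_disk_removed", "antivirus_tampered"}

class TamperLatch:
    """Takes the ATM out of service on a tamper alarm and stays latched across reboots."""

    def __init__(self, state_path, notify):
        # state_path stands in for storage an intruder with the disk cannot rewrite.
        self.state_path = state_path
        self.notify = notify        # callable(dict): sends the alert upstream
        self.alert = self._load()   # a previous alert survives a reboot

    def _load(self):
        try:
            with open(self.state_path) as fh:
                return json.load(fh)
        except FileNotFoundError:
            return None
        except ValueError:
            # Unreadable state is itself suspicious: fail closed.
            return {"event": "state_unreadable", "ts": time.time()}

    def on_event(self, event, ts=None):
        if event not in TAMPER_EVENTS or self.alert:
            return
        self.alert = {"event": event, "ts": time.time() if ts is None else ts}
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as fh:  # persist before notifying, atomically
            json.dump(self.alert, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.state_path)
        self.notify(self.alert)

    def may_dispense(self):
        return self.alert is None

    def clear(self, authorised):
        # Releasing the latch requires an authorised reset (assumed out-of-band).
        if authorised and self.alert:
            os.remove(self.state_path)
            self.alert = None

if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "latch.json")
    TamperLatch(path, print).on_event("top_hat_opened")
    print("dispense after reboot:", TamperLatch(path, print).may_dispense())
```

Constructing a second `TamperLatch` on the same state models the reboot: the earlier alert is reloaded and dispensing stays blocked until an authorised reset.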
Origins of ATM jackpotting
ATM jackpotting originated back in 2010 when Barnaby Jack, a New Zealand hacker and computer expert, demonstrated how he could exploit two ATMs and make them dispense cash on the stage at the Black Hat computer security conference in Las Vegas. Since then, malware has been created and made available on the “Dark Web” that can instruct an ATM to dispense all its cash on demand.
Previously, ATM jackpotting attacks focused on more cost-conscious global markets and those likely to use older-model ATMs with fewer security features. Strong U.S. law enforcement also likely prevented criminals from taking the risk – until now. Attacks in the United States have raised awareness.
“There is more cognisance of the possibility of bad things happening,” says Agarwal. “This came out of nowhere and had not happened in the past in the United States. This crime is unlike what you hear about hacks or when data is stolen – there’s just money being stolen.”
However, the consequences impact every level of the industry, including ATM manufacturers and financial institutions. Also, the supermarket and grocery shops that are targeted face additional security challenges, and even consumers could lose confidence in ATMs if they think their personal information could be at risk.
Best practices to prevent an attack
There are also best practices that can prevent an attack. For example, an ATM computer could have a “white list” of approved applications and not allow anything that is not on the list, such as malware, to be installed. Another approach is to encrypt the disk drive so that a key or certificate is needed in order to install new software.
Agarwal notes that solving the challenge of ATM jackpotting illustrates the need to combine both physical and cybersecurity approaches to protect modern companies.
“It’s the reality as we move into a more digital world,” he says. “Physical security at that level will be difficult to protect, and you will be depending more on cyber solutions. It’s the direction the world is moving into.”