Five people were arrested in February for attempting to install malware-infected hardware on a Desert First Credit Union ATM, and one expert says that could be the beginning of a worrisome trend for financial institutions.
“This recent series of attacks represented the first widespread ‘jackpotting’ activity in the U.S. Previous jackpotting campaigns have been spotted in Europe and Latin America in recent years,” said David Vergara, VASCO Data Security International’s director of security product marketing.
“A group of hackers stole more than $1 million by hijacking ATM machines in the U.S., which prompted the recent U.S. Secret Service warning,” added Vergara.
Before Desert First Federal Credit Union made jackpotting news, NCR Corp., one of the world’s largest ATM makers, informed its customers that it had received reports from the Secret Service that ATMs could be at risk.
“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert stated. “This represents the first confirmed cases of losses due to logical attacks in the U.S. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”
Owen Wild, security marketing director at NCR, added that these forms of attacks occur globally and “impact all ATM manufacturers.”
What exactly is jackpotting?
Jackpotting often takes place in plain sight. Crooks will dress the part and pose as ATM technicians. In some cases, they may manually drill a hole into the machine or open it using a generic key that can be bought online. They next install a laptop or cellphone into the machine that can be remotely activated to direct the ATM to discharge money. Generally, the “technician” doesn’t take the money, but rather an accomplice later in the day.
Jack Lynch, SVP and chief risk officer at PSCU, explained that jackpotting is a concerted team effort.
“In some cases, they are just putting a hole in the side of the ATM — they actually don’t have to break in. They attach an endoscopy-type camera onto a smartphone or laptop and figure where to connect in,” said Lynch. “They install the malware and take control of the machine and start spitting cash out.”
Lynch said if the crooks “know what they are doing” and “have the right machine picked out,” they can empty an ATM in a matter of minutes. “It’s a fairly quick process,” he said.
Depending on a financial institution’s money management platform, Lynch said, an ATM can hold $10,000 to $50,000, or more, in cash on a daily basis.
Is your ATM at risk?
VASCO’s Vergara said that with financial institutions focusing on self-service channels like ATM and mobile, “to drive down costs and better serve customers,” it shouldn’t come as a surprise that more cybercrimes are emerging.
“The relatively low-tech skimming attacks still represent the vast majority of ATM losses," he said, "but more coordinated attacks using physical access to the machine, through a master key and keyboard, along with more sophisticated malware are enabling much bigger paydays for hackers.”
According to Lynch, the rise in jackpotting incidents is related to a decline in counterfeit-card fraud as a result of EMV. As such, he said “we will continue to see fraudsters looking to find the weakest link” to commit other types of fraud.
“Crooks have uncovered a weakness in ATMs that are running older operating systems such as Windows XP or potentially old firmware revisions,” he said.
While credit union executives may take comfort in ATMs that are stationed at branch locations under a watchful eye, many CUs also offer standalone ATMs at off-site locations.
“Standalone, unattended ATMs are typically more vulnerable,” said NCR’s Wild.
He advised credit union executives concerned about jackpotting to ask the following three questions:
• What type of ATMs do I have, and how old/current are the ATMs that I currently have in the field?
• In what environments are my ATMs deployed?
• What have I done to protect my credit union and members from the major forms of attack vectors?
Vergara added that credit unions should know the latest physical security innovations that can be deployed with existing machines and investigate features for new ATMs.
“There should be a strong physical security of ATMs along with regular physical inspections,” he said. “Limit the exposure to less supervised ATM locations and always run the latest OS and implement security updates quickly.”
