Blog: Don’t be the Jackpot. Protect your ATMs against evolving attacks.

You might have seen some of the headlines earlier this year about “jackpotting.” It’s an ATM hacking scheme that prompts ATMs to dispense cash as if they were a Vegas slot machine.

It sounds sensational—but it’s a real threat. After becoming prominent in Latin America, Europe and Asia over the past several years, jackpotting has made its way into the United States. And many banks and ATMs around the country are vulnerable.

Check out our recent podcast on jackpotting.

Understanding the threat.
If you’re a criminal with some time, a bit of cash, and malicious intent, all it takes [to jackpot an ATM] is buying and downloading malware and manuals for decimated terminals off the Dark Web, getting special tools off the internet, and finding a way to dress up as a service technician. Here’s how attacks typically occur:

Working in a pair, attackers will target less secure ATMs. Depending on the type of ATM and malware used, one attacker may either install malware on the machine’s hard drive or replace the hard drive entirely with one on which they’ve already installed malware. The imposter service technician then closes the ATM back up and leaves.

An accomplice or ‘money mule’ will then pretend to use the terminal as a customer. The first attacker could then remotely force the ATM to dispense all of its cash, sometimes up to thousands of dollars at a time (thus: “jackpot”). The first attacker will then return to the machine to reset it to normal operation as if nothing ever happened.

While this is the most widely publicized version of jackpotting, possibly because it’s reminiscent of Hollywood bank heists, there are currently two types of recognized jackpotting attacks; “malware” attacks, like the one above, and “black box” attacks.

The “malware” approach utilizes the computer of the ATM and the already existing connection to the dispenser unit to initiate withdrawal of cash. “Black box” is a variant of jackpotting, where the ATM PC is not utilized to dispense the money from the ATM. Instead the fraudster connects his own device, the “black box”, to the dispenser and targets the communication to the unit directly. Both are equally devastating.

Upping your defense.
The target of a jackpotting attack is cold, hard cash. No reported attacks have shown customer data being compromised yet, but that doesn’t mean your reputation won’t take a hit if your ATMs are compromised.

The best way to prevent an attack, be it jackpotting or otherwise, is to ensure your security solutions are up to date. Because if your ATM software is aging, you’re not only putting the machines at risk, but your business as well.

Diebold Nixdorf has helped financial institutions around the world understand their security weaknesses, cost vs. risk scenarios, and ways to harden their operations against threats. Here are some of the most effective steps you can take today:

Upgrade your Terminal Software Stack to the Latest Technology.
If you’re not operating an up-to-date version of the terminal software (everything including the operating system, XFS, and terminal software), you should be! You can get our whitepaper on Windows 10 Migration, and how it can benefit your financial institution, here.

Limit Access to the ATM.
Sound physical security shouldn’t go undervalued. Use appropriate locking mechanisms to secure the head compartment of the ATM. Implement access control for service technicians based on two-factor authentication. Implement alarms and PIN pad disarms on high risk ATMs. Control access to areas used by personnel to service the ATM. And conduct frequent visual inspections to see if anything is amiss.

Harden the Software Stack.
Intrusion prevention mechanisms can help you identify deviating system behavior and protect the ATM during operation. This should include monitoring the integrity of and controlling the access to system critical files and the registry. Additionally, the implementation of hard disk encryption will protect the ATM from software modifications initiated by external boot attacks (offline attacks).

Set up Additional Measurements.
Follow network security best practices, including segmented and secured LAN/VLAN with intrusion, detection and prevention. Implement a secure connection with the host via TLS and Message Authentication Code (MAC). Ensure real-time monitoring of hardware and software events, and investigate suspicious activities like deviating or non-consistent transaction or event patterns which are caused by an interrupted connection to the dispenser. Monitor unexpected opening of the head compartment of the ATM. Keep your operating system, software stack and your configuration up to date. Implement secure software update processes and follow security best practices on password management of remote access tools.

Protecting your ATM fleet is a necessity—not just to prevent jackpotting, but all types of attacks. With security solutions from Diebold Nixdorf, you’ll stay one step ahead of the cybercriminals.

Interested in learning more about securing your ATM fleet – or just have a question? We’re here to help. Let’s start a conversation today.